CN111191251A - Data authority control method, device and storage medium - Google Patents

Data authority control method, device and storage medium Download PDF

Info

Publication number
CN111191251A
Authority
CN
China
Prior art keywords
data
user
authority
role
data authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811352266.7A
Other languages
Chinese (zh)
Inventor
周亮
盛永夫
张�杰
郑光远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Hangzhou Information Technology Co Ltd
Priority to CN201811352266.7A
Publication of CN111191251A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of computers, and discloses a data authority control method, a data authority control device and a storage medium, which are used for reducing the number of roles needing to be maintained by a system, further reducing the maintenance cost of the system and improving the development efficiency of the system. The method comprises the following steps: obtaining a user request from a client for accessing a data resource; acquiring at least one item of data authority distributed to the user according to pre-established user data authority distribution information, wherein the user data authority distribution information comprises data authority information directly distributed to the user; and acquiring the data resources corresponding to the at least one data authority from a database according to the at least one data authority, and feeding back the acquired data resources to the client.

Description

Data authority control method, device and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for controlling data permissions, and a storage medium.
Background
At present, almost every kind of system construction involves authority control. Authority includes function authority and data authority. Function authority concerns what a user is allowed to do, for example adding a sales order; data authority concerns which data a user is allowed to see and act on, for example the sales orders of the Haihai sales division of the Shanghai division. At present, most authority control systems are built on the Role-Based Access Control (RBAC) model; how to further optimize RBAC-based authority control so as to reduce development cost and improve development efficiency remains a technical problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a data authority control method, a data authority control device and a storage medium, which are used for reducing the number of roles needing to be maintained by a system, further reducing the system maintenance cost and improving the system development efficiency.
In one aspect, an embodiment of the present invention provides a data authority control method, including:
obtaining a user request from a client for accessing a data resource;
acquiring at least one item of data authority distributed to the user according to pre-established user data authority distribution information, wherein the user data authority distribution information comprises data authority information directly distributed to the user;
and acquiring the data resources corresponding to the at least one data authority from a database according to the at least one data authority, and feeding back the acquired data resources to the client.
Optionally, the user data right allocation information further includes data right information allocated to the user in the following manner:
when a request of a user for applying a role is obtained, a corresponding relation between the role established in advance and the data authority is obtained;
and after the role is distributed to the user applying for the role, adding the data authority corresponding to the distributed role for the user applying for the role according to the corresponding relation between the role and the data authority, thereby obtaining the data authority information distributed to the user.
Optionally, the obtaining, according to the at least one data permission, a data resource corresponding to the at least one data permission from a database specifically includes:
splicing the at least one item of data authority to form a specific access statement for accessing the database;
and accessing the database through the specific access statement to obtain the data resource corresponding to the at least one item of data authority.
Optionally, the obtaining of the user request for accessing the data resource from the client specifically includes:
when the fact that the user successfully logs in through a login interface system presented by the client is determined, a target role corresponding to the user is obtained;
acquiring a function authority corresponding to the target role according to a pre-established corresponding relationship between the role and the function authority;
feeding back the obtained function authority to the client so that the client establishes a function authority interface according to the obtained function authority;
and acquiring a user request for accessing the data resource triggered by the user based on the function permission interface.
Optionally, after obtaining the user request for accessing the data resource from the client, the method includes:
and checking the function authority of the user, wherein if the check passes, at least one item of data authority allocated to the user is obtained according to the pre-established user data authority allocation information, and otherwise the user request is rejected.
Optionally, different data permissions in the user data permission allocation information are identified by different data codes.
In one aspect, an embodiment of the present invention provides a data right control apparatus, including:
the obtaining unit is used for obtaining a user request for accessing the data resource from the client, and for acquiring at least one item of data authority distributed to the user according to pre-established user data authority distribution information, wherein the user data authority distribution information comprises data authority information directly distributed to the user;
and the sending unit is used for acquiring the data resources corresponding to the at least one data authority from a database according to the at least one data authority and feeding back the acquired data resources to the client.
Optionally, the user data right allocation information further includes data right information allocated to the user in the following manner, and the obtaining unit is further configured to:
when a request of a user for applying a role is obtained, a corresponding relation between the role established in advance and the data authority is obtained;
and after the role is distributed to the user applying for the role, adding the data authority corresponding to the distributed role for the user applying for the role according to the corresponding relation between the role and the data authority, thereby obtaining the data authority information distributed to the user.
Optionally, the sending unit is further configured to:
splicing the at least one item of data authority to form a specific access statement for accessing the database;
and accessing the database through the specific access statement to obtain the data resource corresponding to the at least one item of data authority.
Optionally, the obtaining unit is further configured to:
when the fact that the user successfully logs in through a login interface system presented by the client is determined, a target role corresponding to the user is obtained;
acquiring a function authority corresponding to the target role according to a pre-established corresponding relationship between the role and the function authority;
feeding back the obtained function authority to the client so that the client establishes a function authority interface according to the obtained function authority;
and acquiring a user request for accessing the data resource triggered by the user based on the function permission interface.
Optionally, the obtaining unit is further configured to:
and checking the function authority of the user, wherein if the check passes, at least one item of data authority allocated to the user is obtained according to the pre-established user data authority allocation information, and otherwise the user request is rejected.
Optionally, different data permissions in the user data permission allocation information are identified by different data codes.
In one aspect, an embodiment of the present invention provides an information processing apparatus, including at least one processor and at least one memory, where the memory stores a computer program, and when the program is executed by the processor, the processor is caused to execute the steps of the data authority control method in the embodiment of the present invention.
In one aspect, an embodiment of the present invention provides a storage medium, where the storage medium stores computer instructions, and when the computer instructions are executed on a computer, the computer is caused to execute the steps of the data right control method.
In an embodiment of the invention, upon obtaining a user request from a client to access a data resource, obtaining at least one data authority distributed for the user according to the pre-established user data authority distribution information, wherein the pre-established user data right distribution information includes data right information directly distributed to the user, then, according to at least one item of data authority, obtaining the data resource corresponding to the at least one item of data authority from the database, and feeding back the obtained data resource to the client, thus, in the method, the data authority can be directly distributed to the user, the role overhead in the system is reduced, the condition that one role needs to be established first when the data authority is distributed and then the related data authority is distributed to the roles in the prior art is avoided, therefore, the number of roles to be maintained is reduced, the maintenance cost is reduced, and the development efficiency is improved. Meanwhile, the data authority can be directly distributed to the user, and the purpose of setting the personalized data authority for the user is also realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present invention;
fig. 2 is a flowchart of a data right control method according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a user request for accessing a data resource according to an embodiment of the present invention;
fig. 4 is a data right control apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the technical solutions of the present invention. All other embodiments obtained by a person skilled in the art without any inventive work based on the embodiments described in the present application are within the scope of the protection of the technical solution of the present invention.
Some concepts related to the embodiments of the present invention are described below.
RBAC technique: authority authorization is essentially a question of Who, What and How. In the RBAC model, Who, What and How form an access authority triple: Who (the subject, such as a User or Role) performs How (the operation) on What (the object, such as a Resource or Class). RBAC associates all resources with roles, which makes unified authority control easier: permissions are attached to roles, and users obtain the permissions of a role by becoming members of the appropriate role. Roles are created for the various kinds of work to be done, users are assigned roles according to their responsibilities and qualifications, and a user can easily be moved from one role to another.
In a specific practical process, the inventor of the present invention finds that the following problems mainly exist when the RBAC technology is applied as an authority control system in the prior art: the data authority exists depending on roles, when a specific data authority needs to be allocated to a specific user, a user role corresponding to the user can only be created for the user, and then the data authority is allocated to the user role, so that the role overhead required to be maintained by the system is increased, and when the role system is too large, the maintenance cost and the development efficiency of the system are seriously influenced.
To this end, an embodiment of the present invention provides a data right control method, which obtains at least one item of data right allocated to a user according to pre-established user data right allocation information when obtaining a user request from a client for accessing data resources, where the pre-established user data right allocation information includes data right information directly allocated to the user, and then obtains data resources corresponding to the at least one item of data right from a database according to the at least one item of data right, and feeds back the obtained data resources to the client, so that in the method, data rights can be directly allocated to the user, which reduces role overhead in a system, and avoids a situation that a role needs to be created first when data rights are allocated, and then related data rights are allocated to the role, thereby reducing the number of roles that need to be maintained, the maintenance cost is reduced and the development efficiency is improved. Meanwhile, the data authority can be directly distributed to the user, and the purpose of setting the personalized data authority for the user is also realized.
The data authority control method in the embodiment of the present invention may be applied to an application scenario as shown in fig. 1, where the application scenario includes a user terminal 10 and a server 11, where the user terminal 10 has a client installed therein, and a function of the client may be supported by the server 11, where the user terminal 10 and the server 11 are connected through a network, and the network may be any one of communication networks such as a local area network, a wide area network, or a mobile internet. The user terminal 10 may be any intelligent electronic device capable of automatically and rapidly processing a large amount of data according to a program, such as a computer, an ipad, a mobile phone, and the like. The server 11 may be one server, or may be a server cluster or a cloud computing center formed by several servers.
In this scenario, when the server 11 obtains a user request from the user terminal 10 for accessing the data resource, at least one data right allocated to the user may be obtained according to pre-established user data right allocation information, where the pre-established user data right allocation information includes data right information directly allocated to the user; and acquiring the data resources corresponding to the at least one data authority from a database according to the at least one data authority, and feeding back the acquired data resources to the client.
It should be noted that the above-mentioned application scenarios are only presented to facilitate understanding of the spirit and principles of the present invention, and the present invention is not limited in this respect. Rather, embodiments of the present invention may be applied in any scenario where applicable.
The following describes a data authority control method provided in an embodiment of the present invention with reference to an application scenario shown in fig. 1.
As shown in fig. 2, a method for controlling data permission provided in an embodiment of the present invention includes:
step 201: a user request from a client to access a data resource is obtained.
In the embodiment of the present invention, when a user needs to access a data resource in a system, a user request for accessing that data resource can be sent through an interface provided by the system. The system may be any type of system involving function authority and data authority control, such as a human resource management system or a data statistics system, which are not enumerated here.
In practical applications, step 201 can also be implemented by the flow shown in fig. 3:
the process shown in fig. 3 includes:
step 301: when the fact that the user successfully logs in through a login interface system presented by the client is determined, a target role corresponding to the user is obtained;
step 302: acquiring a function authority corresponding to the target role according to a pre-established corresponding relationship between the role and the function authority;
step 303: feeding back the obtained function authority to the client so that the client establishes a function authority interface according to the obtained function authority;
step 304: and acquiring a user request for accessing the data resource triggered by the user based on the function permission interface.
In the embodiment of the invention, a user can log in to the system through the client in the user terminal. When the user logs in, the server supporting the system (hereinafter referred to as the server) checks whether the login user's information is recorded in the stored user information table. If it is, and the login succeeds, the server obtains the login user's role in the system from the user-role correspondence table. In practical application this table is pre-established: for example, when the user Zhang San registers with the system and is assigned the role "administrator", the correspondence between Zhang San and the role "administrator" is stored in the user-role correspondence table. Of course, one user may correspond to one role or to multiple roles.
In the embodiment of the invention, the function authority of the system is managed through roles, where function authority is used to control page display elements. Therefore the server can pre-establish a role-function authority correspondence table. After the user successfully logs in, the server first obtains the role corresponding to the login user from the user-role correspondence table, then obtains the function authority corresponding to that role from the role-function authority correspondence table, and then feeds the obtained function authority back to the client in the user terminal, so that the client can build a function authority interface for user interaction according to the function authority it received.
Similarly, in the embodiment of the present invention, a role may correspond to one function right, or to multiple function rights, so that when a role corresponding to a login user corresponds to one function right, the server may feed back a function right corresponding to the role of the login user to the client; when the role corresponding to the login user corresponds to a plurality of function rights, the server feeds back a plurality of function rights corresponding to the role of the login user to the client; if a plurality of roles corresponding to the login user exist, the server feeds back the function authority corresponding to each role corresponding to the login user to the client.
After the client receives the function permission fed back by the server, the client can control the page display element according to the fed back function permission, and then display the page matched with the fed back function permission.
In the embodiment of the present invention, data codes may be used to manage and control the data permissions of the system; for example, a custom code for country, province, city and district may be used as a dataCode, and other meaningful data codes may likewise be used as data permission control parameters.
Therefore, in the page displayed by the client and matched with the fed-back function authority, each function button can carry the dataCode of the corresponding data authority. When the user operates on the page, that is, selects the data resource to be accessed by clicking one or more buttons, the user terminal sends a user request for accessing the data resource to the server according to the user's selection.
Step 202: and acquiring at least one item of data authority distributed for the user according to pre-established user data authority distribution information.
The pre-established user data authority distribution information comprises data authority information directly distributed to the user.
In the embodiment of the invention, in order to reduce the role overhead in the system, reduce the maintenance cost and improve the development efficiency, a scheme for directly distributing the data permission to the user is set, and the purpose of setting the personalized data permission to the user is also realized. For example, when a user needs to access a data resource of a beijing library, a data right for accessing the data resource of the beijing library can be directly allocated to the user, so that the problems of increased role overhead and complicated operation caused by the fact that a role such as a beijing administrator needs to be established first, then the data right for accessing the data resource of the beijing library is allocated to the beijing administrator, and finally the role of the beijing administrator is allocated to the user in the prior art so as to obtain the data right for accessing the data resource of the beijing library are solved.
In the embodiment of the invention, the user data authority allocation information can be pre-established, and the data authority information directly allocated to the user, namely the user-data authority correspondence table, is stored in that information. Then, when the server receives from the client a user request for accessing the data resource, the server can determine the data authority corresponding to the user according to the user data authority allocation information.
In the embodiment of the invention, the server can also check the function authority again when it receives the user request for accessing the data resource from the client. For this purpose an association table linking request URLs to function authorities can be maintained on the server: the single function authority corresponding to the requested URL is looked up and checked against all the function authorities of the user and of the user's roles. If the check passes, the data authority corresponding to the user is determined according to the user data authority allocation information and the data is obtained through the relevant interface; if the check fails, a "no authority" notice is returned and the access is terminated.
Similarly, in the embodiment of the present invention, a user may correspond to one data right or to multiple data rights. When the user who sent the request for accessing data resources corresponds to one data right, the server determines that one data right from the user-data right correspondence table in the user data right allocation information; when that user corresponds to multiple data rights, the server determines the multiple data rights from the same correspondence table.
To further improve efficiency, considering that the user logging in now may have logged in and accessed data resources a short time earlier, the user's data right information may be cached on the server. When the data right corresponding to the user is to be determined, the server first queries its cache for that user's data right information; only if nothing is found in the cache is the data right determined from the user-data right correspondence table in the user data right allocation information.
Step 203: and acquiring the data resources corresponding to the at least one data authority from a database according to the at least one data authority, and feeding back the acquired data resources to the client.
In the embodiment of the invention, after the data authority corresponding to the user is determined according to the user-data authority distribution information and the corresponding relation table of the user and the data authority, the server can obtain the data resources with various data authorities corresponding to the user from the database.
In an embodiment of the present invention, step 203 may be implemented in the following manner: splicing at least one item of data authority to form a specific access statement for accessing the database; and then accessing the database through a specific access statement to obtain the data resource corresponding to the at least one item of data authority.
That is, in the embodiment of the present invention, when the data authority corresponding to the user includes multiple items, the background data processing layer of the server can splice the multiple items into a specific access statement for the database, for example a SQL data request statement: dataCode like '0101%' and dataCode like '0102%'. This statement covers two data authority areas, dataCode 0101 and dataCode 0102. The database is then accessed with the spliced access statement to obtain the data resources it returns. The server sends the data resources returned by the database to the client, which displays them in the page; these are the data resources visible to the user.
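The splicing step is where a data-permission scheme most often goes wrong in practice, so the following added example (not the patent's code; the table name resources, the column names and the sample rows are constructed) shows one safe way to turn a set of dataCode prefixes into a database query. Two design choices differ from the statement quoted above and are deliberate: the prefixes are joined with OR rather than AND, because a row carries a single dataCode and two different prefixes joined with AND can never both hold; and the codes are bound as query parameters with LIKE wildcards escaped, so a code such as "01%" cannot widen the range to a whole country even if it ends up in the user-data authority table.

```python
import sqlite3


def _escape_like(value):
    """Neutralise LIKE metacharacters so a data code is matched literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_access_statement(data_codes):
    """Splice the user's data codes into one SELECT.

    Each data code is a prefix (dataCode LIKE '0101%'); the prefixes are OR-ed
    together, and every value is passed as a bound parameter rather than being
    concatenated into the SQL text. Returns (sql, params).
    """
    codes = sorted(set(data_codes))
    if not codes:
        # No data authority at all: a statement that matches no row.
        return "SELECT id, dataCode, payload FROM resources WHERE 0", ()
    clause = " OR ".join("dataCode LIKE ? ESCAPE '\\'" for _ in codes)
    params = tuple(_escape_like(code) + "%" for code in codes)
    sql = f"SELECT id, dataCode, payload FROM resources WHERE {clause} ORDER BY id"
    return sql, params


def fetch_resources(conn, data_codes):
    """Run the spliced statement and return the visible rows as dicts."""
    sql, params = build_access_statement(data_codes)
    return [dict(row) for row in conn.execute(sql, params)]


def demo_db():
    """Constructed sample database: four resources in three district codes."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, dataCode TEXT NOT NULL, payload TEXT)"
    )
    conn.executemany(
        "INSERT INTO resources (dataCode, payload) VALUES (?, ?)",
        [
            ("010101", "Beijing / district A record"),
            ("010102", "Beijing / district B record"),
            ("010201", "Shanghai / district A record"),
            ("020101", "Guangzhou / district A record"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    # A user allocated dataCode 0101 and 0102 sees the Beijing and Shanghai rows only.
    for row in fetch_resources(db, {"0101", "0102"}):
        print(row["id"], row["dataCode"], row["payload"])
```

The check worth keeping from this example is the last one in the usage: a data code that contains a wildcard returns nothing instead of everything, which is the behaviour a defender wants when the allocation table is writable by administrators of varying care.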
Therefore, by the method, when a user request for accessing data resources from a client is obtained, at least one item of data authority allocated to the user is obtained according to the pre-established user data authority allocation information, wherein the pre-established user data authority allocation information comprises data authority information directly allocated to the user, then the data resources corresponding to the at least one item of data authority are obtained from the database according to the at least one item of data authority, and the obtained data resources are fed back to the client, so that the method can directly allocate the data authority to the user, reduce the role overhead in the system, realize the decoupling of roles and data authorities, avoid the condition that one role needs to be created first when the data authority is allocated and then the relevant data authority is allocated to the roles in the prior art, and therefore, the number of the roles needing to be maintained is reduced, the maintenance cost is reduced and the development efficiency is improved.
As an optional manner, in the embodiment of the present invention, the user data right allocation information further includes data right information allocated to the user by the following manner: when a request of a user for applying a role is obtained, a corresponding relation between the role established in advance and the data authority is obtained; and after the role is distributed to the user applying for the role, adding the data authority corresponding to the distributed role for the user applying for the role according to the corresponding relation between the role and the data authority, thereby obtaining the data authority information distributed to the user.
In other words, considering that in practical applications many users need to be assigned the same data authority, the embodiment of the present invention may also establish a corresponding relationship between a role and data authority. Multiple users can then be selected and added to the role, and the data authority corresponding to the role is assigned to the added users according to that relationship; that is, the authority is assigned to the users under the role, while the role itself has no data-authority attribute, and only the data authority corresponding to the role is added to the users under the role. The maintenance cost of the system is thereby further reduced and development efficiency is improved.
Based on the same inventive concept, an embodiment of the present invention provides a data right control apparatus, as shown in fig. 4, the apparatus includes:
an obtaining unit 40, configured to obtain a user request from a client to access a data resource, and further configured to acquire, according to pre-established user data authority allocation information, at least one item of data authority allocated to the user, wherein the user data authority allocation information comprises data authority information directly allocated to the user;
a sending unit 41, configured to obtain, according to the at least one item of data permission, a data resource corresponding to the at least one item of data permission from a database, and feed back the obtained data resource to the client.
Optionally, the user data right allocation information further includes data right information allocated to the user in the following manner, and the obtaining unit is further configured to:
when a request of a user for applying a role is obtained, a corresponding relation between the role established in advance and the data authority is obtained;
and after the role is distributed to the user applying for the role, adding the data authority corresponding to the distributed role for the user applying for the role according to the corresponding relation between the role and the data authority, thereby obtaining the data authority information distributed to the user.
Optionally, the sending unit is further configured to:
splicing the at least one item of data authority to form a specific access statement for accessing the database;
and accessing the database through the specific access statement to obtain the data resource corresponding to the at least one item of data authority.
Optionally, the obtaining unit is further configured to:
when it is determined that the user has successfully logged in through a system login interface presented by the client, obtaining a target role corresponding to the user;
acquiring a function authority corresponding to the target role according to a pre-established corresponding relationship between the role and the function authority;
feeding back the obtained function authority to the client so that the client establishes a function authority interface according to the obtained function authority;
and acquiring a user request for accessing the data resource triggered by the user based on the function permission interface.
Optionally, the obtaining unit is further configured to:
and checking the function authority of the user, wherein if the check passes, the step of acquiring, according to the pre-established user data authority allocation information, at least one item of data authority allocated to the user is executed, and otherwise the user request is rejected.
Optionally, different data permissions in the user data permission allocation information are identified by different data codes.
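The request path described above (function authority check by the obtaining unit, lookup of the user's data authority allocation information, splicing of the data authorities into an access statement, and role assignment that copies the role's data authorities to the user) as one worked example. This is added example code, not code from the patent or its applicant. It assumes, beyond what the page states, that users, roles and the role-to-function and role-to-data-authority relationships are plain dicts, that the data resources sit in an in-memory SQLite table named resources with a dataCode column, and that the sample users, roles and rows are constructed here:

```python
"""Added example (not code from the patent): a minimal server-side model of the
data-authority flow described on this page, standard library only.

Assumptions (not from the page): users, roles, role->function authority and
role->data authority relationships live in plain dicts; the data resources
live in an in-memory SQLite table `resources` whose `dataCode` column holds
the code each row belongs to. All sample data below is constructed."""
import sqlite3

# Pre-established relationships (constructed sample data).
ROLE_FUNCTIONS = {                      # role -> function authorities
    "ops_viewer": {"view_report"},
    "ops_admin": {"view_report", "export_report"},
    "auditor": {"view_report"},         # a role with no data authority at all
}
ROLE_DATA_CODES = {                     # role -> data authorities (data codes)
    "ops_viewer": {"0101"},
    "ops_admin": {"0101", "0102"},
}

# User data authority allocation information: per user, the data codes
# allocated directly plus those added when a role was assigned.
USER_ROLE = {}
USER_DATA_CODES = {}


def assign_role(user, role):
    """Give `user` the role and add the role's data codes to the user's own
    allocation. The role carries no data-authority attribute at query time;
    only the user's allocation is consulted (the decoupling described above)."""
    USER_ROLE[user] = role
    USER_DATA_CODES.setdefault(user, set()).update(ROLE_DATA_CODES.get(role, set()))


def grant_data_code(user, code):
    """Direct allocation of one data authority to a user; no role involved."""
    USER_DATA_CODES.setdefault(user, set()).add(code)


def has_function_authority(user, function):
    """Function authority is still role based: user -> target role -> functions."""
    return function in ROLE_FUNCTIONS.get(USER_ROLE.get(user), set())


def like_prefix(code):
    """Turn a data code into a LIKE prefix pattern. LIKE metacharacters inside
    the code are escaped (backslash is declared as the escape character in
    build_access_statement) so the code itself is matched literally."""
    escaped = code.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return escaped + "%"


def build_access_statement(codes):
    """Splice the user's data authorities into one parameterised SELECT.

    The codes never enter the SQL text, only '?' placeholders do, so splicing
    cannot change the statement's structure. Predicates are combined with OR:
    a row's dataCode cannot start with both '0101' and '0102', so the AND in
    the page's fragment would select nothing. Returns (sql, params), or
    (None, ()) when the user holds no data authority: fail closed rather than
    run an unfiltered query."""
    codes = sorted(codes)
    if not codes:
        return None, ()
    where = " OR ".join("dataCode LIKE ? ESCAPE '\\'" for _ in codes)
    sql = "SELECT id, dataCode, payload FROM resources WHERE (" + where + ") ORDER BY id"
    return sql, tuple(like_prefix(c) for c in codes)


def handle_request(conn, user, function):
    """The request path: check function authority first and reject if it fails;
    only then look up the user's data authorities and fetch the rows visible
    to the user. Returns (status, list of visible dataCodes)."""
    if not has_function_authority(user, function):
        return "rejected", []
    sql, params = build_access_statement(USER_DATA_CODES.get(user, set()))
    if sql is None:
        return "ok", []
    return "ok", [row[1] for row in conn.execute(sql, params)]


def make_db():
    """Constructed sample database: four rows in two top-level data areas."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (id INTEGER PRIMARY KEY, dataCode TEXT, payload TEXT)")
    conn.executemany("INSERT INTO resources (dataCode, payload) VALUES (?, ?)",
                     [("010101", "hz"), ("010203", "sh"), ("010301", "bj"), ("020101", "other")])
    return conn


# Constructed allocation: two users via roles, one role plus a direct grant,
# one role without data authority, and one user ("eve") with no role at all.
assign_role("alice", "ops_viewer")
assign_role("bob", "ops_admin")
assign_role("carol", "ops_viewer")
grant_data_code("carol", "0103")       # direct allocation, no extra role needed
assign_role("dave", "auditor")

if __name__ == "__main__":
    db = make_db()
    for who, fn in [("bob", "export_report"), ("alice", "export_report"),
                    ("carol", "view_report"), ("dave", "view_report"), ("eve", "view_report")]:
        print(who, fn, handle_request(db, who, fn))
```

Two design choices differ from a literal reading of the page and are worth noting. The page's fragment splices the data codes into the SQL text; here the spliced part is the list of placeholders, and the codes travel as bound parameters with LIKE metacharacters escaped, so a data code can only ever widen or narrow the prefix match, never alter the statement. The page's fragment also joins the two prefixes with "and"; since one row cannot carry two different prefixes, this example joins them with OR, and a user with an empty allocation gets an empty result rather than an unfiltered query.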
Based on the same inventive concept, an embodiment of the present invention provides an information processing apparatus, including at least one processor and at least one memory, where the memory stores a computer program, and when the program is executed by the processor, the processor is caused to execute the steps of the data right control method in the embodiment of the present invention.
Based on the same inventive concept, an embodiment of the present invention provides a storage medium, where the storage medium stores computer instructions, and when the computer instructions are executed on a computer, the computer is caused to execute the steps of the data permission control method in the embodiment of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (13)

1. A method for controlling data permissions, comprising:
obtaining a user request from a client for accessing a data resource;
acquiring at least one item of data authority distributed to the user according to pre-established user data authority distribution information, wherein the user data authority distribution information comprises data authority information directly distributed to the user;
and acquiring the data resources corresponding to the at least one data authority from a database according to the at least one data authority, and feeding back the acquired data resources to the client.
2. The method of claim 1, wherein the user data right assignment information further includes data right information assigned to the user by:
when a request of a user for applying a role is obtained, a corresponding relation between the role established in advance and the data authority is obtained;
and after the role is distributed to the user applying for the role, adding the data authority corresponding to the distributed role for the user applying for the role according to the corresponding relation between the role and the data authority, thereby obtaining the data authority information distributed to the user.
3. The method according to claim 1 or 2, wherein the obtaining, according to the at least one item of data authority, a data resource corresponding to the at least one item of data authority from a database specifically includes:
splicing the at least one item of data authority to form a specific access statement for accessing the database;
and accessing the database through the specific access statement to obtain the data resource corresponding to the at least one item of data authority.
4. The method of claim 3, wherein obtaining the user request from the client for access to the data resource specifically comprises:
when it is determined that the user has successfully logged in through a system login interface presented by the client, obtaining a target role corresponding to the user;
acquiring a function authority corresponding to the target role according to a pre-established corresponding relationship between the role and the function authority;
feeding back the obtained function authority to the client so that the client establishes a function authority interface according to the obtained function authority;
and acquiring a user request for accessing the data resource triggered by the user based on the function permission interface.
5. The method of claim 4, wherein after obtaining the user request from the client to access the data resource, the method comprises:
and checking the function authority of the user, wherein if the check passes, the step of acquiring, according to the pre-established user data authority allocation information, at least one item of data authority allocated to the user is executed, and otherwise the user request is rejected.
6. The method of claim 1, wherein different data rights in the user data rights assignment information are identified by different data encodings.
7. A data right control apparatus, comprising:
the obtaining unit is used for obtaining a user request from a client for accessing the data resource, and is further used for acquiring, according to pre-established user data authority allocation information, at least one item of data authority allocated to the user, wherein the user data authority allocation information comprises data authority information directly allocated to the user;
and the sending unit is used for acquiring the data resources corresponding to the at least one data authority from a database according to the at least one data authority and feeding back the acquired data resources to the client.
8. The apparatus of claim 7, wherein the user data right assignment information further includes data right information assigned to the user by:
when a request of a user for applying a role is obtained, a corresponding relation between the role established in advance and the data authority is obtained;
and after the role is distributed to the user applying for the role, adding the data authority corresponding to the distributed role for the user applying for the role according to the corresponding relation between the role and the data authority, thereby obtaining the data authority information distributed to the user.
9. The apparatus of claim 7 or 8, wherein the sending unit is further configured to:
splicing the at least one item of data authority to form a specific access statement for accessing the database;
and accessing the database through the specific access statement to obtain the data resource corresponding to the at least one item of data authority.
10. The apparatus of claim 9, wherein the obtaining unit is further configured to:
when it is determined that the user has successfully logged in through a system login interface presented by the client, obtaining a target role corresponding to the user;
acquiring a function authority corresponding to the target role according to a pre-established corresponding relationship between the role and the function authority;
feeding back the obtained function authority to the client so that the client establishes a function authority interface according to the obtained function authority;
and acquiring a user request for accessing the data resource triggered by the user based on the function permission interface.
11. The apparatus of claim 10, wherein the obtaining unit is further configured to:
and checking the function authority of the user, wherein if the check passes, the step of acquiring, according to the pre-established user data authority allocation information, at least one item of data authority allocated to the user is executed, and otherwise the user request is rejected.
12. A data rights control device comprising at least one processor and at least one memory, wherein the memory stores a computer program which, when executed by the processor, causes the processor to perform the steps of the method of any one of claims 1 to 6.
13. A storage medium storing computer instructions which, when executed on a computer, cause the computer to perform the steps of the method according to any one of claims 1 to 6.
CN201811352266.7A 2018-11-14 2018-11-14 Data authority control method, device and storage medium Pending CN111191251A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811352266.7A CN111191251A (en) 2018-11-14 2018-11-14 Data authority control method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811352266.7A CN111191251A (en) 2018-11-14 2018-11-14 Data authority control method, device and storage medium

Publications (1)

Publication Number Publication Date
CN111191251A true CN111191251A (en) 2020-05-22

Family

ID=70707282

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811352266.7A Pending CN111191251A (en) 2018-11-14 2018-11-14 Data authority control method, device and storage medium

Country Status (1)

Country Link
CN (1) CN111191251A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112100641A (en) * 2020-11-09 2020-12-18 成都掌控者网络科技有限公司 Multi-dimensional authorization method, system, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130111583A1 (en) * 2011-10-27 2013-05-02 International Business Machines Corporation System and method for hybrid role mining
CN107506658A (en) * 2017-07-10 2017-12-22 上海最会保网络科技有限公司 A kind of user authority management system and method
CN107895123A (en) * 2017-11-13 2018-04-10 医渡云(北京)技术有限公司 Data access authority control method and device, method for managing user right
CN108763960A (en) * 2018-06-04 2018-11-06 北京奇虎科技有限公司 Access authorization for resource management method and device

Similar Documents

Publication Publication Date Title
US10623406B2 (en) Access authentication for cloud-based shared content
US8959114B2 (en) Entitlement management in an on-demand system
US10037430B2 (en) System and method for controlling the on and off state of features of business logic at runtime
RU2598324C2 (en) Means of controlling access to online service using conventional catalogue features
US9195707B2 (en) Distributed event system for relational models
WO2018141242A1 (en) Resource scheduling method, system, server and storage medium
CN109656879B (en) Big data resource management method, device, equipment and storage medium
CN107948203A (en) A kind of container login method, application server, system and storage medium
US10911299B2 (en) Multiuser device staging
CN111191210A (en) Data access right control method and device, computer equipment and storage medium
KR20090106541A (en) Time based permissioning
WO2018119589A1 (en) Account management method and apparatus, and account management system
CN108875387B (en) Data processing method, device, equipment and medium based on AD system
US11882154B2 (en) Template representation of security resources
US9665732B2 (en) Secure Download from internet marketplace
CN115758459A (en) Data authority management method and device
CN111752539B (en) BI service cluster system and construction method thereof
CN111191251A (en) Data authority control method, device and storage medium
US10951600B2 (en) Domain authentication
CN111159729A (en) Authority control method, device and storage medium
US20220374532A1 (en) Managed metastorage
US11411813B2 (en) Single user device staging
CN111723401A (en) Data access authority control method, device, system, storage medium and equipment
US20180336220A1 (en) Dynamic reprioritization of content download during synchronization
KR20190058044A (en) Method for handling organization-based data access control in cloud

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200522