Desensitization display method for dynamically configured service data
Technical Field
The invention relates to the technical field of electric digital data processing, in particular to a desensitization display method for dynamically configuring service data.
Background
As informatization continues to advance, the requirements for network security and for the confidentiality of user data keep rising, and in applications most business data, such as names, mobile phone numbers and identity cards, must be desensitized before being displayed.
Data desensitization refers to transforming sensitive information according to desensitization rules, so that sensitive private data is reliably protected; for customer security data or commercially sensitive data, the real data is modified and provided for test use without violating system rules.
When desensitizing data, most existing implementations desensitize the service data in program code or in the query SQL, according to the actual service data, at the time the service query is performed. This approach is inconvenient, because the requirements and content of service desensitization change over time: for example, a query on the same data interface had to desensitize the mobile phone number yesterday, and today it has to desensitize the address. When this happens, a professional is generally required to modify the code and release a new version, and a full software change life cycle has to be run every time, which increases resource and time costs and is not beneficial to system implementation and maintenance.
Disclosure of Invention
The invention solves the problems in the prior art and provides an optimized desensitization display method for dynamically configuring service data.
The technical scheme adopted by the invention is that a desensitization display method for dynamically configuring service data comprises the following steps:
step 1: configuring a service interface desensitization rule and a user desensitization authority in a system, wherein the desensitization rule sets secondary treatment corresponding to the user desensitization authority;
the secondary treatment comprises the following steps:
step 1.1: splitting a user into a plurality of classes based on the user type, and identifying each class;
step 1.2: carrying out authority sorting and assignment based on any type of user type;
step 1.3: setting a corresponding primary desensitization rule aiming at any type of user types;
step 1.4: setting a secondary desensitization rule based on the authority of any user in any type of user type;
step 2: the user logs in, if the user has the access permission, the next step is carried out, otherwise, the step 2 is repeated;
step 3: the user inquires the service data, and the interface acquires a service data set;
step 4: if the data set is empty, returning empty and ending, otherwise, performing the next step;
step 5: acquiring the desensitization authority of the current user, if the desensitization is not required, performing the step 8, otherwise, performing the next step;
step 6: if the desensitization rule corresponding to the current service data set is empty, performing the step 8, otherwise, performing the next step;
step 7: processing the service data set based on a desensitization rule corresponding to the current user;
step 8: rechecking the user, and if the display condition is met, outputting the service data set returned in the step 5, the service data set returned in the step 6 or the processed service data set returned in the step 7.
Preferably, in step 1.2, for users in any user type, based on the permissions from large to small, the assignments are from small to large, and the sum of the assignments of all users in any user type is 1.
Preferably, in the step 1.2, one or more thresholds are set for any type of user type, the users are distinguished to different authorities according to the thresholds, and the assignment of the users in each threshold is the same; the sum of the assignments for all users in any user type is 1.
Preferably, in step 1.3, the primary desensitization rule is to perform content division on the service data, and desensitize a plurality of contents or perform desensitization processing corresponding to different user types.
Preferably, in the step 1.3, the content to be desensitized is labeled for the corresponding user type according to the primary desensitization rule, and core content desensitization is performed on the content.
Preferably, in step 1.4, the secondary desensitization rule is to obtain, for the data after the primary desensitization, a random number α and the assignment β of the current user, and to desensitize the desensitization segment of the service data by the percentage α × β, where α ∈ (0, 1).
Preferably, in step 2, the user inputs a user name and a password in the system interface, and if matching is successful, a label carrying the user type and the weight assignment is generated and stored in a database of the system.
Preferably, in step 8, the user data and the label carrying the user type and the weight assignment stored in the database of the system are obtained, the desensitization authority of the current user is requested from the cloud, and if it matches the user desensitization authority in the system, the service data set returned in step 5, or the service data set returned in step 6, or the processed service data set returned in step 7 is output.
Preferably, if the user desensitization permissions of the system and the cloud are not matched in step 8, the user desensitization permission of the system is updated according to the user desensitization permission of the cloud, and the interface prompts the user to operate again.
Preferably, if the user desensitization permissions of the system and the cloud are not matched in step 8, the user desensitization permission of the system is updated by the user desensitization permission of the cloud, the interface acquires the service data set queried by the current user again, and the step 4 is returned.
The invention relates to an optimized desensitization display method for dynamically configuring service data, which comprises the steps of configuring service interface desensitization rules and user desensitization authorities in a system, setting secondary processing corresponding to the user desensitization authorities according to the desensitization rules, inquiring service data after a user normally logs in, gradually judging the attributes of a data set, the desensitization authorities of the current user and the desensitization rules after the interface acquires a service data set, corresponding and processing the desensitization rules and the service data set under the condition of needing, and outputting data returned by the operation.
The invention sets different role authorities for different user roles and user levels, adopts a management background configuration mode for different service interface desensitization contents, performs desensitization configuration on service data interfaces needing desensitization, does not perform desensitization when authorized users access the service data, performs desensitization operation according to configuration when unauthorized users access the service data, and then performs configuration for the changes when the requirements of the service interface desensitization contents change.
The invention reduces the program development amount caused by the change of the service data desensitization object, accelerates the response speed to the service requirement, and simultaneously reduces the cost loss of enterprises.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The present invention is described in further detail with reference to the following examples, but the scope of the present invention is not limited thereto.
The invention relates to a desensitization display method for dynamically configuring service data, which comprises the following steps.
Step 1: configuring a service interface desensitization rule and a user desensitization authority in the system, wherein the desensitization rule sets secondary treatment corresponding to the user desensitization authority.
In the invention, the range of data that a user may query can change, for reasons including but not limited to a change of functional department or an increase or decrease of the queryable data caused by promotion or demotion. The desensitization authority of a user cannot be updated without any time lag, and frequent updating of system data increases the workload of the system and reduces its running speed. The real-time desensitization authority of the user therefore actually resides in the cloud, and the system stores either the latest desensitization authority of the user or the one from the most recent update.
In the invention, secondary treatment is set between the desensitization rule and the user desensitization authority, so that the desensitization difficulty is reduced and the protection level is improved.
The secondary treatment comprises the following steps:
Step 1.1: splitting a user into a plurality of classes based on the user type, and identifying each class;
In the invention, the user types have diversity, such as business departments and management departments, wherein the business departments can refine different businesses, the management departments also refine different management fields, and for each subclass of user types, the data contents which can be inquired by the user types are different, and the contents which are not allowed to be checked by the user types are identified.
Step 1.2: carrying out authority sorting and assignment based on any type of user type;
In the step 1.2, for the users in any user type, the assignment is changed from small to large based on the permission from large to small, and the sum of the assignments of all the users in any user type is 1.
In the step 1.2, one or more thresholds are set for any type of user, the users are distinguished to different authorities according to the thresholds, and the assignment of the users in each threshold is the same; the sum of the assignments for all users in any user type is 1.
In the invention, after the user types are divided, the authority is distributed to different users in each user type, namely different users can possibly see different contents even in the same user type.
In the present invention, the distribution of rights includes at least two embodiments:
Embodiment one
The users in each user type are ranked according to the authority, and assignment is carried out based on the size of the authority, and in the embodiment, the assignment is smaller when the authority is larger, and a technician in the field can set the assignment according to the requirement; obviously, the sum of the assignments for all users in any user type is 1;
Embodiment two
Setting one or more thresholds for users in each user type, setting threshold points based on subdivision requirements of technicians, and distinguishing the users to different authorities according to the thresholds, wherein the user assignment in each threshold is the same; the sum of the assignments for all users in any user type is 1.
In the present invention, the first embodiment is more suitable for the incentive user environment, and the second embodiment is more suitable for the flat-level administrative user environment.
Step 1.3: setting a corresponding primary desensitization rule aiming at any type of user types;
In step 1.3, the primary desensitization rule is to perform content division on the service data, and desensitize a plurality of contents or perform desensitization treatment corresponding to different user types.
In the step 1.3, the primary desensitization rule marks the content to be desensitized for the corresponding user type and carries out core content desensitization on the content.
In the invention, primary desensitization is mainly carried out based on different user types.
In the present invention, the primary desensitization rule includes at least two embodiments:
Embodiment one
Dividing the content of the service data, generally according to fields, and after division, desensitizing partial content divided based on different user types;
Embodiment two
Marking the content to be desensitized, intercepting the core content of the content, and processing the core content, wherein the core content refers to the content which has a marking function, such as the last four digits of a mobile phone number, the middle 8 digits of an identity card number and the like.
In the invention, the first embodiment is more suitable for the service data with definite fields, and the second embodiment is more suitable for the service data with definite characteristics.
Step 1.4: setting a secondary desensitization rule based on the authority of any user in any type of user type.
In step 1.4, the secondary desensitization rule is to obtain, for the data after primary desensitization, a random number α and the assignment β of the current user, and to desensitize the desensitization segment of the service data by the percentage α × β, where α ∈ (0, 1).
In the invention, the data after one desensitization is subjected to random desensitization on different parts based on different users, so that the adding density of the service data is ensured, wherein the desensitized field is randomly determined by a random number and the assignment of the current user, and the system security level is ensured.
In the invention, desensitizing the desensitization segment of the service data by the percentage α × β means that the service data is divided into desensitization segments and, taking α = 0.5 and β = 0.2 as an example, 10% of the content in the desensitization segments is desensitized; the desensitization segments are the fields that need desensitization.
In the present invention, in fact, the primary desensitization rule is a wide-range and universal desensitization, while the secondary desensitization rule is a refined desensitization process for the user.
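Steps 1.2 to 1.4 carried through in Python, as an added example that is not part of the patent text: rank-based assignments (embodiment one of step 1.2), core-content masking of a phone number (embodiment two of step 1.3), then secondary masking of a share α × β. The function names, the linear 1..n weighting, rounding the share up and drawing positions from the still-visible characters are assumptions; the users and the phone number are constructed sample data.

```python
import math
import random

MASK = "*"

def rank_assignments(users_by_authority):
    """Step 1.2, embodiment one: input is ordered from largest to smallest
    authority; assignments grow from small to large and sum to 1.
    The linear 1..n weighting is an assumption, the page leaves it open."""
    n = len(users_by_authority)
    total = n * (n + 1) / 2
    return {u: (i + 1) / total for i, u in enumerate(users_by_authority)}

def primary_mask_core(value, start, end):
    """Step 1.3, embodiment two: mask the marked core content [start, end)."""
    return value[:start] + MASK * (end - start) + value[end:]

def secondary_mask(value, beta, rng, alpha=None):
    """Step 1.4: additionally mask a share alpha * beta of the segment.
    Assumptions: the share is taken of the segment length, rounded up, and
    the positions are drawn at random from characters still visible."""
    if alpha is None:                      # draw alpha from the open interval (0, 1)
        alpha = rng.random()
        while alpha == 0.0:
            alpha = rng.random()
    if not 0 < alpha < 1:
        raise ValueError("alpha must be in (0, 1)")
    visible = [i for i, ch in enumerate(value) if ch != MASK]
    # round() removes floating-point noise before rounding the count up
    count = min(len(visible), math.ceil(round(alpha * beta * len(value), 9)))
    chosen = set(rng.sample(visible, count))
    return "".join(MASK if i in chosen else ch for i, ch in enumerate(value))

def demo():
    # Constructed sample data: three users of one user type, one phone number.
    beta = rank_assignments(["director", "manager", "clerk"])
    rng = random.SystemRandom()            # OS-provided randomness
    once = primary_mask_core("13812345678", 7, 11)   # last four digits
    return {u: secondary_mask(once, b, rng) for u, b in beta.items()}

if __name__ == "__main__":
    for user, shown in demo().items():
        print(user, shown)
```

With α = 0.5 and β = 0.2, a 20-character address field loses two characters, which is the 10% figure given above.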
Step 2: the user logs in; if the user has the access authority, the next step is carried out, otherwise step 2 is repeated.
In the step 2, the user inputs the user name and the password in the system interface, and if matching is successful, a label carrying the user type and the weight assignment is generated and stored in the database of the system.
In the invention, because the user has a conforming process before obtaining the inquired business data, the information of the user, including the user name, the user type, the label assigned by the weight and the like, is stored in the database when the user logs in, thereby being convenient for calling and tampering.
Step 3: the user inquires the service data, and the interface acquires a service data set.
Step 4: if the data set is empty, returning empty and ending, otherwise, performing the next step.
Step 5: acquiring the desensitization authority of the current user; if desensitization is not required, performing step 8, otherwise performing the next step.
Step 6: if the desensitization rule corresponding to the current service data set is empty, performing step 8, otherwise performing the next step.
Step 7: processing the service data set based on the desensitization rule corresponding to the current user.
In the invention, a user queries a service data set through an interface; when the returned data set passes through the framework interceptor, it is judged whether the data set is empty, and if it is empty it is passed through directly;
if the data set is not empty, judging the desensitization authority of the current user for accessing the current interface, and if the desensitization is not needed, directly returning the data set;
when the current user accesses the current interface and needs desensitization, acquiring a desensitization rule of the current interface, and if the desensitization rule is not configured, directly returning a data set;
and if the current interface has desensitization rules and the current access user also needs desensitization, performing unified desensitization operation on the service data result set according to the configured desensitization rules, and returning the desensitized service data set after the desensitization operation is completed.
Step 8: rechecking the user, and if the display condition is met, outputting the service data set returned in the step 5, the service data set returned in the step 6 or the processed service data set returned in the step 7.
In the step 8, the user data and the label carrying the user type and the weight assignment stored in the database of the system are obtained, the desensitization authority of the current user is requested from the cloud, and if it matches the desensitization authority of the user in the system, the service data set returned in the step 5, the service data set returned in the step 6 or the processed service data set returned in the step 7 is output.
And if the user desensitization permission of the system is not matched with that of the cloud in the step 8, updating the user desensitization permission of the system by using the user desensitization permission of the cloud, and prompting the user to operate again by using an interface.
And if the user desensitization permission of the system is not matched with that of the cloud in the step 8, updating the user desensitization permission of the system by using the user desensitization permission of the cloud, acquiring the service data set queried by the current user again by using the interface, and returning to the step 4.
In the invention, the returned data content should not be directly fed back to the user, because the user desensitization authority and desensitization rule applicable to the user may change in the time between the query and the last query, the user desensitization authority and desensitization rule need to be rechecked with the cloud, and if the recheck is correct, the data is output.
In the invention, if the user desensitization authority of the system and the cloud end is not matched, at least two processing modes are included, the user desensitization authority of the system is updated and the user is directly informed to modify, or the user desensitization authority of the system is updated and the content inquired by the user is directly used for desensitization processing again; both modes are feasible and are suitable for different system levels.
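The decision flow of steps 3 to 8, including the cloud recheck with the re-query handling of a mismatch, as an added Python example that is not part of the patent text. The in-memory permission stores, the rule table, the whole-field masking, the default of masking unknown users and the bound on retry rounds are assumptions; the record and user are constructed sample data.

```python
MASK = "*"

def mask_row(row, fields):
    """Step 7: return a copy of the record with the configured fields masked."""
    return {k: MASK * len(str(v)) if k in fields else v for k, v in row.items()}

def query_with_recheck(user, interface, fetch, system, cloud, rules, max_rounds=3):
    """Steps 3 to 8. system and cloud map (user, interface) to True when
    desensitization is required; rules maps an interface to the fields to
    mask. All three stores are hypothetical stand-ins for the real ones."""
    key = (user, interface)
    for _ in range(max_rounds):                  # retry bound is an assumption
        rows = fetch(interface)                  # step 3: interface gets the data set
        if not rows:                             # step 4: empty set ends the flow
            return []
        required = system.get(key, True)         # step 5: unknown users are masked (assumption)
        fields = rules.get(interface) or []      # step 6: no rule configured, nothing to mask
        if required and fields:
            result = [mask_row(r, fields) for r in rows]   # step 7
        else:
            result = rows
        live = cloud.get(key, True)              # step 8: recheck against the cloud copy
        if live == required:
            return result
        system[key] = live                       # refresh the stale system copy, query again
    raise PermissionError("desensitization authority kept changing during the query")

def demo():
    # Constructed sample: the system copy is stale and says no masking is
    # needed, while the cloud copy says masking is required.
    rows = [{"name": "Zhang San", "phone": "13812345678"}]
    system = {("alice", "customer/list"): False}
    cloud = {("alice", "customer/list"): True}
    rules = {"customer/list": ["phone"]}
    return query_with_recheck("alice", "customer/list",
                              lambda _i: rows, system, cloud, rules)

if __name__ == "__main__":
    print(demo())
```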