CN112269982A - Data access control method based on authority configuration - Google Patents


Info

Publication number
CN112269982A
Authority
CN
China
Prior art keywords
data
authority
rule
level
annotation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011304848.5A
Other languages
Chinese (zh)
Inventor
代波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Changhong Electric Co Ltd
Priority to CN202011304848.5A
Publication of CN112269982A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/31User authentication

Abstract

The invention discloses a data access control method based on authority configuration, comprising the following steps: defining an access authority rule policy for the data fields that require authority control; implementing a policy parsing module; implementing a data interception module; and implementing a rule matching module. By configuring the data authority rules of roles and then parsing and applying those rules, the invention solves the problem in the traditional scheme that data access control fails because the authority judgment logic cannot be updated in real time after a role's authority or the data fields change.

Description

Data access control method based on authority configuration
Technical Field
The invention relates to the technical field of information security, in particular to a data access control method based on authority configuration.
Background
Many application development projects involve authority management, which is mainly divided into two parts: function authority and data access authority. Mature schemes already exist for controlling function authority.
Data, as an important information carrier, is exchanged between the service front end and the server. For information security reasons, role division is becoming more and more clearly defined: different roles have different access rights to the data, and the result may differ when the same piece of data is accessed.
In current business system development, data authority is generally controlled during coding either by checking the user's role in the business layer and calling different data acquisition statements, or by adding a WHERE or CASE WHEN condition related to data authority control to the SQL statement that accesses the database.
The disadvantage is that which data needs authority control has to be worked out in detail during development, and the code for data authority control ends up spread throughout the application. Once the SQL statement needs to be adjusted, many SQL statements have to be modified, which is very labor-intensive, and the modified code has to be repackaged and brought online again, which is tedious and slow to take effect.
Disclosure of Invention
To solve the problems in the prior art, the invention aims to provide a data access control method based on authority configuration. By configuring the data authority rules and then parsing and applying them, the method solves the problem in the traditional scheme that data access control fails because the control logic cannot be updated in real time after a role's authority or the data fields change.
To achieve this purpose, the invention adopts the following technical scheme: a method for data access control based on authority configuration, comprising the steps of:
Step 1, defining an access authority rule policy for the data fields that require authority control:
defining the authority level required by each field and the authority level of each role, wherein different login roles correspond to different authority levels and can accordingly access data of different levels; with reference to how a log system configures its log output rules, configuring the authority level of the data root level, namely the root-level rule, and configuring the refined authority level of the attribute fields;
Step 2, implementing a policy parsing module:
writing the parsing of the rule policy, placing the parsed rule policy in memory, and starting a timing function that periodically fetches and loads the configuration file, so that the rule policy is synchronized into memory after it is updated;
Step 3, implementing a data interception module:
writing a custom annotation, implementing it, and making it take effect through its use in an interceptor; when a requested service interface accesses data, the interceptor determines whether the returned message carries the data authority control annotation, which ensures that the data finally passed on is either data that has already been subjected to authority control or data that does not need to be controlled;
Step 4, implementing a rule matching module:
after the interceptor intercepts the data, the authority of the attribute field is judged first, and then the upper-layer rule, namely the root-level rule, is judged.
The invention has the beneficial effects that:
The invention achieves a low degree of code intrusion. During application development there is no need to pay much attention to the control of data access authority; it is only necessary to mark which data can be controlled. When application development is nearly complete, a control rule policy is bound through the access authority of the data fields and the authority to which each role belongs. When data access control needs to be adjusted, only the configured authority rule policy has to be modified.
Drawings
Fig. 1 is a flowchart of data access right control in an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
A method for data access control based on authority configuration, comprising the steps of:
Step 1, defining an access authority rule policy for the data fields that require authority control:
The main purpose of data access control is to control which authority can access which data. Defining the access authority rule policy of a data field amounts to defining the authority level required by the field and defining the authority levels of the roles; different login roles correspond to different authority levels and can accordingly access data of different levels. With reference to how a log system configures its log output rules, the authority level of the data root (root level) is configured first, and then the refined authority levels of the attribute fields below it are configured.
Step 2, implementing a policy parsing module:
A method is written that parses the rule policy and keeps the parsed policy in memory, which avoids the serious loss of efficiency caused by frequently re-reading and re-parsing the configuration file. A timing function is started to periodically fetch and load the configuration file, so that the rule policy is synchronized into memory after it is updated.
Step 3, implementing a data interception module:
The data interception module consists of writing a custom annotation, implementing it, and making it take effect through its use in an interceptor. When a requested service interface accesses data, the interceptor determines whether the returned message carries the data authority control annotation, which ensures that the data finally passed on is either data that has already been subjected to authority control or data that does not need to be controlled. The annotation does not need to carry any additional attribute information; the annotation itself is sufficient, and the annotation marker is removed after the data has been filtered.
Step 4, implementing a rule matching module:
After the interceptor intercepts the data, the rules are matched in the opposite order to the one in which they were parsed: the more precisely matching rule, namely the authority of the attribute field, is judged first, and then the upper-layer rule, namely the root-level rule, is judged. The value content of access-controlled data is cleared, which ensures that the visibility of the data is controlled without affecting the service logic or the normal operation of the service.
To reduce the degree of code intrusion, rule judgment is carried out with an AOP interceptor, and the data is filtered inside the interceptor. To make authority rules take effect promptly, the invention uses an asynchronous timed task to read the configuration at regular intervals during rule parsing; once an update of the authority configuration is detected, the new configuration information is acquired, and the new rule configuration is used the next time the rules are judged. Attribute fields that exceed the caller's authority are filtered out in the interceptor, which achieves the goal of controlling data access authority.
The application's data authority control is kept independent: as in aspect-oriented programming, code intrusion is reduced, and data authority control is handled flexibly and conveniently through configuration. Authority control is injected into the response data by means of an annotation; the system reads the new configuration in real time before the data is returned, and data access control is achieved by parsing the authority rules configured for the annotation and modifying the data.
The method is simple to implement. Once configuration parsing is in place, only the configuration information needs to be added to or modified, which reduces code intrusion and makes the authority checks convenient and intuitive to read. The configuration information can be written to a database table or to an xml configuration file. Configuration changes take effect quickly: the service obtains the new rule information the next time it reads the configuration, and the new rules then apply. The party requesting the data is unaware of the authority access control process, that is, the normal operation of the service is not affected.
Example 2
In this embodiment, role authority levels 1, 2, 3 and 4 are used as an example; the larger the number, the greater the authority. When the access authority of a piece of data is configured, for example name:2, it means that the minimum authority required by the name field is 2, so user roles with authority levels 2, 3 and 4 can access the data.
The basic information of an organization and of an article is used as example data.
The basic information of the organization (org) includes: id (number), name (organization name), desc (description), address (address), location (geographical latitude and longitude), code (internal code), payAccout (payment information), payKey (payment key), and the like.
The article (article) basic information includes: id (number), title (), content (), createTime (), comment, and the like.
The rights configuration information can be written in a variety of formats, and the yml format configuration file is taken as an example below:
Figure BDA0002788035750000052
Implementing the policy parsing module:
The main function of this module is to parse the configuration file and keep the result in memory.
Taking the Java language as an example, the parsing method is as follows:
Figure BDA0002788035750000051
To update the configuration information on a timer, an @Scheduled annotation can be added to the method getAuthInfo(), which achieves the timed update.
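The parse, cache and timed-reload behaviour described above can be sketched as follows. This is an added example, not the patent's code (which survives only as a figure): the class name PolicyStore is hypothetical, a plain ScheduledExecutorService stands in for Spring's @Scheduled, and the rules are assumed to be stored as `type.field=level` lines in java.util.Properties format instead of yml.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public class PolicyStore {
    private final Path file;
    // Request threads only read this reference, so they always see one complete snapshot.
    private volatile Map<String, Integer> rules = Map.of();
    private FileTime lastLoaded; // only touched inside synchronized reload()

    PolicyStore(Path file) { this.file = file; }

    Map<String, Integer> current() { return rules; }

    /** Re-parses the file if its modification time changed; true if new rules were published. */
    synchronized boolean reload() {
        try {
            FileTime modified = Files.getLastModifiedTime(file);
            if (modified.equals(lastLoaded)) return false;
            Properties props = new Properties();
            try (Reader in = Files.newBufferedReader(file)) {
                props.load(in);
            }
            Map<String, Integer> parsed = new HashMap<>();
            for (String key : props.stringPropertyNames()) {
                int level = Integer.parseInt(props.getProperty(key).trim());
                if (level < 1 || level > 4) {
                    throw new IllegalArgumentException("level out of range: " + key);
                }
                parsed.put(key, level);
            }
            rules = Map.copyOf(parsed); // publish the whole snapshot at once
            lastLoaded = modified;
            return true;
        } catch (IOException | RuntimeException e) {
            // A broken or half-written file must not wipe the rules currently in force.
            System.err.println("policy reload failed, keeping previous rules: " + e);
            return false;
        }
    }

    /** Stand-in for the @Scheduled timer: poll the file with a fixed delay. */
    ScheduledExecutorService startTimer(long periodSeconds) {
        ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();
        timer.scheduleWithFixedDelay(this::reload, 0, periodSeconds, TimeUnit.SECONDS);
        return timer;
    }

    public static void main(String[] args) throws Exception {
        Path f = Files.createTempFile("auth", ".properties");
        Files.writeString(f, "article=1\narticle.comment=2\n"); // constructed rules
        PolicyStore store = new PolicyStore(f);
        store.reload();
        System.out.println("initial: " + store.current());
        Files.writeString(f, "article=1\narticle.comment=3\n"); // rule tightened by an admin
        Files.setLastModifiedTime(f, FileTime.fromMillis(System.currentTimeMillis() + 2000));
        store.reload();
        System.out.println("after update: " + store.current());
        Files.delete(f);
    }
}
```

Between two timer ticks the previous rules stay in force, so the polling period bounds how long a revoked permission can remain effective.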
Implementing the data interception module:
As shown in Fig. 1, after the service processing module generates data, the data is returned to the interface control layer. During project development, the annotation @AuthData can be defined and added to the methods of the interface control layer. The annotated method is bound to the AOP tool class, so that when an interface is requested, all of its data can be intercepted and obtained by the interception module for subsequent processing by the rule module.
Implementing the rule matching module:
When the interception module intercepts the service data, it also obtains the user information held in the request thread, including the user's authority level.
In this module, when the service data is an article, the article part of the authority information in auth is obtained. The authority information of the service data is traversed, and the user's authority is compared with the authority level of each piece of data in turn.
If the user authority is higher than the authority of the article field, no change is made to the service data.
If the user authority is lower than the authority of the article field, for example if the user authority is 1, the comment information in the data article is set to null, that is, the comment is not shown.
The organization (org) information is processed in the same manner.
After being processed by the module, data1 is converted into data2 and returned to the interface request end.
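The matching order described above (attribute-field rule first, then the root-level rule, with a denied value cleared to null rather than the key being removed) can be sketched as follows. This is an added example, not code from the patent: the class name AuthDataFilter, the flat `type.field` rule keys and the level values in POLICY are constructed for illustration, and a field with neither a field rule nor a root rule is assumed to be uncontrolled.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class AuthDataFilter {

    // Constructed policy: "<type>" is the root-level rule, "<type>.<field>" a refined
    // attribute-level rule. Values are the minimum role level (1-4) needed to see the data.
    static final Map<String, Integer> POLICY = Map.of(
            "article", 1,
            "article.comment", 2,
            "org", 2,
            "org.payAccout", 3,
            "org.payKey", 4);

    /** Minimum level for one field: the attribute rule is consulted before the root rule. */
    static Integer requiredLevel(String type, String field) {
        Integer fieldRule = POLICY.get(type + "." + field);
        if (fieldRule != null) {
            return fieldRule;        // the most specific rule wins
        }
        return POLICY.get(type);     // null here means no rule at all (assumed uncontrolled)
    }

    /**
     * Returns a copy of the data in which every field the caller may not see has its
     * value cleared to null. Keys are kept so the shape of the response stays stable.
     */
    static Map<String, Object> filter(String type, Map<String, Object> data, int userLevel) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : data.entrySet()) {
            Integer required = requiredLevel(type, e.getKey());
            boolean visible = required == null || userLevel >= required;
            out.put(e.getKey(), visible ? e.getValue() : null);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample records using field names from the embodiment.
        Map<String, Object> article = new LinkedHashMap<>();
        article.put("id", 7);
        article.put("title", "Release notes");
        article.put("comment", "internal review remark");

        Map<String, Object> org = new LinkedHashMap<>();
        org.put("name", "Example Org");
        org.put("payKey", "constructed-sample-key");

        // Level 1 is below article.comment (2); level 2 meets it.
        System.out.println(filter("article", article, 1));
        System.out.println(filter("article", article, 2));
        // Level 1 is below the org root rule (2); level 3 passes the root rule but not payKey (4).
        System.out.println(filter("org", org, 1));
        System.out.println(filter("org", org, 3));
    }
}
```

Because unlisted fields pass through under this assumption, a field added to the data model after the policy was written is exposed at the root level until a refined rule is configured for it.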
The embodiments above describe only specific implementations of the present invention. Although the description is specific and detailed, it is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention.

Claims (1)

1. A method for data access control based on authority configuration, comprising the steps of:
Step 1, defining an access authority rule policy for the data fields that require authority control:
defining the authority level required by each field and the authority level of each role, wherein different login roles correspond to different authority levels and can accordingly access data of different levels; with reference to how a log system configures its log output rules, configuring the authority level of the data root level, namely the root-level rule, and configuring the refined authority level of the attribute fields;
Step 2, implementing a policy parsing module:
writing the parsing of the rule policy, placing the parsed rule policy in memory, and starting a timing function that periodically fetches and loads the configuration file, so that the rule policy is synchronized into memory after it is updated;
Step 3, implementing a data interception module:
writing a custom annotation, implementing it, and making it take effect through its use in an interceptor; when a requested service interface accesses data, the interceptor determines whether the returned message carries the data authority control annotation, which ensures that the data finally passed on is either data that has already been subjected to authority control or data that does not need to be controlled;
Step 4, implementing a rule matching module:
after the interceptor intercepts the data, the authority of the attribute field is judged first, and then the upper-layer rule, namely the root-level rule, is judged.
CN202011304848.5A 2020-11-19 2020-11-19 Data access control method based on authority configuration Pending CN112269982A (en)


Publications (1)

Publication Number Publication Date
CN112269982A true CN112269982A (en) 2021-01-26

Family

ID=74339296



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210126