CN112560066A - Data content access authority control method based on character string bit operation - Google Patents
Data content access authority control method based on character string bit operation Download PDFInfo
- Publication number
- CN112560066A CN112560066A CN202011547281.4A CN202011547281A CN112560066A CN 112560066 A CN112560066 A CN 112560066A CN 202011547281 A CN202011547281 A CN 202011547281A CN 112560066 A CN112560066 A CN 112560066A
- Authority
- CN
- China
- Prior art keywords
- data
- authorization
- bit
- access authorization
- data access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 36
- 238000013475 authorization Methods 0.000 claims abstract description 199
- 238000013499 data model Methods 0.000 claims abstract description 8
- 238000003860 storage Methods 0.000 claims description 13
- 238000012545 processing Methods 0.000 claims description 5
- 238000006243 chemical reaction Methods 0.000 claims description 4
- 238000004364 calculation method Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 4
- 238000009826 distribution Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000002411 adverse Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000009825 accumulation Methods 0.000 description 1
- 229910002056 binary alloy Inorganic materials 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
- G06F16/90344—Query processing by using string matching techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- Software Systems (AREA)
- Data Mining & Analysis (AREA)
- Automation & Control Theory (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computational Linguistics (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a data content access right control method based on character string bit operation, which comprises the following steps: according to the definition of the data access authorization bit ID and the data access authorization ID, a general data access authorization data model of the controlled data table is provided, and data content access authorization control of the controlled data table is completed by constructing a data access authorization ID information table and a data access authorization information table for the controlled data table; the data access authorization ID information table is used for storing the unique data access authorization identifier distributed to each data accessor; the data access authorization information table is used for storing authorization information for accessing the data content of the controlled data table, when a data accessor accesses the data content of the controlled data table, the data access authorization bit ID of the data accessor needs to be compared with the authorization group and the authorization bit information in the data access authorization information table, and the authorized information is accessed according to the comparison result.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a data content access right control method based on character string bit operation.
Background
How to correctly access and use data under the premise of safety, compliance and controllability is a key issue which is always concerned in the field of data safety, and with the coming of the data era, the continuous updating of data processing technology and the continuous expansion of the field of data application, how to control the authority of data content in the access process of mass data, especially how to efficiently control the access authority of structured data content in a relational database under the premise of not influencing normal business, becomes more and more a focus of attention.
In order to refine the granularity of access control of data contents of a structured data table stored in a database by a data visitor to each record of a controlled data table, known general basic methods include the following two types:
data content access authority control based on a numerical bit operation mode;
the numerical value bit operation mode is that a numerical value type (number, int, byte type) field is added to the controlled data table to control the data access authority, a binary bit is distributed to each data visitor according to the binary representation of the numerical value type value as the authorization bit of the data visitor, and the authorization bit of the specific data visitor is assigned according to the service requirement during authorization: the authorization position '1' represents permission of access, the authorization position '0' represents prohibition of access, and when a data accessor performs actual data access, data content access authority control is performed according to the authorization bit value of the data accessor in each row of the controlled data table.
And controlling the access authority of the data content based on the mode of the association table.
The association table mode is that one or more association tables are built for the controlled data table (usually, a main key of the controlled data table is used as an association item), a Boolean type authorization field is created on the association table for each data visitor to perform data access authority control, the authorization field of a specific data visitor is assigned according to service requirements during authorization, the field value is 'True' for allowing access, the value is 'False' for forbidding access, and the data visitor performs data content access authority control according to the data visitor authorization field value of each row of the association result view of the controlled table and the association table when performing actual data access.
Although the data content access authority control method of the numerical bit operation mode is low in implementation complexity and low in calculation and storage cost, the value of the authorization field is greatly limited by the data type, and the number of authorization bits provided by a single authorization field cannot meet the requirements of a specific data authority control scene under many conditions. For example: the authorization field of int type in Oracle database has length of only four bytes, and is converted into binary system with 32 bits, that is, only 32 authorization bits can be provided by the data type, and only 176 authorization bits can be provided by number type with 22 bytes.
Although the data content access right control method of the association table mode avoids the defect of insufficient authorization bits by adopting a numerical value bit operation mode in the aspect of realizing logic, DML operation on the controlled table is reduced, and theoretically, addition of an infinite number of authorization fields can be supported by a plurality of association tables, the realization complexity is obviously increased along with the increase of the authorization fields, the calculation and storage cost is higher and higher, and the risk of causing adverse effects on the calculation efficiency and the stability of the production environment where the authorization table is located is increased.
Disclosure of Invention
The present invention is directed to a method for controlling access rights to data content based on string bit operations, which is used to solve the above-mentioned problems in the prior art.
The invention relates to a data content access right control method based on character string bit operation, which comprises the following steps: calculating and distributing authorization bits for each data accessor based on the authorization fields of the character string types, and performing authorization control on the access behavior of each row of data content of the controlled data table according to the authorization bits; according to the definition of the data access authorization bit ID and the data access authorization ID, a general data access authorization data model of the controlled data table is provided, and data content access authorization control of the controlled data table is completed by constructing a data access authorization ID information table and a data access authorization information table for the controlled data table; the data access authorization ID information table is used for storing unique data access authorization identification distributed for each data visitor, calculating the corresponding data access authorization bit ID according to the data access authorization ID of the data visitor when the data visitor is subjected to access authorization on the content of the controlled data table, and updating the authorization group and the authorization bit information in the data access authorization information table by using the data access authorization bit ID; the data access authorization information table is used for storing authorization information for accessing the data content of the controlled data table, when a data accessor accesses the data content of the controlled data table, the data access authorization bit ID of the data accessor needs to be compared with the authorization group and the authorization bit information in the data access authorization information table, and the authorized information is accessed according to the comparison result.
An embodiment of the method for controlling data content access rights based on string bit operations according to the present invention, wherein the data access authorization bit ID includes: defining a data access authorization bit ID of a data visitor as a fixed-length character string, wherein a first part bit character represents an authorization group identifier, and a character value is represented by a character of a 16-system numerical value; the second part bit character represents authorization bits in an authorization group, the character takes the character representation of 16-system numerical values, and each character represents 4 authorization bits.
An embodiment of the method for controlling data content access rights based on string bit operations according to the present invention, wherein the data access authorization ID includes: and assigning the data access authorization bit ID to the data accessor, and authorizing and controlling the data content access behavior of the data accessor.
According to an embodiment of the method for controlling data content access right based on string bit operation of the present invention, wherein the data access authorization ID is defined as a fixed-length string with a length of 11 bytes, the 1 st-5 th bit character represents an authorization group identifier, and the character value is a character representation of a 16-system numerical value: [0-F ]; the 6 th-9 th bit character represents the byte bit of the authorization bit in the authorization group, and the character with 10-system numerical value represents that: [0-9], the legal value range after conversion into data values is: [0-1499 ]; the 10 th-11 th bit character represents the bit of the authorization bit in the byte, and the character takes the value of 2-system numerical value to represent that: [0-1], the legal value range after being converted into numerical values is: [0-3].
According to an embodiment of the method for controlling data content access authority based on string bit operation, the data access authority ID is defined based on the data access authority ID, the authority bit is analyzed and addressed, and the distribution, storage and access processing of the authority bit are optimized.
An embodiment of the method for controlling access rights to data contents based on string bit operations according to the invention, wherein the authorization bits are stored using a string of length 1500.
The invention provides a data content access right control method based on character string bit operation, which solves and optimizes the defects and shortcomings of two data content access right control methods based on numerical bit operation and an associated table mode in the background technology while fully playing the theoretical advantages of the two data content access right control methods, and meets the requirements of various data content access right control scenes on the premise of not causing adverse effects on normal services of an application environment where a controlled table is located as far as possible at lower implementation complexity and calculation and storage cost.
Drawings
FIG. 1 is a diagram of data access authorization bit ID definitions;
FIG. 2 is a diagram of data access authorization ID definitions;
FIG. 3 is a flow diagram of a data access authorization bit state process for a particular data content;
FIG. 4 is a data model entity relationship definition diagram.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
The scheme of the invention technically realizes that authorization bits are calculated and distributed for each data visitor based on an authorization field of a character string type (varchar), and the access behavior of each row of data content of a controlled data table is subjected to authorization control according to the authorization bits. The specific authorization bit storage is carried out by adopting a field of a character string type, and the maximum length limits of the character string types of different databases are different, so that the scheme uses the character string storage authorization bit with the length of 1500 in order to ensure the universality of the scheme.
The scheme of the invention comprises the following contents:
data access authorization bit ID:
in order to reduce the computational complexity of the authorization and control process, each bit character of the authorization field uses hexadecimal numbers (0-F) to store authorization bits, each character provides 4 authorization bits, a position '1' represents permission of access, an authorization position '0' represents prohibition of access, at this time, an authorization string with the length of 1500 can provide 6000 authorization bits, and the authorization bits.
According to the description, the data access authorization bit ID of the data visitor is defined as a fixed-length character string with a length of 1505 bytes, the characters with 1-5 bits represent the authorization group identifier, and the character with a 16-system numerical value represents: [0-F ]; the 6 th-1505 th bit character represents the authorization bit in an authorization group, and the character with the value of 16-system numerical value represents that: 0-F, each character represents 4 authorization bits, and the total number of authorization bit IDs that can be provided can be more than 60 hundred million. For the specific definition, see fig. 1.
Data access authorization ID:
under normal conditions, the data access authorization bit ID can be directly distributed to the data accessor to authorize and control the data content access behavior of the data accessor, but considering that the data length of the data access authorization bit ID is larger, the performance bottleneck can occur in the distribution, storage and access process of the data accessor along with the increase of the number.
According to the above description, the authorization bit is analyzed and addressed by using the method of defining the data access authorization ID based on the data access authorization bit ID, so as to achieve the purpose of optimizing the distribution, storage and access processing of the authorization bit. The data access authorization ID is defined as a fixed-length character string with the length of 11 bytes, a 1-5 bit character represents an authorization group identifier, and a character with the value of 16-system numerical values represents that: [0-F ]; the 6 th-9 th bit character represents the byte bit of the authorization bit in the authorization group, and the character with 10-system numerical value represents that: [0-9], the legal value range after conversion into data values is: [0-1499 ]; the 10 th-11 th bit character represents the bit of the authorization bit in the byte, and the character takes the value of 2-system numerical value to represent that: [0-1], the legal value range after being converted into numerical values is: [0-3]. For the specific definition, see fig. 2.
The data length of the data access authorization ID is only 11 bytes, which is far less than the length of 1505 bytes of the data access authorization bit ID, so that the data access authorization bit ID is very convenient to store and process, and the data access authorization bit state specific to specific data content can be acquired at any time according to needs. The specific processing flow is shown in fig. 3.
Data access rights data model
According to the definition of the data access authorization bit ID and the data access authorization ID, a general data access authorization data model for the controlled data table can be provided. And the data content access authority control of the controlled data table is completed by constructing a data access authorization ID information table and a data access authorization information table for the controlled data table.
The data access authorization ID information table is used for storing unique data access authorization identification distributed to each data accessor, calculating the corresponding data access authorization bit ID according to the data access authorization ID of the data accessor when the data accessor is authorized to access in terms of the content of the controlled data table, and updating the authorization group and the authorization bit information in the data access authorization information table by using the data access authorization bit ID.
The data access authorization information table is used for storing authorization information for accessing the data content of the controlled data table, when a data accessor accesses the data content of the controlled data table, the data access authorization bit ID of the data accessor needs to be compared with the authorization group and the authorization bit information in the data access authorization information table, and the authorized information is accessed according to the comparison result.
The data model table entity definition is shown in table 1, table 2 and table 3. See FIG. 4 for data model entity relationship definition.
TABLE 1 controlled data sheet
Table 2 table of data access authorization ID information
Table 3 table of data access authorization information
The invention adopts the following steps:
1. string bit operation: the method has the advantages that the character string data type is adopted to store the authorization bit information of the data accessor, the storage capacity of a single authorization field to the authorization bit information is effectively expanded, bit operation is used for updating and matching computation of the authorization bit in the data access authorization and control process, and the computation efficiency of the data access authorization and control process is guaranteed.
2. Authorization group: an identification field representing the authorization packet is added on the basis of the authorization bit, and the number limit of the authorization bit supply of a single authorization field is broken through the accumulation of a plurality of authorization groups.
3. Data access authorization ID: aiming at the practical situation that the data length of the data access authorization bit ID is large and calculation and storage are not facilitated along with the increase of the number, the data access authorization bit ID is defined by recoding the data access authorization bit ID, and the data access authorization ID is used for completing the allocation, addressing and calculation of the data access authorization bit, so that the calculation and storage cost performance is improved, and meanwhile, efficient mutual conversion can be performed with the data access authorization bit ID at any time according to the needs.
The invention mainly discloses a brand-new method for controlling the content access authority of a structured data table in a database, which effectively solves the practical problems of small authorization bit quantity provided by a single authorization field of a numerical bit operation method in a background technical scheme and high computing and storage resource occupancy rate caused by the expansion of an association table in an association table method on the basis of fully absorbing and utilizing the advantages of the background technical scheme by using key technologies, design ideas and implementation methods of character string bit operation, authorization groups, data access authorization IDs and the like, and can complete the aim of controlling the access authority of the data content of a controlled table on the premise of basically not influencing the stability of the generation environment of the controlled data table.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.
Claims (6)
1. A method for controlling access authority of data content based on string bit operation is characterized by comprising the following steps:
calculating and distributing authorization bits for each data accessor based on the authorization fields of the character string types, and performing authorization control on the access behavior of each row of data content of the controlled data table according to the authorization bits;
according to the definition of the data access authorization bit ID and the data access authorization ID, a general data access authorization data model of the controlled data table is provided, and data content access authorization control of the controlled data table is completed by constructing a data access authorization ID information table and a data access authorization information table for the controlled data table;
the data access authorization ID information table is used for storing unique data access authorization identification distributed for each data visitor, calculating the corresponding data access authorization bit ID according to the data access authorization ID of the data visitor when the data visitor is subjected to access authorization on the content of the controlled data table, and updating the authorization group and the authorization bit information in the data access authorization information table by using the data access authorization bit ID;
the data access authorization information table is used for storing authorization information for accessing the data content of the controlled data table, when a data accessor accesses the data content of the controlled data table, the data access authorization bit ID of the data accessor needs to be compared with the authorization group and the authorization bit information in the data access authorization information table, and the authorized information is accessed according to the comparison result.
2. The method for controlling access rights to data contents based on string bit operations as claimed in claim 1,
a data access authorization bit ID comprising: defining a data access authorization bit ID of a data visitor as a fixed-length character string, wherein a first part bit character represents an authorization group identifier, and a character value is represented by a character of a 16-system numerical value; the second part bit character represents authorization bits in an authorization group, the character takes the character representation of 16-system numerical values, and each character represents 4 authorization bits.
3. The method for controlling data content access authority based on string bit operation as claimed in claim 1, wherein the data access authority ID comprises: and assigning the data access authorization bit ID to the data accessor, and authorizing and controlling the data content access behavior of the data accessor.
4. The method for controlling access rights to data contents based on string bit operations as claimed in claim 1,
the data access authorization ID is defined as a fixed-length character string with the length of 11 bytes, a 1-5 bit character represents an authorization group identifier, and a character with the value of 16-system numerical values represents that: [0-F ]; the 6 th-9 th bit character represents the byte bit of the authorization bit in the authorization group, and the character with 10-system numerical value represents that: [0-9], the legal value range after conversion into data values is: [0-1499 ]; the 10 th-11 th bit character represents the bit of the authorization bit in the byte, and the character takes the value of 2-system numerical value to represent that: [0-1], the legal value range after being converted into numerical values is: [0-3].
5. The method of claim 1, wherein the data access authorization ID is defined based on the data access authorization bit ID, the authorization bit is parsed and addressed, and the assignment, storage, and access processing of the authorization bit is optimized.
6. The method of claim 1, wherein the authorization bits are stored using a string of length 1500.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011547281.4A CN112560066A (en) | 2020-12-24 | 2020-12-24 | Data content access authority control method based on character string bit operation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011547281.4A CN112560066A (en) | 2020-12-24 | 2020-12-24 | Data content access authority control method based on character string bit operation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112560066A true CN112560066A (en) | 2021-03-26 |
Family
ID=75032396
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011547281.4A Pending CN112560066A (en) | 2020-12-24 | 2020-12-24 | Data content access authority control method based on character string bit operation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112560066A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8613108B1 (en) * | 2009-03-26 | 2013-12-17 | Adobe Systems Incorporated | Method and apparatus for location-based digital rights management |
CN107506655A (en) * | 2017-08-08 | 2017-12-22 | 北京盛华安信息技术有限公司 | Data permission distributes the method with access control |
CN111680274A (en) * | 2020-03-03 | 2020-09-18 | 支付宝(杭州)信息技术有限公司 | Resource access method, device and equipment |
-
2020
- 2020-12-24 CN CN202011547281.4A patent/CN112560066A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8613108B1 (en) * | 2009-03-26 | 2013-12-17 | Adobe Systems Incorporated | Method and apparatus for location-based digital rights management |
CN107506655A (en) * | 2017-08-08 | 2017-12-22 | 北京盛华安信息技术有限公司 | Data permission distributes the method with access control |
CN111680274A (en) * | 2020-03-03 | 2020-09-18 | 支付宝(杭州)信息技术有限公司 | Resource access method, device and equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11893018B2 (en) | Dispersing data and parity across a set of segments stored via a computing system | |
CN102231693A (en) | Method and apparatus for managing access authority | |
RU2373571C2 (en) | Systems and methods for control realised by means of access at level of minor structural units over data stored in relational databases | |
CN102867064B (en) | Associate field inquiry unit and associate field querying method | |
CN101316273A (en) | Distributed safety memory system | |
CN110473100A (en) | A kind of transaction processing method and device based on block catenary system | |
CN105989129A (en) | Real-time data statistic method and device | |
CN101639861A (en) | String matching method and device based on definite state automaton | |
CN105468298A (en) | Key value storage method based on log-structured merged tree | |
CN103810219B (en) | Line storage database-based data processing method and device | |
CN101488924A (en) | Metadata modification method and metadata server | |
CN109241056B (en) | Digital ID generation system for distributed system | |
JP2022547673A (en) | DATA PROCESSING METHOD AND RELATED DEVICE, AND COMPUTER PROGRAM | |
Li et al. | Scaling the blockchain-based access control framework for iot via sharding | |
CN112560066A (en) | Data content access authority control method based on character string bit operation | |
CN112084303B (en) | HBase-based power grid operation data storage and access method and system | |
CN109165262A (en) | Fragmentation clustering system and fragmentation method of relational large table | |
CN106411545A (en) | Service attribute counting method and device | |
JP4313845B2 (en) | Multi-instance in-memory database | |
CN116484442A (en) | Intelligent electricity selling data storage method based on data encryption | |
CN113157692B (en) | Relational memory database system | |
CN104657426B (en) | A kind of method for building up of the ranks blended data storage model based on unified view | |
CN101571858B (en) | Method and device for setting and checking security of a plurality of objects | |
CN101052944B (en) | Systems and methods for fine grained access control of data stored in relational databases | |
CN107924399A (en) | Handle the retrieval process system and method for the unknown retrieval request of volume of transmitted data for host |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |