CN101739523B - Data permission control method and device - Google Patents

Publication number: CN101739523B
Authority: CN (China)
Prior art keywords: data, combination, basic, permission information, user
Legal status: Active
Application number: CN2009102238795A
Other languages: Chinese (zh)
Other versions: CN101739523A (en)
Inventor: 曾功立
Current Assignee: Kingdee Software China Co Ltd
Original Assignee: Kingdee Software China Co Ltd

Abstract

The invention discloses a data permission control method and system. The method comprises the following steps: permuting and combining all basic data of M basic data types to obtain first data combinations; assigning a unique combination identifier to each first data combination; when data is to be stored, looking up, among the first data combinations, the first data combination that corresponds to the basic data of that data, and using the combination identifier of the first data combination found as the combination identifier of the data; when a data operation request message is received from a user, obtaining the user's first data permission information, which includes the combination identifiers of the user; and, when the combination identifier of the data requested by the message is determined to be within the scope of the first data permission information, permitting the user to carry out the function operation requested by the message on the data requested by the message. The data permission control method and system can improve the response speed of a data management system to users' data operation requests.

Description

A data permission control method and device
Technical field
The present invention relates to data permission control technology, and in particular to a data permission control method and device.
Background
In existing data management systems, data permissions are conventionally handled as a further extension of role-based access control (RBAC, Role-Based Access Control): management of data permissions is added on top of function permissions, so that data permissions and function permissions are handled centrally. In practice, the control points of data permissions are generally fairly fixed, for example company, department, individual, customer or supplier; in other words, data permissions generally apply to certain basic data objects under specified data types.
In the prior art, when a user needs to perform an operation such as viewing or modifying a piece of data, the data management system must first query the corresponding database system to confirm whether the user has the data permission to view or modify that data. Because the various data permissions currently apply to basic data objects that are stored in separate data tables (department, customer and so on), the database system has to call several data tables and run a multi-table join query before it can finally determine whether the user has the data permission to view, modify or otherwise operate on the data.
Suppose the average time for the database system to query one data table is $t$; the time for the database system to query $n$ tables is then $nt$, and in some special cases it may even be $t^n$. This seriously affects the query efficiency of the database system and, in turn, the response speed of the data management system to users' data operation requests.
Summary of the invention
In view of this, the technical problem to be solved by the present invention is to provide a data permission control method and device that can improve the response speed of a data management system to users' data operation requests.
To this end, the embodiments of the invention adopt the following technical solutions:
An embodiment of the invention provides a data permission control method, comprising:
Permuting and combining all basic data included in M basic data types to obtain at least one first data combination, where each first data combination includes at least one basic data item and the basic data items within a first data combination belong to different basic data types; assigning a unique combination identifier to each first data combination; M is an integer not less than 1;
When data is to be stored, looking up, among the first data combinations, the first data combination corresponding to the basic data of that data, and using the combination identifier of the first data combination found as the combination identifier of the data;
When a data operation request message is received from a user, obtaining the user's first data permission information, which includes the combination identifiers corresponding to the user; and, when the scope of the first data permission information is determined to include the combination identifier of the data requested by the message, allowing the user to perform the function operation requested by the message on the data requested by the message.
Determining that the scope of the first data permission information includes the combination identifier of the data requested by the message is specifically:
Determining that the whole of the first data permission information includes the combination identifier of the data, the data being the data on which the message requests an operation.
The first data permission information is divided into at least two pieces of second data permission information according to function operation;
Accordingly, determining that the scope of the first data permission information includes the combination identifier of the data requested by the message is specifically:
Obtaining, from the first data permission information, the second data permission information corresponding to the function operation requested by the message;
Determining that the second data permission information includes the combination identifier of the data, the data being the data on which the message requests an operation.
Looking up, among the first data combinations, the first data combination corresponding to the basic data of the data is specifically:
Obtaining the basic data corresponding to the data;
Taking that basic data as a second data combination and comparing it with each first data combination to obtain the first data combination identical to the second data combination.
The second data combination includes one basic data item under each of M1 basic data types; the M1 basic data types are contained in the M basic data types; M1 is an integer not less than 1;
Or, the second data combination includes at least one basic data item, and its basic data items belong to different basic data types.
An embodiment of the invention also provides a data permission control system, comprising:
A relationship generation unit, configured to permute and combine all basic data included in M basic data types to obtain at least one first data combination, where each first data combination includes at least one basic data item and the basic data items within a first data combination belong to different basic data types, and to assign a unique combination identifier to each first data combination; M is an integer not less than 1;
A storage unit, configured to, when data is to be stored, look up, among the first data combinations, the first data combination corresponding to the basic data of that data, and use the combination identifier of the first data combination found as the combination identifier of the data;
An authentication unit, configured to, when a data operation request message is received from a user, obtain the user's first data permission information, which includes the combination identifiers corresponding to the user; and, when the scope of the first data permission information is determined to include the combination identifier of the data requested by the message, allow the user to perform the function operation requested by the message on the data requested by the message.
The authentication unit comprises:
A first obtaining subunit, configured to, when a data operation request message is received from a user, obtain the user's first data permission information, which includes the combination identifiers corresponding to the user;
A first determining subunit, configured to, when the whole of the first data permission information is determined to include the combination identifier of the data requested by the message, allow the user to perform the function operation requested by the message on the data requested by the message.
The first data permission information is divided into at least two pieces of second data permission information according to function operation, and correspondingly the authentication unit comprises:
A second obtaining subunit, configured to, when a data operation request message is received from a user, obtain the user's first data permission information, which includes the combination identifiers corresponding to the user;
A second determining subunit, configured to obtain, from the first data permission information, the second data permission information corresponding to the function operation requested by the message; and, when the second data permission information is determined to include the combination identifier of the data requested by the message, allow the user to perform the function operation requested by the message on the data requested by the message.
The storage unit comprises:
A third obtaining subunit, configured to, when data is to be stored, obtain the basic data corresponding to the data;
A comparing subunit, configured to take that basic data as a second data combination and compare it with each first data combination, and, when the first data combination identical to the second data combination is obtained, use the combination identifier of that first data combination as the combination identifier of the data.
The second data combination includes one basic data item under each of M1 basic data types; the M1 basic data types are contained in the M basic data types; M1 is an integer not less than 1;
Or, the second data combination includes at least one basic data item, and its basic data items belong to different basic data types.
The technical effect of the above technical solution is analysed as follows:
The correspondence between first data combinations and combination identifiers is established in advance, and when data is stored, the basic data of the data is converted into the corresponding combination identifier and stored together with the data. When a data operation request message is then received from a user, it is only necessary to determine that the user's first data permission information includes the combination identifier of the data in order to determine that the user has permission to perform the corresponding function operation on the data requested by the message. By establishing the correspondence between first data combinations and combination identifiers and converting basic data into a combination identifier at storage time, the method of the invention reduces the time the database system spends on data permission queries while a user operates on data, which shortens the time the data management system needs to verify the user's data permission and improves the response speed of the data management system to users' data operation requests.
Description of drawings
Fig. 1 is a schematic flowchart of a data permission control method according to an embodiment of the invention;
Fig. 2 is a schematic flowchart of another data permission control method according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a data permission control system according to an embodiment of the invention;
Fig. 4 is an example diagram of one implementation structure of the authentication unit in the data permission control system of an embodiment of the invention;
Fig. 5 is an example diagram of another implementation structure of the authentication unit in the data permission control system of an embodiment of the invention;
Fig. 6 is an example diagram of the implementation structure of the storage unit in the data permission control system of an embodiment of the invention.
Embodiments
First, the key terms and abbreviations used in the embodiments of the invention are explained:
(1) User: a subject that takes part in system activity, such as a person or a system;
(2) Function: an operation on a resource, expressed as a two-tuple of resource and operation type, such as adding a sales order or modifying a sales order;
Permission: the functions a user may use, divided into the user's function permissions and the user's data permissions;
(3) Function permission: a function operation the user may use, such as adding a sales order;
Data permission: the user can process only the data within the user's own permission scope and statistics on that data, for example whether the user has the data permission to view the sales orders of Zhang San of the Haidian sales department of the Beijing company;
(4) Basic data type: records the types of basic data that need to be controlled, such as department, warehouse, employee, customer, supplier and account;
Basic data: records the object instances of each type; for example, departments include the Beijing sales department and the Shanghai sales department, and warehouses include the raw material warehouse and the finished goods warehouse;
(5) Business document type: records the types of documents processed in the system, such as purchase order, sales order, invoice and stores list;
Business document: records a concrete document of some document type; for example, a purchase order contains the materials purchased on a certain day, and a sales order contains a record of the products sold to a certain customer.
In the prior art, when a user needs to perform a function operation such as viewing or modifying a piece of data, the system must first query whether the user has the data permission to perform that function operation on the data. Because the various data permissions currently apply to basic data objects that are stored in separate data tables (department, customer and so on), the system has to call several data tables and run a multi-table join query before it can finally determine whether the user has the data permission to perform the function operation on the data.
Suppose the average time for the system to query one data table is $t$; the time for the system to query $n$ tables is then $nt$, and in some special cases it may even be $t^n$, which seriously affects the response speed of the system. In addition, a multi-table join query takes up a large amount of the database system's cache resources, which may reduce the number of concurrent users the database system can support and lower its processing efficiency.
The implementation of the data permission control method and device of the present invention is described below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of the data permission control method of an embodiment of the invention. As shown in Fig. 1, the method comprises:
Step 101: permute and combine all basic data included in M basic data types to obtain at least one first data combination, where each first data combination includes at least one basic data item and the basic data items within a first data combination belong to different basic data types; assign a unique combination identifier to each first data combination;
Step 102: when data is to be stored, look up, among the first data combinations, the first data combination corresponding to the basic data of that data, and use the combination identifier of the first data combination found as the combination identifier of the data;
Step 103: when a data operation request message is received from a user, obtain the user's first data permission information; when the scope of the first data permission information is determined to include the combination identifier of the data requested by the message, allow the user to perform the function operation requested by the message on the data requested by the message.
Step 101 is the preparation step, step 102 is the data storage step, and step 103 is the data permission decision step performed when a user carries out a function operation on a piece of data.
Generally, once the correspondence between first data combinations and combination identifiers has been established and stored in the data management system, step 101 need not be executed again after its first execution unless a basic data type, or the basic data within some basic data type, changes. Each time step 102 and/or step 103 is to be executed, the data management system simply reads the stored correspondence directly rather than re-establishing it.
In addition, a user can perform other function operations on a piece of data only after that data has been stored in step 102. Therefore, for the same piece of data, the execution order of step 102 and step 103 is fixed. For the data management system as a whole, however, step 102 or step 103 can be triggered at any time, and there is no fixed execution order.
In the data permission control method of the embodiment shown in Fig. 1, the correspondence between first data combinations and combination identifiers is established in advance, and when data is stored, the basic data of the data is converted into the corresponding combination identifier and stored together with the data. When a data operation request message is then received from a user, it is only necessary to determine that the user's first data permission information includes the combination identifier of the data in order to determine that the user has permission to perform the corresponding function operation on the data requested by the message. By establishing the correspondence between first data combinations and combination identifiers and converting basic data into a combination identifier at storage time, the method of the invention reduces the time the database system spends on data permission queries while a user operates on data, which shortens the time the data management system needs to verify the user's data permission and improves the response speed of the data management system to users' data operation requests.
On the basis of the embodiment shown in Fig. 1, the data permission control method of the invention is described in more detail through the embodiment shown in Fig. 2. As shown in Fig. 2, the method comprises:
Step 201: permute and combine all basic data included in all M basic data types to obtain at least one first data combination, where each first data combination includes at least one basic data item and the basic data items within a first data combination belong to different basic data types; assign a unique combination identifier to each first data combination.
The combination identifier uniquely identifies each data combination. For example, natural numbers or positive integers can be used as the combination identifiers of the first data combinations.
M in this step should be the number of all basic data types that the data permission information of one class of data (for example, one business document type) can include; and all basic data that the data permission information of this class of data may involve should be listed under each basic data type, so that it can serve as the basic data used to look up combination identifiers in the subsequent steps.
In practice, the correspondence between first data combinations and combination identifiers can be recorded in the database system in the form of a data table.
For example, suppose the data permission information of data of one business document type (such as sales orders) involves 2 basic data types (department, warehouse):
The basic data type "department" includes 3 basic data items: A1, A2 and A3;
The basic data type "warehouse" includes 2 basic data items: B1 and B2.
The number of first data combinations obtained in this step is then 11. The natural numbers 1 to 11 are assigned to the first data combinations as combination identifiers, and the resulting correspondence between first data combinations and combination identifiers is shown in Table 1:
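Table 1

| Combination identifier | Department | Warehouse |
|---|---|---|
| 1 | A1 | B1 |
| 2 | A1 | B2 |
| 3 | A2 | B1 |
| 4 | A2 | B2 |
| 5 | A3 | B1 |
| 6 | A3 | B2 |
| 7 | A1 | |
| 8 | A2 | |
| 9 | A3 | |
| 10 | | B1 |
| 11 | | B2 |
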
One way to implement this step is to use the "materialized view" technology supported by relational databases to generate the first data combinations: an automatically updated materialized view such as Table 1 can be built from the primary key of the department table and the primary key of the warehouse table.
Step 102 can be implemented by the following steps 202 to 203.
Step 202: when data is to be stored, obtain the basic data corresponding to the data.
When data is stored, the basic data corresponding to the data can be configured by the user who stores it; for example, the system provides this user with a settings interface and takes the configuration information the user enters as the basic data of the data.
Alternatively, different basic data information can be set for different types of data; when a user stores a piece of data, the system can look up the corresponding basic data directly from the type of the data.
Step 203: take that basic data as a second data combination and compare it with each first data combination to obtain the first data combination identical to the second data combination, and use the combination identifier of that first data combination as the combination identifier of the data.
The second data combination can be as follows:
The second data combination includes one basic data item under each of M1 basic data types; the M1 basic data types are contained in the M basic data types; M1 is an integer not less than 1;
Or, the second data combination includes at least one basic data item, and its basic data items belong to different basic data types.
Suppose the basic data corresponding to a piece of data, such as a sales order, is department A1 and warehouse B1; the lookup in this step then yields combination identifier 1 for this sales order.
Step 103 is implemented by the following steps 204 to 206:
Step 204: when a data operation request message is received from a user, obtain the user's first data permission information.
The first data permission information consists of the combination identifiers corresponding to the user.
When a user's first data permission information is stored, it can be set directly to the combination identifiers; alternatively, data combinations can be generated from the basic data set for the user and matched against the first data combinations, and the combination identifiers of the matching first data combinations are then obtained.
The process of converting a user's basic data into third data combinations and then into combination identifiers is specifically as follows:
Suppose the user's basic data belongs to M2 basic data types, and the M2 basic data types are contained in the M basic data types.
The permutation and combination method can be adapted to the third data combinations required. What a third data combination contains can be set independently, for example: (1) a third data combination includes one basic data item under each of the M1 basic data types; or (2) a third data combination includes at least one basic data item, and the basic data items in it belong to different basic data types.
Taking third data combinations of kind (1) as an example, suppose the basic data set for a user is as follows:
The basic data type "department" includes 1 basic data item: A1;
The basic data type "warehouse" includes 2 basic data items: B1 and B2.
Permutation and combination then yields 2 third data combinations, as shown in Table 2:
Table 2

| Department | Warehouse |
|---|---|
| A1 | B1 |
| A1 | B2 |

Taking third data combinations of kind (2) as an example, with everything else unchanged, permutation and combination yields 5 third data combinations, as shown in Table 3:

Table 3

| Department | Warehouse |
|---|---|
| A1 | B1 |
| A1 | B2 |
| A1 | |
| | B1 |
| | B2 |

For the third data combinations shown in Table 2, looking them up in Table 1 in this step shows that the two first data combinations with combination identifiers 1 and 2 are identical to the third data combinations in Table 2, so the user's first data permission information is: combination identifiers 1 and 2.
For the third data combinations shown in Table 3, looking them up in Table 1 in this step shows that the first data combinations with combination identifiers 1, 2, 7, 10 and 11 are identical to the third data combinations in Table 3, so the user's first data permission information is: combination identifiers 1, 2, 7, 10 and 11.
Step 205: judge whether the scope of the first data permission information includes the combination identifier of the data, the data being the data on which the data operation request message requests an operation; if so, execute step 206; otherwise, execute step 207.
The scope of the first data permission information in this step covers two cases:
(1) The user's first data permission information applies to function operations as a whole, that is, all function operations share the same first data permission information. In this case, the scope of the first data permission information in this step is the whole of the first data permission information.
The function operations can include modifying, viewing and deleting the data, among others.
In this case, this step can be implemented as: judging whether the whole of the first data permission information includes the combination identifier of the data requested by the message.
Suppose the user's first data permission information includes combination identifiers 1, 2 and 3, and the combination identifier of the data on which the data operation request message requests an operation is 1. In this step, all of the user's combination identifiers 1, 2 and 3 are compared with the data's combination identifier 1, and it is determined that the user's first data permission information includes the combination identifier of the data.
(2) The user's first data permission information is divided into at least two pieces of second data permission information according to function operation, that is, the user's first data permission information is partitioned by function operation. In this case, the scope of the first data permission information in this step is the second data permission information corresponding to the function operation requested by the message.
This step can be implemented as: obtaining, from the first data permission information, the second data permission information corresponding to the function operation requested by the message;
Determining that the second data permission information includes the combination identifier of the data requested by the message.
For example, in a user's first data permission information, function operation A corresponds to second data permission information 1, 2, and function operation B corresponds to second data permission information 3, 4. Suppose the message requests function operation B and the combination identifier of the data requested by the message is 2. In this step, the identifiers 3, 4 corresponding to function operation B are compared with combination identifier 2, and the comparison result is "no".
Step 206: allow the user to perform the function operation requested by the message on the data requested by the message; the current processing flow ends.
Step 207: do not allow the user to perform the function operation requested by the message on the data requested by the message; the current processing flow ends.
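The following Python sketch is an added example, not code from the patent: it walks steps 201 to 207 on the department/warehouse data above and reproduces the identifiers of Table 1. The function names, the dictionary layout, the fail-closed handling of unknown combinations and the enumeration order used to number the combinations are assumptions; the patent only requires the identifiers to be unique.

```python
from itertools import combinations, product

# Sample basic data taken from the page's worked example (Table 1).
BASIC_DATA = {
    "department": ["A1", "A2", "A3"],
    "warehouse": ["B1", "B2"],
}


def build_combination_table(basic_data):
    """Step 201: enumerate every first data combination and number it from 1.

    A combination holds at most one basic data item per basic data type.
    Enumerating the largest sets of types first is an assumption made so
    that the identifiers come out exactly as in Table 1.
    """
    types = list(basic_data)
    table = {}
    next_id = 1
    for size in range(len(types), 0, -1):
        for chosen_types in combinations(types, size):
            for values in product(*(basic_data[t] for t in chosen_types)):
                table[frozenset(zip(chosen_types, values))] = next_id
                next_id += 1
    return table


def combination_id(table, record_basic_data):
    """Steps 202-203: map a record's basic data to its combination identifier."""
    key = frozenset(record_basic_data.items())
    if key not in table:
        # Assumed policy: a combination missing from the table (for example
        # because basic data changed and step 201 was not re-run) is an error,
        # so the record never receives an identifier that could match a grant.
        raise LookupError(f"no first data combination for {record_basic_data}")
    return table[key]


def user_permission_ids(table, user_basic_data, allow_partial):
    """Step 204: expand a user's basic data into third data combinations.

    allow_partial=False is option (1): one item from every configured type.
    allow_partial=True is option (2): one item from each type of any
    non-empty subset of the configured types.
    """
    types = list(user_basic_data)
    sizes = range(len(types), 0, -1) if allow_partial else [len(types)]
    ids = set()
    for size in sizes:
        for chosen_types in combinations(types, size):
            for values in product(*(user_basic_data[t] for t in chosen_types)):
                ids.add(combination_id(table, dict(zip(chosen_types, values))))
    return ids


def is_allowed(permission_info, operation, data_combination_id):
    """Steps 205-207: one membership test instead of a multi-table join.

    permission_info is either a set of identifiers shared by all function
    operations (case 1) or a dict mapping each function operation to its own
    set (case 2). An operation with no entry gets an empty scope, so the
    request is refused.
    """
    if isinstance(permission_info, dict):
        scope = permission_info.get(operation, set())
    else:
        scope = permission_info
    return data_combination_id in scope


if __name__ == "__main__":
    table = build_combination_table(BASIC_DATA)
    order_id = combination_id(table, {"department": "A1", "warehouse": "B1"})
    user = {"department": ["A1"], "warehouse": ["B1", "B2"]}
    grants = user_permission_ids(table, user, allow_partial=False)
    print(order_id, sorted(grants), is_allowed(grants, "view", order_id))
```

Because the identifier is fixed on the record at storage time, the stored correspondence and the stored identifiers have to be regenerated whenever basic data changes, as the text notes for step 101.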
In embodiment of the invention data permission control method shown in Figure 2, set up in advance the corresponding relation between the first data combination and the combination sign, and when data stores, the combination that the basic data of these data is converted to correspondence identifies, with this data corresponding stored; Thereby when receiving user's data operation request message, when only needing to determine to comprise the combination sign of data in the first data permission information of user, can determine that the user has the authority of the data of described message request being carried out the corresponding function operation.Thereby, data management system is as long as compare the combination sign of the combination sign in the first data permission range of information and data, can determine whether this user can carry out corresponding feature operation, need not as prior art, repeatedly to inquire about, shorten the query time of Database Systems, and then improved the response speed of data management system; And, when the corresponding relation between the combination of above-mentioned the first data and combination identify is stored in the Database Systems with the form of tables of data, Database Systems at most only need be carried out one time table lookup operation, need not as prior art, to take the cache resources of too much Database Systems, process so that Database Systems can support more concurrent user to carry out data, improved the treatment effeciency of Database Systems.
Fig. 3 is a schematic structural diagram of the data permission control device of the embodiment of the invention. As shown in Fig. 3, the device comprises:
Relationship generation unit 310, configured to obtain at least one first data combination by permutation and combination of all the basic data included in M basic data types, wherein each first data combination contains at least one kind of basic data and the basic data within a first data combination belong to different basic data types; and to assign a unique combination identifier to each first data combination; M is an integer not less than 1;
Storage unit 320, configured to, when it is determined that data is to be stored, look up among the first data combinations the first data combination corresponding to the basic data of that data, and to use the combination identifier of the first data combination found as the combination identifier of that data;
Authentication unit 330, configured to, when a data operation request message is received from a user, obtain the first data permission information of that user, the first data permission information comprising the user's combination identifier; and, when it is determined that the scope of the first data permission information contains the combination identifier of the data requested by the message, to allow the user to perform the function operation requested by the message on the data requested by the message.
Preferably, as shown in Fig. 4, authentication unit 330 may comprise:
First obtaining subunit 410, configured to, when a data operation request message is received from a user, obtain the first data permission information of that user, the first data permission information comprising the user's combination identifier;
First determining subunit 420, configured to, when it is determined that the whole of the first data permission information contains the combination identifier of the data requested by the message, allow the user to perform the function operation requested by the message on the data requested by the message.
Preferably, the first data permission information is divided into at least two pieces of second data permission information according to function operation. Correspondingly, as shown in Fig. 5, authentication unit 330 may comprise:
Second obtaining subunit 510, configured to, when a data operation request message is received from a user, obtain the first data permission information of that user, the first data permission information comprising the user's combination identifier;
Second determining subunit 520, configured to obtain, from the first data permission information, the second data permission information corresponding to the function operation requested by the message, and, when it is determined that this second data permission information contains the combination identifier of the data requested by the message, to allow the user to perform the function operation requested by the message on the data requested by the message.
As shown in Fig. 6, storage unit 320 may comprise:
Third obtaining subunit 610, configured to, when it is determined that data is to be stored, obtain the basic data corresponding to that data;
Comparison subunit 620, configured to compare the basic data, taken as a second data combination, with each first data combination, and, when a first data combination identical to this second data combination is obtained, to use the combination identifier corresponding to that first data combination as the combination identifier of that data.
Here, the second data combination contains, for each of M1 basic data types, one kind of basic data of that basic data type; the M1 basic data types are included in the M basic data types; M is an integer not less than 1. Alternatively, the second data combination contains at least one kind of basic data, and the basic data belong to different basic data types.
In the data permission control system of the embodiment of the invention shown in Fig. 3 to Fig. 6, the relationship generation unit establishes in advance the correspondence between first data combinations and combination identifiers, and when data is stored, the storage unit converts the basic data of that data into the corresponding combination identifier, which is stored together with the data. Consequently, when the authentication unit receives a data operation request message from a user, it only needs to determine whether the user's first data permission information contains the combination identifier of the data in order to determine whether the user has permission to perform the corresponding function operation on the data requested by the message. By establishing the correspondence between first data combinations and combination identifiers and converting basic data into a combination identifier when data is stored, the system of the invention reduces the time the database system spends on data permission queries while the user operates on data, which shortens the time the data management system takes to verify the user's data permission and improves the response speed of the data management system to the user's data operation requests.
One of ordinary skill in the art will appreciate that the process of implementing the data permission control method of the above embodiments can be carried out by hardware under the direction of program instructions. The program can be stored in a readable storage medium and, when executed, performs the corresponding steps of the above method. The storage medium may be, for example, ROM/RAM, a magnetic disk, or an optical disc.
The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A data permission control method, characterized by comprising:
Obtaining at least one first data combination by permutation and combination of all the basic data included in M basic data types, wherein each first data combination contains at least one kind of basic data and the basic data within a first data combination belong to different basic data types; assigning a unique combination identifier to each first data combination; M is an integer not less than 1;
When it is determined that data is to be stored, looking up among the first data combinations the first data combination corresponding to the basic data of that data, and using the combination identifier of the first data combination found as the combination identifier of that data;
When a data operation request message is received from a user, obtaining the first data permission information of that user, the first data permission information comprising the combination identifier corresponding to the user; and, when it is determined that the scope of the first data permission information contains the combination identifier of the data requested by the message, allowing the user to perform the function operation requested by the message on the data requested by the message.
2. The method according to claim 1, characterized in that determining that the scope of the first data permission information contains the combination identifier of the data requested by the message is specifically:
Determining that the whole of the first data permission information contains the combination identifier of the data, the data being the data on which the message requests an operation.
3. The method according to claim 1, characterized in that the first data permission information is divided into at least two pieces of second data permission information according to function operation;
Correspondingly, determining that the scope of the first data permission information contains the combination identifier of the data requested by the message is specifically:
Obtaining, from the first data permission information, the second data permission information corresponding to the function operation requested by the message;
Determining that this second data permission information contains the combination identifier of the data, the data being the data on which the message requests an operation.
4. The method according to any one of claims 1 to 3, characterized in that looking up among the first data combinations the first data combination corresponding to the basic data of that data is specifically:
Obtaining the basic data corresponding to that data;
Comparing the basic data, taken as a second data combination, with each first data combination, to obtain the first data combination identical to this second data combination.
5. The method according to claim 4, characterized in that the second data combination contains, for each of M1 basic data types, one kind of basic data of that basic data type; the M1 basic data types are included in the M basic data types; M1 is an integer not less than 1;
Or, the second data combination contains at least one kind of basic data, and the basic data belong to different basic data types.
6. A data permission control system, characterized by comprising:
A relationship generation unit, configured to obtain at least one first data combination by permutation and combination of all the basic data included in M basic data types, wherein each first data combination contains at least one kind of basic data and the basic data within a first data combination belong to different basic data types; and to assign a unique combination identifier to each first data combination; M is an integer not less than 1;
A storage unit, configured to, when it is determined that data is to be stored, look up among the first data combinations the first data combination corresponding to the basic data of that data, and to use the combination identifier of the first data combination found as the combination identifier of that data;
An authentication unit, configured to, when a data operation request message is received from a user, obtain the first data permission information of that user, the first data permission information comprising the combination identifier corresponding to the user; and, when it is determined that the scope of the first data permission information contains the combination identifier of the data requested by the message, to allow the user to perform the function operation requested by the message on the data requested by the message.
7. The system according to claim 6, characterized in that the authentication unit comprises:
A first obtaining subunit, configured to, when a data operation request message is received from a user, obtain the first data permission information of that user, the first data permission information comprising the combination identifier corresponding to the user;
A first determining subunit, configured to, when it is determined that the whole of the first data permission information contains the combination identifier of the data requested by the message, allow the user to perform the function operation requested by the message on the data requested by the message.
8. The system according to claim 6, characterized in that the first data permission information is divided into at least two pieces of second data permission information according to function operation, and correspondingly the authentication unit comprises:
A second obtaining subunit, configured to, when a data operation request message is received from a user, obtain the first data permission information of that user, the first data permission information comprising the combination identifier corresponding to the user;
A second determining subunit, configured to obtain, from the first data permission information, the second data permission information corresponding to the function operation requested by the message; and, when it is determined that this second data permission information contains the combination identifier of the data requested by the message, to allow the user to perform the function operation requested by the message on the data requested by the message.
9. The system according to any one of claims 6 to 8, characterized in that the storage unit comprises:
A third obtaining subunit, configured to, when it is determined that data is to be stored, obtain the basic data corresponding to that data;
A comparison subunit, configured to compare the basic data, taken as a second data combination, with each first data combination, and, when a first data combination identical to this second data combination is obtained, to use the combination identifier corresponding to the first data combination obtained as the combination identifier of that data.
10. The system according to claim 9, characterized in that the second data combination contains, for each of M1 basic data types, one kind of basic data of that basic data type; the M1 basic data types are included in the M basic data types;
Or, the second data combination contains at least one kind of basic data, and the basic data belong to different basic data types.
CN2009102238795A 2009-11-25 2009-11-25 Data permission control method and device Active CN101739523B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102238795A CN101739523B (en) 2009-11-25 2009-11-25 Data permission control method and device

Publications (2)

Publication Number Publication Date
CN101739523A CN101739523A (en) 2010-06-16
CN101739523B true CN101739523B (en) 2013-02-27

Family

ID=42462998

Country Status (1)

Country Link
CN (1) CN101739523B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant