CN101847197A - Method for controlling document access authority - Google Patents

Publication number: CN101847197A
Authority: CN (China)
Prior art keywords: document, access, role, visitor, new
Legal status: Pending
Application number: CN200910048081A
Other languages: Chinese (zh)
Inventor: 杨雷鸣
Current Assignee: SHANGHAI RENDENG TECHNOLOGY Inc
Original Assignee: SHANGHAI RENDENG TECHNOLOGY Inc
Application filed by: SHANGHAI RENDENG TECHNOLOGY Inc
Classification: Storage Device Security (AREA)
Abstract

The invention discloses a method for controlling document access authority and belongs to the field of electric digital data processing. The method is characterized by comprising the following steps of: classifying accessors according to the roles thereof; classifying documents in a system according to types; inputting an accessible document type to each access role Si and inputting the access role which is allowed to operate to each document type Oi; and determining a two-dimensional corresponding table relation between the document type which can be accessed by each access role and the access role which is allowed to operate by each document type, wherein when a new user role or a new document type occurs, data volume needing modifying is very small and real-time operation is not affected. Simultaneously a least privilege principle is ensured, the access role is added conveniently and the access authority is convenient to process when a new document is generated. The method contributes to reducing management cost and enhancing the safety of the system and can be widely used in document confidentiality fields of a computer operation system, a database system and other data systems.

Description

A method for controlling document access authority
Technical field
The invention belongs to the field of electric digital data processing, and in particular relates to a method for controlling access rights to electronic documents in a computer system.
Background art
Current methods of controlling access rights to documents fall into two classes. The first restricts the visitor's authority through the document's access control list (ACL), and it is very widely used. This method works from the perspective of the accessed document and combines naturally with a discretionary access control policy; in management, however, whenever a user, user group or user role is added, modified or deleted, the access control list of every document has to be edited.
Chinese patent application publication No. CN 101226573A, published on July 23, 2008, discloses a "method for controlling the access rights of an electronic document": the electronic document is made up of at least two basic units, and a basic unit for which authority is set has at least one authority; when a user accesses the electronic document, the basic units in the document are accessed and the authority corresponding to each basic unit is obtained. This patent application thus adopts the control method described above.
The other method controls the accessed object by setting the visitor's own authority. It works from the perspective of the document's visitor. Although it is not very widely used, it effectively satisfies the principle of least privilege and effectively reduces the security risk of the whole system; in management, however, whenever a new document is generated, modified or deleted, the authority of every visitor (including users and all programs) has to be adjusted.
Chinese patent application publication No. CN 101026493A, published on August 29, 2007, discloses a "user authority control method and XML document management server", comprising: the XML document management server accepts a user's operation request; it obtains the user's authority configuration, determines according to that configuration that the user may perform the operation in the request, and allows the user to perform the operation. This technical scheme controls the document resources a user can create and manage through the business-level management function of the XDMS (XML Document Management Server), and so belongs to the second control method above.
To guarantee the security of confidential data at its source, to build an enterprise information security technical framework from multiple levels and angles (mandatory encryption of confidential documents, graded decryption authority, department classification, security management, classification of secure files), and at the same time to simplify the software/hardware composition of the system and reduce management cost, a document access authority control method that combines the two methods above is urgently needed.
Summary of the invention
The technical problem to be solved by the invention is to provide a document access authority control method that combines the respective advantages of the two control methods above while also helping to reduce management cost.
The technical scheme of the invention is a method for controlling document access authority, comprising restricting the visitor's authority through the document's access control list and controlling the accessed object by setting the visitor's own authority, characterized in that: visitors are first classified by role; the documents in the system are then classified by type; for each access role S_i, the document types it can access are entered, and for each document type O_i, the access roles allowed to operate it are entered;
A) on an access request, look up the visitor's role class, denoted S_A;
B) look up the type of the document to be accessed, denoted O_A;
C) check whether the operable objects of S_A include O_A;
D) if the result of step C) is "Yes", carry out step G);
E) if the result of step C) is "No", check whether the operable access roles of O_A include S_A;
F) if the result of step E) is "Yes", carry out step G);
G) if the result of step E) is "No", deny access;
H) allow visitor S_A to access document O_A.
Specifically, the document types accessible to each access role and the access roles each document type allows to operate stand in a defined two-dimensional table relation.
Further, when a new visitor is generated, it is first judged whether the visitor has a new access role; if "No", the visitor is added to an existing access role; if "Yes", a new role is created and its accessible document classes are defined/entered.
Likewise, when a new document is generated, it is first judged whether the document belongs to an existing class; if "Yes", it is added to the existing document class; if "No", a new document type is created and the visitor roles allowed to access it are defined/entered.
Compared with the prior art, the advantages of the invention are:
1. It combines the respective advantages of the two existing control methods well;
2. A two-dimensional correspondence table relation is determined between the document types accessible to each access role and the access roles each document type allows to operate. This fully embodies the principle of least privilege and makes it convenient both to add access roles and to handle access rights when a new document is generated, which helps reduce management cost.
Description of drawings
Fig. 1 is a flow chart of the control method of the invention;
Fig. 2 is a schematic diagram of the identification method when a new visitor is generated;
Fig. 3 is a schematic diagram of the identification method when a new document is generated.
Embodiment
The invention is further described below with reference to the drawings and embodiments.
In Fig. 1, the method for controlling document access authority comprises restricting the visitor's authority through the document's access control list and controlling the accessed object by setting the visitor's own authority. Visitors are first classified by role; the documents in the system are then classified by type; for each access role S_i, the document types it can access are entered, and for each document type O_i, the access roles allowed to operate it are entered;
A) on an access request, look up the visitor's role class, denoted S_A;
B) look up the type of the document to be accessed, denoted O_A;
C) check whether the operable objects of S_A include O_A;
D) if the result of step C) is "Yes", carry out step G);
E) if the result of step C) is "No", check whether the operable access roles of O_A include S_A;
F) if the result of step E) is "Yes", carry out step G);
G) if the result of step E) is "No", deny access;
H) allow visitor S_A to access document O_A.
Specifically, the document types accessible to each access role and the access roles each document type allows to operate stand in a defined two-dimensional table relation.
In Fig. 2, when a new visitor is generated, it is first judged whether the visitor has a new access role; if "No", the visitor is added to an existing access role; if "Yes", a new role is created and its accessible document classes are defined/entered.
In Fig. 3, when a new document is generated, it is first judged whether the document belongs to an existing class; if "Yes", it is added to the existing document class; if "No", a new document type is created and the visitor roles allowed to access it are defined/entered.
Embodiment one:
Suppose the system has three classes of visitor role: general user, advanced user and administrator; and two classes of document type: general document and confidential document. The following two tables are set up:
Table one:
Role | Existing members | Operable document types
General user | S_1, S_2 | General document
Advanced user | S_3 | General document, confidential document
Administrator | S_4 | General document, confidential document
Table two:
Document type | Existing members | Operable access roles
General document | O_1, O_2 | General user
Confidential document | O_3, O_4 | General user, advanced user, administrator
Judging by the method of Fig. 1: when a general user S_2 accesses a confidential document O_3, the two tables above are queried, and both confirm that S_2 has no authority to access O_3 and must be rejected, so the access is refused/blocked.
Embodiment two:
When a new user S_5 appears, he is defined as having the advanced user role.
Then, according to the principle shown in Fig. 2, he is simply added to that group, as shown in the table below.
Table three:
Role | Existing members | Operable classes
General user | S_1, S_2 | General document
Advanced user | S_3, S_5 | General document, confidential document
Administrator | S_4 | General document, confidential document
Likewise, when a new document O_5 is generated, according to the judging principle shown in Fig. 3, if the document belongs to an existing class, such as confidential document, it is simply added to that document class, as shown in the table below.
Table four:
Document type | Existing members | Operable access roles
General document | O_1, O_2 | General user
Confidential document | O_3, O_4, O_5 | General user, advanced user, administrator
Embodiment three:
When a new user S_6 appears who does not belong to any existing user role, a new role has to be created for him; suppose it is "leader". The document types this role is allowed to operate have to be entered at the same time, as shown in the table below.
Table five:
Role | Existing members | Operable classes
General user | S_1, S_2 | General document
Advanced user | S_3, S_5 | General document, confidential document
Administrator | S_4 | General document, confidential document
Leader | S_6 | General document, confidential document
Likewise, when a new document O_6 is generated and O_6 does not belong to any existing document type, a new document type has to be created, assumed here to be "top-secret document". The visitor roles allowed to operate it are entered at the same time, as shown in the table below.
Table six:
Document type | Existing members | Operable access roles
General document | O_1, O_2 | General user
Confidential document | O_3, O_4, O_5 | General user, advanced user, administrator
Top-secret document | O_6 | Administrator, leader
At this point, if S_6 accesses O_6, no match is found in Table five, but Table six shows that S_6, as a leader, is allowed access.
As the embodiments above show, because the invention adopts a document access authority control method that simultaneously classifies visitors by role and classifies the documents in the system by type, even when the two tables, one per visitor role (giving the document types it can access) and one per document type (giving the visitor roles it allows), are both quite large, the amount of data to be modified when a new user role or new document class appears is very small and real-time operation is not affected. The principle of least privilege is guaranteed at the same time, and it is convenient both to add access roles and to handle access rights when a new document is generated. This helps reduce management cost and enhance the security of the system.
The invention can be widely used for the protection/confidentiality of electronic documents in computer operating systems, database systems and other data systems.
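The decision procedure of Fig. 1 and the table updates of Figs. 2 and 3, as an added Python example that is not part of the patent text. Class and method names are hypothetical, the sample tables are constructed to reproduce the outcomes the embodiments state (S_2 denied on O_3, S_6 allowed on O_6), and denying unknown visitors or documents is an assumption of the example. Because a grant in either table allows access, the example also shows that a revocation has to clear both tables.

```python
# Added example: the two-table check (steps A-H) with the Fig. 2 / Fig. 3 updates.
# All names are hypothetical; the sample tables are constructed.


class AccessTables:
    def __init__(self):
        self.role_types = {}   # role -> document types it may operate
        self.type_roles = {}   # document type -> roles allowed to operate it
        self.member_role = {}  # visitor id -> role
        self.doc_type = {}     # document id -> document type

    def add_visitor(self, visitor, role, operable_types=()):
        """Fig. 2: join an existing role, or create the role with its types."""
        if role not in self.role_types:
            self.role_types[role] = set(operable_types)
        self.member_role[visitor] = role

    def add_document(self, doc, dtype, allowed_roles=()):
        """Fig. 3: join an existing type, or create the type with its roles."""
        if dtype not in self.type_roles:
            self.type_roles[dtype] = set(allowed_roles)
        self.doc_type[doc] = dtype

    def check(self, visitor, doc):
        """Steps A-H. Returns (allowed, matched_table)."""
        role = self.member_role.get(visitor)   # A) look up S_A
        dtype = self.doc_type.get(doc)         # B) look up O_A
        if role is None or dtype is None:
            # Assumption of this example: unknown ids fail closed.
            return False, "unknown visitor or document"
        if dtype in self.role_types.get(role, ()):   # C) role-side table
            return True, "role table"
        if role in self.type_roles.get(dtype, ()):   # E) document-side table
            return True, "document table"
        return False, "no entry in either table"

    def revoke(self, role, dtype):
        """A grant in either table allows access, so revocation clears both."""
        self.role_types.get(role, set()).discard(dtype)
        self.type_roles.get(dtype, set()).discard(role)


def build_example():
    """Constructed tables that reproduce the outcomes stated in the embodiments."""
    t = AccessTables()
    t.add_visitor("S1", "general user", {"general"})
    t.add_visitor("S2", "general user")
    t.add_visitor("S3", "advanced user", {"general", "confidential"})
    t.add_visitor("S4", "administrator", {"general", "confidential"})
    everyone = {"general user", "advanced user", "administrator"}
    t.add_document("O1", "general", everyone)
    t.add_document("O2", "general")
    t.add_document("O3", "confidential", {"advanced user", "administrator"})
    t.add_document("O4", "confidential")
    # Embodiment two: S5 and O5 join an existing role and type (one row each).
    t.add_visitor("S5", "advanced user")
    t.add_document("O5", "confidential")
    # Embodiment three: a new role and a new document type are created.
    t.add_visitor("S6", "leader", {"general", "confidential"})
    t.add_document("O6", "top secret", {"administrator", "leader"})
    return t


if __name__ == "__main__":
    tables = build_example()
    for visitor, doc in [("S2", "O3"), ("S5", "O5"), ("S6", "O6"), ("S3", "O6")]:
        print(visitor, doc, tables.check(visitor, doc))
```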

Claims (4)

1. A method for controlling document access authority, comprising restricting the visitor's authority through the document's access control list and controlling the accessed object by setting the visitor's own authority, characterized in that:
visitors are first classified by role;
the documents in the system are then classified by type;
for each access role S_i, the document types it can access are entered, and for each document type O_i, the access roles allowed to operate it are entered;
A) on an access request, look up the visitor's role class, denoted S_A;
B) look up the type of the document to be accessed, denoted O_A;
C) check whether the operable objects of S_A include O_A;
D) if the result of step C) is "Yes", carry out step G);
E) if the result of step C) is "No", check whether the operable access roles of O_A include S_A;
F) if the result of step E) is "Yes", carry out step G);
G) if the result of step E) is "No", deny access;
H) allow visitor S_A to access document O_A.
2. The method for controlling document access authority according to claim 1, characterized in that the document types accessible to each access role and the access roles each document type allows to operate stand in a defined two-dimensional table relation.
3. The method for controlling document access authority according to claim 1 or 2, characterized in that when a new visitor is generated, it is first judged whether the visitor has a new access role; if "No", the visitor is added to an existing access role; if "Yes", a new role is created and its accessible document classes are defined/entered.
4. The method for controlling document access authority according to claim 1 or 2, characterized in that when a new document is generated, it is first judged whether the document belongs to an existing class; if "Yes", it is added to the existing document class; if "No", a new document type is created and the visitor roles allowed to access it are defined/entered.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN200910048081A | 2009-03-24 | 2009-03-24 | Method for controlling document access authority

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN200910048081A | 2009-03-24 | 2009-03-24 | Method for controlling document access authority

Publications (1)

Publication Number | Publication Date
CN101847197A | 2010-09-29

Family

ID: 42771815

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN200910048081A (Pending) | Method for controlling document access authority | 2009-03-24 | 2009-03-24

Country Status (1)

Country | Link
CN (1) | CN101847197A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100929