CN102222193A - Data permission setting device and data permission setting method - Google Patents

Data permission setting device and data permission setting method

Publication number
CN102222193A
CN102222193A CN201110177241XA CN201110177241A CN102222193A CN 102222193 A CN102222193 A CN 102222193A CN 201110177241X A CN201110177241X A CN 201110177241XA CN 201110177241 A CN201110177241 A CN 201110177241A CN 102222193 A CN102222193 A CN 102222193A
Authority
CN
China
Prior art keywords
data permission
expression formula
statement
business object
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201110177241XA
Other languages
Chinese (zh)
Inventor
焦剑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yonyou Software Co Ltd
Original Assignee
Yonyou Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yonyou Software Co Ltd
Priority to CN201110177241XA
Publication of CN102222193A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a data permission setting device comprising a permission setting management module, a parsing module, a merging module and a parsing and execution module. The permission setting management module generates a data permission expression for a business object; the parsing module parses input business processing logic into a business processing statement; the merging module merges the data permission expression with the business processing statement to obtain a merged statement; and the parsing and execution module parses the merged statement and executes the parsed merged statement in a database so as to control the data permission. The invention also provides a data permission control method. The invention abstracts users' complex requirements for data permission management and control to a high degree, simplifies the setting of data permissions, and fully separates data permission setting and permission verification from the business logic development of a software system, so that data permission setting is more flexible. Because dynamic permission expressions are used, the flexibility and extensibility of data permissions are improved and the coupling between permissions and business development is reduced.

Description

Data permission setting device and data permission setting method
Technical field
The present invention relates to the field of computer technology, and in particular to a data permission setting device and a data permission setting method.
Background art
With the spread of computers and their ease of operation, information system software is used ever more widely. Existing information system software generally defines data permissions either by enumerating individual data items or by setting combined conditions. When the volume of user data is large, the item-enumeration method causes problems such as excessive storage consumed by permission data and low permission verification efficiency. The combined-condition method compresses the storage needed for permission settings and is more flexible than the item-enumeration method: it supports combined conditions built from simple "logical AND", "logical OR" and "logical NOT" and the common comparison operators "greater than", "equal to" and "less than", compared against constants. To some extent this solves the problem of the item-enumeration method consuming excessive storage when the data volume is large, and it is comparatively flexible, since data can be filtered by simple logical conditions. However, the range of conditions that can be set is small and only certain fixed requirements can be met. It is inflexible: some permission requirements need a large number of similar, repetitive settings, and complex, changing data permission requirements cannot be implemented at all.
For example, an enterprise requires that every salesperson who logs in to the system can read and modify only the sales documents that he or she created. Setting a data filter condition for each salesperson is a huge and tedious amount of work. With the item-enumeration method this requirement cannot be met at all: document data is constantly being added, and the permission settings cannot anticipate new data, so permissions can be controlled only for existing data. The combined-condition method can solve this problem, but a setting must still be made for each sales operator, which is a considerable amount of work. For sales operator A the condition "salesperson = A" must be set, for sales operator B the condition "salesperson = B" must be set, and the setting workload is proportional to the amount of data of the controlled objects in the system.
In addition, some complex permission control requirements cannot be implemented, for example requiring that the logged-in user can read and modify only those sales orders whose sales department is the department to which the salesperson corresponding to that user belongs.
Therefore, a data permission setting technique is needed that can solve the data permission problems that arise in the use of information software.
Summary of the invention
The technical problem to be solved by the present invention is to provide, according to one aspect of the invention, a data permission setting device and, according to another aspect, a data permission setting method, which solve the data permission problems found in existing information system software. The invention is realized by the following technical solutions:
One aspect of the present invention discloses a data permission control device, which may comprise: a permission setting management module, for generating a data permission expression of a business object; a parsing module, for parsing input business processing logic into a business processing statement; a merging module, for merging the data permission expression and the business processing statement to obtain a merged statement; and a parsing and execution module, which parses the merged statement and executes the parsed merged statement in a database to control the data permission.
In the above technical solution, preferably, the permission setting management module generates the data permission expression of the business object according to the permission expression syntax rules, the defined business object attributes and custom functions; the merging module merges multiple data permission expressions of the same business object according to a merging rule.
In the above technical solution, preferably, the business object attributes are organized as a tree structure, and the data permission expression may further include connectors and/or comparison operators.
In the above technical solution, preferably, the device may further comprise: a memory, for storing the generated data permission expression of the business object.
In the above technical solution, preferably, the business processing logic may include query, modification, deletion and/or addition.
The data permission control device of the present invention enables flexible control of complex data permissions and simplifies permission setting.
In another aspect, the invention also discloses a data permission control method, which may comprise: step 402, generating a data permission expression of a business object; step 404, parsing input business processing logic into a business processing statement; step 406, merging the data permission expression and the business processing statement to obtain a merged statement; step 408, parsing the merged statement and executing the parsed merged statement in a database to control the data permission.
In the above technical solution, preferably, step 402 may further comprise: generating the data permission expression of the business object according to the permission expression syntax rules, the defined business object attributes and custom functions, and merging multiple data permission expressions of the same business object.
In the above technical solution, preferably, the business object attributes are organized as a tree structure, and the data permission expression may further include connectors and/or comparison operators.
In the above technical solution, preferably, step 402 may further comprise: storing the generated data permission expression of the business object.
In the above technical solution, preferably, the business processing logic may include query, modification, deletion and/or addition.
The data permission control method of the present invention enables flexible control of complex data permissions and simplifies permission setting.
Brief description of the drawings
Fig. 1 shows a schematic diagram of a data permission control device according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of the working principle of a data permission control device according to another embodiment of the invention;
Fig. 3 shows a schematic diagram of the generation of a data permission expression according to an embodiment of the invention;
Fig. 4 shows a flowchart of a data permission control method according to an embodiment of the invention;
Fig. 5 shows a flowchart of a data permission control method according to a further embodiment of the invention;
Fig. 6 shows a schematic diagram of the setting of a data permission expression according to an embodiment of the invention;
Fig. 7 shows a schematic diagram of the result returned after a data permission expression has been set according to an embodiment of the invention;
Fig. 8 shows a schematic diagram of the result of reading documents using the data permission control device according to an embodiment of the invention; and
Fig. 9 shows a schematic diagram of the result of reading documents using the data permission control device according to an embodiment of the invention.
Detailed description of the embodiments
So that the above objects, features and advantages of the present invention can be understood more clearly, the invention is described in further detail below with reference to the drawings and specific embodiments.
Many specific details are set forth in the following description to provide a full understanding of the invention; however, the invention can also be implemented in ways other than those described here, and is therefore not limited to the specific embodiments disclosed below.
As shown in Fig. 1, one aspect of the present invention discloses a data permission control device 100, which may comprise: a permission setting management module 102, for generating a data permission expression of a business object; a parsing module 104, for parsing input business processing logic into a business processing statement; a merging module 106, for merging the data permission expression and the business processing statement according to a merging rule; and a parsing and execution module 108, which parses the merged statement and executes the parsed merged statement in a database to control the data permission. In this way, the data permission of a business object can be combined with the actual business processing logic to obtain a data permission that meets the requirements, and that data permission can be parsed for different platforms into a statement that can be executed on the database of the corresponding platform.
In the above technical solution, preferably, the permission setting management module 102 generates the data permission expression of the business object according to the permission expression syntax rules, the defined business object attributes and custom functions; the merging module merges multiple data permission expressions of the same business object according to a merging rule. Fig. 3 shows a schematic diagram of the generation of a data permission expression according to an embodiment of the invention. As shown in Fig. 3, in the permission setting management module 102 the user sets, according to the business object attributes, the custom functions and the permission expression syntax rules, an expression that conforms to the syntax of the business object, and the expression is stored for later use by the merging module 106 at run time. The business object attributes are organized as a tree, so that the user can set an expression by clicking, which is more flexible. Together with custom functions, common logical connectors, comparison operators and the like, this allows data permission conditions to be defined flexibly, which greatly improves the flexibility and extensibility of data permission definition.
In the above technical solution, preferably, the business object attributes are organized as a tree structure, and the data permission expression further includes connectors and/or comparison operators. For example, in the tree-shaped setting interface shown in Fig. 6, a read condition is set on sales orders so that only documents created by the logged-in person can be read; the result of the setting is shown in Fig. 7, realizing a flexible definition of data permission conditions. After the permission is applied to certain users, a user who logs in to the sales order node can read only the documents he or she created: as shown in Fig. 8, user demo logs in to view sales orders and can read only documents whose creator is demo; likewise, as shown in Fig. 9, user demo1 logs in to view sales orders and can read only documents whose creator is demo1.
In the above technical solution, preferably, the device may further comprise: a memory 110, for storing the generated data permission expression of the business object.
In the above technical solution, preferably, the business processing logic may include query, modification, deletion and/or addition.
The data permission control device of the present invention enables flexible control of complex data permissions and simplifies permission setting.
Fig. 2 shows a schematic diagram of the working principle of another data permission device according to an embodiment of the invention.
As shown in Fig. 2, the data permission device of this embodiment may comprise a permission setting management module 202 (for example the permission setting management module 102 in Fig. 1), a parsing module 204 (for example the parsing module 104 in Fig. 1), a merging module 206 (for example the merging module 106 in Fig. 1) and a parsing and execution module 208 (for example the parsing and execution module 108 in Fig. 1). First, the permission setting management module 202 lets the user set the data permission of a business object: it generates the data permission expression of the business object and stores that expression in the database, so that it can be used in the permission verification stage to control data permissions. If there are multiple data permission expressions for the same business object, the merging module 206 merges them according to the merging rule to obtain the final data permission expression for that business object. When the user carries out business processing in the information system, the parsing module 204 receives the user's operation and parses the operation logic, for example querying, modifying or deleting a document, into a data manipulation statement (the business processing statement). The merging module 206 merges the data permission expression that the user preset in the permission setting management module with the business processing statement produced by the parsing module 204, for use in the permission verification stage. The parsing and execution module 208 parses the statement merged by the merging module 206; that is, at run time it resolves the object-oriented permission expression into a statement that can be executed on the database, which finally realizes data permission control.
The data permission setting method of embodiments of the invention is described below with reference to Fig. 4 and Fig. 5.
As shown in Fig. 4, a data permission control method according to an embodiment of the invention may comprise: step 402, generating a data permission expression of a business object; step 404, parsing input business processing logic into a business processing statement; step 406, merging the data permission expression and the business processing statement to obtain a merged statement; step 408, parsing the merged statement and executing the parsed merged statement in a database to control the data permission. In this way, the data permission of a business object can be combined with the actual business processing logic to obtain a data permission that meets the requirements, and that data permission can be parsed for different platforms into a statement that can be executed on the database of the corresponding platform.
In the above technical solution, preferably, step 402 may further comprise: generating the data permission expression of the business object according to the permission expression syntax rules, the defined business object attributes and custom functions, and merging multiple data permission expressions of the same business object.
In the above technical solution, preferably, the business object attributes are organized as a tree structure, which makes it convenient and flexible for the user to set an expression by clicking; in addition, the data permission expression further includes connectors and/or comparison operators, which makes permission definition more flexible and improves extensibility.
In the above technical solution, preferably, step 402 further comprises: storing the generated data permission expression of the business object, for later permission verification and merging with the business processing statement.
In the above technical solution, preferably, the business processing logic includes query, modification, deletion and/or addition, which increases the operability of business processing.
Through the above technical solution, data permission conditions are highly abstracted, which meets users' complex data permission setting requirements.
As shown in Fig. 5, the data permission expression of the business object is preset first; if there are multiple data permission expressions for the same business object, they are merged into a single data permission expression, which is stored for later use.
In step 502, the user carries out business processing in the information system, for example a query, modification or deletion.
In step 504, the user's business processing action is converted into a data manipulation statement.
In step 506, the preset data permission expression of the business object and the data manipulation statement are merged.
In step 508, the merged statement is parsed so that the parsed merged statement is suitable for execution on the corresponding operating system, achieving data permission control.
The data permission control device and method of the present invention enable flexible control of complex data permissions and simplify permission setting. As shown in Fig. 6, the tree structure on the left, such as the sales order and the subdirectories under it, consists of business objects. The user can set permissions in this interface; in Fig. 6, for example, the data permission expression of the business object is set on the creator, and logical symbols, operators and the like are also available for the user to select. Fig. 7 shows the result returned for the data permission that was set. From the data permission that was set, combined with the user's business operation, data permissions that meet all requirements are obtained: once the data permission is set as in Fig. 7, when a user logs in to view sales orders, the user can read only the documents he or she created. As shown in Fig. 8, user demo can read only the documents demo created; as shown in Fig. 9, user demo1 can read only the documents demo1 created.
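The flow of steps 502 to 508 with the "own documents only" rule of Figs. 6 to 9, sketched in Python with sqlite3 as an added example; this is not code from the patent. The table schema, the function names `CurrentUser` and `CurrentDept`, and OR as the merging rule are assumptions, and the business filter is taken to be a trusted string produced by the application's own parsing step.

```python
import sqlite3
from dataclasses import dataclass

# Business object attributes -> columns (hypothetical schema). Only names listed
# here may appear in an expression, so an expression cannot carry raw SQL text.
SALES_ORDER = {"table": "sales_order",
               "attrs": {"creator": "creator", "dept": "dept", "amount": "amount"}}
OPS = {"=", "<", ">", "<=", ">=", "<>"}

@dataclass(frozen=True)
class Func:            # custom function, evaluated per request, e.g. CurrentUser()
    name: str

@dataclass(frozen=True)
class Cmp:             # attribute <op> constant-or-function
    attr: str
    op: str
    value: object

@dataclass(frozen=True)
class Bool:            # connector: AND / OR / NOT over sub-expressions
    op: str
    args: tuple

# Functions resolved from the login session at run time (names are assumptions).
FUNCTIONS = {"CurrentUser": lambda s: s["user"], "CurrentDept": lambda s: s["dept"]}

def compile_expr(expr, obj, session):
    """Turn a permission expression into (sql_fragment, params)."""
    if isinstance(expr, Cmp):
        if expr.attr not in obj["attrs"] or expr.op not in OPS:
            raise ValueError(f"not allowed in expression: {expr.attr} {expr.op}")
        value = expr.value
        if isinstance(value, Func):
            value = FUNCTIONS[value.name](session)   # dynamic part of the rule
        return f"{obj['attrs'][expr.attr]} {expr.op} ?", [value]
    if isinstance(expr, Bool):
        parts = [compile_expr(a, obj, session) for a in expr.args]
        params = [p for _, ps in parts for p in ps]
        if expr.op == "NOT" and len(parts) == 1:
            return f"NOT ({parts[0][0]})", params
        if expr.op in ("AND", "OR") and parts:
            return "(" + f" {expr.op} ".join(s for s, _ in parts) + ")", params
    raise ValueError(f"unsupported expression: {expr!r}")

def merge_permissions(exprs, rule="OR"):
    """Merge several expressions set on one business object (rule is assumed)."""
    return exprs[0] if len(exprs) == 1 else Bool(rule, tuple(exprs))

def merged_statement(obj, business_where, business_params, perms, session):
    """Step 506: combine the business statement with the permission predicate."""
    perm_sql, perm_params = compile_expr(merge_permissions(perms), obj, session)
    # Both sides are parenthesised so an OR in the business filter cannot
    # widen the result beyond what the permission predicate allows.
    sql = (f"SELECT id, creator, dept, amount FROM {obj['table']} "
           f"WHERE ({business_where}) AND ({perm_sql}) ORDER BY id")
    return sql, list(business_params) + perm_params

def read_orders(conn, session, perms, business_where="1 = 1", business_params=()):
    """Step 508: execute the merged statement with bound parameters."""
    sql, params = merged_statement(SALES_ORDER, business_where,
                                   business_params, perms, session)
    return conn.execute(sql, params).fetchall()

def demo_db():
    """Constructed sample data: four sales orders made by users demo and demo1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales_order "
                 "(id INTEGER, creator TEXT, dept TEXT, amount REAL)")
    conn.executemany("INSERT INTO sales_order VALUES (?, ?, ?, ?)", [
        (1, "demo", "east", 100.0), (2, "demo1", "west", 250.0),
        (3, "demo", "east", 900.0), (4, "demo1", "west", 40.0)])
    return conn

# One stored rule serves every user; no per-user "salesperson = A" setting.
OWN_DOCS = [Cmp("creator", "=", Func("CurrentUser"))]

if __name__ == "__main__":
    conn = demo_db()
    for user in ("demo", "demo1"):
        print(user, read_orders(conn, {"user": user, "dept": "east"}, OWN_DOCS))
```

Because the permission predicate is appended inside the data access layer, a business query that forgets about permissions still returns only permitted rows; the attribute allowlist and bound parameters keep stored expressions from becoming a SQL injection path.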
The technical solution according to the embodiments of the invention has been described in detail above with reference to the drawings. The invention provides a new data permission control device and method that make permission setting simple and, by abstracting data permission conditions to a high degree, meet customers' complex data permission setting requirements. On the one hand, setting permissions with a business object tree and expressions abstracts permission conditions so that they are reusable, which simplifies permission setting and reduces the workload of setting data permissions. Permissions are verified dynamically from the running information of the information system software, which makes them more flexible and extensible, so that customers' highly variable and highly complex requirements for data permission control can be met while the software is running, without any further modification to the software; this improves the software's ability to cope with changing data permission requirements. On the other hand, the verification of data permissions in the software system is separated from the development of business logic: business logic developers need not consider permissions, which reduces the coupling between business logic development and permission verification and simplifies the development process and its difficulty.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A data permission control device, characterized in that it comprises:
a permission setting management module, for generating a data permission expression of a business object;
a parsing module, for parsing input business processing logic into a business processing statement;
a merging module, for merging the data permission expression and the business processing statement to obtain a merged statement;
a parsing and execution module, for parsing the merged statement and executing the parsed merged statement in a database to control the data permission.
2. The data permission control device according to claim 1, characterized in that the permission setting management module generates the data permission expression of the business object according to the permission expression syntax rules, the defined business object attributes and custom functions;
the merging module merges multiple data permission expressions of the same business object according to a merging rule.
3. The data permission control device according to claim 2, characterized in that the business object attributes are organized as a tree structure, and the data permission expression further includes connectors and/or comparison operators.
4. The data permission control device according to claim 1, characterized in that it further comprises: a memory, for storing the generated data permission expression of the business object.
5. The data permission control device according to any one of claims 1 to 4, characterized in that the business processing logic includes query, modification, deletion and/or addition.
6. A data permission control method, characterized in that it comprises:
step 402, generating a data permission expression of a business object;
step 404, parsing input business processing logic into a business processing statement;
step 406, merging the data permission expression and the business processing statement to obtain a merged statement;
step 408, parsing the merged statement and executing the parsed merged statement in a database to control the data permission.
7. The data permission control method according to claim 6, characterized in that step 402 further comprises: generating the data permission expression of the business object according to the permission expression syntax rules, the defined business object attributes and custom functions, and merging multiple data permission expressions of the same business object.
8. The data permission control method according to claim 7, characterized in that the business object attributes are organized as a tree structure, and the data permission expression further includes connectors and/or comparison operators.
9. The data permission control method according to claim 6, characterized in that step 402 further comprises: storing the generated data permission expression of the business object.
10. The data permission control method according to any one of claims 6 to 9, characterized in that the business processing logic includes query, modification, deletion and/or addition.
CN201110177241XA 2011-06-28 2011-06-28 Data permission setting device and data permission setting method Pending CN102222193A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110177241XA CN102222193A (en) 2011-06-28 2011-06-28 Data permission setting device and data permission setting method

Publications (1)

Publication Number Publication Date
CN102222193A (en) 2011-10-19

Family

ID=44778743

Country Status (1)

Country Link
CN (1) CN102222193A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20111019