CN103530568A - Authority control method, device and system - Google Patents

Publication number
CN103530568A
Authority
CN
China
Prior art keywords
data
application
function
authority
user profile
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201210228214.5A
Other languages
Chinese (zh)
Other versions
CN103530568B (en)
Inventor
郎中锋
周春雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201210228214.5A
Publication of CN103530568A
Application granted
Publication of CN103530568B
Active (current legal status)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention discloses an authority control method, device and system. The method includes: obtaining the user information of a logged-in user; combining the user information with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter; sending a data permission verification request carrying that parameter to a public authority server to carry out the data permission query, so that the data access rule object corresponding to the application data access entry identifier is obtained; receiving and parsing the data access rule object to obtain a data permission query condition; and inserting the data permission query condition into the permission query SQL statement corresponding to the application data access entry identifier, so that a new query statement under data permission control is obtained and the data query result corresponding to the user information is obtained from it. With this method, the permission management service can be deployed independently and configured uniformly, and fine-grained data permission control is achieved.

Description

Authority control method, device and system
Technical field
This application relates to the computer field, and in particular to an authority control method, device and system.
Background art
In complex supply chain system clusters, data permission control currently has to be applied to complex user types. When a system has many types of user, it places different data permission requirements on different users. In an enterprise's sales process system, for example, users in different positions in the organizational structure are subject to different data permission restrictions: for a sales director, a regional manager and an ordinary sales clerk, the same query function returns sales data that differs in result, scope and content.
When data permission control is implemented for a system whose functions place simple demands on data, the control can be placed in each functional unit of the application service on the application server, which helps reduce cost: the system needs no separate data permission service, and the application server system itself completes data permission verification in order to perform the different operations. But when both the system functions and the user types are complex, continuing to add complex user permission decision logic to the business logic of the application server system makes the application system on the application server bloated and hard to maintain; and when the data permission control requirements change, a great deal of cost has to be spent modifying the permission decision logic scattered across the application system's functions.
Specifically, the industry currently implements data permission control in two ways: the first selects different function entries according to user permission, so as to query different data sets; the second passes user information parameters in at the function entry and assembles dynamic SQL to obtain different data sets.
The first scheme suits applications whose data permission control requirements are fairly simple, such as most websites, where users are simply divided into visitors and members; feature-rich websites such as Taobao also have member levels. The user types of such systems are far simpler than those of a supply chain system. In a supply chain system cluster, the people using the system hold many roles across multiple business teams, with many complex hierarchical and responsibility relationships. Controlling data permission through multiple function entries therefore makes the application system divert much of its effort to permission decisions, which hinders sorting out the business logic; it is also hard to maintain and hard to adapt to complex, changing data permission management requirements.
The second scheme suits single-system applications, which seldom cooperate with other applications and use a single data source. A supply chain system cluster, however, has data interaction between systems. If this approach is used, first, every remote interface has to add the user parameters needed to assemble the dynamic SQL, which complicates the interfaces; second, a service that provides a data source to multiple applications will find it hard to accommodate those applications' different data permission requirements; finally, the permission decisions scattered through the dynamic SQL become even harder to manage, and are likewise hard to adapt to changing permission management requirements.
No effective solution has yet been proposed to the problem that data permission control systems in the related art are complex to maintain and cannot provide complex, fine-grained data permission control.
Summary of the invention
No effective solution has yet been proposed to the problem that data permission control systems in the related art are complex to maintain and cannot provide complex, fine-grained data permission control. To this end, the main purpose of this application is to provide an authority control method, device and system that solve the above problem.
To achieve this purpose, according to one aspect of this application, an authority control method is provided. The method comprises: an application server obtains the user information of a logged-in user; the application server combines the user information with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter; the application server sends a data permission verification request carrying the data permission verification parameter to a public authority server to carry out the data permission query, so as to obtain the data access rule object corresponding to the application data access entry identifier; the application server receives and parses the data access rule object to obtain a data permission query condition; the application server weaves the data permission query condition into the permission query SQL statement corresponding to the application data access entry identifier to obtain a new query statement under data permission control, and queries with this new statement to obtain the data query result corresponding to the user information.
Further, before the application server combines the user information with the application data access entry identifier that requires a data permission query to obtain the data permission verification parameter, the method also comprises: the application server loads an interception marker onto the application data access entry identifier that requires the data permission query, and sets a data permission interception aspect in the class library; after the data permission verification function is triggered, the application server recognizes the first interception marker and thereby triggers the data permission interception aspect, so as to intercept the permission query SQL statement corresponding to the application data access entry identifier that carries this first interception marker.
Further, the step in which the application server sends the data permission verification request carrying the data permission verification parameter to the public authority server to carry out the data permission query, so as to obtain the data access rule object corresponding to the application data access entry identifier, comprises: the public authority server receives the data permission verification request; the public authority server queries the data permission rule list according to the user information and the application data access entry identifier in the data permission verification parameter, to obtain the data access rule object corresponding to the current data permission verification request; wherein the data permission rule list is a preset data table that stores the mapping relationships among one or more groups of user information, application data access entry identifiers and data access rule objects.
Further, after the application server obtains the user information of the logged-in user, the method also comprises: the application server performs user identity verification according to the user information; if the user identity verification passes, the method proceeds to the step of obtaining the data permission verification request; wherein the step in which the application server performs user identity verification according to the user information comprises: obtaining the user verification request sent by the client, the user verification request including the user information; and sending the user information to a common user server for a query, to confirm whether the user identity in the current user verification request is legitimate.
Further, before the application server combines the user information with the application data access entry identifier that requires a data permission query to obtain the data permission verification parameter, the method also comprises: the application server performs function permission verification according to the user information; wherein the step of performing function permission verification according to the user information comprises: the application server combines the obtained user information with the application function entry identifier that requires function permission verification, to obtain a function permission verification parameter; and sends a function permission verification request carrying the function permission verification parameter to the public authority server for function permission verification, to obtain the function permission verification result corresponding to the function permission verification request.
Further, before the obtained user information is combined with the application function entry identifier that requires function permission verification to obtain the function permission verification parameter, the method also comprises: the application server loads a second interception marker onto the application function entry identifier that requires function permission verification, and sets a function permission interception aspect in the class library; after the function permission verification function is triggered, the application server recognizes the second interception marker and thereby triggers the function permission interception aspect, so as to intercept the permission query SQL statement corresponding to the application function entry identifier that carries this second interception marker.
Further, the step of sending the function permission verification request carrying the function permission verification parameter to the public authority server for function permission verification, to obtain the function permission verification result corresponding to the function permission verification request, comprises: the public authority server receives the function permission verification request; the public authority server queries the function permission rule list according to the user information and the application function entry identifier in the function permission verification parameter, to obtain the function permission verification result corresponding to the current function permission verification request; wherein the function permission rule list is a preset data table that stores the mapping relationships among one or more groups of user information, application function entry identifiers and function permission verification results.
To achieve the above purpose, according to another aspect of this application, a permission control device is provided. The device comprises: an acquisition module, for obtaining the user information of a logged-in user; a first combination module, for combining the user information with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter; a query module, for sending a data permission verification request carrying the data permission verification parameter to a public authority server to carry out the data permission query, so as to obtain the data access rule object corresponding to the application data access entry identifier; a parsing module, for receiving and parsing the data access rule object to obtain a data permission query condition; and a processing module, by which the application server weaves the data permission query condition into the permission query SQL statement corresponding to the application data access entry identifier to obtain a new query statement under data permission control, and queries with this new statement to obtain the data query result corresponding to the user information.
Further, the device also comprises: a first setting module, for loading an interception marker onto the application data access entry identifier that requires the data permission query, and setting a data permission interception aspect in the class library; and a first interception module, for recognizing the first interception marker after the data permission verification function is triggered and thereby triggering the data permission interception aspect, so as to intercept the permission query SQL statement corresponding to the application data access entry identifier that carries this first interception marker.
Further, the device also comprises: a verification module, for performing user identity verification according to the user information. The verification module comprises: an acquisition module, for obtaining the user verification request sent by the client, the user verification request including the user information; and an identity query module, for sending the user information to a common user server for a query, to confirm whether the user identity in the current user verification request is legitimate.
Further, the device also comprises: a function permission verification module, which performs function permission verification according to the user information; wherein the function permission verification module comprises: a second combination module, for combining the obtained user information with the application function entry identifier that requires function permission verification, to obtain a function permission verification parameter; and a function query module, for sending a function permission verification request carrying the function permission verification parameter to the public authority server for function permission verification, to obtain the function permission verification result corresponding to the function permission verification request.
Further, the device also comprises: a second setting module, for loading a second interception marker onto the application function entry identifier that requires function permission verification, and setting a function permission interception aspect in the class library; and a second interception module, for recognizing the second interception marker after the function permission verification function is triggered and thereby triggering the function permission interception aspect, so as to intercept the permission query SQL statement corresponding to the application function entry identifier that carries this second interception marker.
To achieve the above purpose, according to another aspect of this application, an authority control system is provided. The system comprises: an application server, for obtaining the user information of a logged-in user and combining the user information with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter; and a public authority server, for receiving the data permission verification request carrying the data permission verification parameter sent by the application server, and carrying out the data permission query according to that request, to obtain the data access rule object corresponding to the data permission verification request; wherein, after receiving the data access rule object returned by the public authority server, the application server parses it to obtain a data permission query condition, weaves the data permission query condition into the permission query SQL statement corresponding to the application data access entry identifier to obtain a new query statement under data permission control, and then queries with this new statement to obtain the data query result corresponding to the user information.
Further, the application server loads an interception marker onto the application data access entry identifier that requires the data permission query and sets a data permission interception aspect in the class library; after the data permission verification function is triggered, it recognizes the first interception marker and thereby triggers the data permission interception aspect, so as to intercept the permission query SQL statement corresponding to the application data access entry identifier that carries this first interception marker.
Further, the system also comprises: a common user server, for obtaining the user verification request sent by the application server, the user verification request including the user information, and performing a query according to the user information, to confirm whether the user identity in the current user verification request is legitimate.
Further, the public authority server also comprises: a function permission verification device, for receiving the function permission verification request carrying the function permission verification parameter sent by the application server, and performing function permission verification according to that request, to obtain the function permission verification result corresponding to the function permission verification request; wherein the application server obtains the function permission verification parameter by combining the obtained user information with the application function entry identifier that requires function permission verification.
In this application, the application server obtains the user information of a logged-in user; combines the user information with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter; sends a data permission verification request carrying that parameter to the public authority server to carry out the data permission query, so as to obtain the data access rule object corresponding to the application data access entry identifier; receives and parses the data access rule object to obtain a data permission query condition; and weaves the data permission query condition into the permission query SQL statement corresponding to the application data access entry identifier to obtain a new query statement under data permission control, with which it queries to obtain the data query result corresponding to the user information. The above embodiment provides a public authority server that is independent of each application subsystem and through which data permission is controlled and managed in a unified way. Once the user information and the application data access entry identifier have been obtained, data permission verification can be carried out to obtain the current user's data access rule object, which is used to decide whether the current user executes the triggered data permission function and to run the corresponding query function. After the application server receives the returned data access rule object, it can implement the required data permission control according to that object. Because data permission control is configured, managed and set in a unified way by the public authority server, this solves the problem that data permission control systems in the related art are complex to maintain and cannot provide complex, fine-grained data permission control; it provides a permission service that can be deployed independently and configured and managed uniformly, and achieves fine-grained data permission control.
Brief description of the drawings
The accompanying drawings described here provide a further understanding of this application and form part of it. The schematic embodiments of this application and their descriptions serve to explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a schematic structural diagram of the authority control system according to an embodiment of this application;
Fig. 2 is a schematic framework diagram of data permission rule management according to the embodiment shown in Fig. 1;
Fig. 3 is a schematic framework diagram of the data access rules according to the embodiments shown in Fig. 1 and Fig. 2;
Fig. 4 is a flowchart of the authority control method according to an embodiment of this application;
Fig. 5 is a detailed business flowchart for orders according to the authority control method of the embodiment shown in Fig. 4;
Fig. 6 is a detailed flowchart of data permission verification SQL interception on the application server side according to the embodiment shown in Fig. 4;
Fig. 7 is a schematic structural diagram of the permission control device according to an embodiment of this application.
Detailed description of the embodiments
It should be noted that, where they do not conflict, the embodiments in this application and the features in those embodiments can be combined with one another. The application is described in detail below with reference to the drawings and in conjunction with the embodiments.
Fig. 1 is a schematic structural diagram of the authority control system according to an embodiment of this application.
As shown in Fig. 1, the authority control system comprises: an application server, for obtaining the user information of a logged-in user and combining the user information with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter; and a public authority server, for receiving the data permission verification request carrying the data permission verification parameter sent by the application server, and carrying out the data permission query according to that request, to obtain the data access rule object corresponding to the data permission verification request; wherein, after receiving the data access rule object returned by the public authority server, the application server parses it to obtain a data permission query condition, weaves the data permission query condition into the permission query SQL statement corresponding to the application data access entry identifier to obtain a new query statement under data permission control, and then queries with this new statement to obtain the data query result corresponding to the user information.
The above embodiment of this application gives the authority control system a public authority server that is independent of each application subsystem and through which data permission is controlled and managed in a unified way. Once the user information and the application data access entry identifier have been obtained, data permission verification can be carried out to obtain the current user's data access rule object, which is used to decide whether the current user executes the triggered data permission function and to run the corresponding data query function. After the application server receives the returned data access rule object, it can implement the required data permission control according to that object. Because data permission control is configured, managed and set in a unified way by the public authority server, this solves the problem that data permission control systems in the related art are complex to maintain and cannot provide complex, fine-grained data permission control; it provides a permission service that can be deployed independently and configured and managed uniformly, and achieves fine-grained data permission control. Because the permission control functions of a supply chain system are complex, its user types are numerous and its data permission requirements are strict, a public authority server is needed to control and manage data permission in a unified way.
Preferably, the application server loads an interception marker onto the application data access entry identifier that requires the data permission query and sets a data permission interception aspect in the class library; after the data permission verification function is triggered, it recognizes the first interception marker and thereby triggers the data permission interception aspect, so as to intercept the permission query SQL statement corresponding to the application data access entry identifier that carries this first interception marker. This embodiment mainly uses SQL interception, which analyzes and modifies SQL query statements dynamically so that data permission control information is woven in at data access time.
Specifically, in a multi-system cluster the public authority server of the embodiment shown in Fig. 1 is a system, independent of each application system, that provides common permission management and verification services: it configures and manages the permission information of the other application systems in a unified way and provides the remote interface and implementation of permission verification. The application server can include the class library (a second-party library) provided for implementing the public authority service, and uses aspect-oriented programming to intercept the data permission verification function entry. (Aspect-oriented programming here means extracting the query function in the business process into an aspect that is verified by data permission, that is, extracting and separating the query function of a given aspect so that the parts of the logic are isolated from one another with low coupling.) It then performs data permission verification by calling the data permission verification interface, to obtain the current user's permission grant and permission information. The permission grant determines whether the function is executed, and the permission information (the data access rule object) is used to modify the SQL query statement on the application server.
In the above embodiment of this application, the public authority server can carry out the data permission query by querying the data permission rule list according to the user information and the application data access entry identifier recorded in the data permission verification parameter of the data permission verification request, thereby obtaining the data access rule object corresponding to the current data permission verification request; wherein the data permission rule list is a preset data table that stores the mapping relationships among one or more groups of user information, application data access entry identifiers and data access rule objects.
Fig. 2 is a schematic framework diagram of data permission rule management according to the embodiment shown in Fig. 1; Fig. 3 is a schematic framework diagram of the data access rules according to the embodiments shown in Fig. 1 and Fig. 2.
In the above embodiment, the common user service system of the public authority server performs unified configuration management of the permissions of the application service systems of all application servers and provides them with a unified permission verification service; the common user service system provides a user verification service to the application service system and provides the public authority server's system with the service of obtaining the user information needed to configure permissions; and the application service system provides the public authority service system with the service of obtaining the data access rule objects needed to configure data permissions.
As shown in Fig. 2, data permission configuration management is the unified configuration management, by the public authority server system, of the data permissions of the application server system. Configuring a data permission requires obtaining the user information and the information of the data access rule objects in the application server system, and then recording in the common user service system the mapping between user information rules and data object access rules.
As shown in Fig. 2, the core of data permission management in this embodiment is the data access rule list. This data permission rule list stores the mapping between user information rules and data rule objects and is used to analyze a user's data permissions. It mainly contains three things: the data access entry, the user object rule, and the data access rule object. When configuring a data permission, the public authority service system needs to obtain the user information of the user object from the common user server's system and the information of the data object from the application service system. The data access entry is the specification of data-layer access. The user information of the user object and the data structure of the application system's data object are obtained through reflection and filled into the user object rule and the data access rule object respectively. The data access entry uniquely identifies the SQL of a data access on the application server. In addition, the permission system provides a set of mapping modes, such as equal to, greater than, less than, within a range, and character matching.
Specifically, with reference to the embodiments shown in Figs. 1 and 2, the detailed steps of the data permission verification process are:
A. The application service system obtains the user profile from the common user system and, using this user profile together with the application data access entrance sign as the query parameter, calls the data permission verification service provided by the public authority service system;
B. The public authority service system queries the data permission rule list with the query parameter, matches the user rule information, and returns the data access rule objects found by the query to the application service system;
C. The application service system uses the class library provided by the public authority service system (the authority two side storehouses) to parse the data access rule objects into SQL fragments, intercepts the authority query SQL statement and cuts the fragments into it, so that data permission control is achieved by dynamically modifying the data object fields or the query conditions of the SQL.
As shown in Fig. 3, the application takes an order project as an example to describe in detail the configuration process of a data permission, i.e. the process of generating a data access rule. Here, the data access entrance is: view the order list; the user object rule is: personnel of the supply chain apparel industry who are responsible for operating each category; the data access rule object is: a user may view only the orders of the categories of their own industry that they are responsible for, and may not view the settlement price field. The concrete steps of the configuration process are as follows:
1. Configure the data access entrance: it is identical to the ID of the SQL used for data access on the application server side, for example: lpscm.order.get_orders_by_query.
2. User object rule: because industry and category information is used as the user rule of the data permission, the system of the common user server needs to provide the association between users and industry categories, together with the class library of this aggregate entity. The public authority service system obtains the user's industry and category attribute fields by reflection, for example: UserRule: User.cat.
3. Data access rule object: because industry and category information is used as the data access rule object of the data permission, the order application service needs to provide the association between orders and industry categories, together with the class library of this aggregate entity. The permission system obtains the industry and category attribute fields of the order by reflection, for example: WhereClause: Order.Cat; SelectClause: Order.settle.
4. Mapping rule: the condition-restriction match type WhereMatchType is configured as Equal, meaning that the user rule and the data object access rule are matched by equality; the field-filtering rule SelectFileType is Cut, meaning that the settle field of the Order object is removed from the query result.
Preferably, as shown in Fig. 1, the above authority verification system may also comprise a common user server, configured to obtain the user verification request sent by the application server, the request containing the user profile, and to perform a query according to the user profile in order to confirm whether the user identity in the current user verification request is legitimate. In this embodiment, the user verification request of the application server is handled by a third-party common user server, which returns the verification result to the application server once it has obtained it. Of course, in a concrete implementation the application server may also perform the identity verification locally.
Preferably, as shown in Fig. 1, after the application server has completed identity verification and obtained the user profile of the login user, and before the public authority server performs the data permission verification function, function privilege verification may be carried out according to the user profile; when the function privilege verification result is "verified", the data permission checking request is obtained and the data permission verification function is entered. That is, the public authority server in the above embodiments may also comprise a function privilege verification device, configured to receive the function privilege checking request, carrying the function privilege certificate parameter, that is sent by the application server, and to verify the function privilege according to that request in order to obtain the corresponding function privilege verification result. The application server obtains the function privilege certificate parameter by combining the user profile it has obtained with the application function entrance sign for which function privilege verification is required. On top of controlling the data permissions with which a user accesses system data objects, this embodiment can therefore also control function privileges, i.e. a user's authority to access a particular page or function of the system.
In the above embodiments, function privilege verification for the application server is handled by a third-party public authority server, which returns the verification result to the application server once it has obtained it. Of course, in a concrete implementation the application server may also perform the function privilege verification locally.
As can be seen from the above, the application provides a public authority service for a system cluster. In the implementation, the user's data permission information is matched against the rules of the data objects being accessed, and the interception mechanism provided by Spring is used to dynamically modify the SQL statement with the SQL fragment returned by the authority service, so that the application system does not need to concern itself with the user profile: through the same function entrance, different users obtain different data permissions. This both overcomes the usage dependence and the dependence of middleware on the application, providing an authority service that can be deployed independently and configured and managed in a unified way, and innovates on and extends the traditional RBAC authority control scheme: data access behaviour is managed through the list that maps user rules to data object access rules, achieving fine-grained data permission control.
Fig. 4 is a flowchart of the authority control method according to an embodiment of the present application.
As shown in Fig. 4, the method comprises the following steps:
Step S102: the application server in Fig. 1 obtains the user profile of the login user.
Step S104: the application server in Fig. 1 combines this user profile with the application data access entrance sign for which a data permission query is required, to obtain the data permission certificate parameter.
Step S106: the application server in Fig. 1 sends the data permission checking request carrying this data permission certificate parameter to the public authority server for a data permission query, to obtain the data access rule objects corresponding to the application data access entrance sign.
Step S108: the application server in Fig. 1 receives and parses the data access rule objects, to obtain a new data permission querying condition.
Step S110: the application server in Fig. 1 cuts the data permission querying condition into the authority query SQL statement corresponding to this application data access entrance sign, to obtain a new query statement subject to data permission control, and queries with this new statement to obtain the data query result corresponding to the user profile.
In the above embodiments of the present application, the verification of the data permissions enforced on the application server is performed by a public authority server that is independent of each application subsystem, and unified control and management of data permissions is implemented on this public authority server. When the application server sends the user profile and the application data access entrance sign to the public authority server, the public authority server verifies the data permission according to the received user profile and application data access entrance sign, determines the data permission function that the current user has triggered, performs the corresponding data query function, and returns the data access rule objects obtained for the current user. After receiving the returned data access rule objects, the application server can implement the required data permission control function according to them. Because data permission control is configured, managed and set in a unified way by the public authority server, this solves the problems of the related art, in which data permission control systems are complicated to maintain and cannot meet complex, fine-grained data permission control requirements; an authority service that can be deployed independently and configured and managed in a unified way is thereby realized, achieving fine-grained data permission control.
In the above embodiments of the present application, before the application server combines the user profile with the application data access entrance sign for which a data permission query is required to obtain the data permission certificate parameter, the method may also comprise the following steps: the application server marks the application data access entrance for which a data permission query is to be carried out with a first interception mark, and a data permission interception tangent plane (an aspect, in aspect-oriented programming terms) is set in the class library; after the data permission verification function is triggered, the application server recognizes the first interception mark and thereby triggers the data permission interception tangent plane, which intercepts the application data access entrance sign in the authority query SQL statement (which may also be an independent data permission query SQL statement) corresponding to the application data access entrance sign carrying this first interception mark, and sends this application data access entrance sign to the public caching server. The above embodiment provides the remote interface and the implementation of data permission verification. The class library provided for the public authority service (i.e. the two side storehouses) can be introduced into the application server. The data permission verification tangent plane intercepts the data permission verification function entrance and performs data permission verification by calling the data permission verification interface, to obtain the current user's authority license and authority information. The authority license determines whether the function is executed; the authority information (i.e. the data access rule objects) is used to modify the SQL query statement on the application server; finally, the data verification query result is obtained with the newly obtained query statement.
In the above embodiments of the present application, the step in which the application server sends the data permission checking request carrying the above data permission certificate parameter to the public authority server for a data permission query, to obtain the data access rule objects corresponding to the application data access entrance sign, may comprise: the public authority server receives the data permission checking request; the public authority server queries the data permission rule list using the user profile and the application data access entrance sign recorded in the data permission certificate parameter of the data permission checking request, to obtain the data access rule objects corresponding to the current data permission checking request. The data permission rule list is a preset data table that stores one or more groups of mapping relations between user profile, application data access entrance sign and data access rule objects.
The above embodiment provides the data permission rule list. Through this list, the common user service system of the public authority server performs unified configuration management of the data permissions of the application service systems of all application servers and provides a unified data permission verification service for them. When a data permission is configured, the user profile and the information of the data access rule objects in the application server system must be obtained, and the mapping between user rule information and data object access rules is then recorded in the common user service system. After the application server sends a data permission checking request, the data permission rule list is queried using the user profile and the application data access entrance sign recorded in the request, thereby obtaining the data access rule objects corresponding to the current data permission checking request.
In the above embodiments of the present application, after the application server obtains the user profile of the login user, the method may also comprise the following steps: the application server performs user identity verification according to the user profile; if the user identity verification passes, the step of obtaining data permission verification is entered, and the corresponding authority query SQL statement can be intercepted according to the interception mark. The step in which the application server performs user identity verification according to the received user profile may comprise: the application server obtains the user verification request sent by the client, the request containing the user profile; the user profile is sent to the common user server for a query, to confirm whether the user identity in the current user verification request is legitimate. In this embodiment, the common user service system provides a user verification service for the application service system, and provides the system of the public authority server with the service of obtaining the user profile needed to configure authority.
In the above embodiments of the present application, before the application server combines the user profile with the application data access entrance sign for which a data permission query is required to obtain the data permission certificate parameter, the method may also comprise the following steps: the application server saves this user profile; when the user profile has been verified, the application server performs function privilege verification according to the recorded user profile. Specifically, the step of performing function privilege verification according to the recorded user profile may comprise: the application server combines the user profile it has obtained with the application function entrance sign for which function privilege verification is required, to obtain the function privilege certificate parameter; the function privilege checking request carrying this function privilege certificate parameter is sent to the public authority server for function privilege verification, to obtain the function privilege verification result corresponding to the request. In this embodiment, in addition to data permission verification, the application service system also carries out function privilege verification, for which the required function privilege verification access rule list is configured.
It follows that the above embodiments of the present application can carry out user authority verification and/or function privilege verification before data permission verification. That is, the application server can enter the data permission verification process directly according to the user profile it has obtained, or it can first carry out user identity verification and/or function privilege verification and, when the result is "verified", enter the step of obtaining the data permission checking request and begin sending the data permission checking request.
Preferably, in the above embodiments of the present application, before the user profile obtained is combined with the application function entrance sign for which function privilege verification is required to obtain the function privilege certificate parameter, the method may also comprise: the application server loads a second interception mark on the application function entrance sign for which the function privilege verification is to be carried out, and a function privilege interception tangent plane is set in the class library; after the function privilege verification function is triggered, the application server recognizes the second interception mark and thereby triggers the function privilege interception tangent plane, which intercepts the authority query SQL statement (which may also be an independent function privilege query SQL statement) corresponding to the application function entrance sign carrying this second interception mark; finally, the function privilege certificate parameter is sent to the public caching server.
In the above embodiments of the present application, the step of sending the function privilege checking request carrying the function privilege certificate parameter to the public authority server for function privilege verification, to obtain the function privilege verification result corresponding to the request, comprises: the public authority server receives the function privilege checking request; the public authority server queries the function privilege rule list using the user profile and the application function entrance sign recorded in the function privilege certificate parameter of the function privilege checking request, to obtain the function privilege verification result corresponding to the current function privilege checking request. The function privilege rule list is a preset data table that stores one or more groups of mapping relations between user profile, application function entrance sign and function privilege verification result.
The above embodiment provides a function privilege rule list. Through this list, the common user service system of the public authority server performs unified configuration management of the function privileges of the application service systems of all application servers and provides a unified function privilege verification service for them. When a function privilege is configured, the user profile and the information of the function verification result in the application server system must be obtained, and the mapping between user information and function verification result is then recorded in the common user service system.
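The function privilege check described above, as an added Python example (not code from the patent, whose embodiment relies on Spring interception): one decorator plays the interception mark, a second plays the function privilege interception tangent plane (aspect), and the rule list is keyed by user information plus the function entrance sign. The group name, site and URL values and the rule list contents are constructed for illustration; treating a missing rule or an unreachable authority server as "not verified" is an assumption the page does not state.

```python
import functools

# Function privilege rule list (constructed sample): maps
# (user group, site ID, URL ID) to the function privilege verification result.
FUNCTION_RULES = {
    ("apparel-ops", "order-site", "/order/list"): True,
    ("apparel-ops", "order-site", "/order/export"): False,
}


class FunctionPermissionService:
    """Stand-in for the function privilege query on the public authority server."""

    def __init__(self, rules):
        self.rules = rules
        self.available = True
        self.requests = []          # every verification request received

    def verify(self, params):
        if not self.available:
            raise ConnectionError("authority server unreachable")
        self.requests.append(params)
        key = (params["user"].get("group"), params["site"], params["url"])
        return self.rules.get(key, False)   # no configured rule: not verified


def function_entry(site, url):
    """Interception mark: tag a handler with its function entrance sign."""
    def mark(handler):
        handler.function_entry = (site, url)
        return handler
    return mark


def function_privilege_aspect(service):
    """Interception aspect: verify the privilege before a marked handler runs."""
    def weave(handler):
        entry = getattr(handler, "function_entry", None)
        if entry is None:
            # Refuse to wrap an unmarked handler instead of silently skipping it.
            raise ValueError(f"{handler.__name__} carries no interception mark")

        @functools.wraps(handler)
        def guarded(user, *args, **kwargs):
            # Function privilege certificate parameter: user profile + entrance sign.
            params = {"user": user, "site": entry[0], "url": entry[1]}
            try:
                verified = service.verify(params)
            except ConnectionError:
                verified = False            # assumption: fail closed
            if not verified:
                raise PermissionError(f"function {entry[1]} denied")
            return handler(user, *args, **kwargs)
        return guarded
    return weave


SERVICE = FunctionPermissionService(FUNCTION_RULES)


@function_privilege_aspect(SERVICE)
@function_entry("order-site", "/order/list")
def list_orders(user):
    return f"order list for {user['name']}"


@function_privilege_aspect(SERVICE)
@function_entry("order-site", "/order/export")
def export_orders(user):
    return f"order export for {user['name']}"


if __name__ == "__main__":
    print(list_orders({"name": "op1", "group": "apparel-ops"}))
```

Because the aspect raises on a handler without a mark, an entrance that was never registered shows up at start-up rather than running unchecked.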
Fig. 5 is a detailed business flowchart of the order authority control method according to the embodiment shown in Fig. 4; Fig. 6 is a detailed flowchart of the SQL interception performed for data permission verification on the application server side according to the embodiment shown in Fig. 4.
As shown in Fig. 5, the application is described in detail on the basis of an order application example. When personnel of the household industry who are responsible for clothing objects query orders in the order system, the process by which the order application system uses the public authority service system to perform authority verification comprises the following steps, which include the identity verification process, the function privilege verification process and the data permission verification process. The concrete implementation steps are as follows:
First, the user logs in to the order application system on the application server, and the order application system calls the common user system on the common user server to verify the user's identity; once identity verification passes, the order function is entered and the system records the user information.
Then, the user triggers the order query function by clicking a function button in the order application system, which produces a function privilege checking request. The function privilege checking request sent by the order application system is intercepted by the function privilege verification tangent plane in the authority two side storehouses that have been introduced. The function privilege verification tangent plane calls the function privilege inquiry system in the public authority server and sends it the user profile and the application function entrance sign (which consists of two parts, a site identity and a Url sign) contained in the function privilege checking request. The function privilege inquiry system queries the function privilege configuration records according to the received user profile and application function entrance sign, verifies the function privilege and returns the result "verified", so that the order application system continues on to execute the data query function.
Next, when the function privilege verification result is "verified", the user begins to execute the order data permission query function through the order application system. When the "order data object query entrance" is called, the order application system is intercepted by the data permission verification tangent plane in the authority two side storehouses that have been introduced. The data permission verification tangent plane intercepts the execution of the SQL query statement and calls the permission system service to perform data permission verification, sending the user profile and the application data access entrance sign (i.e. the order data object query entrance sign SQL_id) contained in the data permission checking request to the public authority server. The data permission inquiry system queries the data access rule list according to the received user profile and order data object query entrance sign, verifies the data permission, and returns the data access rule objects to the order application system in the application server.
Finally, the data permission verification tangent plane of the authority two side storehouses in the order application system parses the returned data access rule objects, cuts the SQL fragment into the original SQL statement, and executes the query after this dynamic modification, thereby obtaining the data permission verification result.
Specifically, as shown in Fig. 6, in the data permission verification process of the order application system in the above embodiments, the principle and process of SQL interception and cut-in comprise the following implementation steps:
First, the authority two side storehouses apply tangent plane (aspect) interception to Spring's SQLExecutor; when the order application system calls the order data entrance and executes SQLExecutor, the data permission tangent plane takes out the SQL statement and holds it temporarily in an SQL object. For example, the intercepted SQL content here may be as follows:
[Figure BDA00001843074300111: intercepted SQL statement; image not reproduced in this text]
Then, the data permission tangent plane calls the permission system to perform data permission verification, and the data access rule objects obtained carry the sql fragment. The data access rule objects in the example comprise two parts, a where modification rule and a select modification rule: WhereRule: Order.cat=#user.cat#; SelectRule: settle[CUT]. After the where rule is parsed, order.cat=#user.cat# is added to the original sql, where the value of user.cat is read from the user object and is "fuzhuang", so " and cat=' jia ju.chufang ' " is cut into the where part of the sql; after the select rule is parsed, the "settle" field is removed from the query in the original sql, so that the value of this field in the query result is empty. Specifically, the content of the dynamic SQL cut-in in this embodiment is as follows:
[Figure BDA00001843074300121: SQL statement after the dynamic cut-in; image not reproduced in this text]
Finally, execution continues with the modified sql statement, which achieves the effect that only order records of the household industry kitchen articles category are queried and that the settlement price is masked in the result set, realizing control over the order data permissions of household industry kitchen articles category personnel.
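An added example, not code from the patent (the two figures holding the original and the rewritten SQL are missing from this text): a Python/sqlite3 sketch of steps A to C and the order configuration above, in which the rule object stored for lpscm.order.get_orders_by_query is cut into the registered statement. The table layout, sample rows and user values are constructed; binding the user attribute as a parameter, checking rule fields against the statement's own columns, refusing when no rule matches, and returning NULL for a Cut field are assumptions about one safe way to perform the cut-in.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class DataAccessRule:
    where_field: str        # WhereClause column (Order.Cat -> "cat")
    user_attr: str          # UserRule attribute (User.cat -> "cat")
    where_match_type: str   # WhereMatchType, "Equal" in the order example
    cut_fields: tuple = ()  # SelectClause columns whose rule is Cut


# WhereMatchType -> SQL operator; only "Equal" is named on the page.
MATCH_OPERATORS = {"Equal": "="}

ENTRY_ID = "lpscm.order.get_orders_by_query"

# Data permission rule list held by the authority server, keyed by entrance ID.
RULE_LIST = {ENTRY_ID: DataAccessRule("cat", "cat", "Equal", ("settle",))}

# Statement registered under the same SQL ID (constructed table and columns).
STATEMENTS = {ENTRY_ID: {"table": "orders",
                         "columns": ("id", "cat", "buyer", "settle"),
                         "where": "status = ?"}}


def lookup_rule(entry_id, user):
    """Authority-server side: return the rule object, or refuse (fail closed)."""
    rule = RULE_LIST.get(entry_id)
    if rule is None or user.get(rule.user_attr) in (None, ""):
        raise PermissionError(f"no data permission for entry {entry_id!r}")
    return rule


def rewrite(entry_id, user, params=()):
    """Application side: cut the rule object into the registered statement."""
    rule = lookup_rule(entry_id, user)
    stmt = STATEMENTS[entry_id]
    operator = MATCH_OPERATORS.get(rule.where_match_type)
    known = set(stmt["columns"])
    # Identifiers from the rule are accepted only if the statement declares them.
    if operator is None or rule.where_field not in known \
            or not set(rule.cut_fields) <= known:
        raise PermissionError("rule object does not fit the statement")
    # Cut: keep the result shape but return an empty value for the field.
    select_list = ", ".join(
        f"NULL AS {col}" if col in rule.cut_fields else col
        for col in stmt["columns"])
    # Parenthesise the original condition so an OR in it cannot bypass the rule;
    # the user attribute travels as a bound parameter, never as SQL text.
    sql = (f"SELECT {select_list} FROM {stmt['table']} "
           f"WHERE ({stmt['where']}) AND {rule.where_field} {operator} ?")
    return sql, tuple(params) + (user[rule.user_attr],)


def demo_db():
    """Constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders "
                 "(id INTEGER, cat TEXT, buyer TEXT, settle REAL, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, "fuzhuang", "buyer-a", 80.0, "paid"),
        (2, "jiaju", "buyer-b", 120.0, "paid"),
        (3, "fuzhuang", "buyer-c", 45.5, "cancelled"),
    ])
    return conn


def query_orders(conn, user, status="paid"):
    sql, bound = rewrite(ENTRY_ID, user, (status,))
    return conn.execute(sql, bound).fetchall()


if __name__ == "__main__":
    print(query_orders(demo_db(), {"name": "op1", "cat": "fuzhuang"}))
```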
Here, the "two side storehouses" (Er Fangku, i.e. a second-party library) in the above embodiments refers to class libraries that are provided to the users of a service when systems cooperate with each other, so that the service functions can be realized.
It should be noted that the steps shown in the flowcharts of the accompanying drawings can be executed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
Fig. 7 is a schematic structural diagram of the permission control device according to an embodiment of the present application. As shown in Fig. 7, the application also provides a permission control device, which specifically may be the application server in the above embodiments.
This permission control device comprises: an acquisition module 10, for obtaining the user profile of the login user; a first composite module 30, for combining the user profile with the application data access entrance sign for which a data permission query is required, to obtain the data permission certificate parameter; an enquiry module 50, for sending the data permission checking request carrying the data permission certificate parameter to the public authority server for a data permission query, to obtain the data access rule objects corresponding to the application data access entrance sign; a parsing module 70, for receiving and parsing the data access rule objects, to obtain the data permission querying condition; a processing module 90, for cutting the data permission querying condition into the authority query SQL statement corresponding to the application data access entrance sign on the application server, to obtain a new query statement subject to data permission control, and for querying with this new statement to obtain the data query result corresponding to the user profile. (Modules 50 and 70 in Fig. 7 need to be modified accordingly.)
The above embodiments of the present application provide the authority control system with a public authority server that is independent of each application subsystem, and unified control and management of data permissions is implemented through this public authority server. Once the user profile and the application data access entrance sign have been obtained, the data permission can be verified to obtain the current user's data access rule objects, which are used to determine whether the current user may execute the triggered data permission function and to perform the corresponding query function. After receiving the returned data access rule objects, the application server can implement the required data permission control function according to them. Because data permission control is configured, managed and set in a unified way by the public authority server, this solves the problems of the related art, in which data permission control systems are complicated to maintain and cannot meet complex, fine-grained data permission control requirements; an authority service that can be deployed independently and configured and managed in a unified way is thereby realized, achieving fine-grained data permission control.
The device of the above embodiments of the present application may also comprise: a first setting module, for loading the interception mark on the application data access entrance sign for which a data permission query is to be carried out, and for setting the data permission interception tangent plane in the class library; a first blocking module, for recognizing the first interception mark after the data permission verification function is triggered and thereby triggering the data permission interception tangent plane, which intercepts the authority query SQL statement corresponding to the application data access entrance sign carrying this first interception mark.
The device of the above embodiments of the present application may also comprise: an authentication module 110, for performing user identity verification according to the user profile. This authentication module may comprise: an acquisition module, for obtaining the user verification request sent by the client, the request containing the user profile; an identity query module, for sending the user profile to the common user server for a query, to confirm whether the user identity in the current user verification request is legitimate.
The device of the above embodiments of the present application may also comprise: a saving module, for saving this user profile; a function privilege authentication module 130, for performing function privilege verification according to the user profile. This function privilege authentication module may comprise: a second composite module, for combining the user profile obtained with the application function entrance sign for which function privilege verification is required, to obtain the function privilege certificate parameter; a functional inquiry module, for sending the function privilege checking request carrying the function privilege certificate parameter to the public authority server for function privilege verification, to obtain the function privilege verification result corresponding to the request.
Preferably, in a concrete implementation of the above embodiments of the present application, the application server saves the user profile it has obtained once the user profile has been verified.
The device of the above embodiments of the present application may also comprise: a second setting module, for loading the second interception mark on the application function entrance sign for which function privilege verification is to be carried out, and for setting the function privilege interception tangent plane in the class library; a second blocking module, for recognizing the second interception mark after the function privilege verification function is triggered and thereby triggering the function privilege interception tangent plane, which intercepts the authority query SQL statement corresponding to the application function entrance sign carrying this second interception mark.
As can be seen from the above description, the present application achieves the following technical effects. A public authority service can be provided for a cluster of systems, with the permission system deployed independently of the other application systems. The permission system obtains the user profile by accessing the unified user service, obtains the object structure that requires data permission control by accessing the application's interface, and matches users to data objects, so that data permissions are configured and managed in one place.
By contrast, the authority control method implemented in the present application focuses on the application's underlying data objects: an application that needs data permission control exposes its underlying data object structure, so that the permission system can achieve this fine-grained permission control by configuring data access rules. For example, two salespeople can both query transaction order records, but because they belong to different regions each can only view the orders of their own region; or the two differ in rank, so that a manager can view all orders while a salesperson can only view their own orders and can only create orders whose transaction amount is below a certain value. RBAC-style permission management cannot meet permission control requirements of this complexity.
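The sales scenario above, as an added example that is not part of the patent text: a Python decorator stands in for the interception marker and aspect, an in-process dictionary for the public authority server's rule table, and SQLite for the application database. The roles, the rule object format, the field and operator allowlists and the table schema are all assumptions made for illustration.

```python
import sqlite3
from functools import wraps

# Constructed rule table standing in for the public authority server's data
# permission rule table: (role from user profile, entry identifier) -> rule object.
RULE_TABLE = {
    ("manager", "order.list"): {"conditions": []},            # sees every order
    ("regional_sales", "order.list"): {"conditions": [
        {"field": "region", "op": "=", "from_user": "region"}]},
    ("sales", "order.list"): {"conditions": [
        {"field": "owner", "op": "=", "from_user": "user_id"}]},
}

# Rule objects arrive from another service, so column names and operators are
# checked against an allowlist before they become SQL text.
ALLOWED_FIELDS = {"owner", "region", "amount"}
ALLOWED_OPS = {"=", "<", "<=", ">", ">="}


class PermissionDenied(Exception):
    """Raised when no rule applies or a rule cannot be applied safely."""


def query_rule(verification_param):
    """Authority-server side: look up the rule object for user + entry identifier."""
    key = (verification_param["user"].get("role"), verification_param["entry_id"])
    return RULE_TABLE.get(key)


def parse_rule(rule, user):
    """Parse a rule object into a parameterized condition: (sql_fragment, params)."""
    clauses, params = [], []
    for cond in rule["conditions"]:
        if cond["field"] not in ALLOWED_FIELDS or cond["op"] not in ALLOWED_OPS:
            raise PermissionDenied("rule uses a field or operator outside the allowlist")
        if "from_user" in cond:
            if cond["from_user"] not in user:
                raise PermissionDenied("user profile lacks " + cond["from_user"])
            value = user[cond["from_user"]]
        else:
            value = cond["value"]
        clauses.append(f'{cond["field"]} {cond["op"]} ?')  # value is bound, never inlined
        params.append(value)
    return " AND ".join(clauses), params


def data_permission(entry_id):
    """Interception marker: wraps a query builder and weaves the condition in."""
    def decorator(build_query):
        @wraps(build_query)
        def wrapper(conn, user, *args):
            base_sql, base_params = build_query(*args)
            rule = query_rule({"user": user, "entry_id": entry_id})
            if rule is None:                       # default deny when no rule exists
                raise PermissionDenied(f"no data rule for {entry_id}")
            fragment, params = parse_rule(rule, user)
            # Wrapping the business query as a subquery avoids editing its text.
            sql = f"SELECT * FROM ({base_sql}) AS scoped"
            if fragment:
                sql += f" WHERE {fragment}"
            return conn.execute(sql, [*base_params, *params]).fetchall()
        return wrapper
    return decorator


@data_permission("order.list")
def list_orders(min_amount):
    """Business query, written with no knowledge of who is asking."""
    return ("SELECT id, owner, region, amount FROM orders WHERE amount >= ?",
            [min_amount])


def make_demo_db():
    """In-memory database with constructed order rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, "
                 "region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "alice", "east", 500), (2, "bob", "west", 1200),
        (3, "alice", "east", 9000), (4, "carol", "east", 300)])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    alice = {"user_id": "alice", "role": "sales", "region": "east"}
    dave = {"user_id": "dave", "role": "regional_sales", "region": "east"}
    boss = {"user_id": "mia", "role": "manager", "region": "east"}
    for who in (alice, dave, boss):
        print(who["user_id"], sorted(r[0] for r in list_orders(db, who, 0)))
```

Because the rule values are bound as parameters and a missing rule raises an error, a profile attribute containing SQL metacharacters matches no rows, and an unconfigured role gets no data instead of the unrestricted query.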
Obviously, those skilled in the art should understand that the modules or steps of the present application described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into a separate integrated circuit module; or several of the modules or steps can be made into a single integrated circuit module. The present application is therefore not limited to any specific combination of hardware and software.
The foregoing is only the preferred embodiments of the present application and is not intended to limit the application. For those skilled in the art, the application may have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principle of the present application shall fall within its scope of protection.

Claims (16)

1. An authority control method, characterized by comprising:
An application server obtains the user profile of a logged-in user;
The application server combines the user profile with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter;
The application server sends a data permission verification request carrying the data permission verification parameter to the public authority server for a data permission query, to obtain the data access rule object corresponding to the application data access entry identifier;
The application server receives and parses the data access rule object, to obtain a data permission query condition;
The application server inserts the data permission query condition into the authority query SQL statement corresponding to the application data access entry identifier, to obtain a new query statement subject to data permission control, and queries with this new query statement to obtain the data query result corresponding to the user profile.
2. The method according to claim 1, characterized in that, before the application server combines the user profile with the application data access entry identifier that requires a data permission query to obtain the data permission verification parameter, the method further comprises:
The application server loads an interception marker onto the application data access entry identifier that requires the data permission query, and sets a data permission interception aspect in the class library;
After the data permission verification function is triggered, the application server identifies the first interception marker and thereby triggers the data permission interception aspect, so as to intercept the authority query SQL statement corresponding to the application data access entry identifier loaded with the first interception marker.
3. The method according to claim 1 or 2, characterized in that the step in which the application server sends the data permission verification request carrying the data permission verification parameter to the public authority server for a data permission query, to obtain the data access rule object corresponding to the application data access entry identifier, comprises:
The public authority server receives the data permission verification request;
The public authority server queries a data permission rule table according to the user profile and the application data access entry identifier in the data permission verification parameter, to obtain the data access rule object corresponding to the current data permission verification request;
Wherein the data permission rule table is a preset data table that stores the mapping relationships among one or more groups of user profile, application data access entry identifier and data access rule object.
4. The method according to claim 1, characterized in that, after the application server obtains the user profile of the logged-in user, the method further comprises:
The application server performs user identity verification according to the user profile;
If the user identity verification passes, the method proceeds to the step of obtaining the data permission verification request;
Wherein the step in which the application server performs user identity verification according to the user profile comprises: obtaining a user verification request sent by a client, the user verification request comprising the user profile; and sending the user profile to a common user server for a query, to confirm whether the user identity in the current user verification request is legitimate.
5. The method according to claim 1 or 4, characterized in that, before the application server combines the user profile with the application data access entry identifier that requires a data permission query to obtain the data permission verification parameter, the method further comprises:
The application server performs function privilege verification according to the user profile;
Wherein the step of performing function privilege verification according to the user profile comprises: the application server combines the obtained user profile with the application function entry identifier that requires function privilege verification, to obtain a function privilege verification parameter; and sends a function privilege verification request carrying the function privilege verification parameter to the public authority server for function privilege verification, to obtain the function privilege verification result corresponding to the function privilege verification request.
6. The method according to claim 5, characterized in that, before the obtained user profile is combined with the application function entry identifier that requires function privilege verification to obtain the function privilege verification parameter, the method further comprises:
The application server loads a second interception marker onto the application function entry identifier that requires the function privilege verification, and sets a function privilege interception aspect in the class library;
After the function privilege verification function is triggered, the application server identifies the second interception marker and thereby triggers the function privilege interception aspect, so as to intercept the authority query SQL statement corresponding to the application function entry identifier loaded with the second interception marker.
7. The method according to claim 6, characterized in that the step of sending the function privilege verification request carrying the function privilege verification parameter to the public authority server for function privilege verification, to obtain the function privilege verification result corresponding to the function privilege verification request, comprises:
The public authority server receives the function privilege verification request;
The public authority server queries a function privilege rule table according to the user profile and the application function entry identifier in the function privilege verification parameter, to obtain the function privilege verification result corresponding to the current function privilege verification request;
Wherein the function privilege rule table is a preset data table that stores the mapping relationships among one or more groups of user profile, application function entry identifier and function privilege verification result.
8. A permission control device, characterized by comprising:
An acquisition module, configured to obtain the user profile of a logged-in user;
A first combination module, configured to combine the user profile with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter;
A query module, configured to send a data permission verification request carrying the data permission verification parameter to the public authority server for a data permission query, to obtain the data access rule object corresponding to the application data access entry identifier;
A parsing module, configured to receive and parse the data access rule object, to obtain a data permission query condition;
A processing module, configured for the application server to insert the data permission query condition into the authority query SQL statement corresponding to the application data access entry identifier, to obtain a new query statement subject to data permission control, and to query with this new query statement to obtain the data query result corresponding to the user profile.
9. The device according to claim 8, characterized in that the device further comprises:
A first setting module, configured to load an interception marker onto the application data access entry identifier that requires the data permission query, and to set a data permission interception aspect in the class library;
A first interception module, configured to, after the data permission verification function is triggered, identify the first interception marker and thereby trigger the data permission interception aspect, so as to intercept the authority query SQL statement corresponding to the application data access entry identifier loaded with the first interception marker.
10. The device according to claim 8, characterized in that the device further comprises:
An identity verification module, configured to perform user identity verification according to the user profile;
The identity verification module comprises:
An acquisition module, configured to obtain a user verification request sent by a client, the user verification request comprising the user profile;
An identity query module, configured to send the user profile to the common user server for a query, to confirm whether the user identity in the current user verification request is legitimate.
11. The device according to claim 8, characterized in that the device further comprises:
A function privilege verification module, configured to perform function privilege verification according to the user profile;
Wherein the function privilege verification module comprises: a second combination module, configured to combine the obtained user profile with the application function entry identifier that requires function privilege verification, to obtain a function privilege verification parameter; and a function query module, configured to send a function privilege verification request carrying the function privilege verification parameter to the public authority server for function privilege verification, to obtain the function privilege verification result corresponding to the function privilege verification request.
12. The device according to claim 8, characterized in that the device further comprises:
A second setting module, configured to load a second interception marker onto the application function entry identifier that requires the function privilege verification, and to set a function privilege interception aspect in the class library;
A second interception module, configured to, after the function privilege verification function is triggered, identify the second interception marker and thereby trigger the function privilege interception aspect, so as to intercept the authority query SQL statement corresponding to the application function entry identifier loaded with the second interception marker.
13. An authority control system, characterized by comprising:
An application server, configured to obtain the user profile of a logged-in user, and to combine the user profile with the application data access entry identifier that requires a data permission query, to obtain a data permission verification parameter;
A public authority server, configured to receive a data permission verification request that is sent by the application server and carries the data permission verification parameter, and to perform a data permission query according to the data permission verification request, to obtain the data access rule object corresponding to the data permission verification request;
Wherein the application server, after receiving the data access rule object returned by the public authority server, parses the data access rule object to obtain a data permission query condition, inserts the data permission query condition into the authority query SQL statement corresponding to the application data access entry identifier to obtain a new query statement subject to data permission control, and then queries with this new query statement to obtain the data query result corresponding to the user profile.
14. The system according to claim 13, characterized in that the application server loads an interception marker onto the application data access entry identifier that requires the data permission query, and sets a data permission interception aspect in the class library; and, after the data permission verification function is triggered, identifies the first interception marker and thereby triggers the data permission interception aspect, so as to intercept the authority query SQL statement corresponding to the application data access entry identifier loaded with the first interception marker.
15. The system according to claim 13, characterized in that the system further comprises:
A common user server, configured to obtain a user verification request sent by the application server, the user verification request comprising the user profile, and to perform a query operation according to the user profile, to confirm whether the user identity in the current user verification request is legitimate.
16. The system according to claim 13, characterized in that the public authority server further comprises:
A function privilege verification device, configured to receive a function privilege verification request that is sent by the application server and carries a function privilege verification parameter, and to perform function privilege verification according to the function privilege verification request, to obtain the function privilege verification result corresponding to the function privilege verification request;
Wherein the application server obtains the function privilege verification parameter by combining the obtained user profile with the application function entry identifier that requires function privilege verification.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210228214.5A CN103530568B (en) 2012-07-02 2012-07-02 Authority control method, Apparatus and system

Publications (2)

Publication Number Publication Date
CN103530568A true CN103530568A (en) 2014-01-22
CN103530568B CN103530568B (en) 2016-01-20

Family

ID=49932570

Country Status (1)

Country Link
CN (1) CN103530568B (en)

Also Published As

Publication number Publication date
CN103530568B (en) 2016-01-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant