CN103870763A - Mandatory access control method for ERP (Enterprise Resource Planning) data supporting various security classifications - Google Patents
- Publication number
- CN103870763A (application CN201410070663.0A)
- Authority
- CN
- China
- Prior art keywords
- level
- confidentiality
- type
- data
- access control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a mandatory access control method for ERP (Enterprise Resource Planning) data supporting various security classifications, comprising the following steps: S10: defining the security classification types; S11: labelling users with security attributes; S12: setting security control information for business documents; S13: defining mandatory access control for business data retrieval. The method provided by the invention can flexibly meet the mandatory access control requirements of data in the different modules and functions of ERP products.
Description
Technical field
The invention belongs to the technical field of mandatory access control (MAC) for data access security, and relates to a mandatory access control method for ERP data that supports multiple security classification types.
Background technology
MAC is a set of mandatory access-control measures that a system adopts, following the security-policy requirements of the TDI/TCSEC standards, to guarantee a higher degree of security. It is neither directly perceived nor controlled by the user. MAC suits departments that classify data into strict, fixed confidentiality levels, such as the military or government agencies.
In MAC, every entity managed by the DBMS falls into one of two broad classes: subjects and objects. Subjects are the active entities in the system, comprising the actual users managed by the DBMS as well as the processes acting on behalf of those users. Objects are the passive entities in the system, the recipients of actions, and include files, base tables, indexes, views and so on. For each instance (value) of a subject or object, the DBMS assigns a sensitivity label (Label).
Sensitivity labels are divided into ranks, for example Top Secret, Secret, Confidential and Public. The sensitivity label of a subject is called its clearance level, and the sensitivity label of an object is called its classification level. The MAC mechanism compares the subject's label with the object's label to decide whether the subject may access the object.
When a user (or subject) enters the system under a given label, the system requires that its access to any object obey the following rules: a subject may read an object only when the subject's clearance level is greater than or equal to the object's classification level; a subject may write an object only when the subject's clearance level equals the object's classification level.
Mandatory access control (MAC) labels the data itself with its classification level. However the data is copied, the label and the data remain an inseparable whole, and only users who satisfy the label's requirement can manipulate the data, which provides a higher level of security.
Summary of the invention
To address the above problem, the object of the present invention is to provide a mandatory access control method for ERP data that supports multiple security classification types.
To achieve this object, the technical scheme of the present invention is as follows:
A mandatory access control method for ERP data supporting multiple security classification types, comprising the steps of:
S10: defining the security classification types;
S11: labelling users with classification attributes;
S12: setting classification control information for business documents;
S13: defining classification-based mandatory access control for business data retrieval.
Further, in step S10, the classification types are defined in a unified manner; when a classification type is defined, the database table holding the classified data it governs must be set, and each type has its own data table in which its classified data is stored.
Further, in step S10, the classified-data tables are abstracted and encapsulated: a classified-data table interface is defined, the database table of each classification type inherits this entity interface, and the interface describes the basic structure of a classified-data table.
Further, in step S11, the classification attribute of a data-access user is labelled by assigning the user, as required, a classification label for one or more classification types.
Further, in step S12, a business document whose data retrieval is subject to classification control must have classification control information set for it: the classification type that controls the document, the document's classification identity attribute, and the corresponding document attributes that support customized classification control of the document's data.
Further, in step S13, a unified classification control interface is provided, and every classification type must implement this interface.
Compared with the prior art, the mandatory access control method for ERP data supporting multiple classification types of the present invention can flexibly meet the mandatory access control requirements of data that differ across the modules and functions of an ERP product.
Accompanying drawing explanation
Fig. 1 is a flow diagram of the present invention;
Fig. 2 is a diagram of the data table relationships of the present invention.
Embodiment
To make the objects, technical scheme and advantages of the present invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
As shown in Fig. 1 and Fig. 2, a mandatory access control method for ERP data supporting multiple classification types according to the present invention comprises the following steps:
S10: defining the security classification types
In S10, the classification types are defined in a unified manner; when a classification type is defined, the database table holding the classified data it governs must be set. Each type has its own data table in which its classified data is stored. The classified-data tables of different classification types may be identical or may differ. The classified-data tables are abstracted and encapsulated: a classified-data table interface is defined and the database table of each classification type inherits this entity interface; the interface describes the basic structure of a classified-data table: table name, classified-data ID column, classified-data name column, classification type ID column, classification level column, and so on. The concrete classified data of each classification type is maintained separately; classified-data entities share a unified interface, and each kind of classified data is a concrete class that implements it. If a classification type has particular requirements for filtering and controlling its data, a separate classified-data table and classification entity class can be set up for it.
S11: labelling users with classification attributes
A user may be labelled with multiple classifications, but with only one classification level per classification type. The classification attribute of the data-access subject (the user) is labelled by assigning the user, as required, a classification label for one or more classification types. Extra control logic can be added to the labelling process to ensure that the classification level a user receives (the labelling step) is restricted.
S12: setting classification control information for business documents
A business document whose data retrieval is subject to classification control must have classification control information set for it: the classification type that controls the document, the document's classification identity attribute, and the corresponding document attributes that support customized classification control of the document's data. The security information set for a business document cannot exceed the attribute categories of the classification entity structure belonging to the document's classification type. When setting classification control information for a business document, the document's classification control can be put into a disabled or enabled state; different business documents whose data retrieval is controlled by the same classification type can be given differentiated control settings; and the control settings of one kind of business document can be adjusted to produce different control results according to different periods, the business data related to the document, and so on.
S13: defining classification-based mandatory access control for business data retrieval
Each classification type has a corresponding control implementation, which ensures that the classification control of different customers and different classification types has its own implementation to meet individual requirements. Specifically, a unified classification control interface is provided, and every classification type must implement it. In its implementation, each classification type works through the possible control situations in detail according to the classification control settings of the document and supplies the data filtering condition for business data retrieval.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in its scope of protection.
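The four steps S10 to S13 above, together with the read and write rules from the Background section, as an added worked example in Python. This is illustrative code written for this page, not the patent's implementation. The level names, the "project" classification type, the sales-order rows, the labelling ceiling and the fail-closed handling of unknown ids are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Ordered classification levels (constructed; the text names these four ranks).
LEVELS: Dict[str, int] = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

# Background rules: read needs clearance >= classification, write needs equality.
def can_read(clearance: int, classification: int) -> bool:
    return clearance >= classification

def can_write(clearance: int, classification: int) -> bool:
    return clearance == classification

# S10: each classification type owns a table of classified data; every table
# exposes the same interface (id, name, type id and level columns).
@dataclass(frozen=True)
class ClassifiedRecord:
    data_id: str
    name: str
    type_id: str
    level: str

class ClassificationType:
    """S10: one classification type and the classified-data table it owns."""
    def __init__(self, type_id: str, rows: List[ClassifiedRecord]):
        self.type_id = type_id
        self.table: Dict[str, ClassifiedRecord] = {}
        for r in rows:
            if r.type_id != type_id:
                raise ValueError(f"{r.data_id} belongs to type {r.type_id!r}")
            self.table[r.data_id] = r

# S11: a user carries at most one clearance per classification type.
@dataclass
class User:
    name: str
    clearance: Dict[str, str] = field(default_factory=dict)

def label_user(user: User, type_id: str, level: str, ceiling: str = "SECRET") -> None:
    """S11: label a user; `ceiling` is the extra control that bounds the labelling step (assumed)."""
    if LEVELS[level] > LEVELS[ceiling]:
        raise PermissionError(f"{level} exceeds the labelling ceiling {ceiling}")
    user.clearance[type_id] = level  # one level per type; re-labelling replaces it

# S12: control information attached to one kind of business document.
@dataclass(frozen=True)
class DocumentControl:
    doc_kind: str         # e.g. "sales_order" (constructed)
    type_id: str          # classification type that governs this document kind
    identity_attr: str    # document column holding the classified-data id
    enabled: bool = True  # control can be disabled per document kind

# S13: the unified control interface. One implementation is shown; a type with
# special filtering rules would supply its own.
class ClassificationControl:
    def __init__(self, ctype: ClassificationType):
        self.ctype = ctype

    def user_level(self, user: User) -> int:
        # Assumption: a user with no label for this type is treated as PUBLIC.
        return LEVELS[user.clearance.get(self.ctype.type_id, "PUBLIC")]

    def filter_condition(self, user: User, ctrl: DocumentControl) -> Optional[Set[str]]:
        """Ids of classified data the user may read, or None when control is disabled."""
        if not ctrl.enabled:
            return None
        c = self.user_level(user)
        return {d for d, rec in self.ctype.table.items() if can_read(c, LEVELS[rec.level])}

    def filter_rows(self, user: User, ctrl: DocumentControl, rows: List[dict]) -> List[dict]:
        allowed = self.filter_condition(user, ctrl)
        if allowed is None:
            return list(rows)
        # Rows with a missing or unknown identity attribute are dropped (fail closed).
        return [r for r in rows if r.get(ctrl.identity_attr) in allowed]

# Constructed sample: a "project" classification type and sales orders that
# reference projects through their project_id column.
PROJECTS = ClassificationType("project", [
    ClassifiedRecord("P-1", "Public tender", "project", "PUBLIC"),
    ClassifiedRecord("P-2", "Supplier contract", "project", "CONFIDENTIAL"),
    ClassifiedRecord("P-3", "Merger due diligence", "project", "SECRET"),
    ClassifiedRecord("P-4", "Board minutes", "project", "TOP_SECRET"),
])
ORDERS = [
    {"order_id": "SO-100", "project_id": "P-1"},
    {"order_id": "SO-101", "project_id": "P-2"},
    {"order_id": "SO-102", "project_id": "P-3"},
    {"order_id": "SO-103", "project_id": "P-4"},
    {"order_id": "SO-104", "project_id": "P-9"},  # dangling reference
]
ORDER_CONTROL = DocumentControl("sales_order", "project", "project_id")

def visible_order_ids(user_level: str) -> List[str]:
    """Order ids a user labelled user_level on the 'project' type may retrieve."""
    u = User("demo")
    label_user(u, "project", user_level)
    rows = ClassificationControl(PROJECTS).filter_rows(u, ORDER_CONTROL, ORDERS)
    return [r["order_id"] for r in rows]
```

In a real ERP the set returned by `filter_condition` would become the `IN`-list of a `WHERE` clause appended to the business query, which is the "data filtering condition" S13 refers to. Two points worth noting in the sample: a disabled `DocumentControl` (the disabled state from S12) returns no filter at all, so the switch must itself be protected; and a document row whose identity attribute points at an id that is not in the classified-data table is dropped rather than shown, so a missing classification never degrades to open access.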
Claims (6)
1. A mandatory access control method for ERP data supporting multiple security classification types, characterized in that it comprises the steps of:
S10: defining the security classification types;
S11: labelling users with classification attributes;
S12: setting classification control information for business documents;
S13: defining classification-based mandatory access control for business data retrieval.
2. The mandatory access control method for ERP data supporting multiple classification types according to claim 1, characterized in that: in step S10, the classification types are defined in a unified manner; when a classification type is defined, the database table holding the classified data it governs must be set, and each type has its own data table in which its classified data is stored.
3. The mandatory access control method for ERP data supporting multiple classification types according to claim 2, characterized in that: in step S10, the classified-data tables are abstracted and encapsulated: a classified-data table interface is defined, the database table of each classification type inherits this entity interface, and the interface describes the basic structure of a classified-data table.
4. The mandatory access control method for ERP data supporting multiple classification types according to claim 3, characterized in that: in step S11, the classification attribute of a data-access user is labelled by assigning the user, as required, a classification label for one or more classification types.
5. The mandatory access control method for ERP data supporting multiple classification types according to claim 4, characterized in that: in step S12, a business document whose data retrieval is subject to classification control must have classification control information set for it: the classification type that controls the document, the document's classification identity attribute, and the corresponding document attributes that support customized classification control of the document's data.
6. The mandatory access control method for ERP data supporting multiple classification types according to claim 5, characterized in that: in step S13, a unified classification control interface is provided, and every classification type must implement this interface.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410070663.0A CN103870763A (en) | 2014-02-28 | 2014-02-28 | Mandatory access control method for ERP (Enterprise Resource Planning) data supporting various security classifications |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103870763A true CN103870763A (en) | 2014-06-18 |
Family
ID=50909286
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410070663.0A Pending CN103870763A (en) | 2014-02-28 | 2014-02-28 | Mandatory access control method for ERP (Enterprise Resource Planning) data supporting various security classifications |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103870763A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104143020A (en) * | 2014-07-15 | 2014-11-12 | 浪潮通用软件有限公司 | Quick modeling method based on business field template in ERP (Enterprise Resource Planning) system |
CN107133528A (en) * | 2017-05-02 | 2017-09-05 | 山东浪潮通软信息科技有限公司 | The level of confidentiality protection implementation method and device of a kind of database purchase |
CN110232068A (en) * | 2019-06-14 | 2019-09-13 | 中国工商银行股份有限公司 | Data sharing method and device |
CN110232068B (en) * | 2019-06-14 | 2022-04-05 | 中国工商银行股份有限公司 | Data sharing method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6023765A (en) * | 1996-12-06 | 2000-02-08 | The United States Of America As Represented By The Secretary Of Commerce | Implementation of role-based access control in multi-level secure systems |
CN1885297A (en) * | 2006-06-02 | 2006-12-27 | 石杰 | Method for role-based access control model with precise access control strategy |
CN101727545A (en) * | 2008-10-10 | 2010-06-09 | 中国科学院研究生院 | Method for implementing mandatory access control mechanism of security operating system |
CN101763476A (en) * | 2009-12-25 | 2010-06-30 | 中国科学院计算技术研究所 | Multilevel security policy conversion method |
CN102368760A (en) * | 2010-12-31 | 2012-03-07 | 中国人民解放军信息工程大学 | Data secure transmission method among multilevel information systems |
2014
- 2014-02-28 CN CN201410070663.0A patent/CN103870763A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140618 |