CN104252454B - Data permission control method and system for the cloud computing multi-tenant model - Google Patents

Info

Publication number: CN104252454B
Authority: CN (China)
Prior art keywords: authority, control, tenant, policy service, service class
Legal status: Active
Application number: CN201310256343.XA
Other languages: Chinese (zh)
Other versions: CN104252454A (en)
Inventors: 李引, 袁峰
Current Assignee: Guangzhou Zhongke Yide Technology Co Ltd
Original Assignee: Guangzhou Institute of Software Application Technology Guangzhou GZIS

Classifications

    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F16/2457 Query processing with adaptation to user needs
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs
    • G06F21/6227 Protecting access to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/2143 Clearing memory, e.g. to prevent the data from being stolen

Abstract

The invention discloses a data permission control method and system for the cloud computing multi-tenant model. The method includes: binding together mutually corresponding tenant identity information, data type information and a permission control policy service class, so that the operation permission of a user belonging to the tenant for that data type can be obtained from the permission control policy service class using the tenant identity information, the identity information of the user belonging to the tenant, and the data type information; obtaining the data type information of the data the user is operating on and, together with the user's identity information and the identity information of the tenant to which the user belongs, looking up the corresponding permission control policy service class; and, according to the permission control policy service class found, obtaining the user's operation permission for that data type. The invention can meet the individual rights-management requirements of different tenants under the multi-tenant model, greatly reduces the time spent on database operations, and can also implement more complex data permission control.

Description

Data permission control method and system for the cloud computing multi-tenant model
Technical field
The invention belongs to the technical field of cloud computing multi-tenancy, and in particular relates to a data permission control method and system for the cloud computing multi-tenant model.
Background art
Cloud computing multi-tenancy is a new software architecture technique. It studies and implements how to share the same system or program components in a multi-tenant environment while ensuring that data is isolated between users and meeting each tenant's individual requirements.
One of the keys to multi-tenant technology is how to handle the individual requirements of different tenants, and personalization of rights management is particularly important.
In a traditional enterprise information system, rights management is a basic and critical part. Permissions fall into two parts:
1) function permissions; 2) data permissions. Function permissions control whether certain functions of the system can be used, while data permissions control whether the various data in the system can be accessed and operated on. Once a system has been developed, its functions are determined, so function permission control is clear and fixed. Data permissions are different: while the system runs after development, a large amount of data is produced that must be controlled, so data permissions are dynamic and highly complex.
In enterprise information systems, data permissions are generally managed in one of two ways:
The first, common method is to hard-code the permission check.
For example, if a generated expense report can be viewed by the applicant and the financial executive, then the pseudocode for the logic deciding whether an expense report can be viewed is as follows:
The other is to use an access control list (ACL): a permission binding relationship is established between each piece of data in the system and a control subject (such as a user), so that when deciding whether a piece of data can be accessed, the corresponding permission can be looked up in the permission binding information and access to the data controlled accordingly.
For example, using an ACL to control data permissions on the expense reports in the example above produces the following permission binding relationships:
| Control object | Control subject | Permission |
|---|---|---|
| Zhang San's expense report | Zhang San | Can view |
| Zhang San's expense report | Financial executive | Can view, can delete, can manage |
| Li Si's expense report | Li Si | Can view |
| Li Si's expense report | Financial executive | Can view, can delete, can manage |

When deciding who can read Zhang San's expense report, this relationship shows that two subjects, Zhang San and the financial executive, can view it. When deciding who can delete Zhang San's expense report, this relationship shows that only the financial executive can delete it.
Of these, the first approach is frequently used in enterprise information management systems, but it cannot support the individual rights-management requirements of different tenants under the multi-tenant model. For example:
Tenant A uses the permission "a generated expense report can be viewed by the applicant and the financial executive", while tenant B uses the permission "a generated expense report can be viewed by the applicant and the financial attache"; tenant A's permission control code is then as follows:
And tenant B's permission control code is as follows:
If the personalized rights-management requirements of tenant A and tenant B are handled together, the permission control code is as follows:
With this approach, the rights-management code has to be modified as the number of tenants grows, so the approach is infeasible. Every added tenant requires a corresponding section of code to be added; the number of tenants changes dynamically, and having to change code whenever a tenant changes is unacceptable.
The second, ACL-based approach has finer control granularity, can control any type of business data, and can also support the cloud computing multi-tenant model. But it has an inherent drawback: whenever a change or deletion occurs, the permission binding relationships must be modified or deleted as well. Take expense report data as an example: if the system holds 10,000 records, then once the financial executive is replaced, the permission binding relationships of all 10,000 records must be updated, which makes data updates inefficient.
At the same time, enterprise information management systems also contain very complex permission scenarios that are hard to handle with an ACL. Take the permission "a department manager can view the expense reports of department members and of members of all sub-departments": with an ACL, whenever a new expense report is generated, the following list of permission binding relationships is produced:
As can be seen from the above, this permission requires binding relationships to be generated according to the organizational structure. Adding one expense report record generates N permission binding relationships, and the modification and deletion problems remain. Once Zhang San's expense report is deleted, all permission binding relationships associated with it must be deleted too, which also makes data update operations very difficult.
Summary of the invention
The object of the invention is to provide a data permission control method and system for the cloud computing multi-tenant model that not only supports the multi-tenant model but also solves the prior art's problems of very time-consuming database operations and hard-to-handle complex rights management.
To achieve this object, the invention adopts the following technical solution:
A data permission control method for the cloud computing multi-tenant model, comprising:
binding together mutually corresponding tenant identity information, data type information and a permission control policy service class, so that the operation permission of a user belonging to the tenant for that data type can be obtained from the permission control policy service class using the tenant identity information, the identity information of the user belonging to the tenant, and the data type information;
obtaining the data type information of the data the user is operating on and, together with the user's identity information and the identity information of the tenant to which the user belongs, looking up the corresponding permission control policy service class;
obtaining, according to the permission control policy service class found, the user's operation permission for that data type.
Further, the binding of mutually corresponding tenant identity information, data type information and permission control policy service class is embodied by generating a piece of type-permission binding information that records the binding relationship among the three.
Further, when mutually corresponding tenant identity information, data type information and permission control policy service classes are bound, one data type may be bound to one or more permission control policy service classes.
Further, when one data type is bound to a single permission control policy service class, obtaining the user's operation permission for that data type according to the permission control policy service class found specifically means executing that class directly to obtain the operation permission;
when one data type is bound to multiple permission control policy service classes, obtaining the user's operation permission for that data type according to the permission control policy service classes found specifically means executing each class found, combining the execution results according to the logical AND, logical OR and logical NOT relations between the classes, and deciding from the combined result whether the user has the corresponding operation permission for that data type.
Further, after the corresponding permission control policy service class is found, the method also includes storing it in a tenant type-permission binding cache so that it can be read directly from the cache next time.
A data permission control system for the cloud computing multi-tenant model, comprising:
a data type database, for storing all data type information;
a permission policy database, for storing permission control policy service classes, where a permission control policy service class includes, bound together, tenant identity information, user identity information, data type information corresponding to that user identity information, and operation permission information corresponding to that data type;
a type-permission binding database, for storing type-permission binding information, where the type-permission binding information includes tenant identity information, data type information and a permission control policy service class bound together;
a data associator, for binding mutually corresponding tenant identity information, data type information and permission control policy service class to generate type-permission binding information, and storing it in the type-permission binding database;
a type-permission adapter, for obtaining the data type information of the data the user is operating on and, together with the user's identity information and the identity information of the tenant to which the user belongs, looking up the corresponding permission control policy service class in the permission policy database;
a permission determiner, for obtaining, according to the permission control policy service class found, the user's operation permission for that data type.
Further, when the data associator binds mutually corresponding tenant identity information, data type information and permission control policy service classes, one data type may be bound to one or more permission control policy service classes.
Further, when one data type is bound to a single permission control policy service class, the permission determiner obtains the user's operation permission for that data type by executing that class directly;
when one data type is bound to multiple permission control policy service classes, the permission determiner obtains the user's operation permission for that data type by executing each class found, combining the execution results according to the logical AND, logical OR and logical NOT relations between the classes, and deciding from the combined result whether the user has the corresponding operation permission for that data type.
Further, the system includes a tenant type-permission binding cache, for storing the permission control policy service classes found by the type-permission adapter so that they can be read directly from the cache next time.
The invention binds together tenant identity information, data type information and permission control policy service classes, so that for each tenant the tenant administrator can configure rights management to suit that tenant. The permission control policy for the same data type can therefore differ between tenants, which solves the problem of supporting "the individual rights-management requirements of different tenants under the multi-tenant model".
In the invention, one tenant may have multiple permission control policies for the same data type, forming a set. The policies are related by three logical operations, logical AND, logical OR and logical NOT, so that more complex data permission control can be achieved through logical combinations of the policies.
The invention can therefore meet the individual rights-management requirements of different tenants under the multi-tenant model, greatly reduces the time spent on database operations, and can also implement more complex data permission control.
Brief description of the drawings
The drawings described here are provided to aid further understanding of the invention and form part of this application; they do not unduly limit the invention. In the drawings:
Fig. 1 is a flow diagram of the basic principle of the method of the invention;
Fig. 2 is a diagram of the basic structure of the system of the invention.
Embodiment
As shown in Fig. 1, this embodiment discloses a data permission control method for the cloud computing multi-tenant model, comprising:
1) Binding together mutually corresponding tenant identity information, data type information and a permission control policy service class, the binding relationship among the three being embodied by generating a piece of type-permission binding information, so that the operation permission of a user belonging to the tenant for that data type can be obtained from the permission control policy service class using the tenant identity information, the identity information of the user belonging to the tenant, and the data type information;
This means that for each tenant the tenant administrator can configure rights management to suit that tenant. The permission control policy for the same data type can therefore differ between tenants, which solves the problem of supporting "the individual rights-management requirements of different tenants under the multi-tenant model".
A permission control policy encapsulates the logic for deciding data permissions: given three parameters (the data to be checked, the user information and the tenant information), it determines which permissions a given user of a given tenant has on a given piece of data.
For example, the permission control policy service classes of tenant A and tenant B for expense report permission control are FinalExecutiveAuthorityControlServiceImpl and FinalStaffAuthorityControlServiceImpl respectively.
The permission control logic encapsulated in FinalExecutiveAuthorityControlServiceImpl is "if the user is the financial executive or the expense report applicant, the report can be viewed", described in pseudocode as follows:
The permission control logic encapsulated in FinalStaffAuthorityControlServiceImpl is "if the user is the financial attache or the expense report applicant, the report can be viewed", described in pseudocode as follows:
2) Obtaining the data type information of the data the user is operating on and, together with the user's identity information and the identity information of the tenant to which the user belongs, looking up the corresponding permission control policy service class, that is, querying the current tenant's permission control policies for that data type;
3) Obtaining, according to the permission control policy service class found, the user's operation permission for that data type.
Preferably, when mutually corresponding tenant identity information, data type information and permission control policy service classes are bound, one data type may be bound to one or more permission control policy service classes. The final data permission result is then determined by the execution results of multiple permission control policy service classes, which can be merged using logical operations; a new data column, "logical operator", can therefore be added to the type-permission binding database.
When one data type is bound to a single permission control policy service class, obtaining the user's operation permission for that data type according to the permission control policy service class found specifically means executing that class directly to obtain the operation permission.
When one data type is bound to multiple permission control policy service classes, obtaining the user's operation permission for that data type specifically means executing each class found, combining the execution results according to the logical AND, logical OR and logical NOT relations between the classes, and deciding from the combined result whether the user has the corresponding operation permission for that data type. One tenant may have multiple permission control policies for the same data type, forming a set. The policies are related by three logical operations, logical AND, logical OR and logical NOT, so that more complex data permission control can be achieved through logical combinations of the policies.
Preferably, after the corresponding permission control policy service class is found, the method also includes storing it in a tenant type-permission binding cache so that it can be read directly from the cache next time. Once a match has been performed for a data type, the permission control policy service class is placed in the cache and taken directly from the cache on the next match, avoiding repeated database operations and improving system efficiency.
As shown in Fig. 2, this embodiment also discloses a data permission control system for the cloud computing multi-tenant model, comprising:
Data type database 1, for storing all data type information, such as the expense report type, the leave request type, etc.
Permission policy database 2, for storing permission control policy service classes, where a permission control policy service class includes, bound together, tenant identity information, user identity information, data type information corresponding to that user identity information, and operation permission information corresponding to that data type;
Permission control policy service classes are written in an object-oriented language (such as Java); each implements the permission control policy service interface and encapsulates the permission decision logic.
In Java, the permission control policy service interface is defined as:
The method takes two parameters, the data entity to be checked (entity) and the user information (userinfo), and returns the permissions Permission[] that the user has.
For example, the permission control policy service classes of tenant A and tenant B for expense report permission control are FinalExecutiveAuthorityControlServiceImpl and FinalStaffAuthorityControlServiceImpl respectively; both are stored in the permission policy database.
The pseudocode implementing the checkPermission method in FinalExecutiveAuthorityControlServiceImpl is as follows:
The pseudocode implementing the checkPermission method in FinalStaffAuthorityControlServiceImpl is as follows:
Type-permission binding database 3, for storing type-permission binding information, where the type-permission binding information includes tenant identity information, data type information and a permission control policy service class bound together;
Data associator 4, for binding mutually corresponding tenant identity information, data type information and permission control policy service class to generate type-permission binding information, and storing it in the type-permission binding database. For example, the binding information for the expense report permission control policy service classes of tenant A and tenant B is shown in the following table:

| Tenant name | Data type | Permission control policy service class name |
|---|---|---|
| Tenant A | Expense report | FinalExecutiveAuthorityControlServiceImpl |
| Tenant B | Expense report | FinalStaffAuthorityControlServiceImpl |

Type privilege adaptation 5, for obtaining the data type information of the corresponding manipulation of user, believe with reference to its user identity Breath, tenant's identity information belonging to the user searched in the authorization policy database corresponding to control of authority policy service Class;
Authority determining device 6, for according to the above-mentioned control of authority policy service class found out, obtaining the user for the number According to the manipulation authority of type.
Wherein, the data associater will mutually corresponding tenant's identity information, data type information and control of authority When policy service class is bound, a data type, which can correspond to, binds one or more control of authority policy service class. Multiple control of authority demands are had for same data type, it is possible to corresponding multiple control of authority policy service classes, then The final result of data permission is determined, multiple control of authority strategies by multiple control of authority policy service class implementing results The implementing result of service class can be merged using logical operation, therefore can be added in type privilege binding data storehouse new Data row " logical operator ".Such as tenant A with the addition of an expense report control authority " line manager can check member and The expense report of member under all subdivisions ", corresponding control of authority service class is DeparmentMgrAuthorityContro lServiceImpl.The relation of the authority and control of authority policy service class before is the relation of " logic or ", as long as meeting One of which.Information is in type privilege binding data storehouse:
Before logging in system by user operates to data, authority judgement will be carried out.Type privilege adaptation input parameter For data type to be determined, user profile, tenant's information and type privilege binding library, inquiry obtains authority control of the tenant to data Policy service class processed.
For example after tenant A user logs in, the operation of checking of expense report is performed, the parameter data to be determined of input are some Forms data is submitted an expense account, parametric user's information is the information of active user, and parameter tenant information is tenant A, finally matches obtained power It is FinalExecutiveAuthorityControlServiceImpl to limit control strategy service class.
Wherein, when a data type, which can correspond to, binds a control of authority policy service class, the authority judges Device obtains manipulation authority of the user for the data type, specifically according to the above-mentioned control of authority policy service class found out It is directly to perform the control of authority policy service class to obtain its manipulation authority;
Wherein, when a data type, which can correspond to, binds multiple control of authority policy service classes, the authority judges Device obtains manipulation authority of the user for the data type, specifically according to the above-mentioned control of authority policy service class found out It is to perform the control of authority policy service class respectively found out, according to the logical AND between each control of authority policy service class, logic Or the implementing result obtained with the relation of logic NOT, judge whether user has to corresponding to the data type according to the result Manipulate authority.
The authority determining device executes the authority control policy service classes obtained by the type privilege adaptation; if there are multiple authority control policy service classes, it takes out the logical operator corresponding to each class and computes the result. For example, when a line manager of tenant A views the expense reports of the members of his or her own department, the authority control policy service classes returned by the query are FinalExecutiveAuthorityControlServiceImpl and DeparmentMgrAuthorityControlServiceImpl. Authority determining device 170 executes the two service classes in turn and judges the outcome using the "logical OR" operation. FinalExecutiveAuthorityControlServiceImpl returns false after execution and DeparmentMgrAuthorityControlServiceImpl returns true, so the final result after the "logical OR" operation is true, which means the line manager has the right to view the department members' expense reports.
Preferably, the system also includes a tenant type privilege binding cache, which stores the authority control policy service classes found by the type privilege adaptation so that they can be read directly from the cache next time. Once a data type has been matched, its authority control policy service class is put into the cache and taken directly from the cache at the next match, which avoids repeated database operations and improves the running efficiency of the system.
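The matching, evaluation and caching flow described above, as an added Python example that is not code from the patent. The two service class names come from the text; the rule bodies, the binding rows, the left-to-right folding of operators, the treatment of NOT and the deny-when-unbound default are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    tenant: str
    role: str
    department: str  # department path such as "sales" or "sales/east"

class FinalExecutiveAuthorityControlServiceImpl:
    def check(self, user, report_department):
        return user.role == "final_executive"  # assumed rule body

class DeparmentMgrAuthorityControlServiceImpl:
    def check(self, user, report_department):
        own = user.department  # assumed rule: own department or any sub-department
        return user.role == "line_manager" and (
            report_department == own or report_department.startswith(own + "/"))

# Constructed binding rows: (tenant, data type) -> [(logical operator, policy class)]
BINDING_DB = {
    ("A", "expense_report"): [
        ("OR", FinalExecutiveAuthorityControlServiceImpl),
        ("OR", DeparmentMgrAuthorityControlServiceImpl),
    ],
}
CACHE = {}
STATS = {"db_lookups": 0}

def match_policies(tenant, data_type):
    """Type privilege adaptation: read the cache first, else query the binding DB."""
    key = (tenant, data_type)  # tenant is part of the key, so tenants never share entries
    if key not in CACHE:
        STATS["db_lookups"] += 1
        CACHE[key] = tuple(BINDING_DB.get(key, ()))
    return CACHE[key]

def is_permitted(user, data_type, report_department):
    """Authority determining device: run each bound policy, fold results left to right."""
    rows = match_policies(user.tenant, data_type)
    if not rows:
        return False  # assumption: a data type with no binding is denied
    verdict = None
    for operator, policy_cls in rows:
        if operator not in ("AND", "OR", "NOT"):
            raise ValueError(f"unknown logical operator: {operator}")
        outcome = policy_cls().check(user, report_department)
        if operator == "NOT":  # assumption: NOT negates this policy, then ANDs it
            outcome = not outcome
        if verdict is None:
            verdict = outcome
        elif operator == "OR":
            verdict = verdict or outcome
        else:
            verdict = verdict and outcome
    return verdict
```

Because matches are cached, an entry has to be invalidated whenever a tenant's binding rows change, or a revoked policy keeps being applied.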
The preferred embodiments of the invention have been described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations according to the concept of the invention without creative work. Therefore, any technical solution that a person skilled in the art can obtain on the basis of the prior art through logical analysis, reasoning or limited experimentation according to the concept of the invention shall fall within the scope of protection determined by the claims.

Claims (9)

  1. A data permission control method towards cloud computing multi-tenant pattern, characterized by comprising:
    binding mutually corresponding tenant identity information, data type information and authority control policy service classes, so that the manipulation authority of a user under the tenant for the data type can be obtained from the authority control policy service class through the tenant identity information, the identity information of the user under the tenant and the data type information;
    obtaining the data type information of the data the user is to manipulate, and looking up the corresponding authority control policy service class in combination with the user's identity information and the identity information of the tenant to which the user belongs;
    obtaining, according to the authority control policy service class found, the manipulation authority of the user for the data type.
  2. The data permission control method towards cloud computing multi-tenant pattern according to claim 1, characterized in that:
    the binding of the mutually corresponding tenant identity information, data type information and authority control policy service class is carried out by generating a piece of type privilege binding information that embodies the binding relationship of the three.
  3. The data permission control method towards cloud computing multi-tenant pattern according to claim 1, characterized in that:
    when the mutually corresponding tenant identity information, data type information and authority control policy service class are bound, one data type can be bound to one or more authority control policy service classes.
  4. The data permission control method towards cloud computing multi-tenant pattern according to claim 3, characterized in that:
    when one data type is bound to a single authority control policy service class, obtaining the manipulation authority of the user for the data type according to the authority control policy service class found is specifically done by directly executing that authority control policy service class to obtain the manipulation authority;
    when one data type is bound to multiple authority control policy service classes, obtaining the manipulation authority of the user for the data type according to the authority control policy service classes found is specifically done by executing each authority control policy service class found, obtaining an execution result according to the logical AND, logical OR and logical NOT relations between the authority control policy service classes, and judging from that result whether the user has the corresponding manipulation authority for the data type.
  5. The data permission control method towards cloud computing multi-tenant pattern according to claim 1, characterized in that:
    after the corresponding authority control policy service class is found, the method further comprises storing the authority control policy service class in a tenant type privilege binding cache, so that it can be read directly from the cache next time.
  6. A data permission control system towards cloud computing multi-tenant pattern, characterized by comprising:
    a data type database, for storing all data type information;
    an authorization policy database, for storing authority control policy service classes, each authority control policy service class comprising tenant identity information, user identity information, data type information corresponding to the user identity information, and control authority information corresponding to the data type, bound together;
    a type privilege binding database, for storing type privilege binding information, the type privilege binding information comprising tenant identity information, data type information and an authority control policy service class bound together;
    a data associater, for binding mutually corresponding tenant identity information, data type information and authority control policy service classes to generate type privilege binding information, and storing it in the type privilege binding database;
    a type privilege adaptation, for obtaining the data type information of the data the user is to manipulate, and looking up the corresponding authority control policy service class in the authorization policy database in combination with the user's identity information and the identity information of the tenant to which the user belongs;
    an authority determining device, for obtaining, according to the authority control policy service class found, the manipulation authority of the user for the data type.
  7. The data permission control system towards cloud computing multi-tenant pattern according to claim 6, characterized in that:
    when the data associater binds the mutually corresponding tenant identity information, data type information and authority control policy service class, one data type can be bound to one or more authority control policy service classes.
  8. The data permission control system towards cloud computing multi-tenant pattern according to claim 7, characterized in that:
    when one data type is bound to a single authority control policy service class, the authority determining device obtains the manipulation authority of the user for the data type according to the authority control policy service class found, specifically by directly executing that authority control policy service class to obtain the manipulation authority;
    when one data type is bound to multiple authority control policy service classes, the authority determining device obtains the manipulation authority of the user for the data type according to the authority control policy service classes found, specifically by executing each authority control policy service class found, obtaining an execution result according to the logical AND, logical OR and logical NOT relations between the authority control policy service classes, and judging from that result whether the user has the corresponding manipulation authority for the data type.
  9. The data permission control system towards cloud computing multi-tenant pattern according to claim 6, characterized by comprising:
    a tenant type privilege binding cache, for storing the authority control policy service classes found by the type privilege adaptation, so that they can be read directly from the cache next time.
CN201310256343.XA 2013-06-25 2013-06-25 A kind of data permission control method and system towards cloud computing multi-tenant pattern Active CN104252454B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310256343.XA CN104252454B (en) 2013-06-25 2013-06-25 A kind of data permission control method and system towards cloud computing multi-tenant pattern

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310256343.XA CN104252454B (en) 2013-06-25 2013-06-25 A kind of data permission control method and system towards cloud computing multi-tenant pattern

Publications (2)

Publication Number Publication Date
CN104252454A CN104252454A (en) 2014-12-31
CN104252454B true CN104252454B (en) 2018-02-27

Family

ID=52187362

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310256343.XA Active CN104252454B (en) 2013-06-25 2013-06-25 A kind of data permission control method and system towards cloud computing multi-tenant pattern

Country Status (1)

Country Link
CN (1) CN104252454B (en)


Also Published As

Publication number Publication date
CN104252454A (en) 2014-12-31


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190408

Address after: 510000 Room 1921, 27 Huanshi Avenue Center, Nansha District, Guangzhou City, Guangdong Province

Patentee after: Guangzhou Zhongke Yide Technology Co., Ltd.

Address before: Room 801, Building A, 1121 Haibin Road, Nansha District, Guangzhou City, Guangdong Province

Patentee before: Institute of Software Application Technology, Guangzhou & Chinese Academy of Sciences

CP02 Change in the address of a patent holder

Address after: 510000 Room 501, no.221-1, Huanshi Avenue West, Nansha District, Guangzhou City, Guangdong Province (self compiled room 01)

Patentee after: Guangzhou Zhongke Yide Technology Co.,Ltd.

Address before: 510000 Room 1921, 27 Huanshi Avenue Center, Nansha District, Guangzhou City, Guangdong Province

Patentee before: Guangzhou Zhongke Yide Technology Co.,Ltd.
