CN106649772A - Method and equipment for accessing data - Google Patents


Publication number
CN106649772A
Authority
CN
China
Prior art keywords
data
user
authorized user
database
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611227355.XA
Other languages
Chinese (zh)
Inventor
李玉亮
任养超
段晖莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Upper Marine Infotech Share Co Ltd Of Interrogating
Original Assignee
Upper Marine Infotech Share Co Ltd Of Interrogating
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Upper Marine Infotech Share Co Ltd Of Interrogating filed Critical Upper Marine Infotech Share Co Ltd Of Interrogating
Priority to CN201611227355.XA priority Critical patent/CN106649772A/en
Publication of CN106649772A publication Critical patent/CN106649772A/en
Pending legal-status Critical Current

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data

Abstract

The application aims to provide a method and equipment for accessing data. A management device obtains an authorized user list set by an administrator, wherein the authorized user list comprises an authorized user, the data information viewable within the authorized user's permissions, and a corresponding access time limit, so that permission management of the data information in a database is effectively realized. When a user needs to access data information in the database, the management device receives a data access request sent by the user; the management device then judges, based on the data access request, whether the user is an authorized user in the authorized user list; if so, it judges whether the access time of the data access request is within the corresponding access time limit, and if so, the data information viewable within the corresponding authorized user's permissions is sent to the user. Data is thus distributed in a targeted way to authorized users who hold access permissions, the efficiency of unified management of data access permissions is improved, and data security is guaranteed.

Description

A method and apparatus for accessing data
Technical field
The application relates to the computer field, and in particular to a method and apparatus for accessing data.
Background
With the development of the third platform, characterized mainly by cloud computing, big data, mobile and social, data has become the core driving force of the enterprise, and an enterprise's use of data has become a core component of its competitiveness. Within an enterprise, more and more data is used for more and more purposes, such as development, testing, quality control, data analysis and report generation.
The data used within an enterprise is generally obtained by an administrator backing up the data in the production database; the administrator then sends the resulting backup data to different data users for different purposes. Because data distribution is carried out independently and in a scattered way, and because the distribution of backup data is done by the administrator entirely by copying data, the distribution of backup data is separated from the actual data request process, which makes the backup data distribution process chaotic. Moreover, data has become an essential and core asset of the enterprise, and the usage scenarios and users of data are growing rapidly, so there should be clear permission control over who can and cannot use which data. The prior art, however, can restrict permissions on backup data only at the level of rules, and the rules cannot be tied to the actual use of backup data, so the management of data permissions exists in name only, the goal of letting the right people use the right data cannot be achieved, and the difficulty for core business systems is increased. Furthermore, because the backup data distribution process is chaotic and the management of data usage permissions is inefficient, the distribution process and usage permissions of data cannot be clearly and strictly controlled, so the security of the enterprise's core data cannot be guaranteed.
Summary of the invention
One purpose of the application is to provide a method and apparatus for accessing data, solving the problems in the prior art that the distribution of data in a database is chaotic and the management of data access permissions is inefficient, which also results in low data security.
According to one aspect of the application, a method for accessing data at a management device side is provided, the method comprising:
obtaining an authorized user list set by an administrator, wherein the authorized user list includes an authorized user, the data information viewable within the authorized user's permissions, and a corresponding access time limit;
receiving a data access request sent by a user;
judging, based on the data access request, whether the user is an authorized user in the authorized user list;
if so, judging whether the access time of the data access request is within the corresponding access time limit, and if so, sending the data information viewable within the corresponding authorized user's permissions to the user.
Further, in the above method, after judging, based on the data access request, whether the user is an authorized user in the authorized user list, the method further comprises:
if not, returning a permission-not-opened message to the user based on the data access request.
Further, in the above method, after obtaining the authorized user list set by the administrator, the method further comprises:
obtaining the host environment parameter information of the authorized user preset by the administrator, and the database environment parameter information corresponding to the data information viewable within the authorized user's permissions.
Further, in the above method, while sending the data information viewable within the corresponding authorized user's permissions to the user, the method further comprises:
sending the host environment parameter information and the database environment parameter information to the user.
Further, in the above method, the method further comprises:
performing an update operation on the authorized user list, and sending the update operation log corresponding to the update operation to an audit device.
Further, in the above method, the update operation log includes at least any one of the following:
a creation log of data access permissions, a modification log of data access permissions, and a deletion log of data access permissions.
According to another aspect of the application, a method for accessing data at an authorized user device side is provided, wherein the method comprises:
sending a data access request to a management device, so that the management device judges, based on the data access request, whether the user is an authorized user in the authorized user list and, if so, judges whether the access time of the data access request is within the corresponding access time limit, wherein the authorized user list includes an authorized user, the data information viewable within the authorized user's permissions, and a corresponding access time limit;
receiving the data information, viewable within the corresponding authorized user's permissions, that the management device returns based on the data access request;
within the access time limit, operating on the data information to obtain an operation log, and sending the operation log to an audit device.
Further, in the above method, after sending the data access request to the management device, the method further comprises:
receiving the permission-not-opened message returned by the management device based on the data access request.
Further, in the above method, while receiving the data information, viewable within the corresponding authorized user's permissions, that the management device returns based on the data access request, the method further comprises:
receiving the host environment parameter information and the database environment parameter information sent by the management device.
Further, in the above method, operating on the data information within the access time limit to obtain an operation log, and sending the operation log to the audit device, comprises:
configuring the local host based on the host environment parameter information;
within the access time limit, creating, on the local host and based on the database environment parameter information, a database instance corresponding to the data information;
operating on the database instance to obtain an operation log, and sending the operation log to the audit device.
Further, in the above method, operating on the database instance to obtain an operation log, and sending the operation log to the audit device, comprises:
operating on the database state corresponding to the database instance to obtain a state operation log, and sending the state operation log to the audit device.
Further, in the above method, operating on the database instance to obtain an operation log, and sending the operation log to the audit device, comprises:
operating on the data information corresponding to the database instance to obtain a data operation log, and sending the data operation log to the audit device.
According to another aspect of the application, a management device for accessing data is provided, wherein the management device comprises:
an acquisition device, for obtaining an authorized user list set by an administrator, wherein the authorized user list includes an authorized user, the data information viewable within the authorized user's permissions, and a corresponding access time limit;
a request receiving device, for receiving a data access request sent by a user;
an authorization sending device, for judging, based on the data access request, whether the user is an authorized user in the authorized user list,
and if so, judging whether the access time of the data access request is within the corresponding access time limit, and if so, sending the data information viewable within the corresponding authorized user's permissions to the user.
Further, in the above management device, the authorization sending device is further used for:
if not, returning a permission-not-opened message to the user based on the data access request.
Further, in the above management device, the acquisition device is further used for:
obtaining the host environment parameter information of the authorized user preset by the administrator, and the database environment parameter information corresponding to the data information viewable within the authorized user's permissions.
Further, in the above management device, the authorization sending device is further used for:
sending the host environment parameter information and the database environment parameter information to the user.
Further, in the above management device, the management device further comprises:
an update sending device, for performing an update operation on the authorized user list, and sending the update operation log corresponding to the update operation to an audit device.
Further, in the above management device, the update operation log includes at least any one of the following:
a creation log of data access permissions, a modification log of data access permissions, and a deletion log of data access permissions.
According to another aspect of the application, an authorized user device for accessing data is provided, wherein the authorized user device comprises:
a request sending device, for sending a data access request to a management device, so that the management device judges, based on the data access request, whether the user is an authorized user in the authorized user list and, if so, judges whether the access time of the data access request is within the corresponding access time limit, wherein the authorized user list includes an authorized user, the data information viewable within the authorized user's permissions, and a corresponding access time limit;
a data receiving device, for receiving the data information, viewable within the corresponding authorized user's permissions, that the management device returns based on the data access request;
an operation sending device, for operating on the data information within the access time limit to obtain an operation log, and sending the operation log to an audit device.
Further, in the above authorized user device, the request sending device is further used for:
receiving the permission-not-opened message returned by the management device based on the data access request.
Further, in the above authorized user device, the data receiving device is further used for:
receiving the host environment parameter information and the database environment parameter information sent by the management device.
Further, in the above authorized user device, the operation sending device is used for:
configuring the local host based on the host environment parameter information;
within the access time limit, creating, on the local host and based on the database environment parameter information, a database instance corresponding to the data information;
operating on the database instance to obtain an operation log, and sending the operation log to the audit device.
Further, in the above authorized user device, the operation sending device is used for:
operating on the database state corresponding to the database instance to obtain a state operation log, and sending the state operation log to the audit device.
Further, in the above authorized user device, the operation sending device is used for:
operating on the data information corresponding to the database instance to obtain a data operation log, and sending the data operation log to the audit device.
Compared with the prior art, the application obtains, at the management device side, an authorized user list set by an administrator, wherein the authorized user list includes an authorized user, the data information viewable within the authorized user's permissions, and a corresponding access time limit. The authorized user who has access to data in the database, the data information viewable within that user's permissions, and the corresponding access time limit are thereby bound together in the authorized user list, which achieves effective permission management of the data information in the database. When a user needs to access data information in the database, the user sends a data access request to the management device, so that the management device receives the data access request sent by the user. The management device then judges, based on the data access request, whether the user is an authorized user in the authorized user list; if so, it judges whether the access time of the data access request is within the corresponding access time limit, and if so, it sends the data information viewable within the corresponding authorized user's permissions to the user. This achieves effective management of access permissions to the data information in the database, so that only an authorized user with access permissions can access the data information in the database that is viewable within that user's permissions. Data is not only distributed in a targeted way to authorized users who hold access permissions, but the efficiency of unified management of data access permissions is also improved, while the security of the data is ensured.
Brief description of the drawings
Other features, objects and advantages of the application will become more apparent by reading the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 shows a flow chart of a method for accessing data at a management device side according to one aspect of the application;
Fig. 2 shows a flow chart of a method for accessing data at an authorized user device side, provided according to another aspect of the application;
Fig. 3 shows a system architecture diagram for accessing data, provided according to another aspect of the application;
Fig. 4 shows a schematic diagram of a web tool interface used in the process of accessing data at the authorized user device side, according to another aspect of the application;
Fig. 5 shows a schematic structural diagram of a management device for accessing data according to one aspect of the application;
Fig. 6 shows a schematic structural diagram of an authorized user device for accessing data, provided according to another aspect of the application.
The same or similar reference numerals in the drawings represent the same or similar parts.
Detailed description
The application is described in further detail below with reference to the accompanying drawings.
In a typical configuration of the application, the terminal, the device of the service network and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
Fig. 1 shows a flow chart of a method for accessing data at a management device side according to one aspect of the application, applied at the management device side of a database data usage system. The method includes step S11, step S12 and step S13, wherein:
Step S11: obtain the authorized user list set by the administrator, wherein the authorized user list includes an authorized user, the data information viewable within the authorized user's permissions, and a corresponding access time limit. For example, in the management device, before the data in the database is used, the administrator of the database dynamically grants the permission to use the database data to an authorized user, so that the authorized user can view the corresponding data information within the corresponding access time limit. The distribution of data is thereby bound to the authorized user list, the data distribution process is standardized, and effective permission management of the data information in the database is achieved. The authorized user list may of course also include the source database of the data information viewable within the authorized user's permissions and the destination database where the authorized user is located, so as to authorize the use of database data precisely;
Step S12: receive the data access request sent by the user. For example, when user A needs to access data information D1 in the database, user A sends a data access request to the management device, so that the management device receives the data access request sent by the user;
Step S13: judge, based on the data access request, whether the user is an authorized user in the authorized user list; if so, judge whether the access time of the data access request is within the corresponding access time limit; if so, send the data information viewable within the corresponding authorized user's permissions to the user. For example, the management device judges, based on the access request, whether user A is an authorized user in the authorized user list; if so, it goes on to judge whether the access time of the data access request is within the corresponding access time limit; if so, it sends the data information D1 viewable within the corresponding authorized user's permissions to user A. This achieves effective management of access permissions to the data information in the database, so that only an authorized user with access permissions, and only within the limited access time limit, can access the data information in the database that is viewable within that user's permissions. Data is not only distributed in a targeted way to authorized users who hold access permissions, but the efficiency of unified management of data access permissions is also improved, while the security of the data in the database is ensured.
Further, after step S13 judges, based on the data access request, whether the user is an authorized user in the authorized user list, the method further includes:
if not, returning a permission-not-opened message to the user based on the data access request. For example, step S13 judges, based on the access request, whether user A is an authorized user in the authorized user list; if not, user A does not have permission to access the data in the database, that is, the administrator has not opened to user A the permission to access the data information in the database. Step S13 then returns a permission-not-opened message to user A based on the received data access request of user A, to inform user A that user A does not have access permission to the data information in the database.
Further, after step S11 obtains the authorized user list set by the administrator, the method further includes:
obtaining the host environment parameter information of the authorized user preset by the administrator, and the database environment parameter information corresponding to the data information viewable within the authorized user's permissions.
It should be noted that the host environment parameter information used to configure the host used by the authorized user may include, but is not limited to, at least any one of the following: host name, host IP address (Internet Protocol address), operating system type, operating system account and operating system password. Of course, other host environment parameter information for configuring the host used by the authorized user, existing or possibly appearing in the future, that is applicable to the application should also be included within the protection scope of the application and is incorporated herein by reference.
It should be noted that the database environment parameter information used to configure the source database corresponding to the data information and the database corresponding to the authorized user may include at least any one of the following: database name, database type, database instance name (SID), database account and database password. Of course, other database environment parameter information for configuring the source database corresponding to the data information and the database corresponding to the authorized user, existing or possibly appearing in the future, that is applicable to the application should also be included within the protection scope of the application and is incorporated herein by reference.
In one embodiment of the application, in the database data usage system, after setting the authorized user list the administrator may also preset the host environment parameter information of the authorized user and the database environment parameter information corresponding to the data information viewable within the authorized user's permissions. After obtaining the authorized user list set by the administrator, step S11 therefore also obtains the host environment parameter information of the authorized user preset by the administrator and the database environment parameter information corresponding to the data information viewable within the authorized user's permissions, so that later, while the data is being used, the authorized user device can access and/or operate on the data information viewable within the authorized user's permissions based on the host environment parameter information and the corresponding database environment parameter information.
Further, while step S13 sends the data information viewable within the corresponding authorized user's permissions to the user, the method further includes:
sending the host environment parameter information and the database environment parameter information to the user.
In one embodiment of the application, while step S13 sends the data information viewable within the corresponding authorized user's permissions to user A, who is an authorized user in the authorized user list, it also sends the obtained preset host environment parameter information and database environment parameter information to user A, so that user A can subsequently operate on the data information viewable within the authorized user's permissions based on the host environment parameter information and the database environment parameter information. The preset host environment parameter information and database environment parameter information of the authorized user are thereby delivered accurately to the corresponding authorized user, ensuring the security of subsequent operations on the data information.
Further, the method for accessing data at a management device side provided by the application also includes step S14, wherein step S14 includes: performing an update operation on the authorized user list, and sending the update operation log corresponding to the update operation to the audit device. For example, because an authorized user in the authorized user list can access the corresponding data information only within the access time limit, step S14 can update the authorized user list as time passes, so that an authorized user can use the authorized data information in the database only within the access time limit bound to that user; if the access time limit is exceeded, the authorized user's access permission is withdrawn. This makes it easy to control the use or operation permissions, within the access time limit, of authorized users who have access to the data in the database, so that permission management of the database data is clearer and more effective and the security of the data is ensured. When step S14 performs an update operation on the authorized user list, it also records the update operation log corresponding to the update operation and sends the update operation log to the audit device, so that the audit device can subsequently determine, by auditing the update operation log, which users' access to the data in the database is legitimate and which is not; if access is illegitimate, the audit device can raise an alarm so that the management device can deal with the user.
It should be noted that the update operation log may include at least any one of the following: a creation log of data access permissions, a modification log of data access permissions, a deletion log of data access permissions, and so on. The creation log includes the created authorized user, the data information viewable within the authorized user's permissions, the source database of the data information, the target database to which the authorized user belongs, the corresponding access time limit, and so on; the modification log of data access permissions includes modifications to the authorized user, to the data information viewable within the authorized user's permissions, to the source database corresponding to the modified data information and the target database to which the authorized user belongs, and to the corresponding access time limit; the deletion log of data access permissions includes the deletion of the authorized user, of the data information viewable within the authorized user's permissions, of the source database of the data information, of the target database to which the authorized user belongs, and of the corresponding access time limit. Of course, other update operation logs, existing or possibly appearing in the future, that are applicable to the application should also be included within the protection scope of the application and are incorporated herein by reference.
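The management-device flow of steps S11 to S14 above, as an added Python example that is not part of the patent text: an authorized user list keyed by user and data item, the two-stage check of step S13, and an update log sent to the audit device for every create, modify or delete. The class, field and status names are assumptions, as are the OUTSIDE_ACCESS_TIME_LIMIT reply (the description does not say what is returned when the time check fails), the masking of password fields in audit records, and the plain list standing in for the audit device.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

SECRET_KEYS = {"os_password", "db_password"}  # assumed parameter names


@dataclass(frozen=True)
class Grant:
    """One row of the authorized user list (step S11)."""
    user: str
    data_id: str          # data information the user may view
    not_before: datetime  # start of the access time limit
    not_after: datetime   # end of the access time limit
    host_env: dict        # host environment parameter information
    db_env: dict          # database environment parameter information


def _redact(params):
    """Mask credentials before a record leaves for the audit device."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in params.items()}


class ManagementDevice:
    def __init__(self, datastore, audit_log):
        self._data = datastore   # data_id -> data information
        self._audit = audit_log  # list standing in for the audit device
        self._grants = {}        # (user, data_id) -> Grant

    def update_grant(self, admin, action, grant, now=None):
        """Step S14: update the list and send an update operation log."""
        now = now or datetime.now(timezone.utc)
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unknown action {action!r}")
        key = (grant.user, grant.data_id)
        # create needs a new key; modify and delete need an existing one
        if (action == "create") == (key in self._grants):
            raise ValueError(f"cannot {action} grant for {key}")
        if action == "delete":
            del self._grants[key]
        else:
            if grant.not_after <= grant.not_before:
                raise ValueError("empty access time limit")
            self._grants[key] = grant
        self._audit.append({
            "time": now.isoformat(), "admin": admin, "action": action,
            "user": grant.user, "data_id": grant.data_id,
            "access_time_limit": (grant.not_before.isoformat(),
                                  grant.not_after.isoformat()),
            "host_env": _redact(grant.host_env),
            "db_env": _redact(grant.db_env),
        })

    def handle_request(self, user, data_id, now=None):
        """Steps S12 and S13. `now` is the device's own clock at receipt,
        never a timestamp supplied in the request."""
        now = now or datetime.now(timezone.utc)
        grant = self._grants.get((user, data_id))
        if grant is None:  # not an authorized user for this data
            return {"status": "PERMISSION_NOT_OPENED"}
        if not (grant.not_before <= now <= grant.not_after):
            return {"status": "OUTSIDE_ACCESS_TIME_LIMIT"}
        return {"status": "OK", "data": self._data[data_id],
                "host_env": grant.host_env, "db_env": grant.db_env}


def demo():
    """Constructed scenario: user A may view data D1 during January 2017."""
    utc = timezone.utc
    audit = []
    dev = ManagementDevice({"D1": "backup set D1"}, audit)
    grant = Grant(
        "user_a", "D1",
        datetime(2017, 1, 1, tzinfo=utc), datetime(2017, 1, 31, tzinfo=utc),
        {"hostname": "dev-host-01", "ip": "192.0.2.10",
         "os_password": "constructed-secret"},
        {"db_name": "orders", "sid": "ORCL1",
         "db_password": "constructed-secret"})
    dev.update_grant("admin", "create", grant,
                     now=datetime(2016, 12, 27, tzinfo=utc))
    mid = datetime(2017, 1, 15, tzinfo=utc)
    late = datetime(2017, 2, 1, tzinfo=utc)
    results = {
        "in_window": dev.handle_request("user_a", "D1", now=mid),
        "not_listed": dev.handle_request("user_b", "D1", now=mid),
        "expired": dev.handle_request("user_a", "D1", now=late),
    }
    dev.update_grant("admin", "delete", grant, now=late)  # withdraw access
    results["after_delete"] = dev.handle_request("user_a", "D1", now=mid)
    return results, audit


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(name, value["status"])
```

Both checks fail closed: a request is answered with data only when a grant exists and the device's clock falls inside its access time limit, and a deleted grant is refused even if the same request arrives again.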
Fig. 2 is illustrated according to further aspect of the application, there is provided a kind of side that data are accessed at authorized user device end The flow chart of method, is applied to the data of database using the management equipment end in system, and the method includes:Step S21, step S22 and step S23, wherein,
Step S21, to management equipment data access request is sent, so that the management equipment is visited based on the data Ask that request judges that whether the user is the authorized user in the list of authorized users, if so, then judge the data access Whether the access time of request is accessed in the time limit corresponding, wherein, the list of authorized users includes authorized user, authorizes and use Data message, the corresponding access time limit checked in the authority of family;
Step S22, receives the management equipment and is based on the data access request, the corresponding authorized user of return The data message checked in authority;
Step S23, within the access time limit, operation is carried out to the data message and obtains Operation Log, and will The Operation Log is sent to audit device, realizes authorized user device when needing to access the data in database, obtains The data message checked in the current grant user right sended over to management equipment, and accessing in the time limit, to the number It is believed that breath carries out operation and obtains Operation Log, realize data message and be accurately issued to corresponding authorized user, it is ensured that visit The security of data message is asked, and Operation Log is sent into audit device, so that audit device is examined the Operation Log Meter judges.
Further, after the data access request is sent to the management device in step S21, the method also includes: receiving the permission-not-opened message returned by the management device based on the data access request. For example, when user A needs to access certain data information in the database, user A sends a data access request to the management device, so that the management device determines, based on the data access request, whether user A is an authorized user in the authorized user list. If user A is not an authorized user in the authorized user list, user A does not have permission to access the data in the database, that is, the administrator has not opened to user A the permission to access the data information in the database. The management device then returns a permission-not-opened message to user A based on the data access request, and user A receives that message. This ensures that data cannot be accessed by users without access permission and ensures the security of the corresponding data in the database.
Further, while receiving in step S22 the data information viewable within the corresponding authorized user's permission, returned by the management device based on the data access request, the method also includes:
Receiving the host environment parameter information and the database environment parameter information sent by the management device.
It should be noted that the host environment parameter information used to configure the host that the authorized user uses may include, but is not limited to, at least any one of the following: host name, host IP address (Internet Protocol Address), operating system type, operating system account and operating system password. Of course, any other host environment parameter information for configuring the host that the authorized user uses, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
It should be noted that the database environment parameter information used to configure the source database corresponding to the data information and the database corresponding to the authorized user may include at least any one of the following: database name, database type, database instance name (SID), database account and database password. Of course, any other database environment parameter information for configuring the source database corresponding to the data information and the database corresponding to the authorized user, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
In an embodiment of the present application, in the data usage system of the database, when user A needs to access data in the database, user A sends a data access request to the management device. If the management device determines that user A has permission to access the data and that the access time of the request is also within the corresponding access period, the management device sends the data information D1 viewable within the corresponding authorized user's permission to user A. In step S22, while receiving the data information viewable within the corresponding authorized user's permission returned by the management device based on the data access request, user A also receives the host environment parameter information and the database environment parameter information sent by the management device, so that user A can operate on the data information viewable within the authorized user's permission based on the host environment parameter information and the database environment parameter information. User A, who has data access permission for the database, thus accurately obtains the authorized user's host environment parameter information and database environment parameter information held by the management device, which ensures the security of the data information viewable within the authorized user's permission.
Further, step S23, in which the data information is operated on within the access period to obtain an operation log and the operation log is sent to the audit device, includes:
Configuring the local host based on the host environment parameter information;
Within the access period, creating in the local host, based on the database environment parameter information, the database instance corresponding to the data information;
Operating on the database instance to obtain an operation log, and sending the operation log to the audit device.
It should be noted that a database instance created in the local host of the authorized user device is one branch in the local host. In embodiments of the present application, at least one branch can be created in the same local host to indicate different purposes of use of the user, wherein each branch is an independent database instance and corresponds to the database state at a particular point in time. The branches do not interfere with one another: when the database instance corresponding to one branch on the local host is in the started state, the other branches should be in the stopped state. If one branch is in the started state and another branch is to be used, the currently started branch is stopped first and then the other branch that needs to be used is started, so that the database instances corresponding to the branches do not interfere with one another.
In an embodiment of the present application, in step S23, within the access period, once the data information viewable within the authorized user's permission has been received from the management device in response to the data access request, together with the host environment parameter information and the database environment parameter information sent by the management device, first, the local host where user A is located is configured based on the host environment parameter information; then, within the access period, the database instance corresponding to the data information viewable within the permission of user A, who has access permission, is created in the local host based on the database environment parameter information; then, the database instance is operated on to obtain an operation log, and the operation log is sent to the audit device, so that the audit device can subsequently judge, based on the operation log, whether the user A accessing the data information is an authorized user, whether the data information was accessed within the access period, whether user A has performed a large number of queries on the data information, whether the operations were ones that are not allowed, and so on.
Further, operating on the database instance in step S23 to obtain an operation log, and sending the operation log to the audit device, includes:
Operating on the database state corresponding to the database instance to obtain a state operation log, and sending the state operation log to the audit device.
It should be noted that the state operation log may include, but is not limited to, the operator, the operation time, the operated database, the database operation time, the state operation result, and so on. The state operation result may include, but is not limited to, any one of the following: start operation, stop operation, forward operation, back operation, reset operation, access operation. The start operation indicates starting the database instance corresponding to a branch so that user A can use it; the stop operation indicates stopping the database instance corresponding to a branch, ending user A's use; the forward operation indicates placing the database instance corresponding to a branch in the state of the time point preceding the current corresponding access time point; the back operation indicates placing the database instance corresponding to a branch in the state of the time point following the current corresponding access time point; the reset operation indicates resetting the database instance corresponding to a branch to the state it had when the branch was first started; the access operation indicates automatically invoking the database instance of the local host and connecting, according to the configured database environment parameter information, to the database instance on the local host of user A, who has access permission, in order to view the data information viewable within the permission.
In an embodiment of the present application, after the database instance corresponding to the data information viewable within the authorized user's permission has been created in a branch in step S23, user A operates on the database state corresponding to the database instance, records the state operation log obtained from operating on the database state, and sends the recorded state operation log to the audit device, so that the audit device can determine the database state that the database instance is currently in.
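The branch rule and the state operation log described above can be modelled as follows. This is an added example, not code from the patent: the class `LocalHost`, the function `audit_state_log` and the log field names are assumptions, and only the start, stop, reset and access results are modelled (forward and back are left out).

```python
from datetime import datetime


class LocalHost:
    """Local host of an authorized user; holds several branches (hypothetical model)."""

    def __init__(self, operator):
        self.operator = operator
        self.branches = {}    # branch name -> branch record
        self.state_log = []   # state operation log, later sent to the audit device

    def create_branch(self, name, snapshot):
        # Each branch is an independent instance built from a point-in-time state.
        self.branches[name] = {"started": False, "first_start": None,
                               "data": dict(snapshot)}

    def _log(self, name, result, when):
        self.state_log.append({"operator": self.operator,
                               "operation_time": when.isoformat(),
                               "database": name, "result": result})

    def start(self, name, when):
        branch = self.branches[name]
        # Only one branch may be started: stop any other started branch first.
        for other, rec in self.branches.items():
            if other != name and rec["started"]:
                self.stop(other, when)
        if branch["first_start"] is None:
            # Remember the state at first start; reset returns to it.
            branch["first_start"] = dict(branch["data"])
        branch["started"] = True
        self._log(name, "start", when)

    def stop(self, name, when):
        self.branches[name]["started"] = False
        self._log(name, "stop", when)

    def reset(self, name, when):
        branch = self.branches[name]
        if branch["first_start"] is None:
            raise RuntimeError(f"branch {name} has never been started")
        branch["data"] = dict(branch["first_start"])
        self._log(name, "reset", when)

    def access(self, name, when):
        if not self.branches[name]["started"]:
            raise PermissionError(f"branch {name} is stopped")
        self._log(name, "access", when)
        return dict(self.branches[name]["data"])


def audit_state_log(entries):
    """Audit-side replay of a state operation log.

    Returns (index, message) findings for entries that break the rule that
    at most one branch is started, or that access a branch that is stopped.
    """
    running, findings = set(), []
    for i, entry in enumerate(entries):
        db, result = entry["database"], entry["result"]
        if result == "start":
            others = sorted(running - {db})
            if others:
                findings.append((i, f"{db} started while {others} still started"))
            running.add(db)
        elif result == "stop":
            running.discard(db)
        elif result == "access" and db not in running:
            findings.append((i, f"access to stopped branch {db}"))
    return findings


if __name__ == "__main__":
    now = datetime(2016, 12, 15, 9, 0)           # constructed timestamp
    host = LocalHost("userA")
    host.create_branch("fenzhi3", {"rows": 10})  # constructed sample data
    host.create_branch("fenzhi5", {"rows": 20})
    host.start("fenzhi3", now)
    host.start("fenzhi5", now)                   # fenzhi3 is stopped first
    for entry in host.state_log:
        print(entry)
    print(audit_state_log(host.state_log))
```

Replaying the log on the audit side lets the audit device check the one-started-branch rule without trusting the state reported by the user's host.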
Further, operating on the database instance in step S23 to obtain an operation log, and sending the operation log to the audit device, includes:
Operating on the data information corresponding to the database instance to obtain a data operation log, and sending the data operation log to the audit device.
It should be noted that the data operation log may include the data operation type, the operation time, the operator and the data operation result. Of course, any other data operation log, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
In an embodiment of the present application, after the database instance corresponding to the data information viewable within the authorized user's permission has been created in a branch in step S23, user A operates on the database state corresponding to the database instance. User A then operates on the data information corresponding to the database instance, records the data operation log obtained from the data operations performed on the data information, and sends the data operation log to the audit device, so that the audit device can audit whether user A's access to the data information is allowed and whether sensitive information was accessed, and can handle the data operations accordingly.
Fig. 3 shows a system architecture diagram for accessing data, provided according to another aspect of the present application and applied in the data usage system of a database. The data usage system of the database includes the management device of the data, the authorized user device of the data service, and the audit device of the data audit, wherein:
The management device of the data is mainly used to obtain the authorized user list set by the administrator, to configure the host environment parameter information of the authorized user, to configure the database environment parameter information and, when a user sends a data access request, to determine whether the user sending the data access request is an authorized user and whether the access time is within the access period, and then to send the data information viewable within the permission of an authorized user who meets the requirements to the user who sent the data access request. This standardizes the data distribution process, while also unifying the permission management of the data information in the database and greatly improving data security.
The authorized user device of the data service is used to create the database instance corresponding to the data information, using the data information, the host environment parameter information and the database environment parameter information sent by the management device. The database instance has the following functions: sub-function, start/stop function, forward function, back function, reset function, automatic access function, and so on. The operation log obtained from operating on the database instance is sent to the audit device for auditing.
The audit device of the data audit is used to record database state operations, database access operations, operations on the authorized user list, and so on.
In an embodiment of the present application, the authorized user list is combined with the WEB (web page) tool used with the database, so that an authorized user on the authorized user device can see in real time, in the WEB interface, the data information for which the administrator on the management device has granted usage rights, and can dynamically adjust and access the data information in the database through the WEB tool. This avoids the need for the administrator's participation and reduces the complexity of using the data information in the database. Fig. 4 shows the operation interface, displayed in the WEB interface, of the database instance corresponding to branch 5 (fenzhi5) of an authorized user; the database instance includes not only branch 5 but also branch 4 and branch 3 (fenzhi3). Because the authorization list and the use of the database are combined through the WEB tool, data users can see in real time, in the WEB interface, the data for which the administrator has granted usage rights, and can dynamically adjust and access the database through the WEB tool. They can complete this process entirely by themselves, without the participation of the database administrator, which reduces the complexity of using the data.
Fig. 5 shows a structural diagram of a management device for accessing data according to one aspect of the present application, applied at the management device side of the data usage system of a database. The management device includes: an acquisition device 11, a request receiving device 12 and an authorization sending device 13, wherein:
The acquisition device 11 is configured to obtain the authorized user list set by the administrator, wherein the authorized user list includes the authorized user, the data information viewable within the authorized user's permission, and the corresponding access period. For example, in the management device, before the data of the database is used, the administrator of the database dynamically grants the right to use the data of the database to authorized users, so that an authorized user can view the corresponding data information within the corresponding access period. This binds the distribution of data to the authorized user list, standardizes the data distribution process, and achieves effective permission management of the data information in the database. Of course, the authorized user list may also include the source database of the data information viewable within the authorized user's permission and the destination database where the authorized user is located, so as to achieve precise authorization of the use of database data;
The request receiving device 12 is configured to receive the data access request sent by a user. For example, when user A needs to access the data information D1 in the database, user A sends a data access request to the management device, and the management device receives the data access request sent by the user;
The authorization sending device 13 is then configured to determine, based on the data access request, whether the user is an authorized user in the authorized user list; if so, to determine whether the access time of the data access request is within the corresponding access period; and if so, to send the data information viewable within the corresponding authorized user's permission to the user. For example, the management device determines, based on the access request, whether user A is an authorized user in the authorized user list; if so, it goes on to determine whether the access time of the data access request is within the corresponding access period; if so, it sends the data information D1 viewable within the corresponding authorized user's permission to user A. This achieves effective management of access permissions for the data information in the database, so that an authorized user with access permission can access the data information viewable within the authorized user's permission only within the restricted access period. Data is thereby distributed specifically to authorized users with access permission, the efficiency of unified management of data access permissions is improved, and the security of the data in the database is ensured.
Further, the authorization sending device 13 is also configured to:
If not, return a permission-not-opened message to the user based on the data access request. For example, the authorization sending device 13 determines, based on the access request, whether user A is an authorized user in the authorized user list. If not, user A does not have permission to access the data in the database, that is, the administrator has not opened to user A the permission to access the data information in the database. The authorization sending device 13 then returns a permission-not-opened message to user A based on the data access request received from user A, to inform user A that user A does not have access permission for the data information in the database.
Further, the acquisition device 11 is also configured to:
Obtain the host environment parameter information of the authorized user preset by the administrator, and the database environment parameter information corresponding to the data information viewable within the authorized user's permission.
It should be noted that the host environment parameter information used to configure the host that the authorized user uses may include, but is not limited to, at least any one of the following: host name, host IP address (Internet Protocol Address), operating system type, operating system account and operating system password. Of course, any other host environment parameter information for configuring the host that the authorized user uses, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
It should be noted that the database environment parameter information used to configure the source database corresponding to the data information and the database corresponding to the authorized user may include at least any one of the following: database name, database type, database instance name (SID), database account and database password. Of course, any other database environment parameter information for configuring the source database corresponding to the data information and the database corresponding to the authorized user, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
In an embodiment of the present application, in the data usage system of the database, after setting the authorized user list the administrator may also preset the host environment parameter information of the authorized user and the database environment parameter information corresponding to the data information viewable within the authorized user's permission. After obtaining the authorized user list set by the administrator, the acquisition device 11 therefore also obtains the host environment parameter information of the authorized user preset by the administrator and the database environment parameter information corresponding to the data information viewable within the authorized user's permission, so that subsequently, while the data is in use, the authorized user device can access and/or operate on the data information viewable within the authorized user's permission based on the host environment parameter information and the corresponding database environment parameter information.
Further, the authorization sending device 13 is also configured to:
Send the host environment parameter information and the database environment parameter information to the user.
In an embodiment of the present application, while sending the data information viewable within the corresponding authorized user's permission to user A, who is an authorized user in the authorized user list, the authorization sending device 13 also sends the obtained preset host environment parameter information and database environment parameter information to user A, so that user A can subsequently operate on the data information viewable within the authorized user's permission based on the host environment parameter information and the database environment parameter information. The preset host environment parameter information and database environment parameter information of the authorized user are thus delivered accurately to the corresponding authorized user, which ensures the security of subsequent operations on the data information.
Further, the method for accessing data at the management device side provided by the present application also includes step S14, wherein step S14 includes: performing an update operation on the authorized user list, and sending the update operation log corresponding to the update operation to the audit device. For example, because an authorized user in the authorized user list can access the corresponding data information only within the access period, step S14 can perform update operations on the authorized user list as time passes, so that an authorized user can use the authorized data information in the database only within the access period bound to that user; once the access period is exceeded, the access permission of the authorized user is withdrawn. This makes it easy to control the use of, or operations on, the data information within the access period by authorized users who have access to the data of the database, makes the management of data permissions for the database clearer and more effective, and ensures the security of the data. When performing an update operation on the authorized user list, step S14 also records the update operation log corresponding to the update operation and sends the update operation log to the audit device, so that the audit device can subsequently determine, by auditing the update operation log, which users' access to the data of the database is legitimate or illegitimate. If the access is illegitimate, the audit device can raise an alarm so that the management device can deal with the user.
It should be noted that the update operation log may include at least any one of the following: a creation log of data access permissions, a modification log of data access permissions, a deletion log of data access permissions, and so on. The creation log includes the created authorized user, the data information viewable within the authorized user's permission, the source database of the data information, the target database to which the authorized user belongs, the corresponding access period, and so on; the modification log of data access permissions includes modifications to the authorized user, to the data information viewable within the authorized user's permission, to the source database corresponding to the modified data information, to the target database to which the authorized user belongs, and to the corresponding access period; the deletion log of data access permissions includes deletion of the authorized user, of the data information viewable within the authorized user's permission, of the source database of the data information, of the target database to which the authorized user belongs, and of the corresponding access period. Of course, any other update operation log, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
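The two-stage check made by the authorization sending device 13, together with the update operations of step S14 and their update operation log, can be sketched as follows. This is an added example, not code from the patent: the names `Grant` and `ManagementDevice`, the log field names and the status strings are assumptions, and the `outside_access_period` response is hypothetical because the description does not say what is returned when the access time falls outside the access period.

```python
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    """One row of the authorized user list (field names are assumptions)."""
    user: str
    data_items: tuple   # data information viewable within the permission
    source_db: str      # source database of the data information
    target_db: str      # target database the authorized user belongs to
    start: datetime     # access period start
    end: datetime       # access period end


class ManagementDevice:
    def __init__(self):
        self.grants = {}      # authorized user list, keyed by user
        self.audit_log = []   # update operation logs sent to the audit device

    def _record(self, kind, grant, operator, when):
        # One update operation log entry: create, modify or delete.
        self.audit_log.append({
            "log": kind, "operator": operator, "time": when.isoformat(),
            "user": grant.user, "data_items": list(grant.data_items),
            "source_db": grant.source_db, "target_db": grant.target_db,
            "access_period": [grant.start.isoformat(), grant.end.isoformat()],
        })

    @staticmethod
    def _check_period(grant):
        if grant.end <= grant.start:
            raise ValueError("access period must end after it starts")

    def create(self, grant, operator, when):
        self._check_period(grant)
        self.grants[grant.user] = grant
        self._record("create", grant, operator, when)

    def modify(self, user, operator, when, **changes):
        updated = replace(self.grants[user], **changes)
        self._check_period(updated)
        self.grants[user] = updated
        self._record("modify", updated, operator, when)

    def delete(self, user, operator, when):
        self._record("delete", self.grants.pop(user), operator, when)

    def withdraw_expired(self, now):
        # Step S14 as time passes: withdraw grants whose period has ended.
        expired = [u for u, g in self.grants.items() if now > g.end]
        for user in expired:
            self.delete(user, "system", now)
        return expired

    def handle_request(self, user, now):
        # `now` is the management device's own clock, never a time
        # supplied by the requesting user.
        grant = self.grants.get(user)
        if grant is None:
            return {"status": "permission_not_opened"}
        if not (grant.start <= now <= grant.end):
            return {"status": "outside_access_period"}  # hypothetical response
        return {"status": "granted", "data_items": list(grant.data_items)}


if __name__ == "__main__":
    device = ManagementDevice()
    # Constructed sample grant: user A may view D1 during December 2016.
    device.create(Grant("userA", ("D1",), "source_db", "target_db",
                        datetime(2016, 12, 1), datetime(2016, 12, 31)),
                  operator="admin", when=datetime(2016, 11, 30))
    print(device.handle_request("userA", datetime(2016, 12, 15)))
    print(device.handle_request("userB", datetime(2016, 12, 15)))
    print(device.withdraw_expired(datetime(2017, 1, 5)))
    print([entry["log"] for entry in device.audit_log])
```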
Fig. 6 shows a structural diagram of an authorized user device for accessing data, provided according to another aspect of the present application and applied at the management device side of the data usage system of a database. The method includes: a request sending device 21, step S22 and step S23, wherein:
The request sending device 21 is configured to send a data access request to the management device, so that the management device determines, based on the data access request, whether the user is an authorized user in the authorized user list and, if so, determines whether the access time of the data access request falls within the corresponding access period, wherein the authorized user list includes the authorized user, the data information viewable within the authorized user's permission, and the corresponding access period;
The data receiving device 22 is configured to receive the data information viewable within the corresponding authorized user's permission, returned by the management device based on the data access request;
The operation sending device 23 is configured to operate on the data information within the access period to obtain an operation log, and to send the operation log to the audit device. In this way, when the authorized user device needs to access data in the database, it obtains the data information viewable within the current authorized user's permission sent by the management device and, within the access period, operates on the data information to obtain an operation log. The data information is thus delivered accurately to the corresponding authorized user, which ensures the security of the accessed data information, and the operation log is sent to the audit device so that the audit device can audit and judge the operation log.
Further, the request sending device 21 is also configured to: receive the permission-not-opened message returned by the management device based on the data access request. For example, when user A needs to access certain data information in the database, user A sends a data access request to the management device, so that the management device determines, based on the data access request, whether user A is an authorized user in the authorized user list. If user A is not an authorized user in the authorized user list, user A does not have permission to access the data in the database, that is, the administrator has not opened to user A the permission to access the data information in the database. The management device then returns a permission-not-opened message to user A based on the data access request, and user A receives that message. This ensures that data cannot be accessed by users without access permission and ensures the security of the corresponding data in the database.
Further, the data receiving device 22 is also configured to:
Receive the host environment parameter information and the database environment parameter information sent by the management device.
It should be noted that the host environment parameter information used to configure the host that the authorized user uses may include, but is not limited to, at least any one of the following: host name, host IP address (Internet Protocol Address), operating system type, operating system account and operating system password. Of course, any other host environment parameter information for configuring the host that the authorized user uses, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
It should be noted that the database environment parameter information used to configure the source database corresponding to the data information and the database corresponding to the authorized user may include at least any one of the following: database name, database type, database instance name (SID), database account and database password. Of course, any other database environment parameter information for configuring the source database corresponding to the data information and the database corresponding to the authorized user, existing now or appearing in the future, that is applicable to the present application also falls within the scope of protection of the present application and is incorporated herein by reference.
In an embodiment of the present application, in the data usage system of the database, when user A needs to access data in the database, user A sends a data access request to the management device. If the management device determines that user A has permission to access the data and that the access time of the request is also within the corresponding access period, the management device sends the data information D1 viewable within the corresponding authorized user's permission to user A. While receiving, through the data receiving device 22, the data information viewable within the corresponding authorized user's permission returned by the management device based on the data access request, user A also receives the host environment parameter information and the database environment parameter information sent by the management device, so that user A can operate on the data information viewable within the authorized user's permission based on the host environment parameter information and the database environment parameter information. User A, who has data access permission for the database, thus accurately obtains the authorized user's host environment parameter information and database environment parameter information held by the management device, which ensures the security of the data information viewable within the authorized user's permission.
Further, the operation sending device 23 is configured to:
Configure the local host based on the host environment parameter information;
Within the access period, create in the local host, based on the database environment parameter information, the database instance corresponding to the data information;
Operate on the database instance to obtain an operation log, and send the operation log to the audit device.
It should be noted that a database instance created in the local host of the authorized user device is one branch in the local host. In embodiments of the present application, at least one branch can be created in the same local host to indicate different purposes of use of the user, wherein each branch is an independent database instance and corresponds to the database state at a particular point in time. The branches do not interfere with one another: when the database instance corresponding to one branch on the local host is in the started state, the other branches should be in the stopped state. If one branch is in the started state and another branch is to be used, the currently started branch is stopped first and then the other branch that needs to be used is started, so that the database instances corresponding to the branches do not interfere with one another.
In one embodiment of the application, within the access time limit, while the operation dispensing device 23 receives the data information viewable within the authorized user's permissions that the management device returns based on the data access request, it also obtains the host environment parameter information and the database environment parameter information sent by the management device. First, the local host where user A is located is configured based on the host environment parameter information. Then, within the access time limit, the database instance corresponding to the data information viewable within the permissions of user A, who has access rights, is created in the local host based on the database environment parameter information. Next, the database instance is operated on to obtain an operation log, and the operation log is sent to the audit device, so that the audit device can subsequently judge, based on the operation log, whether user A who accessed the data information is an authorized user, whether the data information was accessed within the access time limit, whether user A performed a large number of queries on the data information, whether the operations were ones that are not allowed, and so on.
Further, the operation dispensing device 23 is used for:
operating on the database state corresponding to the database instance to obtain a state operation log, and sending the state operation log to the audit device.
It should be noted that the state operation log may include, but is not limited to, the operator, the operation time, the operated database, the operated database time and the state operation result. The state operation result may include, but is not limited to, any one of the following: start operation, stop operation, forward operation, back operation, reset operation, access operation. The start operation indicates starting the database instance corresponding to a branch for user A to use; the stop operation indicates stopping the database instance corresponding to a branch, ending user A's use; the forward operation indicates placing the database instance corresponding to a branch in the state of the time point previous to the current access time point; the back operation indicates placing the database instance corresponding to a branch in the state of the time point following the current access time point; the reset operation indicates resetting the database instance corresponding to a branch to its state when the branch was first started; the access operation indicates automatically invoking the database instance of the local host and, according to the configured database environment parameter information, connecting to the database instance of the local host of user A, who has access rights, to view the data information viewable within the permissions.
In one embodiment of the application, after the operation dispensing device 23 creates, in a branch, the database instance corresponding to the data information viewable within the authorized user's permissions, user A operates on the database state corresponding to the database instance, records the state operation log obtained from operating on the database state, and sends the recorded state operation log to the audit device, so that the audit device can determine the database state that the database instance is currently in.
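The branch handling and state operation log described above can be modelled as follows. This is an added example, not code from the patent: the class and field names, the time point labels and the rule that every operation except start needs a running branch are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Branch:
    name: str
    time_points: list                   # constructed state labels, oldest first
    cursor: int                         # index of the current access time point
    first_cursor: Optional[int] = None  # state at the first start, used by reset
    running: bool = False

class LocalHost:
    """Authorized user's local host; at most one branch is started at a time."""

    def __init__(self, operator, access_deadline):
        self.operator = operator
        self.access_deadline = access_deadline  # end of the access time limit
        self.branches = {}
        self.state_log = []                     # entries destined for the audit device

    def add_branch(self, name, time_points, cursor):
        self.branches[name] = Branch(name, list(time_points), cursor)

    def _log(self, branch, result, now):
        # Fields follow the state operation log listed in the text.
        self.state_log.append({
            "operator": self.operator,
            "operation_time": now,
            "database": branch.name,
            "database_time": branch.time_points[branch.cursor],
            "result": result,
        })

    def operate(self, name, op, now):
        if now > self.access_deadline:
            raise PermissionError("access time limit has expired")
        branch = self.branches[name]
        if op == "start":
            # Stop whichever other branch is started before starting this one.
            for other in self.branches.values():
                if other.running and other is not branch:
                    other.running = False
                    self._log(other, "stop", now)
            branch.running = True
            if branch.first_cursor is None:
                branch.first_cursor = branch.cursor
        elif not branch.running:
            raise RuntimeError(f"branch {name} is stopped")  # assumption, see lead-in
        elif op == "stop":
            branch.running = False
        elif op == "forward":
            # As the text defines it: move to the previous time point.
            branch.cursor = max(branch.cursor - 1, 0)
        elif op == "back":
            # As the text defines it: move to the following time point.
            branch.cursor = min(branch.cursor + 1, len(branch.time_points) - 1)
        elif op == "reset":
            branch.cursor = branch.first_cursor
        elif op != "access":
            raise ValueError(op)
        self._log(branch, op, now)
        return branch.time_points[branch.cursor]

def demo():
    """Constructed session: two branches on one host, switched and reset."""
    now = datetime(2016, 12, 27, 9, 0)
    host = LocalHost("userA", access_deadline=datetime(2016, 12, 31))
    host.add_branch("test", ["t0", "t1", "t2"], cursor=1)
    host.add_branch("report", ["t0", "t1"], cursor=0)
    host.operate("test", "start", now)
    host.operate("test", "forward", now)
    host.operate("report", "start", now)   # stops "test" first
    host.operate("test", "start", now)     # stops "report" first
    host.operate("test", "reset", now)
    return [(e["database"], e["result"], e["database_time"]) for e in host.state_log]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the stop that precedes a branch switch is logged as its own entry, the audit device can reconstruct which branch was started at any moment from the log alone.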
Further, the operation dispensing device 23 is used for:
operating on the data information corresponding to the database instance to obtain a data operation log, and sending the data operation log to the audit device.
It should be noted that the data operation log may include the data operation type, the operation time, the operator and the data operation result. Of course, other data operation logs that exist now or may appear in the future, if applicable to the application, should also be included within the scope of protection of the application and are incorporated herein by reference.
In one embodiment of the application, after the operation dispensing device 23 creates, in a branch, the database instance corresponding to the data information viewable within the authorized user's permissions, user A operates on the database state corresponding to the database instance. User A then operates on the data information corresponding to the database instance, records the data operation log obtained from performing data operations on the data information, and sends the data operation log to the audit device, so that the audit device can audit whether user A's access to the data information is allowed and whether sensitive information was accessed, and can handle the data operation accordingly.
In summary, in the application the management device end obtains the list of authorized users set by an administrator, where the list of authorized users includes an authorized user, the data information viewable within the authorized user's permissions, and the corresponding access time limit. The authorized user who has permission to access data in the database, the data information viewable within the authorized user's permissions, and the corresponding access time limit are thereby bound together in the list of authorized users, which achieves effective permission management of the data information in the database. When a user needs to access data information in the database, the user sends a data access request to the management device, and the management device receives the data access request sent by the user. The management device then judges, based on the data access request, whether the user is an authorized user in the list of authorized users; if so, it judges whether the access time of the data access request is within the corresponding access time limit; if so, it sends the data information viewable within the corresponding authorized user's permissions to the user. This achieves effective management of access rights to the data information in the database, so that only an authorized user with access rights can access the data information viewable within that authorized user's permissions in the database. It not only distributes data in a targeted way to authorized users with access rights, but also improves the efficiency of unified management of data access rights while ensuring the security of the data.
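The decision made at the management device end and the review performed by the audit device can be sketched together as below. This is an added example, not code from the patent: all names, the operation types `select` and `delete`, the query threshold, the start of the access window and the choice to answer an expired request with the same permission-not-granted response are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Grant:
    """One entry of the list of authorized users."""
    user: str
    data: tuple            # data information viewable within the user's permissions
    not_before: datetime   # access time limit, start (assumed)
    not_after: datetime    # access time limit, end

    def covers(self, when):
        return self.not_before <= when <= self.not_after

class ManagementDevice:
    def __init__(self):
        self.grants = {}       # list of authorized users, keyed by user
        self.update_log = []   # update operation logs for the audit device

    def update(self, action, admin, now, user, grant=None):
        # create / modify / delete mirror the three update logs named in the claims.
        if action in ("create", "modify"):
            if grant is None or grant.user != user:
                raise ValueError("grant must describe the same user")
            self.grants[user] = grant
        elif action == "delete":
            del self.grants[user]
        else:
            raise ValueError(action)
        self.update_log.append(
            {"action": action, "admin": admin, "user": user, "time": now})

    def handle_request(self, user, now):
        grant = self.grants.get(user)
        # Unlisted user, or listed user outside the access time limit (assumed
        # to get the same answer): nothing about the data is disclosed.
        if grant is None or not grant.covers(now):
            return {"status": "permission_not_granted"}
        return {"status": "granted", "data": grant.data,
                "not_after": grant.not_after}

def audit(data_log, grants, allowed_types=("select",), max_queries=3):
    """Review data operation logs against the list of authorized users."""
    findings, queries = [], {}
    for entry in data_log:
        user = entry["operator"]
        grant = grants.get(user)
        if grant is None:
            findings.append((user, "not an authorized user"))
            continue
        if not grant.covers(entry["time"]):
            findings.append((user, "outside access time limit"))
        if entry["type"] not in allowed_types:
            findings.append((user, "operation not allowed"))
        else:
            queries[user] = queries.get(user, 0) + 1
    findings += [(u, "large number of queries")
                 for u, n in sorted(queries.items()) if n > max_queries]
    return findings

def demo():
    """Constructed requests and data operation log entries."""
    t = lambda day, hour: datetime(2016, 12, day, hour)
    mgmt = ManagementDevice()
    mgmt.update("create", "admin", t(26, 9), "userA",
                Grant("userA", ("D1",), t(27, 0), t(28, 0)))
    decisions = [mgmt.handle_request("userA", t(27, 10))["status"],
                 mgmt.handle_request("userA", t(29, 10))["status"],
                 mgmt.handle_request("userB", t(27, 10))["status"]]
    log = [{"operator": "userA", "type": "select", "time": t(27, h),
            "result": "ok"} for h in (10, 11, 12, 13)]
    log.append({"operator": "userA", "type": "delete", "time": t(27, 14), "result": "ok"})
    log.append({"operator": "userA", "type": "select", "time": t(28, 6), "result": "ok"})
    log.append({"operator": "userB", "type": "select", "time": t(27, 10), "result": "ok"})
    return decisions, audit(log, mgmt.grants)

if __name__ == "__main__":
    print(demo())
```

The audit step repeats the user and time checks on the logs because the database instance runs on the user's own host, where the management device no longer mediates each operation.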
Obviously, those skilled in the art can make various changes and modifications to the application without departing from its spirit and scope. Thus, if these modifications and variations of the application fall within the scope of the claims of the application and their technical equivalents, the application is also intended to include them.
It should be noted that the application can be implemented in software and/or a combination of software and hardware, for example, using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the application can be executed by a processor to implement the steps or functions described above. Likewise, the software program of the application (including related data structures) can be stored in a computer-readable recording medium, for example, RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the application can be implemented in hardware, for example, as a circuit that cooperates with a processor to perform each step or function.
In addition, part of the application can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the application through the operation of that computer. The program instructions that invoke the method of the application may be stored in a fixed or removable recording medium, and/or transmitted through a data stream in broadcast or other signal-bearing media, and/or stored in the working memory of a computer device that runs according to the program instructions. Here, one embodiment of the application includes a device that comprises a memory for storing computer program instructions and a processor for executing the program instructions, where, when the computer program instructions are executed by the processor, the device is triggered to run the methods and/or technical solutions based on the foregoing embodiments of the application.
It is obvious to those skilled in the art that the application is not limited to the details of the above exemplary embodiments, and that the application can be implemented in other specific forms without departing from its spirit or essential characteristics. Therefore, from whichever point of view, the embodiments should be regarded as exemplary and non-restrictive. The scope of the application is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and scope of equivalents of the claims are therefore intended to be included in the application. Any reference sign in the claims should not be regarded as limiting the claim involved. In addition, it is clear that the word "including" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a device claim can also be implemented by one unit or device through software or hardware. Words such as first and second are used to denote names and do not denote any particular order.

Claims (24)

1. A method for accessing data at a management device end, wherein the method comprises:
obtaining a list of authorized users set by an administrator, wherein the list of authorized users includes an authorized user, the data information viewable within the authorized user's permissions, and the corresponding access time limit;
receiving a data access request sent by a user;
judging, based on the data access request, whether the user is an authorized user in the list of authorized users,
if so, judging whether the access time of the data access request is within the corresponding access time limit, and if so, sending the data information viewable within the corresponding authorized user's permissions to the user.
2. The method according to claim 1, wherein, after judging, based on the data access request, whether the user is an authorized user in the list of authorized users, the method further comprises:
if not, returning permission-not-granted information to the user based on the data access request.
3. The method according to claim 1, wherein, after obtaining the list of authorized users set by the administrator, the method further comprises:
obtaining the host environment parameter information of the authorized user preset by the administrator and the database environment parameter information corresponding to the data information viewable within the authorized user's permissions.
4. The method according to claim 3, wherein, while sending the data information viewable within the corresponding authorized user's permissions to the user, the method further comprises:
sending the host environment parameter information and the database environment parameter information to the user.
5. The method according to any one of claims 1 to 4, wherein the method further comprises:
performing an update operation on the list of authorized users, and sending the update operation log corresponding to the update operation to the audit device.
6. The method according to claim 5, wherein the update operation log includes at least any one of the following:
a creation log of data access permission, a modification log of data access permission and a deletion log of data access permission.
7. A method for accessing data at an authorized user device end, wherein the method comprises:
sending a data access request to a management device, so that the management device judges, based on the data access request, whether the user is an authorized user in the list of authorized users and, if so, judges whether the access time of the data access request is within the corresponding access time limit, wherein the list of authorized users includes an authorized user, the data information viewable within the authorized user's permissions, and the corresponding access time limit;
receiving the data information viewable within the corresponding authorized user's permissions that the management device returns based on the data access request;
within the access time limit, operating on the data information to obtain an operation log, and sending the operation log to the audit device.
8. The method according to claim 7, wherein, after sending the data access request to the management device, the method further comprises:
receiving the permission-not-granted information that the management device returns based on the data access request.
9. The method according to claim 7, wherein, while receiving the data information viewable within the corresponding authorized user's permissions that the management device returns based on the data access request, the method further comprises:
receiving the host environment parameter information and the database environment parameter information sent by the management device.
10. The method according to any one of claims 7 to 9, wherein operating on the data information within the access time limit to obtain an operation log, and sending the operation log to the audit device, comprises:
configuring the local host based on the host environment parameter information;
within the access time limit, creating, in the local host, the database instance corresponding to the data information based on the database environment parameter information;
operating on the database instance to obtain an operation log, and sending the operation log to the audit device.
11. The method according to claim 10, wherein operating on the database instance to obtain an operation log, and sending the operation log to the audit device, comprises:
operating on the database state corresponding to the database instance to obtain a state operation log, and sending the state operation log to the audit device.
12. The method according to claim 11, wherein operating on the database instance to obtain an operation log, and sending the operation log to the audit device, comprises:
operating on the data information corresponding to the database instance to obtain a data operation log, and sending the data operation log to the audit device.
13. A management device for accessing data, wherein the management device comprises:
an acquisition device, for obtaining a list of authorized users set by an administrator, wherein the list of authorized users includes an authorized user, the data information viewable within the authorized user's permissions, and the corresponding access time limit;
a request reception device, for receiving a data access request sent by a user;
an authorization dispensing device, for judging, based on the data access request, whether the user is an authorized user in the list of authorized users,
if so, judging whether the access time of the data access request is within the corresponding access time limit, and if so, sending the data information viewable within the corresponding authorized user's permissions to the user.
14. The management device according to claim 13, wherein the authorization dispensing device is further used for:
if not, returning permission-not-granted information to the user based on the data access request.
15. The management device according to claim 13, wherein the acquisition device is further used for:
obtaining the host environment parameter information of the authorized user preset by the administrator and the database environment parameter information corresponding to the data information viewable within the authorized user's permissions.
16. The management device according to claim 15, wherein the authorization dispensing device is further used for:
sending the host environment parameter information and the database environment parameter information to the user.
17. The management device according to any one of claims 13 to 16, wherein the management device further comprises:
an update dispensing device, for performing an update operation on the list of authorized users and sending the update operation log corresponding to the update operation to the audit device.
18. The management device according to claim 17, wherein the update operation log includes at least any one of the following:
a creation log of data access permission, a modification log of data access permission and a deletion log of data access permission.
19. An authorized user device for accessing data, wherein the authorized user device comprises:
a send-request unit, for sending a data access request to a management device, so that the management device judges, based on the data access request, whether the user is an authorized user in the list of authorized users and, if so, judges whether the access time of the data access request is within the corresponding access time limit, wherein the list of authorized users includes an authorized user, the data information viewable within the authorized user's permissions, and the corresponding access time limit;
a data sink, for receiving the data information viewable within the corresponding authorized user's permissions that the management device returns based on the data access request;
an operation dispensing device, for operating on the data information within the access time limit to obtain an operation log, and sending the operation log to the audit device.
20. The authorized user device according to claim 19, wherein the send-request unit is further used for:
receiving the permission-not-granted information that the management device returns based on the data access request.
21. The authorized user device according to claim 19, wherein the data sink is further used for:
receiving the host environment parameter information and the database environment parameter information sent by the management device.
22. The authorized user device according to any one of claims 19 to 21, wherein the operation dispensing device is used for:
configuring the local host based on the host environment parameter information;
within the access time limit, creating, in the local host, the database instance corresponding to the data information based on the database environment parameter information;
operating on the database instance to obtain an operation log, and sending the operation log to the audit device.
23. The authorized user device according to claim 22, wherein the operation dispensing device is used for:
operating on the database state corresponding to the database instance to obtain a state operation log, and sending the state operation log to the audit device.
24. The authorized user device according to claim 23, wherein the operation dispensing device is used for:
operating on the data information corresponding to the database instance to obtain a data operation log, and sending the data operation log to the audit device.
CN201611227355.XA 2016-12-27 2016-12-27 Method and equipment for accessing data Pending CN106649772A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611227355.XA CN106649772A (en) 2016-12-27 2016-12-27 Method and equipment for accessing data

Publications (1)

Publication Number Publication Date
CN106649772A true CN106649772A (en) 2017-05-10

Family

ID=58831481

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611227355.XA Pending CN106649772A (en) 2016-12-27 2016-12-27 Method and equipment for accessing data

Country Status (1)

Country Link
CN (1) CN106649772A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103488791A (en) * 2013-09-30 2014-01-01 华为技术有限公司 Data access method and system and data warehouse
CN105512569A (en) * 2015-12-17 2016-04-20 浪潮电子信息产业股份有限公司 Database security reinforcing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170510