CN107403106B - Database fine-grained access control method based on terminal user - Google Patents


Info

Publication number
CN107403106B
Authority
CN
China
Prior art keywords
database access
database
access control
data
access request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710585913.8A
Other languages
Chinese (zh)
Other versions
CN107403106A (en)
Inventor
沈德峰
石波
吴朝雄
胡佳
谢小明
郭江
沈艳林
孙琦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to an end-user-based method for fine-grained database access control and belongs to the technical field of database security protection. The invention blocks unauthorized users by identifying legitimate end users, and it applies fine-grained control to end users' access requests by loading fine-grained access control rules into the database access request statements those users initiate. The access control implemented by the method authenticates the end user's identity and enforces row- and column-level fine-grained database access control on end users without encrypting or decrypting data, thereby effectively strengthening database protection and maintaining the security of the information system.

Description

Database fine-grained access control method based on terminal user
Technical Field
The invention relates to the technical field of database security protection, in particular to a database fine-grained access control method based on a terminal user.
Background
With the development of information technology, databases are used ever more widely across industries. Because they hold important data, databases are increasingly an important target for attackers. To improve a database's security protection, its resistance to risk can be strengthened by adding, on top of the existing database security mechanisms, fine-grained data access control based on the different data access permissions held by different end users.
End-user-based fine-grained database access control identifies the end user who initiates a database access request and loads row- and column-level data access control rules according to that end user's data access permissions. With this technique, the range of core data an end user can access is controlled precisely, providing an effective means of protecting core data.
At present, database security protection research mainly follows three approaches. First, encryption and decryption are applied directly to the database: the whole database, tables in it, or data in the tables can be encrypted to ensure data security. Second, access control middleware is placed between the user and the database, implementing database access control through data encryption and decryption, table-level permission control and the like. Third, a database firewall is placed in line between the application server and the database, on a principle similar to a network firewall, implementing access control such as blocking database user access and limiting the data returned. However, current research has the following shortcomings: database encryption and decryption usually consume computing resources, and encrypted data columns cannot be indexed normally, which affects database retrieval results; access control of row- and column-level data is not achieved; and database access control for end users cannot be achieved.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is: how to design an end-user-based fine-grained database access control method that effectively strengthens database protection and maintains information system security.
(II) Technical solution
To solve this technical problem, the invention provides an end-user-based fine-grained database access control method comprising the following steps:
Step 1: Configure legitimate end users and create database access control rules.
The database access control rules implement permission control over row- and column-level data. According to the data protection mode, they comprise column control rules, row control rules and field data control rules, and each type of rule has four parts: table name, operation permission, protected data and protection requirement.
Step 2: Create roles and complete role-based authorization of the database access control rules.
Create different roles, associate end users with roles, and associate roles with database access control rules, completing role-based authorization of the database access control rules.
Step 3: Intercept the database access request and obtain the end user's identity information.
When the application system responds to an end user's operation and initiates a database access request, intercept the database access request sent by the application system and obtain the end user's identity information.
Step 4: Load the obtained end-user identity information into the intercepted database access request statement.
Step 5: Parse the database access request statement to extract the end-user identity information and analyze the statement, so that the end-user-based database access control rules can be loaded.
Step 6: Authenticate the extracted end-user identity information and decide from the result whether to allow access to continue. If authentication passes, release the database access request and continue with step 7; otherwise, block further access and return the result.
Step 7: Using the access control rule authorization completed in step 2, query the role from the end-user identity information, and look up the database access control rules assigned to the queried role.
Step 8: Rewrite the database access request statement successfully parsed in step 5 according to the database access control rules found in step 7, loading the rules to generate a new database access request statement.
Step 9: Execute the new database access request statement and return the execution result.
Preferably, the database access control rules include the contents of Table 1:
[Table 1 (image not reproduced)]
Wherein "TABLE1" represents the data table to be protected;
"SELECT" indicates that only the query operation is permitted on the protected data;
"attr1, attr2" are the names of the column attributes of TABLE1 that require column protection, separated by ",";
"return *" means that when an unauthorized end user accesses protected data, the data is returned in the form specified by the protection requirement, here with "*" replacing the protected data;
"key_a, key_b" are the row data keys of the rows of TABLE1 that require whole-row protection, separated by ",";
"attr3:key_c, attr4:key_d" is the configuration for the field data of TABLE1 that requires field data protection, where attr3 is a column attribute name in TABLE1 and key_c is the row data key of the field data to be protected; together, attr3:key_c identifies the field data to be protected, and attr4:key_d identifies another field to be protected; different field data are likewise separated by ",";
For a possible rule conflict, namely column attr1 of TABLE1 being configured with only SELECT permission while row key_a of TABLE1 is configured with only DELETE permission, the field data attr1:key_a is subject to both the SELECT-only and the DELETE-only permission and a conflict arises; it is resolved by setting rule priorities, i.e., specifying that column protection takes priority over row protection.
Preferably, in step 3, the real end-user information of the application system user corresponding to the end user is obtained by modifying the application system's login page.
Preferably, in step 4, the end-user identity information is injected into the database access request statement in the form of a comment.
Preferably, in step 5, parsing the database access request statement includes lexical, syntactic and semantic analysis.
Preferably, in step 6, the end-user identity information extracted in step 5 is compared against the legitimate end users configured in step 1 to verify whether it is legitimate.
Preferably, in step 9, the new database access request statement loaded with the database access control rules is sent to the database and executed, and the execution result is returned.
(III) Advantageous effects
The invention blocks unauthorized users by identifying legitimate end users, and it applies fine-grained control to end users' access requests by loading fine-grained access control rules into the database access request statements those users initiate. The access control implemented by the method authenticates the end user's identity and enforces row- and column-level fine-grained database access control on end users without encrypting or decrypting data, thereby effectively strengthening database protection and maintaining the security of the information system.
Drawings
Fig. 1 is a schematic diagram of an application scenario of the invention.
Fig. 2 is a flow chart of the method of the invention.
Fig. 3 is a schematic diagram of the role-based access control rule authorization process of the invention.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
The invention provides an end-user-based fine-grained database access control method that blocks unauthorized users by presetting end-user identity information and implements fine-grained control of access requests by combining this with access control rules for row- and column-level data. Unauthorized requests are identified by combining end-user identity verification with row- and column-level data access permission verification, which strengthens database protection and maintains information system security.
The application scenario of the invention is shown in Fig. 1. The overall process is as follows: an end user sends an access request to an application system deployed on an application server; after receiving it, the application system initiates an access request to a database deployed on a database server; the database executes the access request and returns the result to the application system, which processes the data and displays the result to the end user.
The invention strengthens database security protection by identifying the end user within the application system and controlling data access requests with end-user-based fine-grained access control rules. The flow is shown in Fig. 2, and the specific steps are as follows:
Step 1: Configure legitimate end users and create access control rules (database access control rules).
An end user can be identified by a terminal host address, an application system user, a KEY value bound to the terminal host, a biometric identifier of the terminal host's user, and so on. Here, legitimate end users are denoted RUsern, where n denotes the nth end user.
A database access control rule is a permission rule governing insert, delete, update, query and similar operations on row- and column-level data. It is created from the database table structure according to the core data that actually needs protection, and it implements permission control over row- and column-level data. According to the data protection mode, rules are divided into column control rules, row control rules and field data control rules. Each rule has four parts: table name, operation permission, protected data and protection requirement.
The database access control rules are shown in Table 1:
Table 1: Database access control rules
[table image not reproduced]
Wherein "TABLE1" represents the data table to be protected;
"SELECT" indicates that only the query operation is permitted on the protected data;
"attr1, attr2" are the names of the column attributes of TABLE1 that require column protection, separated by ",";
"return *" means that when an unauthorized user accesses protected data, the data is returned in the form specified by the protection requirement, here with "*" replacing the protected data. Protection requirements can vary, for example returning null or a partial data set;
"key_a, key_b" are the row data keys of the rows of TABLE1 that require whole-row protection, separated by ",";
"attr3:key_c, attr4:key_d" is the configuration for the field data of TABLE1 that requires field data protection. Here attr3 is a column attribute name in TABLE1 and key_c is the row data key of the field data to be protected; together, attr3:key_c identifies the field data to be protected. Similarly, attr4:key_d identifies another field to be protected. Different field data are likewise separated by ",".
Rule conflicts may occur. If column attr1 of TABLE1 is configured with only SELECT permission while row key_a of TABLE1 is configured with only DELETE permission, the field data attr1:key_a is subject to both the SELECT-only and the DELETE-only permission, which is a contradiction. This can be resolved by setting rule priorities, for example by specifying that column protection takes priority over row protection.
Step 2: and creating roles and completing role-based access control rule authorization.
For the convenience of subsequent authorization, different roles can be created, and the terminal user is associated with the roles, and the roles are associated with the database access control rules, so that the association authorization of the user-roles-access control rules is completed. As shown in fig. 3.
Among them, RUser1, RUser2, RUser3, RUser4 represent real end users; users 1, 2, 3 and 4 represent configured end users, and the user information corresponds to real end user information one by one; the role1 and the role2 respectively represent different roles and are mainly used for permission division; rule1, rule2 and rule3 respectively represent different database access control rules, wherein rule3 is the column control rule shown in table1.
The role-based access control rule authorization procedure is to authorize the configured access control rules rule1, rule2, and rule3 to the created roles role1 and role2, and then assign roles to the configured users user1, user2, user3, and user 4.
And step 3: and intercepting a database access request to obtain the identity information of the terminal user.
When the application system responds to the operation of the terminal user and initiates a database access request, the SQL access request sent by the application system is intercepted, and the identity information of the terminal user is obtained. The information of the user RUser4 of the application system corresponding to the terminal user can be obtained by modifying the login page of the application system and the like.
And 4, step 4: loading the obtained terminal user identity information into an intercepted SQL access request statement;
and (3) adding the information of the terminal user RUser4 intercepted in the step (3) into an SQL access request statement initiated by the user so as to carry out identity authentication and access control rule loading according to the terminal user in the following. End user RUser4 information additions may be injected in the form of comments into the SQL access request statement, such as select/. multidot. RUser 4/. multidot. attr1 from TABLE1.
And 5: analyzing the SQL access request statement to extract the RUser4 information of the terminal user and analyze the SQL access request statement so as to load rules based on the terminal user in the following;
and analyzing the SQL access request statement, and completing the extraction of the RUser4 information of the terminal user and the lexical, syntactic and semantic analysis of the SQL access request statement. For example, for the SQL access request statement select/. about. RUser 4/. about. attr1 from TABLE1, after parsing is complete, end user RUser4 and column attribute field attr1 are obtained.
Step 6: and carrying out legal identity authentication on the extracted terminal user, and determining whether to allow continuous access according to an identity authentication result. If the identity authentication is passed, the access request is released, and the step 7 is continuously executed, otherwise, the continuous access is prevented, and the result is returned. The identity of the database access requester can be verified, so that illegal users can be effectively prevented from accessing the database.
And (4) comparing and analyzing with the terminal legal user configured in the step (1) to verify whether the terminal user extracted from the step (5) is legal or not. If the terminal user RUser4 fails, the SQL access request statement initiated by the user is prevented from continuing to execute the next operation, otherwise, the operation is released.
And 7: role query is carried out according to the identity information of the terminal user by utilizing the authorization result of the access control rule finished in the step 2, and the access control rule assigned to the role is searched based on the queried role;
for user4, the corresponding role is role2 and the access control rule3 is granted to role 2. Thus, the database access control rule configuring end user4 corresponding to real end user RUser4 is rule 3.
Step 8: Rewrite the SQL statement successfully parsed in step 5 according to the access control rules found in step 7, loading the rules to generate a new SQL access request statement.
From step 7, end user RUser4 is assigned rule3. The SQL access request statement can therefore be rewritten as: select substr(table1.attr1,1,length(table1.attr1)-4)||'****' as table1.attr1 from table1. If attr1 is an 11-digit mobile phone number and one of the values is 13345678901, the returned result is 1334567****.
Step 9: Execute the new SQL access request statement and return the execution result.
The SQL access request statement loaded with the database access control rules is sent to the database and executed, and the result is returned, completing row- and column-level fine-grained database access control for the end user.
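Steps 3 to 9 above, as an added example in Python with an in-memory SQLite database (not code from the patent). The user, role and rule tables, the sample row, the regex parser limited to single-table SELECT statements, and the choice to deny users without a role are assumptions of this example; the interceptor strips any comment already in the statement so that only the identity it injects is trusted.

```python
import re
import sqlite3

# Step 1 (constructed values): legitimate end users and one column control rule
# with the four parts: table name, operation permission, protected data, requirement.
LEGAL_USERS = {"RUser1", "RUser4"}
RULES = {"rule3": {"table": "table1", "operation": "SELECT",
                   "columns": {"attr1"}, "mask_tail": 4}}
# Step 2 (constructed values): user -> role -> rules. role1 holding no rules is an assumption.
USER_ROLE = {"RUser1": "role1", "RUser4": "role2"}
ROLE_RULES = {"role1": [], "role2": ["rule3"]}

COMMENT = re.compile(r"/\*.*?\*/", re.S)
IDENT = re.compile(r"\w+")
# Narrow grammar handled here: select /*user*/ col[, col...] from table
STATEMENT = re.compile(
    r"\s*select\s*/\*\s*(\w+)\s*\*/\s*(.+?)\s+from\s+(\w+)\s*;?\s*", re.I | re.S)


class AccessDenied(Exception):
    pass


def inject_identity(app_sql, end_user):
    """Steps 3-4: drop comments the application sent, then add the identity comment."""
    if not IDENT.fullmatch(end_user):
        raise AccessDenied("malformed end-user identifier")
    parts = COMMENT.sub(" ", app_sql).split(None, 1)
    if len(parts) != 2:
        raise AccessDenied("empty statement")
    return f"{parts[0]} /*{end_user}*/ {parts[1].strip()}"


def rewrite(labelled_sql):
    """Steps 5-8: parse, authenticate, look up role and rules, rewrite the statement."""
    m = STATEMENT.fullmatch(labelled_sql)                      # step 5
    if not m:
        raise AccessDenied("statement is unlabelled or outside the supported grammar")
    user, col_list, table = m.groups()
    cols = [c.strip() for c in col_list.split(",")]
    if not all(IDENT.fullmatch(c) for c in cols):
        raise AccessDenied("unsupported column expression")
    if user not in LEGAL_USERS:                                # step 6
        raise AccessDenied(f"{user} is not a configured end user")
    role = USER_ROLE.get(user)                                 # step 7
    if role not in ROLE_RULES:
        raise AccessDenied(f"{user} has no role")              # fail closed
    rules = [RULES[name] for name in ROLE_RULES[role]]
    out = []
    for col in cols:                                           # step 8
        rule = next((r for r in rules if r["table"] == table.lower()
                     and col.lower() in r["columns"]), None)
        if rule is None:
            out.append(col)
        else:
            n = rule["mask_tail"]
            stars = "*" * n
            out.append(f"substr({col}, 1, length({col}) - {n}) || '{stars}' AS {col}")
    return f"SELECT {', '.join(out)} FROM {table}"


def run_as(conn, app_sql, end_user):
    """Step 9: execute the rewritten statement and return its rows."""
    return conn.execute(rewrite(inject_identity(app_sql, end_user))).fetchall()


def demo_db():
    """Constructed sample data: one row with an 11-digit number in attr1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TABLE1 (attr1 TEXT, attr2 TEXT)")
    conn.execute("INSERT INTO TABLE1 VALUES ('13345678901', 'alice')")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(run_as(db, "select attr1 from TABLE1", "RUser4"))
    print(run_as(db, "select attr1 from TABLE1", "RUser1"))
```

Because the identity travels inside the statement text, the rewrite is only as trustworthy as the component that injects the comment; a statement that reaches the parser without passing through the interceptor is rejected rather than executed unmodified.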
On the basis of end users and access control rules, the invention provides row- and column-level fine-grained permission control for the database and allows different data access permissions to be set for different end users. The method effectively strengthens the protection of database data on top of existing database protection mechanisms, is generally applicable, and is significant for maintaining information systems, particularly for protecting core database data.
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as falling within the protection scope of the present invention.

Claims (6)

1. An end-user-based fine-grained database access control method, characterized by comprising the following steps:
Step 1: configuring legitimate end users and creating database access control rules;
the database access control rules implement permission control over row- and column-level data and, according to the data protection mode, comprise column control rules, row control rules and field data control rules, wherein each type of rule has four parts: table name, operation permission, protected data and protection requirement;
Step 2: creating roles and completing role-based authorization of the database access control rules;
creating different roles, associating end users with roles, and associating roles with database access control rules, thereby completing role-based authorization of the database access control rules;
Step 3: intercepting the database access request and obtaining the end user's identity information;
when the application system responds to an end user's operation and initiates a database access request, intercepting the database access request sent by the application system and obtaining the end user's identity information;
Step 4: loading the obtained end-user identity information into the intercepted database access request statement;
Step 5: parsing the database access request statement to extract the end-user identity information and analyze the statement, so that the end-user-based database access control rules can be loaded;
Step 6: authenticating the extracted end-user identity information and deciding from the result whether to allow access to continue; if authentication passes, releasing the database access request and continuing with step 7; otherwise, blocking further access and returning the result;
Step 7: using the access control rule authorization completed in step 2, querying the role from the end-user identity information, and looking up the database access control rules assigned to the queried role;
Step 8: rewriting the database access request statement successfully parsed in step 5 according to the database access control rules found in step 7, loading the rules to generate a new database access request statement;
Step 9: executing the new database access request statement and returning the execution result;
the database access control rules include the contents of Table 1:
[Table 1 (image not reproduced)]
Wherein "TABLE1" represents the data table to be protected;
"SELECT" indicates that only the query operation is permitted on the protected data;
"attr1, attr2" are the names of the column attributes of TABLE1 that require column protection, separated by ",";
"return *" means that when an unauthorized end user accesses protected data, the data is returned in the form specified by the protection requirement, here with "*" replacing the protected data;
"key_a, key_b" are the row data keys of the rows of TABLE1 that require whole-row protection, separated by ",";
"attr3:key_c, attr4:key_d" is the configuration for the field data of TABLE1 that requires field data protection, where attr3 is a column attribute name in TABLE1 and key_c is the row data key of the field data to be protected; together, attr3:key_c identifies the field data to be protected, and attr4:key_d identifies another field to be protected; different field data are likewise separated by ",";
for a possible rule conflict, namely column attr1 of TABLE1 being configured with only SELECT permission while row key_a of TABLE1 is configured with only DELETE permission, the field data attr1:key_a is subject to both the SELECT-only and the DELETE-only permission and a conflict arises; it is resolved by setting rule priorities, i.e., specifying that column protection takes priority over row protection.
2. The method of claim 1, wherein in step 3, the real end-user information of the application system user corresponding to the end user is obtained by modifying the application system's login page.
3. The method of claim 1, wherein in step 4, the end-user identity information is injected into the database access request statement in the form of a comment.
4. The method of claim 1, wherein in step 5, parsing the database access request statement includes lexical, syntactic and semantic analysis.
5. The method of claim 1, wherein in step 6, the end-user identity information extracted in step 5 is compared against the legitimate end users configured in step 1 to verify whether it is legitimate.
6. The method according to any one of claims 1 to 5, wherein in step 9, the new database access request statement loaded with the database access control rules is sent to the database and executed, and the execution result is returned.
Application CN201710585913.8A (priority date 2017-07-18, filing date 2017-07-18): Database fine-grained access control method based on terminal user. Status: Active. Publication: CN107403106B (en)

Publications (2)

Publication Number Publication Date
CN107403106A (en) 2017-11-28
CN107403106B (en) 2020-06-02

Family

ID=60400869

Country Status (1)

Country Link
CN (1) CN107403106B (en)

US7913300B1 (en) * 2005-04-08 2011-03-22 Netapp, Inc. Centralized role-based access control for storage servers
CN101478536A (en) * 2008-12-08 2009-07-08 山东浪潮齐鲁软件产业股份有限公司 Method for solving access control in authority management
CN104484617A (en) * 2014-12-05 2015-04-01 中国航空工业集团公司第六三一研究所 Database access control method on basis of multi-strategy integration

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
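"Design of a role-based database access control system"; 孙先友; China Excellent Doctoral and Master's Theses Full-text Database (Master's), Information Science and Technology series; 20060415; pp. 16-34, pp. 45-48, Figs. 3.1-4.6, Tables 4.2-4.14 *
"Design and implementation of a hierarchical row- and column-level permission system"; 冯志亮, 谭景信; Computer Engineering and Design; 20111016; Vol. 32 (No. 10); pp. 3275-3276 *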

Also Published As

Publication number Publication date
CN107403106A (en) 2017-11-28

Similar Documents

Publication Publication Date Title
CN107403106B (en) Database fine-grained access control method based on terminal user
CN107342992B (en) System authority management method and device and computer readable storage medium
US5283830A (en) Security mechanism for a computer system
US7702693B1 (en) Role-based access control enforced by filesystem of an operating system
US8307406B1 (en) Database application security
US8886672B2 (en) Providing access in a distributed filesystem
CN104735091B (en) A kind of user access control method and apparatus based on linux system
US10432642B2 (en) Secure data corridors for data feeds
CN113468576B (en) Role-based data security access method and device
US11783016B2 (en) Computing system and method for verification of access permissions
US9516031B2 (en) Assignment of security contexts to define access permissions for file system objects
CN112328982A (en) Data access control method, device, equipment and storage medium
CN111931140A (en) Authority management method, resource access control method and device and electronic equipment
CN114422197A (en) Permission access control method and system based on policy management
US10432641B2 (en) Secure data corridors
CN112613075A (en) Permission determination method and device, storage medium and electronic device
CN115550010B (en) Key environment access control method based on block chain
Delessy et al. Patterns for access control in distributed systems
CN115618378A (en) Column-level hive access control system and method
CN115422526A (en) Role authority management method, device and storage medium
Jensen et al. SDDM-a prototype of a distributed architecture for database security
KR930004434B1 (en) Data accessing method
WO2018125991A1 (en) Secure data corridors for data feeds
US11983580B2 (en) Real-time modification of application programming interface behavior
Carter et al. Code Injection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant