Disclosure of Invention
In view of this, embodiments of the present invention provide a data export system to solve the problem of low security in a data export process.
A first aspect of the present invention provides a data export system, comprising: the first processing subsystem is used for receiving a data export application and a first approval of the data export application, sending the data export application when the first approval result is an approval, and copying data to be exported to a first storage position;
and the second processing subsystem is used for receiving the data export application sent by the first processing subsystem and carrying out second approval on the data export application, copying the data to be exported in the first storage position to a second storage position to be exported when the result of the second approval is agreement, and exporting the data to be exported from the second storage position to an external server.
Optionally, the first processing subsystem comprises: the first approval terminal is used for approving the data export application to obtain a first approval result and sending the first approval result to a first server;
the first server is used for receiving the first approval result sent by the first approval terminal, sending the data export application to the second processing subsystem when the first approval result is an approval, and copying the data to be exported to the first storage position;
the second processing subsystem comprises: the second approval terminal is used for approving the data export application sent by the first processing subsystem to obtain a second approval result and sending the second approval result to a second server;
and the second server is used for receiving the second approval result sent by the second approval terminal, copying the data to be exported in the first storage position to a second storage position when the second approval result is approved, and exporting the data to be exported from the second storage position to an external server.
Optionally, the approving, by the second processing subsystem, the data export application sent by the first processing subsystem includes:
the second server judges the login authority of the second approval terminal;
and when the login authority of the second approval terminal meets a preset authority, the second approval terminal approves the data to be exported in the first storage position.
Optionally, the second approval terminal approves the data to be exported in the first storage location through the second server, including: the second approval terminal judges whether the data to be exported contain a target grammatical structure;
when the data to be exported contains a target syntax structure and is not stated in the data export application, the result of the second approval is disagreement.
Optionally, the first storage location is a file directory located in the first server, and the second storage location is a file directory located in the second server.
Optionally, the first approval terminal is further configured to obtain user login information, authenticate according to the login information, and allow the login user to perform read-write operation on the first storage location when the authentication is passed.
Optionally, the second approval terminal is further configured to obtain user login information, authenticate according to the login information, and allow the login user to perform read-write operation on the first storage location and the second storage location when the authentication is passed.
Optionally, the exporting, by the second processing subsystem, the data to be exported from the second storage location to an external server includes:
and the second processing subsystem exports the data to be exported to a third storage position of an external server, and the third storage position is in one-to-one correspondence with an applicant of the data export application.
Optionally, when the result of the first approval is disagreement, the first processing subsystem sends the result of the first approval to the applicant according to the contact way of the applicant who derives the application from the data;
and/or the presence of a gas in the gas,
and when the second approval is finished, the second processing subsystem derives the contact way of the applicant according to the data and sends the second approval result to the applicant.
Optionally, when the result of the second approval is disagreement, the second processing subsystem deletes the data to be exported in the first storage location.
The technical scheme provided by the invention has the following beneficial effects:
1. according to the data export system, the second processing subsystem is arranged on the basis of the first processing subsystem for carrying out the first approval on the data to be exported, the data to be processed after the approval of the first processing subsystem is subjected to the second approval, and the data to be processed after the second approval is exported to the external server. According to the data export system, a two-stage approval mechanism is arranged, and meanwhile, in different approval processes, the storage positions of data to be exported are different, so that the data export safety is improved. In addition, the system also has the functions of data backup and whole-course log recording, so that the whole data export process has traceability.
2. According to the data export system provided by the invention, whether the data to be exported contains the target grammatical structure is judged in the second approval terminal, and the data to be exported is classified according to the judgment result, so that the approval efficiency and the approval accuracy can be improved.
3. According to the data export system provided by the invention, only the application party of the data to be exported is available in the data export system, and the first approval party and the second approval party can participate in the data export system, so that the safety of the data export system is greatly improved.
4. According to the data export system, the login authority is set for the second server, namely, the login authority is only provided for the second approver, so that the safety of the data to be exported is further ensured.
5. According to the data export system provided by the invention, all log records are recorded in the first approval and second approval processes of the data to be exported, so that the problem tracking and query are facilitated.
6. According to the data export system provided by the invention, when the first approval and the second approval pass, the storage positions of the corresponding data to be exported are classified, the corresponding read-write permission is strictly limited, and the safety of the data to be exported can be improved.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
The present embodiment provides a data export system, as shown in fig. 1, for exporting data to be exported in a first processing subsystem 10 connected to an intranet to an external server 30. Specifically, the system includes a first processing subsystem 10, a second processing subsystem 20, and an external server 30. The first processing subsystem 10 and the second processing subsystem 20 are connected to an intranet, and the external server 30 is connected to an extranet. That is, when the applicant who initiates the data export application needs to export the data to be exported, the data can only be obtained from the external server 30, and cannot be directly obtained from the first processing subsystem 10 or the second processing subsystem 20.
The first processing subsystem 10 is configured to receive a data export application and a first approval for the data export application, send the data export application to the second processing subsystem 20 when a result of the first approval is an agreement, and copy data to be exported to a first storage location.
Wherein, the data export application may include: information of an applicant who initiates a data export application, an export destination of data to be exported, an export path of the data to be exported, and the like. Furthermore, the data to be exported, which are stored in the first memory location, may have attached to them information of the first processing subsystem, such as: information of the approver who performed the first approval, the time of the first approval, and the like.
And the second processing subsystem 20 is configured to receive the data export application sent by the first processing subsystem 10, perform second approval on the data export application, copy the data to be exported in the first storage location to the second storage location to be exported when a result of the second approval is an agreement, and export the data to be exported from the second storage location to an external server.
In this case, information of the second processing subsystem 20, for example information of the approving party performing the second approval, the time of the second approval, etc., can be added to the data to be exported in the second storage location.
Furthermore, the first processing subsystem 10 can export the data to be exported to the external server 30 only through the second processing subsystem 20, and the second processing subsystem 20 and the external server 30 are in a one-way communication mode, that is, the second processing subsystem 20 can only send the data to be exported to the external server 30, and the external server 30 cannot send the data to the second processing subsystem 20.
On the basis of carrying out first approval on the data to be exported by the first processing subsystem 10, the second processing subsystem 20 is arranged, so that the data to be processed after approval by the first processing subsystem 10 is subjected to second approval, and the data to be processed after the second approval is exported to an external server. Specifically, the data export system improves the safety of data export by setting a two-stage approval mechanism and different storage positions of data to be exported in different approval processes. In addition, the system also has the functions of data backup and whole-course log recording, so that the whole data export process has traceability.
Example 2
The present embodiment provides a data export system, including: a first processing subsystem 10, a second processing subsystem 20, and an external server 30.
As shown in fig. 2, the first processing subsystem 10 includes a first approval terminal 121, first approval terminals 122 and …, and a first approval terminal 12 m. The first approval terminal is used for approving the data export application to obtain a first approval result and sending the first approval result to the first server; namely, the first approval party approves the data export application through the first approval terminal, and after the first approval result is obtained, the first approval terminal sends the first approval result to the first server.
The first processing subsystem 10 includes a first server 111, first servers 112, …, and a first server 11n, i.e. the first server 111 to the first server 11n can be mutually accessed, for example, all the first servers may be collectively referred to as a first server pool, and the first servers in the first server pool can be mutually accessed. And all the first approval terminals are connected with the first server pool. The number of the first servers in the first server pool may be specifically set according to actual requirements, or only one first server may be set.
The first server is configured to receive a first approval result sent by the first approval terminal, send a data export application to the second processing subsystem 20 when the first approval result is an agreement, and copy data to be exported to the first storage location.
Specifically, as shown in fig. 3, the first server is divided into two types of file directories corresponding to different storage locations: the server comprises a personal file directory and a specific file directory, wherein the specific file directory is a first storage position in a first server.
The personal file directories correspond to the application parties of the data to be exported one by one, and the application party and the first approval party corresponding to each personal file directory have the read-write permission of the personal file directory. Specifically, when a user logs in the first approval terminal, the first approval terminal acquires login information of the logged-in user, performs authentication according to the login information of the user, namely determines login authority of the user, and judges whether the user is an applicant or a first approval party. When the login user is determined to be the first approving party, the first approving terminal allows the first approving party to perform read-write operation on the first storage position; namely, the first auditor has the read-write permission of the first storage position.
For example, the applicant a corresponds to the personal file directory 1, and then, for the personal file directory, only the applicant a and the first approver have the read-write permission of the personal file directory 1; corresponding to the application party a, the application party a only has the read-write permission of the personal file directory 1; corresponding to the first auditor, the first auditor has the read-write authority of all personal file directories corresponding to the authority of the first server.
The read-write permission of the specific file directory is limited to a first examining and approving party and a second examining and approving party, the applying party does not have the read-write permission of the specific file directory, and the permission level of the second examining and approving party is higher than that of the first examining and approving party. When the result of the first approval is an approval, the first server copies the data to be exported in the corresponding personal file directory into the specific file directory, and information of the first approving party (which may include the name of the first approving party, the approval result, and the like) may be attached to the data to be exported after or before the data to be exported is copied into the specific file directory. For example, the applicant a applies for the data to be exported, wherein the data to be exported is stored in the personal file directory 1, and the approval result of the first approving party is an approval, then the first server copies the data to be exported in the personal file directory 1 to a specific file directory for subsequent secondary approval.
The first processing subsystem 10 submits applications of data to be exported during use, for example, an applicant a and an applicant b, and stores the data to be exported in the personal file directory 1 and the personal file directory 2 respectively; after the application is submitted by the application party a and the application party b, the first server notifies the first approver to carry out the first approval according to the contact way of the first approver (for example, the contact way can be mail, telephone number, WeChat and the like). For example, the first server notifies the first approver to perform the first approval by an email according to an email address of the first approver stored therein, and the email is appended with application information of data to be exported of an applicant a or an application b, including: the name of the applicant, the storage location of the data to be exported, etc. After receiving the approval notification sent by the first server, the first approval party checks the data to be exported in the corresponding personal file directory in the first server through the first approval terminal, and approves the data to be exported to obtain a first approval result. For example, when a first approval party confirms that a result of the first approval corresponding to the applicant a is approved on a first approval terminal, the first server copies the data to be exported in the corresponding personal file directory 1 into a specific file directory, and notifies a second approval party of performing a second approval according to a contact manner (e.g., a mail, a telephone number, a WeChat, etc.) of the second approval party; and when the first approval party confirms that the first approval result corresponding to the applicant b is not agreed on the first approval terminal, the first server informs the applicant b of the first approval result according to the contact way of the applicant b.
As shown in fig. 4, the second processing subsystem 20 includes a second server 210, and a second approval terminal 221, second approval terminals 221, …, and a second approval terminal 22 k. The access right of the second server 210 is limited to the second approval terminal, and neither the applicant nor the first approval terminal can access the second server 210.
After receiving the approval notification sent by the first server, the second approval terminal logs in the second server 210. The second server 210 determines the login right of the second approval terminal, and the second approval terminal can log in the second server 210 only when the login right of the second approval terminal meets the second approval right. Specifically, the user logs in the second approval terminal, and the second approval terminal obtains the login information of the login user, authenticates the login information, and allows the login user to log in the second server 210 when the login user is determined to be the second approval party.
And the second approval party checks the data to be exported from the specific file directory of the corresponding first server through the second approval terminal according to the storage position of the data to be exported in the data export application, and approves the data to be exported to obtain a second approval result. When the second approving party confirms that the result of the second approval is an agreement on the second approval terminal, the second server 210 directly copies the data to be exported in the specific file directory to the second server 210. As shown in fig. 5, the second server includes the file directory to be exported, that is, when the result of the second approval is an agreement, the second server 210 copies the data to be exported in the specific file directory to the file directory to be exported, and the second server 210 sends the result of the second approval to the corresponding approver according to the contact manner (for example, the contact manner may be a mail, a telephone number, a WeChat, and the like) of the applicant in the data export application. The file directory to be exported is a second storage location in the second server 210, and the read-write permission of the file directory to be exported is limited to the second approval terminal. Before or after the second server 210 copies or packs and compresses the data to be exported, the information of the second approver (which may include the name of the second approver, the approval time, etc.) is attached to the data to be copied. When the result of the second approval is disagreement, the second server 210 deletes the data to be exported in the specific file directory in the first server, and the second server 210 sends the result of the second approval to the corresponding applicant according to the contact manner of the applicant who applies for exporting the data.
In addition, when the second approval terminal approves the data to be exported, the second approval terminal also judges whether the data to be exported contains a target grammatical structure; and when the second approval terminal confirms that the data to be exported contains the target grammar structure and is not declared in the data export application, the result of the second approval is disagreement. And if the data to be exported contains the target grammar structure but is explicitly stated in the data export application, the corresponding second approval result is the approval.
Specifically, the second approval terminal reads the data to be exported, extracts keywords in the data to be exported (for example, when the target grammar is VHDL, the keywords include architecture, entity, signal, and the like), namely, performs initial judgment on whether the data to be exported contains a target grammar structure by judging whether the data to be exported contains the keywords corresponding to the target grammar, and performs initial classification; in the preliminary classification, the data to be exported which obviously does not contain the target grammar structure can be excluded; then, a second determination may be performed, the data to be exported may be imported or written into software capable of recognizing the target syntactic structure (for example, EDA software may be selected corresponding to the VHDL structure), and if the data to be exported may be imported or written into the EDA software, it may be determined that the data to be exported definitely includes the target syntactic structure; if the data cannot be imported or written, the data to be exported may contain the target syntax structure.
By judging whether the data to be exported contain a target grammar structure, the data to be exported can be classified into three types: the target grammar structure is contained, the target grammar structure is possibly contained, and the target grammar structure is not contained; after the data to be exported are classified, the approval efficiency can be improved.
When the result of the second approval is an agreement, the second server copies the data to be exported from the specific file directory of the first server, and can copy the data to be exported into the file directory to be exported of the second server; or the data to be exported can be packed and compressed into a directory of the file to be exported; and if the data to be exported needs to be encrypted, the second server encrypts, packs and compresses the data to be exported into the file directory to be exported.
After copying the data to be exported to the file directory to be exported, the second server exports the data to be exported to an external server according to the application information in the data export application sent to the second server by the first server, namely the second server exports the data to be exported to a third storage position of a third server connected with an external network, and the third storage position is in one-to-one correspondence with an applicant of the data export application.
The third server includes a plurality of file directories, where the file directories are set in one-to-one correspondence with the application parties of the data export application, for example, the names of the file directories may be names of the application parties or other names capable of uniquely identifying the application parties.
After the second server exports the data to be exported to the third server, only the applicant corresponding to the data to be exported has the read-only permission corresponding to the file directory.
In this embodiment, the first storage location is located in the first server, and the read-write permission is limited to the first approval terminal and the second approval terminal; the second storage position is positioned in the second server, and the read-write authority of the second storage position is limited to the second approval terminal; the login authority of the second server is limited to the second approval terminal. The security of the data to be exported can be improved by the isolation storage mechanism and the corresponding permission setting of the data to be exported in different approval stages.
Example 3
The present embodiment provides a specific application example of the data export system in the embodiments 1 and 2, as follows:
the data to be exported and the approval terminals (including the first approval terminal and the second approval terminal) are in the same environment, an application party automatically starts an application interface when the terminals run, the application party needs to accurately fill application information according to requirements, and submits the application information after the application party confirms that the application information is correct, and an export data list file and an approval process file are automatically generated. And after the application is submitted, the application is sent to respective first-level approvers, wherein the first approver can only approve the application within the authority of the first approver.
The first examining and approving party automatically enters a primary examining and approving interface through the first examining and approving terminal, can open a first server in the primary examining and approving interface, check and check source files in a personal file directory corresponding to the applicant, fill in examination and approving opinions after the check is completed, and then submit a first examining and approving result. If the result of the first approval is not passed: the first server informs the application party through the mail, and the process is finished; if the result of the first approval is that: and the examination and approval is transferred to the second-level examination and approval, and the first server copies the data to be exported to a specified authority directory (namely the first server copies the data to be exported in the personal file directory to a specific file directory), wherein only the first examining and approving party and the second examining and approving party have read-write authority in the specific file directory. And when the result of the first examination and approval is passed, the first server informs the second examination and approval party through an email.
After receiving the mail notification, the second approval party logs in a second server, only the second approval party has login permission, the second server automatically enters a second-level approval interface through a second approval terminal, the second-level approval party can open data to be exported under a specific file directory in the first server on the second-level approval interface to check a source file, and meanwhile the second approval terminal also has a function of classifying the data to be exported, so that the second approval party is reminded of paying attention to sensitive data, and the approval efficiency is improved. And after the second-level examination and approval is finished, filling in examination and approval opinions and submitting examination and approval results. If the result of the second approval is not passed: the second server informs the application party through the mail, and the process is finished; if the second approval is passed: and the second server packages the data to be exported (automatically encrypts if the data to be exported needs to be encrypted), puts the packaged and compressed data to be exported into an export file directory in the second server, generates an export data flag file, and notifies an applicant of the file.
And the second server uploads the corresponding data to the corresponding directory on the corresponding file server in real time according to the exported data flag file and the data to be exported. The applicant or the export object can log in the corresponding server to obtain data, and only the authority of the applicant or the export object is used for obtaining own data for ensuring data security.
If the first examining and approving party and the second examining and approving party leave for holidays or business trips and the data to be exported cannot be examined and approved, each examining and approving party is provided with an agent examining and approving party so as to authorize the agent examining and approving party to carry out the agent examination and approval when the examining and approving party cannot carry out the examination and approval in time.
And the first server and the second server record the whole approval process through whole-course logs.
The specific process is as follows:
preparing data: the applicant places the data to be exported under a single file directory.
Application filling: the application party runs the software, fills application information on an interface, generates a data list file after submitting the application information, and records log information.
Primary examination and approval: after receiving the application, the first approval party operates the first approval terminal, can see the application to be approved (displayed by a pull-down menu), selects the application to be approved, checks the data for approval, fills in approval opinions and submits approval results.
And (3) secondary approval: and after the first approval is passed, the mail informs the second approval party. And after receiving the notification, the second approval party operates the second approval terminal, can see the application to be approved (displayed by a pull-down menu), selects the application to be approved, approves by means of the data classification function in the second approval terminal, fills in the approval opinions and submits the approval result.
Application refute: the first approval is not passed or the first approval is passed but the second approval is not passed, the process is ended, and the applicant receives corresponding mail notification. The mail content comprises: application information and approval opinions.
The application is successful: after the first examination and the second examination and approval, the second server packs the data to be exported to the export file directory, the data export system uploads the data in the export file directory to the server communicated with the external network, and the application party is notified by the mail. The mail content comprises application information, a data acquisition mode, approval opinions, encrypted data and a data decryption password.
Data acquisition: and after the application and approval are successful, the applicant or the export object logs in a server communicated with the external network to obtain data, and the process is finished.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.