CN109472159A - Access control method, device, medium and electronic equipment - Google Patents

Publication number
CN109472159A
Authority
CN
China
Prior art keywords
access
visitor
functional module
control
field
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811363123.6A
Other languages
Chinese (zh)
Inventor
武彪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Taikang Insurance Group Co Ltd
Original Assignee
Taikang Insurance Group Co Ltd
Application filed by Taikang Insurance Group Co Ltd
Priority to CN201811363123.6A
Publication of CN109472159A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

Embodiments of the present invention relate to the field of information technology and provide an access control method, device, computer-readable medium and electronic equipment. The access control method includes: receiving an access request from a visitor, and obtaining at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor; performing the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor, thereby completing primary access control; and, if the result of the primary access control is a pass, performing field access level control according to the access request, thereby completing secondary access control. The functional modules are obtained by classifying the database to which access is requested according to preset rules. By controlling access permissions layer by layer at multiple levels, embodiments of the present invention achieve secure access to the database and improve security.

Description

Access control method, device, medium and electronic equipment
Technical field
The present invention relates to the field of information technology, and in particular to an access control method, device, medium and electronic equipment.
Background art
At present, health record systems provide an integrated portal display of health data. Portal technology emphasizes a user-centric approach, attaches importance to process and overall work efficiency, and provides a unified login interface to achieve centralized access to information.
A portal creates a business environment that provides and supports information access, delivery and integration across organizations. The information displayed through a portal is wide-ranging and contains much sensitive information, but the centralized access mechanism has shortcomings in access security and information security, and secure access to the health record system is both a risk for information security construction and a compliance requirement.
Therefore, the technical solutions in the prior art still have room for improvement.
It should be noted that the information disclosed in the Background section above is only intended to enhance understanding of the background of the invention, and may therefore include information that does not constitute prior art known to a person of ordinary skill in the art.
Summary of the invention
The purpose of embodiments of the present invention is to provide an access control method, device, medium and electronic equipment that overcome, at least to some extent, the poor security of existing access mechanisms.
Other features and advantages of the invention will become apparent from the following detailed description, or will be learned in part through practice of the invention.
According to a first aspect of the embodiments of the present invention, an access control method is provided, comprising:
Receiving an access request from a visitor, and obtaining at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor;
Performing the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor, thereby completing primary access control;
If the result of the primary access control is a pass, performing field access level control according to the access request, thereby completing secondary access control;
Wherein the functional modules are obtained by classifying the database to which access is requested according to preset rules.
In an exemplary embodiment of the disclosure, performing the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor includes:
Performing the corresponding permission control according to the physical entry from which the access request is issued, comprising:
Obtaining the network list of permitted secure access;
Judging, according to the network list, whether the physical entry from which the access request is issued has access permission; if the visitor has access permission, the result of the primary access control is a pass;
Wherein the network list is set or changed in advance by means of fixed IP binding.
In an exemplary embodiment of the disclosure, performing the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor includes:
Performing the corresponding permission control according to the role type of the visitor, comprising:
Obtaining the mapping between visitor roles and access objects;
Determining the access objects from the role type of the visitor in combination with the mapping between visitor roles and access objects; the result of the primary access control of the visitor for those access objects is a pass, and the result of the primary access control of the visitor for accessed persons outside those access objects is a fail;
Wherein the mapping between visitor roles and access objects is preset or obtained by modification, and an access object is the accessed persons who, among multiple accessed persons, meet a specified condition.
In an exemplary embodiment of the disclosure, performing the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor includes:
Performing the corresponding permission control according to the functional module accessed by the visitor, comprising:
Obtaining the mapping between visitor roles and functional modules;
Determining, from the role type of the visitor in combination with the mapping between visitor roles and functional modules, which of the multiple functional modules the visitor has permission to access; the result of the primary access control of the visitor for the functional modules the visitor has permission to access is a pass, and the result of the primary access control of the visitor for the other functional modules among the multiple functional modules is a fail;
Wherein the mapping between visitor roles and functional modules is preset or obtained by modification.
In an exemplary embodiment of the disclosure, performing the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor includes:
Performing the corresponding permission control according to the physical entry from which the access request is issued and, if the visitor has access permission, performing the corresponding permission control according to the role type of the visitor;
If the result of the access control of the visitor for the access object is a pass, performing the corresponding permission control according to the functional module accessed by the visitor;
If the result of the access control of the visitor for the functional module the visitor has permission to access is a pass, the result of the primary access control is a pass.
In an exemplary embodiment of the disclosure, performing field access level control according to the access request includes:
Dividing the fields in the database into levels, so that all fields in the database are divided into multiple data levels;
Setting the corresponding access level according to the role type of the visitor;
When the access level of the visitor is not lower than the data level of a field, the visitor has permission to view the field; when the access level of the visitor is lower than the data level of the field, the field is displayed to the visitor in desensitized form.
In an exemplary embodiment of the disclosure, the method further includes:
Sending an early-warning notification when at least one of the following situations occurs:
The frequency with which the same visitor changes the physical entry from which access requests are issued is monitored; if the change frequency exceeds a first preset value, an early-warning notification is sent;
The person-time frequency with which the visitor accesses accessed persons in the database is monitored; if the person-time frequency exceeds a second preset value, an early-warning notification is sent;
The data levels of the fields contained in the functional module in which the visitor stays are monitored; if the average data level of the fields of a single functional module is greater than a third threshold, an early-warning notification is sent.
In an exemplary embodiment of the disclosure, monitoring the person-time frequency with which the visitor accesses accessed persons in the database includes:
Recording the start time and the end time of the visitor's access to a single access object;
Calculating the access duration from the start time and the end time;
Calculating the person-time frequency from the access duration and the number of person-times accessed; the calculation formula is
where fopt is the person-time frequency, N is the number of person-times accessed, Ti is the visitor's access duration for a given access object, and 1 ≤ i ≤ N.
In an exemplary embodiment of the disclosure, monitoring the data levels of the fields contained in the functional module in which the visitor stays includes:
Obtaining the number of fields in the functional module;
Obtaining the data level corresponding to each field of the functional module;
Calculating the average data level of the fields of a single functional module from the number of fields and the data levels corresponding to the fields; the calculation formula is
where L is the average data level of the fields of a single functional module, M is the number of fields in the functional module, Vj is the data level of a given field in the functional module, and 1 ≤ j ≤ M.
In an exemplary embodiment of the disclosure, sending an early-warning notification if the average data level of the fields of a single functional module is greater than the third threshold includes:
Obtaining a median from the average data level of the fields of the single functional module;
If the median is greater than the third threshold, sending an early-warning notification;
Wherein the third threshold is 5.
According to a second aspect of the embodiments of the present invention, an access control device is provided, comprising:
An access request module, configured to receive an access request from a visitor and obtain at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor;
A primary control module, configured to perform the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor, thereby completing primary access control;
A secondary control module, configured to perform field access level control according to the access request when the result of the primary access control of the primary control module is a pass, thereby completing secondary access control;
Wherein the functional modules are obtained by classifying the database to which access is requested according to preset rules.
According to a third aspect of the embodiments of the present invention, a computer-readable medium is provided, on which a computer program is stored; when the program is executed by a processor, the steps of the access control method described above are implemented.
According to a fourth aspect of the embodiments of the present invention, electronic equipment is provided, comprising:
One or more processors;
A storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the access control method described above.
The technical solutions provided by embodiments of the present invention can include the following benefits:
In the technical solutions provided by some embodiments of the present invention, on the one hand, access permissions are controlled layer by layer at multiple levels, which achieves secure access to the database and improves security. On the other hand, the access trace of the visitor is recorded and tracked throughout the access process, and early-warning notifications are issued for abnormal access in real time, so that abnormal situations can be handled quickly.
It should be understood that the general description above and the detailed description below are only exemplary and explanatory and do not limit the present invention.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and, together with the specification, serve to explain the principles of the invention. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort. In the drawings:
Fig. 1 shows a flow diagram of an access control method according to an embodiment of the present invention;
Fig. 2 shows a flow diagram of step S103 in Fig. 1 according to an embodiment of the present invention;
Fig. 3 shows a flow diagram of the access control method provided in an embodiment of the present invention;
Fig. 4 shows a schematic diagram of the access control method provided in an embodiment of the present invention;
Fig. 5 shows a structural schematic diagram of an access control device according to an embodiment of the present invention;
Fig. 6 shows a structural schematic diagram of a computer system suitable for the electronic equipment used to implement embodiments of the present invention.
Detailed description of the embodiments
Example embodiments are now described more fully with reference to the drawings. However, example embodiments can be implemented in many forms and should not be understood as limited to the examples set forth here; rather, these embodiments are provided so that the invention will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art.
In addition, the described features, structures or characteristics can be combined in one or more embodiments in any suitable manner. In the following description, many specific details are provided to give a full understanding of the embodiments of the present invention. However, those skilled in the art will appreciate that the technical solutions of the invention can be practiced without one or more of the specific details, or with other methods, components, devices, steps and so on. In other cases, well-known methods, devices, implementations or operations are not shown or described in detail, to avoid obscuring aspects of the invention.
The block diagrams shown in the drawings are only functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative; they need not include all content and operations/steps, nor must they be executed in the order described. For example, some operations/steps can be decomposed, and some can be merged or partially merged, so the order actually executed may change according to the actual situation.
In related embodiments of the disclosure, health record permission management can be implemented through role + functional module permission configuration, for example by setting the role of a visitor so that a visitor with a given role can access only the corresponding functional modules and cannot access other functional modules. Although this approach can resolve some drawbacks of centralized access to a certain extent, it does not consider hierarchical management of the accessed field data, and it does not bring the data generated throughout the access process under rule-based management so that abnormal behaviour in the access process can be flagged in real time.
For this reason, the disclosure provides an access control method, device, medium and electronic equipment to solve the above problems. The technical solution of the disclosure is described in detail below.
Fig. 1 shows a flow diagram of the access control method according to an embodiment of the present invention. With reference to Fig. 1, the access control method includes:
Step S101: receive an access request from a visitor, and obtain at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor. The functional modules are obtained by classifying the database to which access is requested according to preset rules.
Step S102: perform the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor, thereby completing primary access control.
Step S103: if the result of the primary access control is a pass, perform field access level control according to the access request, thereby completing secondary access control.
In the technical solution provided by the embodiment shown in Fig. 1, on the one hand, access permissions are controlled layer by layer at multiple levels, which achieves secure access to the database and improves security. On the other hand, the access trace of the visitor is recorded and tracked throughout the access process, and early-warning notifications are issued for abnormal access in real time, so that abnormal situations can be handled quickly.
The specific implementation of each step of the embodiment shown in Fig. 1 is described in detail below:
In step S101, an access request from a visitor is received, and at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor is obtained.
In an exemplary embodiment of the disclosure, each access request contains information of the following kinds. At the hardware level, it includes the physical entry from which the access request is issued (that is, the IP address of the device, denoted ip-address). It includes the identity information of the visitor, including the visitor code, denoted access-ID; for ease of distinction, the role type of the visitor has a corresponding code, denoted by the visitor role code access-role-ID. It also includes information about what is accessed, such as the functional module accessed, the access object and the accessed person. Here the functional modules are obtained by classifying the database to which access is requested according to preset rules; an access object is a group obtained by classifying the accessed persons into populations; and an accessed person is the specific individual being accessed.
In an exemplary embodiment of the disclosure, the multiple functional modules in the database exist in the form of a functional module list, and each functional module in the list has a corresponding code, denoted EHR-module-ID; each accessed person also has a corresponding code, denoted customer-ID.
This embodiment takes a hospital or health centre as the background and uses a health record system as the accessed database. Its functional modules include a physical examination module, a surgery module and an evaluation module; the role types of visitors include president, physical examination doctor, surgical doctor and so on; and the accessed persons are the patients or customers who have records established at the hospital or health centre.
In step S102, the corresponding permission control is performed according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor, thereby completing primary access control.
In an exemplary embodiment of the disclosure, the corresponding permission control in this step can be performed according to the physical entry from which the access request is issued, comprising:
First, the network list of permitted secure access is obtained, where the network list is set or changed in advance by means of fixed IP binding. Which IPs' devices visitors may use to access the database can be set as needed, for example by requiring that the IP address fall within a certain range or belong to a certain enterprise; the bound IPs can also be modified as needed to meet changing requirements.
Then, whether the physical entry from which the access request is issued has access permission is judged according to the network list. If the physical entry from which the access request is issued is in the network list, the visitor has access permission and the result of the primary access control is a pass. If the physical entry from which the access request is issued is not in the network list, the device cannot access the health record system because of the network restriction, and a visitor logged in using that device therefore has no access permission.
In this way, the hardware device that initiates the access request is restricted through the network, which in turn restricts the permissions of the visitor using the device; a visitor can therefore access the health record system only by using a device with a fixed IP in the network list.
The process of performing the corresponding permission control according to the physical entry from which the access request is issued is as follows:
The input parameter can be the IP address, i.e. ip-address; the output parameters are ip-address and a flag indicating whether access succeeded, i.e. access-true (access is allowed) or access-false (access is forbidden).
In an exemplary embodiment of the disclosure, the corresponding permission control in this step can also be performed according to the role type of the visitor, comprising:
First, the mapping between visitor roles and access objects is obtained, where the mapping is preset or obtained by modification, and an access object is the accessed persons who, among multiple accessed persons, meet a specified condition. For example, the accessed persons in a health record system can be divided as required into premium customers (abbreviated as high customers), ordinary customers (abbreviated as general customers), employees and so on, where the division between high customers and general customers can be based on, for example, the amount prepaid into the account when the record was created. Alternatively, accessed persons can be divided by disease type into chronic disease, tumour, blood disease and so on, or by age group into infants, adolescents, youth, middle-aged, elderly and so on. In short, an access object is a group: a collective term for a population sharing some common characteristic.
In addition, because visitor roles differ, the access objects each visitor role is permitted to access generally also differ. For example, the visitor roles are divided into A, B, C and D, and the population in the health record system is divided into high customers, employees, general customers and others. Suppose the mapping is set so that the population accessible to role A includes employees and general customers, and the population accessible to role B includes high customers, employees and general customers. Then a visitor with role A cannot access the health records of customers with high-customer status, whereas a visitor with role B can. The mapping between visitor roles and access objects can be configured as needed and can also be modified as needed.
Then, the access objects are determined from the role type of the visitor in combination with the mapping between visitor roles and access objects; the result of the primary access control of the visitor for those access objects is a pass, and the result of the primary access control of the visitor for accessed persons outside those access objects is a fail.
In this way, accessed persons in the database are classified into populations and visitor roles are distinguished; by configuring the mapping between visitor roles and access objects, the viewing scope of each visitor role is controlled, so that even with the same physical entry (or the same device), visitors with different roles can view the health records of different populations. Continuing the example above, a visitor with role A can log in on a device bound to a fixed IP but can only see the information of employees and general customers after logging in, whereas a visitor with role B can log in on a device bound to a fixed IP and, after logging in, can view the health record information of employees and general customers as well as that of high customers.
The process of performing the corresponding permission control according to the role type of the visitor is as follows:
Input parameters: token information (visitor role code access-role-ID, visitor code access-ID, customer code customer-ID).
Output parameters: a single-row list of the accessed customer (accessed-person code customer-ID, time of entering a single accessed person's record access-begin-time, time of exiting a single accessed person's record access-end-time).
The accessed-person code customer-ID is a unique UUID code, that is, the ID of the customer being accessed. The access object (i.e. population) ID is a set of accessed-person IDs; the population ID is the set of ID codes of all accessed persons. However, each access to the health record system targets a specified individual, so only one accessed-person ID can be returned: if access is permitted, the returned result is the accessed-person ID, i.e. a value is returned; if access is not permitted, the returned result is empty, i.e. null.
It should be noted that in this embodiment access to the health record system is integrated into other business systems. In a business system, accessed persons are accessed one at a time as the scenario requires (one accessed-person ID is selected from the population ID of the business system); each such access returns the accessed-person ID, and the start time and end time of accessing that person can be obtained at the same time. The input parameters should include the accessed-person code customer-ID.
In an exemplary embodiment of the present disclosure, the corresponding permission control may be performed in this step according to the functional module accessed by the visitor, including:
First, the mapping between visitor roles and functional modules is obtained, where this mapping is preset or obtained by modification. In general, the functional modules that a visitor of a given role can access in the configured mapping depend on the visitor's identity: the identity of the role determines the scope of the visitor's actual work, and the scope of work determines the functional modules the visitor may operate.
Again taking the health record system as an example, role A of a visitor may be set to president, with the corresponding mapping being the physical examination module, surgical module and evaluation module, and role B of a visitor may be set to physical examination department doctor, with the corresponding mapping being the physical examination module, surgical module and evaluation module.
Then, according to the mapping between visitor roles and functional modules together with the visitor's role type, the functional modules for which the visitor has access permission are determined among the multiple functional modules. The result of primary access control for the visitor on a functional module with access permission is pass; the result of primary access control for the visitor on any of the multiple functional modules other than those with access permission is fail.
For example, the functional modules corresponding to the health record of a customer C1 include the physical examination module, surgical module and evaluation module. Visitor A is the president, so A can view the information in C1's physical examination module, surgical module and evaluation module. Visitor B is a physical examination department doctor, so B can only access the information in customer C1's physical examination module; even though customer C1's health record also contains a surgical module, visitor B, being a physical examination department doctor, has no access permission for the surgical module.
In this way, by dividing the database into functional modules and configuring permissions per functional module, the region that a visitor can view is controlled: even if two visitors have the same role, if their functional module permissions are configured differently, the regions of the health record they can view are also different.
The process for performing the corresponding permission control according to the functional module accessed by the visitor is implemented as follows:
Input parameters: visitor code access-ID, customer code customer-ID;
Output parameters: health record functional module list (functional module code EHR-module-ID).
In step S103, if the result of the primary access control is pass, field access level control is performed according to the access request, completing the second-level access control.
In an exemplary embodiment of the present disclosure, Fig. 2 shows a flowchart of step S103. Performing field access level control according to the access request in step S103 specifically includes the following steps:
As shown in Fig. 2, in step S201, the fields in the database are graded, dividing all the fields in the database into multiple data levels.
For example, all the fields in the back-end database of the health record system are identified, and each field is then marked with its data level, i.e. the accessible-field data level identifier field-grade-value.
As shown in Fig. 2, in step S202, a corresponding access level is set according to the visitor's role type.
For example, an access level, i.e. access-grade-value, is set for each visitor role type. For ease of comparison and distinction, the data level of fields and the access level of visitors can be marked with the same kind of numbers, i.e. the data levels of fields are marked 1, 2, 3, ... and the access levels are also marked 1, 2, 3, .... This is not a limitation: they can also be marked, according to preset rules, with numbers or letters that have a defined correspondence, for example the data levels of fields marked 1, 2, 3, ... and the access levels marked A, B, C, ....
As shown in Fig. 2, in step S203, when the visitor's access level is not lower than the data level of a field, the visitor has permission to view the field; when the visitor's access level is lower than the data level of the field, the field is shown to the visitor in desensitized (masked) form.
Desensitized display can follow the query permission management requirement of "separate authority, separate domains, graded levels": customer information (the interviewee's information) is partially masked, and the display of all or part of the sensitive information is restricted. (Information desensitization means deforming, encrypting or masking certain sensitive data according to desensitization rules, so that privacy-sensitive data is reliably protected.) Examples of forms of information desensitization:
The date of birth in the customer's identity information is hidden and replaced with *;
The community or street name in the customer's address, and all information after it, is hidden and replaced with *;
The called number in the customer's call records is partly hidden, for example by replacing the 3rd and 4th digits from the end of the called number with *, and so on.
Based on the above, when the access level is compared with the data level of a field, the comparison must follow the same principle that was used when the marks were set, in order to obtain the level comparison result. For example, when both the access level and the data level of fields are marked with numbers, the comparison result can be obtained directly by comparing the two numbers. When the access level and the data level of fields are marked in different ways, a corresponding encoding or similar step is needed to normalize them to the same marking scheme before they are compared, and the comparison result is obtained from that.
The process for performing field access level control according to the access request is implemented as follows:
Input parameters: visitor code access-ID, visitor's access level access-grade-value, health record functional module code EHR-module-ID;
Output parameters: list of accessible fields for each functional module of the health record (record module code EHR-module-ID, accessible-field data level identifier field-grade-value).
In this way the access permission for the fields that hold certain sensitive information can be managed: only those visitors whose access level is higher than the data level of a field can view the content of that sensitive information, and other visitors cannot view it.
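The following sketch is an added example, not code from the patent. It implements steps S201 to S203 in Python, including the normalization of letter-marked levels and the three desensitization forms listed above. The field names, the module code EHR-module-exam, role-C, the levels and the comma-separated address layout are constructed assumptions.

```python
# Added example (not from the patent): field access level control, S201-S203.
# Field names, levels, role marks and the record are constructed sample data.

UNCLASSIFIED_GRADE = 10**9   # fields missing from the schema are never shown raw


def normalize_level(mark):
    """Map a level mark (3, "3" or "C") onto one numeric scale (A=1, B=2, ...)."""
    if isinstance(mark, int):
        return mark
    text = str(mark).strip()
    if text.isdigit():
        return int(text)
    if len(text) == 1 and text.isascii() and text.isalpha():
        return ord(text.upper()) - ord("A") + 1
    raise ValueError(f"unrecognised level mark: {mark!r}")


def mask_all(value):
    """Fallback desensitization rule: hide the whole value."""
    return "*" * len(str(value))


def mask_birth_date(id_number):
    """Hide the birth date (characters 7-14) of an 18-character ID number."""
    s = str(id_number)
    if len(s) != 18:
        return mask_all(s)                 # unexpected layout: hide everything
    return s[:6] + "*" * 8 + s[14:]


def mask_address(address):
    """Hide the community or street name and everything after it.

    Assumes the constructed layout "city, district, street, detail".
    """
    parts = [p.strip() for p in str(address).split(",")]
    if len(parts) <= 2:
        return mask_all(address)
    return ", ".join(parts[:2]) + ", ****"


def mask_called_number(number):
    """Replace the 3rd and 4th digits from the end with *."""
    s = str(number)
    if len(s) < 4:
        return mask_all(s)
    return s[:-4] + "**" + s[-2:]


# S201: field-grade-value and desensitization rule for each field of a module.
MODULE_FIELDS = {
    "EHR-module-exam": {
        "blood_pressure": (1, mask_all),
        "id_number": (3, mask_birth_date),
        "home_address": (2, mask_address),
        "last_called_number": (2, mask_called_number),
    },
}

# S202: access-grade-value per role type. Role B is marked with a letter so
# that the comparison has to normalise both marks first.
ROLE_ACCESS_GRADE = {"role-A": 3, "role-B": "B", "role-C": 1}


def view_module(role, module_id, record):
    """S203: return (displayed record, accessible field list)."""
    access_grade = normalize_level(ROLE_ACCESS_GRADE.get(role, 0))
    schema = MODULE_FIELDS.get(module_id, {})
    shown, accessible = {}, []
    for name, value in record.items():
        grade_mark, masker = schema.get(name, (UNCLASSIFIED_GRADE, mask_all))
        field_grade = normalize_level(grade_mark)
        if access_grade >= field_grade:
            shown[name] = value
            accessible.append((module_id, name, field_grade))
        else:
            shown[name] = masker(value)     # desensitized display
    return shown, accessible


RECORD = {   # constructed record, not real data
    "blood_pressure": "120/80",
    "id_number": "110101199003070011",
    "home_address": "Beijing, Changping District, Jingrong Street, Building 1",
    "last_called_number": "13800138000",
    "family_history": "constructed note",   # not classified in MODULE_FIELDS
}

if __name__ == "__main__":
    for role in ROLE_ACCESS_GRADE:
        print(role, view_module(role, "EHR-module-exam", RECORD)[0])
```

Unknown roles get level 0 and unclassified fields get the highest level, so anything the grading of step S201 missed is masked rather than shown.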
Based on the above, in step S102 of the embodiment of the present disclosure, the corresponding permission control is performed according to at least one of the physical entry from which the access request was issued, the visitor's role type and the functional module accessed by the visitor; that is, any one, two or three of these permission controls may be chosen as the primary access control.
Whichever of the above primary access control schemes is used, once the primary access control passes, the second-level access control follows, i.e. field access level control is performed according to the access request. This embodiment takes as its example the case where all three of the above access permission controls are present at the same time; secure access is then achieved through multi-level access control.
Fig. 3 shows a flow diagram of the access control method provided in an embodiment of the present invention, including the following steps:
As shown in Fig. 3, in step S301, the corresponding permission control is performed according to the physical entry from which the access request was issued; if the visitor has access permission, the flow goes to step S302.
As shown in Fig. 3, in step S302, the corresponding permission control is performed according to the visitor's role type; if the result of the visitor's access control for the access object is pass, the flow goes to step S303.
As shown in Fig. 3, in step S303, the corresponding permission control is performed according to the functional module accessed by the visitor; if the result of the visitor's access control for a functional module with access permission is pass, the result of the primary access control is now pass, and the flow goes to step S304.
As shown in Fig. 3, in step S304, field access level control is performed according to the access request; if the visitor's access level is not lower than the data level of the field, the visitor has permission to view the field and the result of the second-level access control is pass.
Through steps S301 to S304, the layer-by-layer, multi-level access control increases the security of access along several dimensions. The second-level access control takes the data level of fields into account: if the visitor's access level is not high enough, fields containing sensitive information are shown in desensitized form, which protects the information.
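The primary access control chain of steps S301 to S303 can be sketched as follows; this is an added example, not code from the patent, and it stops where the field-level step S304 takes over. The IP addresses, customer UUIDs and module codes are constructed, and the role tables follow the role A / role B and customer C1 examples in the text.

```python
# Added example (not from the patent): the primary access control chain of
# steps S301-S303. IP addresses, customer IDs and module IDs are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOWED_IPS = {"10.0.8.21", "10.0.8.22"}     # network list (fixed-IP bindings)

C_EMPLOYEE = "00000000-0000-4000-8000-0000000000e1"
C_ORDINARY = "00000000-0000-4000-8000-0000000000c1"
C_HIGH_END = "00000000-0000-4000-8000-0000000000a1"

POPULATION_MEMBERS = {                       # population ID -> interviewee IDs
    "employee": {C_EMPLOYEE},
    "ordinary": {C_ORDINARY},
    "high-end": {C_HIGH_END},
}
ROLE_POPULATIONS = {                         # visitor role -> access objects
    "role-A": {"employee", "ordinary"},
    "role-B": {"employee", "ordinary", "high-end"},
}
ROLE_MODULES = {                             # visitor role -> functional modules
    "role-A": {"EHR-module-exam", "EHR-module-surgery", "EHR-module-evaluation"},
    "role-B": {"EHR-module-exam"},
}


@dataclass(frozen=True)
class Decision:
    passed: bool
    customer_id: Optional[str]               # interviewee ID, or None (null)
    modules: Tuple[str, ...]                 # functional module list
    trace: Tuple[Tuple[str, bool], ...]      # per-layer record kept for auditing


def primary_access_control(source_ip, role, customer_id, module_id):
    """Run S301, S302 and S303 in order and stop at the first refusal."""
    trace = []

    def finish(passed, cid=None, modules=()):
        return Decision(passed, cid, tuple(modules), tuple(trace))

    # S301: the physical entry must be on the network list.
    ok = source_ip in ALLOWED_IPS
    trace.append(("S301", ok))
    if not ok:
        return finish(False)

    # S302: the role's populations must contain the requested interviewee.
    visible = set()
    for population in ROLE_POPULATIONS.get(role, ()):
        visible |= POPULATION_MEMBERS.get(population, set())
    ok = customer_id in visible
    trace.append(("S302", ok))
    if not ok:
        return finish(False)                 # result is null, as in the text

    # S303: the requested functional module must be mapped to the role.
    modules = sorted(ROLE_MODULES.get(role, ()))
    ok = module_id in modules
    trace.append(("S303", ok))
    return finish(ok, customer_id, modules)


if __name__ == "__main__":
    print(primary_access_control("10.0.8.21", "role-B", C_HIGH_END,
                                 "EHR-module-surgery"))
```

The trace tuple records which layer refused the request, which is the per-level data the early-warning rules later rely on.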
In addition, during the above multi-level access control, the data generated at each level can be recorded so as to track and record the visitor's access trace, and an early-warning notification about a suspicious visitor is sent to the administrator according to early-warning rules.
In an exemplary embodiment of the present disclosure, the early-warning rules are that an early-warning notification is sent when at least one of the following situations occurs:
1) The change frequency of the physical entry from which the same visitor issues access requests is monitored; if the change frequency exceeds a first preset value, an early-warning notification is sent.
In this case, the visitor's physical entry change frequency is monitored for abnormality by checking whether the IPs of the same visitor's consecutive logins are consistent. The rule can be, for example, old-ip-address ≠ new-ip-address: if the same visitor's current login IP differs from the previous login IP, an early-warning notification is sent to the system administrator. The notification can be sent by SMS or another instant message.
For example, an SMS can be sent automatically to the system administrator with the content "Hello administrator, the physical entry of health record visitor FW1 for this access differs from the last one, please pay attention".
2) The person-time frequency with which the visitor accesses interviewees in the database is monitored; if the person-time frequency exceeds a second preset value, an early-warning notification is sent.
In this case, monitoring the person-time frequency with which the visitor accesses interviewees in the database includes:
21) recording the start time and end time of the visitor's access to each individual access object;
22) calculating the access duration from the start time and the end time;
23) calculating the person-time frequency from the access durations and the number of access person-times; the calculation formula is
where fopt is the person-time frequency, N is the number of access person-times, Ti is the visitor's access duration for a given access object, 1 ≤ i ≤ N, Ti = (access-end-time) − (access-begin-time), and the unit of access duration is minutes.
Whether the visitor's continuous viewing frequency is abnormal is monitored: if the calculated person-time frequency exceeds the second threshold (for example, the second threshold fopt-value is set to 0.2), i.e. if fopt > fopt-value, an early-warning notification is sent to the system administrator. The notification can be sent by SMS or another instant message.
3) The data levels of the fields contained in the functional modules in which the visitor stays are monitored; if the data level average of a single functional module's fields is greater than a third threshold, an early-warning notification is sent.
In this case, the data levels of the fields contained in the functional modules in which the visitor stays are monitored as follows:
31) the number of fields in the functional module is obtained from the functional module;
32) the data level corresponding to each field of the functional module is obtained;
33) the data level average of a single functional module's fields is calculated from the number of fields and the data levels of the fields; the calculation formula is
where L is the data level average of a single functional module's fields, M is the number of fields in the functional module, and Vj is the data level of a given field in the functional module, 1 ≤ j ≤ M.
If the data level average of a single functional module's fields is greater than the third threshold, an early-warning notification is sent. After the data level average of a single functional module's fields is obtained, the method further includes:
34) taking the median of the data level averages of the individual functional modules' fields, i.e. Median(Lj);
35) if the median is greater than the third threshold (i.e. Median(Lj) > security-value), sending an early-warning notification to the system administrator. The notification can be sent by SMS or another instant message. The third threshold may be 5 and can be adjusted according to actual needs.
The data level average of a single functional module's fields is monitored because, if during access a visitor stays for a long time in functional modules containing fields with high data levels, for example ID card information, mobile phone number information or family medical history information, an early warning also needs to be raised quickly: an early-warning notification is sent to the administrator, reminding the administrator to watch the visitor's subsequent actions and to put them on record, so that problems are prevented before they happen. Because the monitoring at each level keeps records, incidents can also be traced back to their source.
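The three early-warning rules above, evaluated over one visitor's recorded access trace, as an added example that is not code from the patent. The formula for fopt is not reproduced in the text, so the sketch assumes fopt = N / (T1 + ... + TN) with Ti in minutes; the value of the first preset value, the module codes and all trace data are constructed.

```python
# Added example (not from the patent): the three early-warning rules evaluated
# over one visitor's access trace. All trace data is constructed.
from datetime import datetime, timedelta
from statistics import median

FIRST_PRESET = 0      # assumed value: any IP change between logins is reported
FOPT_VALUE = 0.2      # second threshold given in the text (fopt-value)
SECURITY_VALUE = 5    # third threshold given in the text (security-value)


def ip_change_count(login_ips):
    """Rule 1: count consecutive logins where old-ip-address != new-ip-address."""
    return sum(1 for old, new in zip(login_ips, login_ips[1:]) if old != new)


def person_time_frequency(visits):
    """Rule 2: fopt from (access-begin-time, access-end-time) ISO strings.

    Assumption: fopt = N / sum(Ti), Ti in minutes; the page's own formula
    is not reproduced in the text.
    """
    if not visits:
        return 0.0
    total_minutes = sum(
        (datetime.fromisoformat(end) - datetime.fromisoformat(begin))
        .total_seconds() / 60
        for begin, end in visits
    )
    if total_minutes <= 0:
        return float("inf")      # zero-length visits: treat as maximal frequency
    return len(visits) / total_minutes


def module_level_average(field_levels):
    """Rule 3, step 33: average of the data levels Vj of a module's M fields."""
    return sum(field_levels) / len(field_levels)


def median_module_level(stayed_modules):
    """Rule 3, step 34: Median(Lj) over the modules the visitor stayed in."""
    averages = [module_level_average(v) for v in stayed_modules.values() if v]
    return median(averages) if averages else 0.0


def evaluate(visitor, login_ips, visits, stayed_modules):
    """Return the early-warning notifications to send to the administrator."""
    alerts = []
    if ip_change_count(login_ips) > FIRST_PRESET:
        alerts.append((visitor, "physical-entry-change"))
    if person_time_frequency(visits) > FOPT_VALUE:
        alerts.append((visitor, "person-time-frequency"))
    if median_module_level(stayed_modules) > SECURITY_VALUE:
        alerts.append((visitor, "field-data-level"))
    return alerts


def constructed_visits(count, seconds_each):
    """Build back-to-back sample visits from a constructed start time."""
    start = datetime(2018, 11, 16, 9, 0, 0)
    step = timedelta(seconds=seconds_each)
    return [((start + i * step).isoformat(), (start + (i + 1) * step).isoformat())
            for i in range(count)]


if __name__ == "__main__":
    # Constructed trace: 12 records opened in 9 minutes from two different IPs.
    print(evaluate(
        "FW1",
        ["10.0.8.21", "10.0.8.21", "172.16.4.9"],
        constructed_visits(12, 45),
        {"EHR-module-identity": [7, 6, 8],
         "EHR-module-family-history": [6, 6],
         "EHR-module-exam": [2, 3, 1]},
    ))
```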
Fig. 4 shows a schematic diagram of the access control method provided by an embodiment of the present invention, which specifically includes the following steps:
The first part, multi-level access permission monitoring, includes:
Step S401, monitoring the physical entry;
Step S402, monitoring the visitor role;
Step S403, monitoring the functional module accessed;
Step S404, monitoring the data level of the fields accessed.
The second part, rule-based early warning according to the access trace while the above multi-level monitoring is carried out, includes:
Step S405, checking whether the change frequency of the physical entry of access is abnormal, and issuing an early-warning notification if it is;
Step S406, checking whether the person-time frequency of the visitor's viewing is abnormal, and issuing an early-warning notification if it is;
Step S407, checking whether the data level of the fields of the functional modules in which the visitor stays is abnormal, and issuing an early-warning notification if it is.
It should be noted that the early-warning notification in this embodiment is sent automatically to the system administrator; the system does not take direct action against the visitor itself. After receiving the notification, the system administrator can carry out offline verification. For example, suppose it is detected that a doctor at a health center for the elderly has consecutively accessed the health records of more than 10 elderly residents of an elderly-care community in less than 10 minutes. After receiving the early warning, the administrator investigates the doctor's personal circumstances in the back end, considering whether the doctor may be changing jobs or may be stealing data professionally. As a follow-up management measure, the administrator can, for example, directly force this visitor to log out from the back end, to prevent further leakage of data.
For monitoring and early warning on the physical entry of access, the goal is not to make access impossible as soon as the IP changes. The visitors who log in to the health record system are generally hospital doctors, stewards of elderly-care communities and the like. Their working environment is relatively fixed (usually an office), and the IP of each doctor's or steward's PC is normally bound. If the physical entry is different, there is a risk that the login name has been misappropriated by someone else. Through monitoring, the visitor can be called back by phone (or verified with in some other way); if the check reveals an abnormality, access from the abnormal IP can be shut off from the back end immediately.
In conclusion, with the access control method provided by the embodiment of the present invention, on the one hand, layer-by-layer, multi-level control of access permissions achieves secure access to the database and improves security. On the other hand, the visitor's access trace is recorded and tracked throughout the access process, and early-warning notifications are issued for abnormal access in real time, so that abnormal situations can be handled quickly.
The device embodiments of the present invention are described below; they can be used to carry out the above access control method of the present invention.
Fig. 5 shows a structural schematic diagram of an access control apparatus according to an embodiment of the present invention. Referring to Fig. 5, the access control apparatus 500 includes an access request module 501, a primary control module 502 and a second-level control module 503.
The access request module 501 is used to receive an access request from a visitor and to obtain at least one of the physical entry from which the access request was issued, the visitor's role type and the functional module accessed by the visitor, where the functional modules are obtained by classifying the database to which access is requested according to preset rules. The primary control module 502 is used to perform the corresponding permission control according to at least one of the physical entry from which the access request was issued, the visitor's role type and the functional module accessed by the visitor, completing the primary access control. The second-level control module 503 is used to perform field access level control according to the access request when the result of the primary access control of the primary control module is pass, completing the second-level access control.
Because each functional module of the access control apparatus of the example embodiment of the present invention corresponds to a step of the example embodiment of the above access control method, for details not disclosed in the apparatus embodiment, please refer to the embodiment of the access control method described above.
Referring now to Fig. 6, it shows a structural schematic diagram of a computer system 600 of an electronic device suitable for implementing the embodiment of the present invention. The computer system 600 of the electronic device shown in Fig. 6 is only an example and should not impose any limitation on the function or scope of use of the embodiment of the present invention.
As shown in Fig. 6, the computer system 600 includes a central processing unit (CPU) 601, which can perform various appropriate actions and processing according to a program stored in read-only memory (ROM) 602 or a program loaded from the storage section 608 into random access memory (RAM) 603. The RAM 603 also stores the various programs and data needed for system operation. The CPU 601, ROM 602 and RAM 603 are connected to one another by a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse and the like; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD) or the like, and a loudspeaker or the like; a storage section 608 including a hard disk or the like; and a communication section 609 including a network interface card such as a LAN card or a modem. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disc, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage section 608 as needed.
In particular, according to an embodiment of the present invention, the process described above with reference to the flowcharts may be implemented as a computer software program. For example, an embodiment of the present invention includes a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. When the computer program is executed by the central processing unit (CPU) 601, the above functions defined in the system of the present application are performed.
It should be noted that the computer-readable medium shown in the present invention may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage media include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in connection with, an instruction execution system, apparatus or device. In the present invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying computer-readable program code. Such a propagated data signal can take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. The program code contained on a computer-readable medium can be transmitted over any suitable medium, including but not limited to wireless, wire, optical cable, RF and the like, or any suitable combination of the above.
The flowcharts and block diagrams in the drawings illustrate the possible architecture, functions and operation of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each box in a flowchart or block diagram may represent a module, program segment or part of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in an order different from that marked in the drawings. For example, two boxes shown in succession may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each box in a block diagram or flowchart, and each combination of boxes in a block diagram or flowchart, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented in software or in hardware, and the described units may also be provided in a processor. The names of these units do not, in some cases, constitute a limitation on the units themselves.
As another aspect, the present application also provides a computer-readable medium, which may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into the electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the access control method described in the above embodiments.
For example, the electronic device may implement the steps shown in Fig. 1. Step S101: receive an access request from a visitor and obtain at least one of the physical entry from which the access request was issued, the visitor's role type and the functional module accessed by the visitor, where the functional modules are obtained by classifying the database to which access is requested according to preset rules. Step S102: perform the corresponding permission control according to at least one of the physical entry from which the access request was issued, the visitor's role type and the functional module accessed by the visitor, completing the primary access control. Step S103: when the result of the primary access control of the primary control module is pass, perform field access level control according to the access request, completing the second-level access control.
It should be noted that although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more of the modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided and embodied in multiple modules or units.
From the above description of the embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present invention can be embodied in the form of a software product, which can be stored on a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) or on a network, and which includes instructions that cause a computing device (such as a personal computer, server, touch terminal or network device) to execute the method according to the embodiments of the present invention.
Those skilled in the art, after considering the specification and practicing the invention disclosed here, will readily think of other embodiments of the present invention. This application is intended to cover any variations, uses or adaptations of the present invention that follow its general principles and include common knowledge or customary technical means in the art not disclosed by the present invention. The description and examples are to be regarded as illustrative only, and the true scope and spirit of the present invention are indicated by the following claims.
It should be understood that the present invention is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.

Claims (13)

1. An access control method, characterized by comprising:
receiving an access request from a visitor, and obtaining at least one of the physical entry from which the access request was issued, the role type of the visitor and the functional module accessed by the visitor;
performing the corresponding permission control according to at least one of the physical entry from which the access request was issued, the role type of the visitor and the functional module accessed by the visitor, completing primary access control;
if the result of the primary access control is pass, performing field access level control according to the access request, completing second-level access control;
wherein the functional module is obtained by classifying the database to which access is requested according to preset rules.
2. The method according to claim 1, characterized in that performing the corresponding permission control according to at least one of the physical entry from which the access request was issued, the role type of the visitor and the functional module accessed by the visitor comprises:
performing the corresponding permission control according to the physical entry from which the access request was issued, comprising:
obtaining a network list of secure access permissions;
judging, according to the network list, whether the physical entry from which the access request was issued has access permission, and if the visitor has access permission, the result of the primary access control is pass;
wherein the network list is set or modified in advance by means of fixed IP binding.
3. The method according to claim 1, characterized in that performing the corresponding permission control according to at least one of the physical entry from which the access request was issued, the role type of the visitor and the functional module accessed by the visitor comprises:
performing the corresponding permission control according to the role type of the visitor, comprising:
obtaining a mapping between visitor roles and access objects;
determining the access object according to the mapping between visitor roles and access objects together with the role type of the visitor, wherein the result of primary access control for the visitor on the access object is pass, and the result of primary access control for the visitor on interviewees outside the access object is fail;
wherein the mapping between visitor roles and access objects is preset or obtained by modification, and the access object is those interviewees among multiple interviewees that meet specified conditions.
4. The method according to claim 1, characterized in that performing the corresponding permission control according to at least one of the physical entry from which the access request was issued, the role type of the visitor and the functional module accessed by the visitor comprises:
performing the corresponding permission control according to the functional module accessed by the visitor, comprising:
obtaining a mapping between visitor roles and functional modules;
determining, according to the mapping between visitor roles and functional modules together with the role type of the visitor, the functional modules among multiple functional modules for which the visitor has access permission, wherein the result of primary access control for the visitor on a functional module with access permission is pass, and the result of primary access control for the visitor on functional modules among the multiple functional modules other than those with access permission is fail;
wherein the mapping between visitor roles and functional modules is preset or obtained by modification.
5. The method according to claim 1, wherein performing the corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor comprises:
performing the corresponding permission control according to the physical entry from which the access request is issued, and if the visitor has access permission, performing the corresponding permission control according to the role type of the visitor;
if the result of the visitor's access control with respect to the access object is pass, performing the corresponding permission control according to the functional module accessed by the visitor;
if the result of the visitor's access control with respect to the functional module with access permission is pass, the result of the primary access control is pass.
6. The method according to any one of claims 1 to 5, wherein performing field access level control according to the access request comprises:
dividing the fields in the database into levels, so that all fields in the database are divided into a plurality of data levels;
setting a corresponding access level according to the role type of the visitor;
when the access level of the visitor is not lower than the data level of a field, the visitor has permission to view the field; when the access level of the visitor is lower than the data level of the field, the field is displayed to the visitor in desensitized form.
7. The method according to claim 6, further comprising:
sending an early-warning notification when at least one of the following situations occurs:
monitoring the frequency with which the physical entry from which the same visitor issues access requests changes, and if the change frequency exceeds a first preset value, sending an early-warning notification;
monitoring the person-time frequency with which the visitor accesses interviewees in the database, and if the person-time frequency exceeds a second preset value, sending an early-warning notification;
monitoring the data levels of the fields contained in the functional module on which the visitor dwells, and if the average data level of the fields of a single functional module is greater than a third threshold, sending an early-warning notification.
8. The method according to claim 7, wherein monitoring the person-time frequency with which the visitor accesses interviewees in the database comprises:
recording the start time and the end time of the visitor's access to a single access object;
calculating the access duration from the start time and the end time;
calculating the person-time frequency from the access duration and the number of access person-times, the calculation formula being
wherein fopt is the person-time frequency, N is the number of access person-times, and Ti is the visitor's access duration for a given access object, 1≤i≤N.
9. The method according to claim 6, wherein monitoring the data levels of the fields contained in the functional module on which the visitor dwells comprises:
obtaining the number of fields in the functional module according to the functional module;
obtaining the data level corresponding to each field of the functional module;
calculating the average data level of the fields of a single functional module from the number of fields and the data level corresponding to each field, the calculation formula being
wherein L is the average data level of the fields of a single functional module, M is the number of fields in the functional module, and Vj is the data level of a given field in the functional module, 1≤j≤M.
10. The method according to claim 9, wherein sending an early-warning notification if the average data level of the fields of a single functional module is greater than the third threshold comprises:
determining a median from the average data levels of the fields of single functional modules;
if the median is greater than the third threshold, sending an early-warning notification;
wherein the third threshold is 5.
11. An access control apparatus, comprising:
an access request module, configured to receive an access request from a visitor and to obtain at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor;
a primary control module, configured to perform corresponding permission control according to at least one of the physical entry from which the access request is issued, the role type of the visitor, and the functional module accessed by the visitor, completing the primary access control;
a secondary control module, configured to perform field access level control according to the access request when the result of the primary access control of the primary control module is pass, completing the secondary access control;
wherein the functional module is obtained by classifying the database to which access is requested according to preset rules.
12. A computer-readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the access control method according to any one of claims 1 to 10.
13. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the access control method according to any one of claims 1 to 10.
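The chained primary checks of claims 2 to 5 followed by the field-level control of claim 6, as an added Python example that is not part of the patent text. The network range, role names, object and module mappings, field levels, masking format and the fail-closed defaults for unknown roles and unclassified fields are all assumptions constructed for illustration.

```python
"""Two-stage access control: primary (entry, role->object, role->module),
then secondary field-level desensitization. All data below is constructed."""
from ipaddress import ip_address, ip_network

ALLOWED_NETS = [ip_network("10.20.0.0/24")]          # fixed-IP network list (claim 2)
ROLE_OBJECTS = {"agent": {"cust-001", "cust-002"},   # role -> access objects (claim 3)
                "auditor": {"cust-001", "cust-002", "cust-003"}}
ROLE_MODULES = {"agent": {"policy"},                 # role -> functional modules (claim 4)
                "auditor": {"policy", "claims"}}
ROLE_LEVEL = {"agent": 2, "auditor": 4}              # access level per role (claim 6)
FIELD_LEVEL = {"name": 1, "policy_no": 2, "id_number": 4, "diagnosis": 3}

def primary_control(src_ip, role, obj, module):
    """Chain the three checks in the order of claim 5; return (passed, reason)."""
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False, "entry: malformed address"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "entry: not in network list"
    if obj not in ROLE_OBJECTS.get(role, set()):
        return False, "object: outside role mapping"
    if module not in ROLE_MODULES.get(role, set()):
        return False, "module: outside role mapping"
    return True, "pass"

def mask(value):
    """Desensitized display: keep the first character only (assumed format)."""
    s = str(value)
    return s[:1] + "*" * (len(s) - 1)

def secondary_control(role, record):
    """Show a field in clear only if access level >= data level, else mask it.
    Unknown roles get level 0 and unclassified fields are masked (fail closed)."""
    level = ROLE_LEVEL.get(role, 0)
    return {k: v if k in FIELD_LEVEL and level >= FIELD_LEVEL[k] else mask(v)
            for k, v in record.items()}

def handle(src_ip, role, obj, module, record):
    """Run the secondary control only when the primary control passes."""
    ok, reason = primary_control(src_ip, role, obj, module)
    return secondary_control(role, record) if ok else {"denied": reason}

RECORD = {"name": "Li Wei", "policy_no": "P-7781",   # constructed sample record
          "id_number": "110101199001011234", "diagnosis": "asthma"}
if __name__ == "__main__":
    print(handle("10.20.0.15", "agent", "cust-001", "policy", RECORD))
    print(handle("192.0.2.9", "agent", "cust-001", "policy", RECORD))
```

Returning the denial reason per stage makes it possible to log which of the three primary checks rejected a request, which is the input the monitoring in claim 7 would need.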
CN201811363123.6A 2018-11-15 2018-11-15 Access control method, device, medium and electronic equipment Pending CN109472159A (en)


Publications (1)

Publication Number Publication Date
CN109472159A (en) 2019-03-15

Family

ID=65673483



Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102611699A (en) * 2012-02-22 2012-07-25 浪潮(北京)电子信息产业有限公司 Method and system for access control in cloud operation system
CN103475637A (en) * 2013-04-24 2013-12-25 携程计算机技术(上海)有限公司 Network access control method and system based on IP access behaviors
CN105787381A (en) * 2014-12-26 2016-07-20 北大医疗信息技术有限公司 Data access control method and apparatus
CN105827663A (en) * 2016-06-02 2016-08-03 中国联合网络通信集团有限公司 Access control method and system
CN107403106A (en) * 2017-07-18 2017-11-28 北京计算机技术及应用研究所 Database fine-grained access control method based on terminal user
CN108040046A (en) * 2017-12-07 2018-05-15 中国银行股份有限公司 Data access control method and device

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110096892B (en) * 2019-04-29 2021-07-02 武汉中锐源信息技术开发有限公司 Database attribute access control method and system
CN110096892A (en) * 2019-04-29 2019-08-06 武汉中锐源信息技术开发有限公司 Database Properties access control method and system
CN110263278A (en) * 2019-06-20 2019-09-20 上海上湖信息技术有限公司 A kind of data processing method and device
CN110298195A (en) * 2019-07-03 2019-10-01 中国工商银行股份有限公司 Access control method, object control device, managing device and electronic equipment
CN110401655A (en) * 2019-07-23 2019-11-01 宿州星尘网络科技有限公司 Access control right management system based on user and role
CN110781494A (en) * 2019-10-22 2020-02-11 武汉极意网络科技有限公司 Data abnormity early warning method, device, equipment and storage medium
CN111083135A (en) * 2019-12-12 2020-04-28 深圳天源迪科信息技术股份有限公司 Method for processing data by gateway and security gateway
CN111400765B (en) * 2020-03-25 2021-11-02 支付宝(杭州)信息技术有限公司 Private data access method and device and electronic equipment
CN111400765A (en) * 2020-03-25 2020-07-10 支付宝(杭州)信息技术有限公司 Private data access method and device and electronic equipment
CN114499901A (en) * 2020-10-26 2022-05-13 中国移动通信有限公司研究院 Information processing method and device, server, terminal and data platform
CN112269982A (en) * 2020-11-19 2021-01-26 四川长虹电器股份有限公司 Data access control method based on authority configuration
CN112699407A (en) * 2020-12-31 2021-04-23 北京字跳网络技术有限公司 Service data access method, device, equipment and storage medium
CN113051614A (en) * 2021-03-26 2021-06-29 支付宝(杭州)信息技术有限公司 Information access processing method, device, equipment and system
CN113206845A (en) * 2021-04-28 2021-08-03 的卢技术有限公司 Network access control method, device, computer equipment and storage medium
CN113206845B (en) * 2021-04-28 2023-08-11 西藏宁算科技集团有限公司 Network access control method, device, computer equipment and storage medium
CN114091107A (en) * 2021-11-30 2022-02-25 腾讯科技(深圳)有限公司 Information processing method, device, equipment, storage medium and product


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190315
