CN109684873B - Data access control method and device, computer equipment and storage medium - Google Patents

Publication number: CN109684873B
Authority: CN (China)
Prior art keywords: access, control information, server, request, access control
Legal status: Active
Application number: CN201811642631.8A
Other languages: Chinese (zh)
Other versions: CN109684873A (en
Inventors: 吴泽强, 刘勇, 陈丹, 王要深, 况子昭, 曾晓天, 胡心怡
Current Assignee: Kingdee Software China Co Ltd
Original Assignee: Kingdee Software China Co Ltd
Application filed by Kingdee Software China Co Ltd
Priority to CN201811642631.8A
Publication of CN109684873A
Application granted
Publication of CN109684873B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application relates to a data access control method, a data access control device, computer equipment and a storage medium. The method comprises the following steps: acquiring a data access request carrying an access user account; generating a virtual access ticket corresponding to the data access request; sending the generated virtual access ticket to a server corresponding to the data access request; acquiring a control information acquisition request generated by the server according to the received virtual access ticket; and when the control information acquisition request passes verification according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server, so that the server performs access control on the data access request according to the access control information. According to the method, the virtual access ticket is sent to the server and the control information acquisition request that the server generates according to that ticket is received, so that the server can acquire the access control information corresponding to the access user account; this reduces the degree of coupling with the server.

Description

Data access control method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computers, and in particular, to a data access control method, apparatus, computer device, and storage medium.
Background
With the development of computer technology, Software-as-a-Service (SaaS) has emerged: a manufacturer deploys application software on its own servers, receives over the internet the data access requests sent by access user accounts under a tenant (that is, an administrator account of a client organization in the SaaS mode), and provides a data access function.
However, in the conventional SaaS mode, a control server of the manufacturer needs to verify a logged-in access user account, store a session after the verification passes, and share the session with the server. The shared session includes the access control information corresponding to the access user account, and the server performs access control on the data access requests of the access user account according to that access control information. Because of the shared session, the control server is tightly coupled with the server, which hinders modification and expansion of both the control server and the server.
Disclosure of Invention
In view of the above, it is desirable to provide a data access control method, apparatus, computer device, and storage medium capable of reducing the coupling.
A method of data access control, the method comprising:
acquiring a data access request carrying an access user account;
generating a virtual access ticket corresponding to the data access request;
sending the generated virtual access ticket to a server corresponding to the data access request;
acquiring a control information acquisition request generated by the server according to the received virtual access ticket;
and when the control information acquisition request is verified according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server so as to perform access control on the data access request through the server according to the access control information.
A data access control apparatus, the apparatus comprising:
a request acquisition module, configured to acquire a data access request carrying an access user account;
a ticket generating module, configured to generate a virtual access ticket corresponding to the data access request;
a ticket sending module, configured to send the generated virtual access ticket to the server corresponding to the data access request;
a request acquisition module, configured to acquire a control information acquisition request generated by the server according to the received virtual access ticket;
and an information returning module, configured to return the access control information corresponding to the access user account to the server when the control information acquisition request is verified according to the generated virtual access ticket, so as to perform access control on the data access request through the server according to the access control information.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
acquiring a data access request carrying an access user account;
generating a virtual access ticket corresponding to the data access request;
sending the generated virtual access ticket to a server corresponding to the data access request;
acquiring a control information acquisition request generated by the server according to the received virtual access ticket;
and when the control information acquisition request is verified according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server so as to perform access control on the data access request through the server according to the access control information.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring a data access request carrying an access user account;
generating a virtual access ticket corresponding to the data access request;
sending the generated virtual access ticket to a server corresponding to the data access request;
acquiring a control information acquisition request generated by the server according to the received virtual access ticket;
and when the control information acquisition request is verified according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server so as to perform access control on the data access request through the server according to the access control information.
According to the data access control method, apparatus, computer device and storage medium, a data access request carrying an access user account is acquired, and a virtual access ticket corresponding to the data access request is generated, the virtual access ticket being used for determining the authority of the access user to perform data access; the generated virtual access ticket is sent to the server corresponding to the data access request, and when a control information acquisition request generated by the server according to the received virtual access ticket is acquired, that request is verified according to the generated virtual access ticket; when the verification passes, it is determined that the virtual access ticket in the control information acquisition request was generated by the current device, and the access control information corresponding to the access user account is returned to the server, so that the server performs access control on the data access request according to the access control information. Because the access control information corresponding to the access user account can be sent to the server by means of the virtual access ticket, the degree of coupling with the server is reduced.
Drawings
FIG. 1 is a diagram of an application environment of a data access control method in one embodiment;
FIG. 2 is a flow diagram illustrating a method for data access control in one embodiment;
FIG. 3 is a flow diagram that illustrates the steps of adding an invited user account in one embodiment;
FIG. 4 is a flowchart illustrating steps of storing access control information in one embodiment;
FIG. 5 is a diagram illustrating storage of access control information in one embodiment;
FIG. 6 is a flowchart illustrating steps for validating a control information acquisition request in one embodiment;
FIG. 7 is a flowchart illustrating the steps of querying access control information in one embodiment;
FIG. 8 is a flowchart illustrating steps for extracting access control information in one embodiment;
FIG. 9 is a timing diagram of a data access control method in one embodiment;
FIG. 10 is a block diagram showing the construction of a data access control device according to an embodiment;
FIG. 11 is a diagram illustrating an internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The data access control method provided by the application can be applied to the application environment shown in fig. 1. The terminal 110, on which the access user account is logged in, communicates with the SaaS cloud platform 120 through a network. The SaaS cloud platform 120 is composed of a control server 122 and a server 124, where the control server 122 is configured to control login of the access user account and send access control information to the server 124; the server 124 is configured to respond, according to the access control information, to a data access request sent by the terminal 110. The control server 122 and the server 124 communicate over a network. It is to be understood that the servers illustrated in fig. 1 are merely exemplary, not limiting, and that many more servers may be included in the SaaS cloud platform. The terminal 110 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the control server 122 and the server 124 may each be implemented by an independent server or a server cluster composed of a plurality of servers.
In one embodiment, as shown in fig. 2, a data access control method is provided. The method is described as applied to the control server in fig. 1 and includes the following steps:
Step 202, acquiring a data access request carrying an access user account.
The data access request is sent by the terminal on which the access user account is logged in and is used for data access. The data access request may include at least one of a read access request and a write access request.
Specifically, the terminal on which the access user account is logged in acquires a data access instruction triggered by the access user in a control page, generates a data access request according to the access user account and the data access instruction, and sends the data access request to the control server through a network. The control server receives the data access request carrying the access user account.
In one embodiment, the control server corresponds to a control page; the access user opens the control page at the terminal and can log in with the access user account and an account password. The control server verifies the access user account and the account password; when the verification passes, the access user account is successfully logged in, and the control server saves the session with the access user account.
In one embodiment, the control page displays multiple categories of data access functions. The access user can trigger a data access instruction by clicking a link or a virtual button corresponding to a data access function in the control page; the terminal on which the access user account is logged in acquires the access user account and the triggered data access instruction and generates a data access request.
Step 204, generating a virtual access ticket corresponding to the data access request.
The virtual access ticket is used for determining the authority of the access user account to perform data access.
Specifically, after the control server obtains the data access request, it parses the request to obtain the access user account in the data access request. The control server generates a virtual access ticket according to the access user account obtained by parsing.
Step 206, sending the generated virtual access ticket to the server corresponding to the data access request.
Specifically, the SaaS cloud platform provides multiple categories of data access functions, and different categories of data access functions can be implemented by different servers. After the control server parses the data access request, it extracts the data access instruction, determines the data access function corresponding to the data access instruction, and then determines the server corresponding to that data access function. The control server sends the generated virtual access ticket to the determined server.
In one embodiment, the control server sends the data access request and the virtual access ticket to the server corresponding to the data access request at the same time.
Step 208, acquiring a control information acquisition request generated by the server according to the received virtual access ticket.
The control information acquisition request is a request, generated by the server, for acquiring the access control information of the access user account.
Specifically, after receiving the virtual access ticket sent by the control server, the server acquires its server identifier. After generating a control information acquisition request according to the server identifier and the received virtual access ticket, the server sends the control information acquisition request to the control server. The control server receives the control information acquisition request sent by the server.
Step 210, when the control information acquisition request is verified according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server so as to perform access control on the data access request through the server according to the access control information.
The access control information is authority information governing data access by the access user account.
Specifically, after receiving the control information acquisition request sent by the server, the control server verifies whether the virtual access ticket in the control information acquisition request was generated by the control server. When it verifies that the virtual access ticket in the control information acquisition request was generated by the control server, the control information acquisition request passes verification. The control server then queries the access user account corresponding to the virtual access ticket and determines the access control information corresponding to the queried access user account. The control server sends the access user account and the corresponding access control information to the server, and the server performs access control on the data access request according to the access control information.
In one embodiment, after receiving the access control information, the server sends access page data to the terminal on which the access user account is logged in, according to the data access request, and the terminal displays the access page according to the received access page data. The terminal receives an access operation request triggered by the access user in the access page and sends the access operation request to the server. The server determines, according to the access control information, whether the access user account has the authority corresponding to the access operation request. When the access user account is verified to have that authority, the server responds to the access operation request and returns an operation result to the terminal on which the access user account is logged in.
In this embodiment, a data access request carrying an access user account is acquired, and a virtual access ticket corresponding to the data access request is generated, the virtual access ticket being used for determining the authority of the access user account to perform data access; the generated virtual access ticket is sent to the server corresponding to the data access request, and when a control information acquisition request generated by the server according to the received virtual access ticket is acquired, that request is verified according to the generated virtual access ticket; when the verification passes, it is determined that the virtual access ticket in the control information acquisition request was generated by the current device, and the access control information corresponding to the access user account is returned to the server, so that the server performs access control on the data access request according to the access control information. Because the access control information corresponding to the access user account can be sent to the server by means of the virtual access ticket, the degree of coupling with the server is reduced.
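The ticket exchange of steps 202 to 210, sketched in Python as an added example (it is not code from the patent). The in-memory ticket store, the random ticket number, the 60-second lifetime, single-use redemption, the binding of a ticket to the receiving server's identifier, and all class, field and account names are assumptions made for illustration.

```python
import secrets
import time

TICKET_TTL_SECONDS = 60  # assumption: the page gives no ticket lifetime


class ControlServer:
    """Generates virtual access tickets and answers control information acquisition requests."""

    def __init__(self, access_control_by_account, server_by_function):
        self._access_control = access_control_by_account  # account -> access control information
        self._server_by_function = server_by_function      # data access function -> server identifier
        self._issued = {}                                   # ticket number -> record kept by the issuer

    def issue_ticket(self, data_access_request, now=None):
        """Steps 202 to 206: parse the request, generate a ticket, choose the target server."""
        now = time.time() if now is None else now
        account = data_access_request["account"]
        server_id = self._server_by_function[data_access_request["function"]]
        ticket_number = secrets.token_urlsafe(32)  # unguessable, so it cannot be found by enumeration
        self._issued[ticket_number] = {
            "account": account,
            "server_id": server_id,
            "expires": now + TICKET_TTL_SECONDS,
        }
        # Only the ticket goes to the server: no shared session, no permissions in transit.
        return server_id, {"ticket_number": ticket_number}

    def handle_control_info_request(self, request, now=None):
        """Steps 208 to 210: verify that the ticket was generated here, then return the information."""
        now = time.time() if now is None else now
        ticket_number = request.get("ticket", {}).get("ticket_number")
        record = self._issued.get(ticket_number)
        if record is None:
            raise PermissionError("ticket was not generated by this control server")
        if request.get("server_id") != record["server_id"]:
            # Assumption: a ticket is only honoured for the server it was sent to.
            raise PermissionError("ticket presented by a different server")
        del self._issued[ticket_number]  # assumption: a ticket is redeemed at most once
        if now > record["expires"]:
            raise PermissionError("ticket expired")
        account = record["account"]
        return {"account": account, "access_control": self._access_control[account]}


class Server:
    """A data access server that shares no session state with the control server."""

    def __init__(self, server_id, control_server):
        self.server_id = server_id
        self._control = control_server
        self.access_control = {}  # account -> access control information obtained via tickets

    def receive_ticket(self, ticket, now=None):
        # The control information acquisition request: server identifier plus received ticket.
        request = {"server_id": self.server_id, "ticket": ticket}
        reply = self._control.handle_control_info_request(request, now)
        self.access_control[reply["account"]] = reply["access_control"]
        return reply


def try_redeem(server, ticket, now=None):
    """Return the control server's reply, or None when the request fails verification."""
    try:
        return server.receive_ticket(ticket, now)
    except PermissionError:
        return None


def demo():
    # Constructed sample data; account names, server identifiers and fields are hypothetical.
    control = ControlServer(
        {"alice@tenant": {"scope": "team", "right": "readonly"}},
        {"container": "srv-container", "image": "srv-image"},
    )
    container = Server("srv-container", control)
    image = Server("srv-image", control)
    _, ticket = control.issue_ticket({"account": "alice@tenant", "function": "container"}, now=1000.0)
    return {
        "forged": try_redeem(container, {"ticket_number": "guess"}, now=1001.0),
        "wrong_server": try_redeem(image, ticket, now=1001.0),
        "valid": try_redeem(container, ticket, now=1001.0),
        "replayed": try_redeem(container, ticket, now=1002.0),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The server learns the account's permissions only through the reply to its own request, so the control server's session store never has to be shared with it.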
As shown in fig. 3, in an embodiment, step 202 further includes a step of adding an invited user account, which specifically includes the following steps:
Step 302, receiving a group invitation request sent by a first terminal on which a group administrator account is logged in.
In the SaaS mode, an organization with SaaS usage rights may comprise at least one user group; the account that has management authority over each user account and user group in the organization is the group administrator account. The group invitation request is a request, sent by the group administrator account, that invites the invited user account to join a specified user group.
Specifically, the first terminal, on which the group administrator account is logged in, receives user invitation information entered by the group administrator in a user invitation page, the user invitation information comprising an invited user account and a user group identifier. When the first terminal detects that an invitation button in the user invitation page is clicked, it obtains the entered user invitation information, generates a group invitation request according to the user invitation information and the group administrator account, and sends the group invitation request to the control server. The control server receives the group invitation request sent by the first terminal.
In one embodiment, when the first terminal on which the group administrator account is logged in detects that a user invitation page button in the control page is triggered, user invitation page data is sent to the first terminal; the first terminal displays the user invitation page according to the user invitation page data and receives the user invitation information entered in the user invitation page.
Step 304, extracting the invited user account and the user group identifier in the group invitation request.
The invited user account is the user account that the group administrator account invites to join the user group. The user group identifier is a unique identifier of the user group and may be at least one of a group name and a group number of the user group. The group number may be a character string composed of letters, numbers, special symbols, and the like.
Specifically, after receiving the group invitation request, the control server parses the group invitation request to obtain the invited user account and the user group identifier in the group invitation request.
Step 306, sending the group invitation request to a second terminal on which the invited user account is logged in.
Specifically, after extracting the invited user account and the user group identifier in the group invitation request, the control server determines the second terminal on which the invited user account is logged in and sends the group invitation request to that terminal.
In one embodiment, before the first terminal on which the group administrator account is logged in sends the group invitation request, user A registers with user entity information through the access control page at the second terminal. After registering, user A becomes a platform-level user of the SaaS cloud platform and a user in the user pool of the SaaS cloud platform. After user A is registered, the user account of user A may become the invited user account.
Step 308, receiving the group joining agreement information returned by the second terminal according to the group invitation request.
The group joining agreement information is information returned to the control server by the second terminal on which the invited user account is logged in, and indicates that the invited user account accepts the group invitation request.
Specifically, after receiving the group invitation request, the second terminal on which the invited user account is logged in displays the received group invitation request on its display screen. When the second terminal detects an acceptance instruction triggered by the invited user, it generates group joining agreement information according to the acceptance instruction, the invited user account and the user group identifier, and sends the generated group joining agreement information to the control server. The control server receives the group joining agreement information returned by the second terminal.
Step 310, adding the invited user account to the user group account set corresponding to the user group identifier.
The user group account set is a set of all user accounts in the user group.
Specifically, after receiving the group joining agreement information returned by the second terminal according to the group invitation request, the control server extracts the invited user account and the user group identifier from the group joining agreement information, acquires the user group account set corresponding to the user group identifier, and adds the extracted invited user account to that user group account set.
In one embodiment, after the second terminal returns the group joining agreement information, the control server sends the group joining agreement information to the first terminal. The first terminal adds the invited user account to an organization account set according to the received group joining agreement information, and then adds the invited user account to the user group account set corresponding to the user group identifier; it is understood that the user group account set to which the first terminal adds the invited user account is the user group account set stored in the first terminal and corresponding to the user group identifier. The organization account set is a set of all user accounts in an organization, and the group administrator account has management authority over the user accounts in the organization account set.
In this embodiment, a group invitation request sent by the first terminal, on which the group administrator account is logged in, is received, the group invitation request being a request inviting the invited user account to join a user group; after the invited user account and the user group identifier in the group invitation request are extracted, the group invitation request is sent to the second terminal on which the invited user account is logged in; after the invited user account accepts the group invitation request, the group joining agreement information returned by the second terminal is received, and the invited user account is added to the user group account set corresponding to the user group identifier according to that information. A user account therefore cannot be added at will, which improves the security of adding the invited user account to the user group.
As shown in fig. 4, in an embodiment, after the step 310, a step of storing the access control information is further included, where the step specifically includes the following steps:
Step 402, generating a group entry notification according to the invited user account.
The group entry notification is notification information generated by the control server after the invited user account is added to the user group account set corresponding to the user group identifier.
Specifically, the control server adds the invited user account to the user group account set corresponding to the user group identifier, and then generates a group entry notification according to the invited user account and the user group identifier.
Step 404, sending the group entry notification to the first terminal.
Specifically, after the control server generates the group entry notification according to the invited user account and the user group identifier, it sends the generated group entry notification to the first terminal on which the group administrator account is logged in.
Step 406, receiving the access control information returned by the first terminal according to the group entry notification.
Specifically, after the first terminal on which the group administrator account is logged in receives the group entry notification, the group administrator account may modify the access control information of the user group. After the group administrator account modifies the access control information, the access control information is sent to the control server through the first terminal.
In an embodiment, the group administrator account creates a new user group; after adding the invited user account to the user group account set corresponding to the user group identifier, the group administrator may set the access control information of the user group and send the access control information of the new user group to the control server through the first terminal.
Step 408, storing the received access control information in correspondence with the user group identifier of the user group to which the invited user account belongs.
Specifically, after receiving the access control information returned by the first terminal according to the group entry notification, the control server extracts the user group identifier in the access control information, that is, the user group identifier of the user group to which the invited user account belongs, and stores the access control information in correspondence with that user group identifier.
FIG. 5 is a diagram illustrating storage of access control information, in one embodiment. Specifically, referring to fig. 5, a user a, a user B, and a user C are all users in the SaaS cloud platform user pool. The method comprises the steps that a first terminal which logs in through a group administrator account sends a group invitation request to a second terminal which logs in through a user account of a user A, after the user account of the user A accepts the group invitation request, the group administrator account adds the user account of the user A into an organization account set, and then the user account of the user A is added into a first user group account set. The group administrator account may identify the user account of user a as a collaborative user account, and may add the collaborative user account to a plurality of user group account sets.
And the group administrator account combines the first data access function and the second data access function through the first terminal to obtain a data access item. The first data access function and the second data access function are different classes of data access functions. The first data access function includes a first resource and a second resource, and the second data access function includes a third resource and a fourth resource. And the group administrator account sets access control information of the data access item through the first terminal and correspondingly stores the access control information and the user group identification of the first user group. Each user account in the set of user group accounts may have the same access control information. The access control information may also be stored in correspondence with user group identities of a plurality of user groups.
The access control information is as follows:
Figure BDA0001931406940000101
The access control information corresponding to the user group to which the user account of user A belongs comprises a data access function category identifier, resources, an access scope, an access right and detailed access rights. The data access function category identifier is the category identifier of the data access function. The resources are all resources under the data access function. The access scope is one of owner, team and all: when the access scope is owner, the user account of user A can access only the resources that it created itself under the data access item; when the access scope is team, the user account of user A can access resources created by any user account in the user group to which it belongs under the data access item; when the access scope is all, the user account of user A can access all resources under the data access item. The access right is one of full, limit and readonly: when the access right is full, the user account of user A has all kinds of data access rights to the resource; when the access right is limit, the user account of user A has partial data access rights to the resource; when the access right is readonly, the user account of user A has only read-only rights to the resource.
The detailed access rights are set according to the kind of resource. When the resource is a container instance, the detailed access rights may include: create, delete, stop, restart, and start; when the resource is an image, the detailed access rights may include pull and push. The detailed access rights take effect when the access right is limit.
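How a server could evaluate one operation against this access control information, as an added Python example that is not part of the patent text. The class and field names, the `view` read operation, the rule that `limit` also permits reading, and the sample accounts and entries are assumptions or constructed values.

```python
from dataclasses import dataclass

# Detailed operations per resource kind, as listed in the description.
DETAILED_OPS = {
    "container_instance": {"create", "delete", "stop", "restart", "start"},
    "image": {"pull", "push"},
}
READ_OP = "view"  # assumption: the page names no read operation, "view" is a placeholder


@dataclass(frozen=True)
class AccessControlEntry:
    function_category: str           # data access function category identifier
    resource_kind: str               # key into DETAILED_OPS
    scope: str                       # "owner" | "team" | "all"
    right: str                       # "full" | "limit" | "readonly"
    detailed: frozenset = frozenset()  # consulted only when right == "limit"


@dataclass(frozen=True)
class Resource:
    function_category: str
    kind: str
    creator: str                     # user account that created the resource


def in_scope(entry, user, group_members, resource):
    """Apply the access scope: owner, team or all."""
    if entry.scope == "owner":
        return resource.creator == user
    if entry.scope == "team":
        return resource.creator in group_members
    if entry.scope == "all":
        return True
    return False  # unknown scope value: fail closed


def allowed_operations(entry):
    """Apply the access right: full, limit or readonly."""
    known = DETAILED_OPS.get(entry.resource_kind, set())
    if entry.right == "full":
        return known | {READ_OP}
    if entry.right == "limit":
        # Detailed access rights take effect only here; reading is assumed allowed.
        return (set(entry.detailed) & known) | {READ_OP}
    if entry.right == "readonly":
        return {READ_OP}
    return set()  # unknown right value: fail closed


def is_allowed(entries, user, group_members, resource, operation):
    """Default deny: some entry must match the resource, the scope and the operation."""
    for e in entries:
        if (e.function_category, e.resource_kind) != (resource.function_category, resource.kind):
            continue
        if in_scope(e, user, group_members, resource) and operation in allowed_operations(e):
            return True
    return False


# Constructed sample data: user A's group and the entries stored for that group.
GROUP = {"userA", "userB"}
ENTRIES = [
    AccessControlEntry("container_service", "container_instance", "team", "limit",
                       frozenset({"stop", "restart", "start"})),
    AccessControlEntry("image_service", "image", "owner", "limit", frozenset({"pull"})),
]

if __name__ == "__main__":
    teammate_container = Resource("container_service", "container_instance", "userB")
    for op in ("restart", "delete", READ_OP):
        print(op, is_allowed(ENTRIES, "userA", GROUP, teammate_container, op))
```
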
In this embodiment, a group entry notification is generated according to the invited user account and sent to the first terminal, and the access control information returned by the first terminal according to the group entry notification is received; the access control information is the permission information for data access by the user accounts in the user group to which the invited user account belongs. The received access control information is stored in correspondence with the user group identifier of the user group to which the invited user account belongs, which keeps the stored access control information orderly.
As shown in Fig. 6, in one embodiment, step 210 further includes verifying the control information acquisition request, which comprises the following steps:
Step 602, the control information acquisition request is parsed to obtain a virtual access ticket.
Specifically, after receiving the control information acquisition request generated by the server, the control server triggers a request verification instruction and, according to that instruction, parses the received control information acquisition request to obtain the virtual access ticket it contains.
Step 604, the ticket number is extracted from the obtained virtual access ticket.
The ticket number is the number of the virtual access ticket, and may be a character string composed of letters, numbers, special symbols, and the like.
Specifically, after obtaining the virtual access ticket by parsing the control information acquisition request, the control server extracts the ticket number from the virtual access ticket.
Step 606, the extracted ticket number is looked up in the ticket number list, which includes the ticket numbers corresponding to the generated virtual access tickets.
The ticket number list is a list that stores the ticket numbers of all virtual access tickets generated by the control server.
Specifically, the control server reads the stored ticket number list, in which the ticket numbers of all virtual access tickets generated by the control server are stored, and looks up the extracted ticket number in that list.
Step 608, when the extracted ticket number is found, access control information corresponding to the access user account is returned to the server, so that the server performs access control on the data access request according to the access control information.
Specifically, when the control server finds the extracted ticket number in the ticket number list, this confirms that the virtual access ticket in the control information acquisition request was generated by the control server, and the control information acquisition request passes verification. The control server looks up the access user account corresponding to the virtual access ticket and determines the access control information corresponding to that account. The control server then sends the access control information to the server, and the server performs access control on the data access request according to the access control information.
In one embodiment, once the control server has verified the control information acquisition request, the virtual access ticket is deleted. When the access user account logs in again and initiates a data access request through the terminal, the control server generates a new virtual access ticket.
In this embodiment, the control information acquisition request is parsed to obtain a virtual access ticket, and the ticket number is extracted from the obtained virtual access ticket. The extracted ticket number is looked up in the ticket number list, which stores the ticket numbers corresponding to the generated virtual access tickets. When the extracted ticket number is found, the virtual access ticket is confirmed to have been generated by the current device, the control information acquisition request passes verification, and the access control information corresponding to the access user account is returned to the server. Verifying the control information acquisition request by looking up the unique ticket number improves the accuracy of verification.
As shown in Fig. 7, in one embodiment, step 210 further includes querying the access control information, which comprises the following steps:
Step 702, when the control information acquisition request is verified according to the generated virtual access ticket, the user group identifier of the user group to which the access user account belongs is determined.
Specifically, when the control information acquisition request passes verification according to the generated virtual access ticket, the control server looks up the access user account corresponding to the ticket number in the virtual access ticket, determines the user group to which the access user account belongs, and extracts the user group identifier of that user group.
Step 704, the access control information corresponding to the determined user group identifier is queried.
Specifically, the control server stores each user group identifier in correspondence with the access control information for that user group. After determining the user group identifier of the user group to which the access user account belongs, the control server queries the pre-stored access control information corresponding to the determined user group identifier.
Step 706, the queried access control information is sent to the server, so that the server performs access control on the data access request according to the access control information.
Specifically, after the control server has queried the access control information corresponding to the determined user group identifier, it sends the access control information to the server. After receiving the access control information, the server performs access control on the data access request according to it.
In this embodiment, when the control information acquisition request is verified according to the generated virtual access ticket, the user group identifier of the user group to which the access user account belongs is determined. Because each user group identifier is stored in correspondence with its access control information, the access control information corresponding to the user group identifier can be queried quickly and sent to the server, which improves the speed of querying the access control information.
As shown in Fig. 8, in one embodiment, step 706 further includes extracting the access control information, which comprises the following steps:
Step 802, the server identifier in the control information acquisition request is obtained.
Specifically, the control information acquisition request generated by the server includes a server identifier. After the control server has queried the access control information, it extracts the server identifier from the control information acquisition request.
Step 804, the access control information that applies to the server corresponding to the server identifier is extracted from the queried access control information.
Specifically, the data access request may be subject to access control by a plurality of servers, and the access control information may consist of several groups of access control information corresponding to different servers. After extracting the server identifier from the control information acquisition request, the control server uses it to extract, from the queried access control information, the access control information that applies to the server corresponding to the server identifier.
Step 806, the extracted access control information is sent to the server corresponding to the server identifier, so that the server performs access control on the data access request according to the access control information.
Specifically, after extracting from the queried access control information the access control information that applies to the server corresponding to the server identifier, the control server sends the extracted access control information to that server. The server performs access control on the data access request according to the received access control information.
The access control information queried by the control server is as follows:
[Figures BDA0001931406940000131 and BDA0001931406940000141: access control information queried by the control server]
The access control information queried by the control server may consist of several groups of access control information corresponding to different servers, and each group may include a data access function category identifier, resources, an access scope, an access right, and detailed access rights.
The access control information extracted by the control server is as follows:
[Figure BDA0001931406940000142: access control information extracted by the control server, for "data access function class 1"]
The access control information extracted by the control server may comprise a data access function category identifier, resources, an access scope, an access right, and detailed access rights.
In this embodiment, the server identifier in the control information acquisition request is obtained; according to the server identifier, the access control information that applies to the corresponding server is accurately extracted from the queried access control information, which contains access control information for a plurality of servers, and the extracted access control information is sent to the server corresponding to the server identifier. This improves the accuracy of extracting the access control information.
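The control-server side of steps 602 to 608, 702 to 704 and 802 to 806, including deletion of the ticket after verification, as an added Python example that is not part of the patent text. The class and field names, the dict-shaped request and the use of `secrets.token_urlsafe` for ticket numbers are assumptions; the accounts, group and server identifiers are constructed sample values.

```python
import secrets


class ControlServer:
    def __init__(self, group_of_account, acl_by_group):
        self._group_of_account = group_of_account  # access user account -> user group identifier
        self._acl_by_group = acl_by_group          # user group identifier -> {server identifier -> entries}
        self._tickets = {}                         # ticket number list: ticket number -> account

    def issue_ticket(self, account):
        """Generate a virtual access ticket for a data access request."""
        # Assumption: the page only says the number is a string of letters,
        # digits and special symbols; an unguessable random value is used here.
        number = secrets.token_urlsafe(32)
        self._tickets[number] = account
        return {"ticket_number": number}

    def handle_control_info_request(self, request):
        """Return {"account", "access_control"} or None when verification fails."""
        # Steps 602 and 604: parse the request, extract the ticket number.
        ticket = request.get("ticket")
        number = ticket.get("ticket_number") if isinstance(ticket, dict) else None
        if not isinstance(number, str):
            return None

        # Steps 606 and 608: look the number up in the ticket number list.
        # pop() also deletes the ticket, so a ticket verifies at most once.
        account = self._tickets.pop(number, None)
        if account is None:
            return None

        # Steps 702 and 704: user group identifier, then its access control information.
        group_id = self._group_of_account.get(account)
        acl_all_servers = self._acl_by_group.get(group_id, {})

        # Steps 802 and 804: keep only the group that applies to the requesting server.
        server_id = request.get("server_id")
        entries = acl_all_servers.get(server_id, [])

        # Step 806: an empty list leaves the server with nothing to grant.
        return {"account": account, "access_control": entries}


# Constructed sample data.
GROUPS = {"userA": "group-1"}
ACL = {
    "group-1": {
        "container-server": [
            {"category": "data access function class 1", "resource": "container_instance",
             "scope": "team", "right": "limit", "detailed": ["stop", "restart", "start"]},
        ],
        "image-server": [
            {"category": "data access function class 2", "resource": "image",
             "scope": "owner", "right": "readonly", "detailed": []},
        ],
    }
}

if __name__ == "__main__":
    cs = ControlServer(GROUPS, ACL)
    t = cs.issue_ticket("userA")
    req = {"ticket": t, "server_id": "container-server"}
    print(cs.handle_control_info_request(req))  # access control information for one server
    print(cs.handle_control_info_request(req))  # None: the ticket was deleted after verification
```
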
As shown in Fig. 9, one embodiment includes the terminal 110 on which the access user account is logged in and the SaaS cloud platform 120. The SaaS cloud platform is composed of a control server 122 and a server 124. The control server 122 is used for controlling login of the access user account and for sending access control information to the server 124; the server 124 is used for responding, according to the access control information, to data access requests sent by the terminal 110 on which the access user account is logged in. The embodiment specifically includes the following:
The terminal 110 on which the access user account is logged in logs in through the control server 122. After the access user account passes authentication, the control server 122 saves the session with the terminal 110 and sends a login success notification to the terminal 110. The terminal 110 sends a data access request to the control server 122; the control server 122 generates a virtual access ticket corresponding to the data access request and sends the generated virtual access ticket to the server 124 corresponding to the data access request.
Upon receiving the virtual access ticket, the server 124 generates a control information acquisition request and sends it to the control server 122. When the control information acquisition request passes verification, the control server 122 extracts the access control information that applies to the server 124, and returns the access user account and that access control information to the server 124. After saving the returned access user account and access control information, the server 124 sends access page data to the terminal 110, and the terminal 110 displays the access page according to the received access page data. The terminal 110 receives an access operation request triggered by the access user in the access page and sends the access operation request to the server 124. The server 124 determines, according to the access control information, whether the access user account has the permission corresponding to the access operation request. When the access user account is verified to have the permission, the server 124 responds to the access operation request and returns the operation result to the terminal 110.
It should be understood that although the steps in the flow charts of Figs. 2-4 and 6-8 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in Figs. 2-4 and 6-8 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times; these sub-steps or stages are not necessarily performed sequentially, and may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in Fig. 10, there is provided a data access control device 1000 comprising: a request acquisition module 1002, a ticket generation module 1004, a ticket sending module 1006, a request acquisition module 1008, and an information return module 1010, wherein:
The request acquisition module 1002 is configured to acquire a data access request carrying an access user account;
The ticket generation module 1004 is configured to generate a virtual access ticket corresponding to the data access request;
The ticket sending module 1006 is configured to send the generated virtual access ticket to the server corresponding to the data access request;
The request acquisition module 1008 is configured to acquire a control information acquisition request generated by the server according to the received virtual access ticket;
The information return module 1010 is configured to, when the control information acquisition request is verified according to the generated virtual access ticket, return access control information corresponding to the access user account to the server, so that the server performs access control on the data access request according to the access control information.
In this embodiment, a data access request carrying an access user account is acquired, and a virtual access ticket corresponding to the data access request is generated; the virtual access ticket is used to determine the data access permissions of the access user account. The generated virtual access ticket is sent to the server corresponding to the data access request, and when the control information acquisition request generated by the server according to the received virtual access ticket is acquired, it is verified according to the generated virtual access ticket. When verification passes, the virtual access ticket in the control information acquisition request is determined to have been generated by the current device, and access control information corresponding to the access user account is returned to the server, so that the server performs access control on the data access request according to the access control information. Because the access control information corresponding to the access user account is delivered to the server by means of the virtual access ticket, coupling with the server is reduced.
In one embodiment, the data access control device 1000 further comprises a request receiving module, an extraction module, a request sending module, an information receiving module and an account adding module, wherein:
The request receiving module is configured to receive a group invitation request sent by a first terminal on which a group administrator account is logged in.
The extraction module is configured to extract the invited user account and the user group identifier from the group invitation request.
The request sending module is configured to send the group invitation request to a second terminal on which the invited user account is logged in.
The information receiving module is configured to receive the group joining agreement information returned by the second terminal according to the group invitation request.
The account adding module is configured to add the invited user account to the user group account set corresponding to the user group identifier.
In this embodiment, a group invitation request sent by a first terminal on which a group administrator account is logged in is received; the group invitation request is a request inviting the invited user account to join a user group. After the invited user account and the user group identifier are extracted from the group invitation request, the group invitation request is sent to a second terminal on which the invited user account is logged in. After the invited user account accepts the group invitation request, the group joining agreement information returned by the second terminal is received, and the invited user account is added to the user group account set corresponding to the user group identifier accordingly. Because a user account cannot be added at will, the security of adding the invited user account to the user group is improved.
In one embodiment, the data access control device 1000 further comprises a notification generation module, a notification sending module, a control receiving module and an information storage module, wherein:
The notification generation module is configured to generate a group entry notification according to the invited user account.
The notification sending module is configured to send the group entry notification to the first terminal.
The control receiving module is configured to receive the access control information returned by the first terminal according to the group entry notification.
The information storage module is configured to store the received access control information in correspondence with the user group identifier of the user group to which the invited user account belongs.
In this embodiment, a group entry notification is generated according to the invited user account and sent to the first terminal, and the access control information returned by the first terminal according to the group entry notification is received; the access control information is the permission information for data access by the user accounts in the user group to which the invited user account belongs. The received access control information is stored in correspondence with the user group identifier of the user group to which the invited user account belongs, which keeps the stored access control information orderly.
In one embodiment, the information return module 1010 is further configured to parse the control information acquisition request to obtain a virtual access ticket; extract the ticket number from the obtained virtual access ticket; look up the extracted ticket number in a ticket number list that includes the ticket numbers corresponding to the generated virtual access tickets; and, when the extracted ticket number is found, return access control information corresponding to the access user account to the server, so that the server performs access control on the data access request according to the access control information.
In this embodiment, the control information acquisition request is parsed to obtain a virtual access ticket, and the ticket number is extracted from the obtained virtual access ticket. The extracted ticket number is looked up in the ticket number list, which stores the ticket numbers corresponding to the generated virtual access tickets. When the extracted ticket number is found, the virtual access ticket is confirmed to have been generated by the current device, the control information acquisition request passes verification, and the access control information corresponding to the access user account is returned to the server. Verifying the control information acquisition request by looking up the unique ticket number improves the accuracy of verification.
In one embodiment, the information return module 1010 is further configured to determine the user group identifier of the user group to which the access user account belongs when the control information acquisition request is verified according to the generated virtual access ticket; query the access control information corresponding to the determined user group identifier; and send the queried access control information to the server, so that the server performs access control on the data access request according to the access control information.
In this embodiment, when the control information acquisition request is verified according to the generated virtual access ticket, the user group identifier of the user group to which the access user account belongs is determined. Because each user group identifier is stored in correspondence with its access control information, the access control information corresponding to the user group identifier can be queried quickly and sent to the server, which improves the speed of querying the access control information.
In one embodiment, the information return module 1010 is further configured to obtain the server identifier in the control information acquisition request; extract, from the queried access control information, the access control information that applies to the server corresponding to the server identifier; and send the extracted access control information to the server corresponding to the server identifier, so that the server performs access control on the data access request according to the access control information.
In this embodiment, the server identifier in the control information acquisition request is obtained; according to the server identifier, the access control information that applies to the corresponding server is accurately extracted from the queried access control information, which contains access control information for a plurality of servers, and the extracted access control information is sent to the server corresponding to the server identifier. This improves the accuracy of extracting the access control information.
For specific limitations of the data access control device, reference may be made to the above limitations of the data access control method, which are not repeated here. The modules in the data access control device may be implemented wholly or partially by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or be independent of, a processor in the computer device, or may be stored in software form in a memory in the computer device, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a control server, and whose internal structure may be as shown in Fig. 11. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The database of the computer device is used for storing data for data access control. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a data access control method.
Those skilled in the art will appreciate that the architecture shown in Fig. 11 is merely a block diagram of some of the structures associated with the disclosed aspects and does not limit the computer devices to which the disclosed aspects apply; a particular computer device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the above-described data access control method. The steps of the data access control method herein may be steps in the data access control methods of the various embodiments described above.
In one embodiment, a computer readable storage medium is provided, storing a computer program which, when executed by a processor, causes the processor to perform the steps of the above-described data access control method. The steps of the data access control method herein may be steps in the data access control methods of the various embodiments described above.
In this embodiment, a data access request carrying an access user account is acquired, and a virtual access ticket corresponding to the data access request is generated; the virtual access ticket is used to determine the data access permissions of the access user account. The generated virtual access ticket is sent to the server corresponding to the data access request, and when the control information acquisition request generated by the server according to the received virtual access ticket is acquired, it is verified according to the generated virtual access ticket. When verification passes, the virtual access ticket in the control information acquisition request is determined to have been generated by the current device, and access control information corresponding to the access user account is returned to the server, so that the server performs access control on the data access request according to the access control information. Because the access control information corresponding to the access user account is delivered to the server by means of the virtual access ticket, coupling with the server is reduced.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of these technical features are described; however, as long as a combination of technical features contains no contradiction, it should be considered to be within the scope of this specification.
The above embodiments express only several implementations of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method of data access control, the method comprising:
acquiring a data access request carrying an access user account; generating a virtual access ticket corresponding to the data access request;
analyzing the data access request to obtain a data access instruction, determining a data access function corresponding to the data access instruction, determining a server corresponding to the data access function, and sending the generated virtual access ticket to the server;
acquiring a control information acquisition request generated by the server according to the received virtual access ticket;
and when the control information acquisition request is verified according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server so as to perform access control on the data access request through the server according to the access control information.
2. The method of claim 1, wherein before the obtaining of the data access request carrying the access user account, the method further comprises:
receiving a group invitation request sent by a first terminal logged in by a group administrator account;
extracting an invited user account and a user group identifier in the group invitation request;
sending the group invitation request to a second terminal logged in by the invited user account;
receiving group admission agreement information returned by the second terminal according to the group admission invitation request;
and adding the invited user account to a user group account set corresponding to the user group identification.
3. The method of claim 2, wherein after adding the invited user account to the set of user group accounts corresponding to the user group identity, further comprising:
generating a group entering notification according to the invited user account;
sending the group entry notification to the first terminal;
receiving access control information returned by the first terminal according to the group entry notification;
and storing the received access control information corresponding to the user group identification of the user group to which the invited user account belongs.
4. The method of claim 1, wherein when the control information acquisition request is verified according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server, so as to perform access control on the data access request according to the access control information through the server, comprises:
analyzing the control information acquisition request to obtain a virtual access ticket;
extracting the ticket number in the obtained virtual access ticket;
inquiring the extracted ticket number in a ticket number list comprising the ticket number corresponding to the generated virtual access ticket;
and when the extracted ticket number is found, returning access control information corresponding to the access user account to the server, so that the server can perform access control on the data access request according to the access control information.
5. The method of claim 1, wherein when the control information acquisition request is verified according to the generated virtual access ticket, returning access control information corresponding to the access user account to the server, so as to perform access control on the data access request according to the access control information through the server, comprises:
when the control information acquisition request is verified according to the generated virtual access ticket, determining a user group identifier of a user group to which the access user account belongs;
querying access control information corresponding to the determined user group identifier;
and sending the queried access control information to the server so as to perform access control on the data access request through the server according to the access control information.
6. The method of claim 5, wherein sending the queried access control information to the server to perform access control on the data access request according to the access control information by the server comprises:
acquiring a server identifier in the control information acquisition request;
extracting, from the queried access control information, the access control information that applies to the server corresponding to the server identifier;
and sending the extracted access control information to the server corresponding to the server identifier so as to perform access control on the data access request through the server according to the access control information.
7. A data access control apparatus, characterized in that the apparatus comprises:
the request acquisition module is used for acquiring a data access request carrying an account of an access user;
the ticket generating module is used for generating a virtual access ticket corresponding to the data access request;
the ticket sending module is used for parsing the data access request to obtain a data access instruction, determining a data access function corresponding to the data access instruction, determining a server corresponding to the data access function, and sending the generated virtual access ticket to the server;
the request acquisition module is used for acquiring a control information acquisition request generated by the server according to the received virtual access ticket;
and the information returning module is used for returning the access control information corresponding to the access user account to the server when the control information acquisition request is verified according to the generated virtual access ticket so as to perform access control on the data access request through the server according to the access control information.
8. The apparatus of claim 7, wherein the information returning module comprises:
the request parsing module is used for parsing the control information acquisition request to obtain a virtual access ticket;
the number extraction module is used for extracting the ticket number in the obtained virtual access ticket;
the number query module is used for looking up the extracted ticket number in a ticket number list comprising the ticket numbers corresponding to the generated virtual access tickets;
and the control returning module is used for returning access control information corresponding to the access user account to the server when the extracted ticket number is found, so that the server can perform access control on the data access request according to the access control information.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 6 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
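The ticket check and control-information lookup of claims 4 to 6, sketched in Python as an added example; it is not code from the patent. The class and function names, the dictionary layout of the access control information, the random ticket numbers, and the binding of each ticket number to the account it was issued for are all assumptions.

```python
import secrets


class ControlCenter:
    """Hypothetical service that issues virtual access tickets and serves control information."""

    def __init__(self, group_of, group_acl):
        self.group_of = group_of    # user account -> user group identifier
        self.group_acl = group_acl  # group identifier -> {server identifier: allowed actions}
        self.issued = {}            # ticket number list: number -> account it was issued for

    def issue_ticket(self, account):
        # Assumption: numbers are random, so a server cannot guess a valid one.
        number = secrets.token_hex(16)
        self.issued[number] = account
        return {"number": number}

    def control_info(self, request):
        # Claim 4: parse the request, extract the ticket number, look it up.
        number = (request.get("ticket") or {}).get("number")
        if not isinstance(number, str) or number not in self.issued:
            return None             # verification failed: return nothing
        # Claim 5: account -> user group identifier -> stored control information.
        account = self.issued[number]
        acl = self.group_acl.get(self.group_of.get(account), {})
        # Claim 6: hand back only the part that applies to the requesting server.
        return set(acl.get(request.get("server_id"), ()))


def server_handle(center, server_id, ticket, action):
    """Business server side: fetch control information with the ticket, then decide."""
    allowed = center.control_info({"ticket": ticket, "server_id": server_id})
    return allowed is not None and action in allowed


def demo():
    # Constructed sample data: one account, one group, two servers.
    center = ControlCenter(
        group_of={"alice": "g-finance"},
        group_acl={"g-finance": {"ledger-srv": {"read", "export"}, "hr-srv": {"read"}}},
    )
    ticket = center.issue_ticket("alice")
    return {
        "read_ledger": server_handle(center, "ledger-srv", ticket, "read"),
        "export_hr": server_handle(center, "hr-srv", ticket, "export"),
        "forged": server_handle(center, "ledger-srv", {"number": "0" * 32}, "read"),
        "no_ticket": server_handle(center, "ledger-srv", {}, "read"),
    }


if __name__ == "__main__":
    print(demo())
```

A request with an unknown or missing ticket number gets no control information at all, so the server in this sketch denies by default.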
CN201811642631.8A 2018-12-29 2018-12-29 Data access control method and device, computer equipment and storage medium Active CN109684873B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811642631.8A CN109684873B (en) 2018-12-29 2018-12-29 Data access control method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109684873A CN109684873A (en) 2019-04-26
CN109684873B CN109684873B (en) 2020-12-29

Family

ID=66191376

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811642631.8A Active CN109684873B (en) 2018-12-29 2018-12-29 Data access control method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109684873B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant