CN109815654A - A kind of data access control method and device - Google Patents

A data access control method and device

Info

Publication number: CN109815654A
Application number: CN201910062322.1A
Authority: CN (China)
Prior art keywords: path, entity, vertex, data access, relationship
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN109815654B (en)
Inventor: 纪鹏
Current Assignee: Inspur General Software Co Ltd
Original Assignee: Shandong Inspur Genersoft Information Technology Co Ltd
Application filed by Shandong Inspur Genersoft Information Technology Co Ltd
Priority to CN201910062322.1A
Publication of CN109815654A
Application granted
Publication of CN109815654B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention provides a data access control method and device. The method comprises: constructing an entity relationship graph, which is a graph data structure that expresses entity relationships; determining an authorization rule expressed as a graph data structure, the authorization rule having the following features: the relationships between entity prototypes are represented with one or more graphs, on the basis of which it can be determined whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects; a graph uses entity prototypes as vertices and the relationships between entity prototypes as edges; a graph includes one or more paths, where the start of a path is the prototype of the authorization subject and the end of a path is the prototype of the authorized object; receiving a data access request from outside the system; and determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths. This scheme expresses authorization rules intuitively, so that an authorization rule may include complex rules such as hierarchical authorization and multi-level authorization.

Description

A data access control method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a data access control method and device.
Background technique
In the field of computer security, access control in the broad sense includes identification, authentication, authorization, access approval and audit. Access control in the narrow sense may include only access approval: in this process, based on the content the subject is authorized to access, the system decides whether to allow or refuse the access request of an authenticated subject.
In an access control model, the entities that perform actions in the system are called subjects, the entities whose resource access needs to be controlled are called objects, and authorization specifies what a subject may do, which involves defining the subject's access rights. Authorization rules determine the operations a subject is allowed to perform in the system.
Data access control systems generally use role-based access control (RBAC) or attribute-based access control (ABAC).
Existing methods fall short in expressing authorization rules intuitively and in realizing multi-level entity authorization.
Summary of the invention
The present invention provides a data access control method and device which express authorization rules intuitively, so that an authorization rule may include complex rules such as hierarchical authorization and multi-level authorization.
In order to achieve the above object, the present invention is achieved through the following technical solutions:
In one aspect, the present invention provides a data access control method, comprising: constructing an entity relationship graph, the entity relationship graph being a graph data structure that expresses entity relationships;
determining an authorization rule expressed as a graph data structure, wherein the authorization rule has the following 3 features:
A1. the relationships between entity prototypes are represented with one or more graphs, on the basis of which it can be determined whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects;
A2. a graph uses entity prototypes as vertices and the relationships between entity prototypes as edges;
A3. a graph includes one or more paths, where the start of a path is the prototype of the authorization subject and the end of a path is the prototype of the authorized object;
and further comprising:
receiving a data access request from outside the system;
determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths.
Further, the entity relationship graph has the following 3 features:
B1. the relationships between entity instances are represented with one or more graphs, so that, taking them as input and referring to the authorization rule, it can be determined whether an authorization subject instance is allowed to perform an operation on an authorized object instance;
B2. a graph uses entity instances as vertices and the relationships between entity instances as edges;
B3. a graph includes one or more paths, where the start of a path is an instance of the authorization subject and the end of a path is an instance of the authorized object.
Further, determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths comprises:
A1: judging whether the user, resource and operation of the data access request fall within a preset permission scope; if so, determining the authorization subject prototype, the authorized object prototype and the graph of the authorization rule that expresses the operation, and executing A2;
A2: according to the data access request, traversing the graph of the authorization rule that expresses the operation for paths that start at the authorization subject prototype and end at the authorized object prototype, taking them as prototype paths; if the number of prototype paths is greater than 0, executing A3;
A3: according to the data access request, traversing the entity relationship graph for paths that start at the authorization subject and end at the authorized object, taking them as instance paths; if the number of instance paths is greater than 0, executing A4;
A4: comparing the instance paths with the prototype paths;
if there exist at least one instance path and at least one prototype path such that the instance path matches the prototype path, determining that the authorization holds;
if no instance path matches any prototype path, determining that the authorization does not hold.
Further, the authorization rule includes at least one operation and, for each operation, at least one corresponding path, and each path includes at least one directed relationship in ordered arrangement.
Further, the structural features of the entity relationship graph include:
vertices include system users, business entities and business entity attributes;
edges include business relations and authorization relations;
wherein the business relations include: association relations between business entities, master-slave relations between business entities and business entity attributes, and hierarchical relations inside a set of business entities;
the authorization relations include: the authorization relations between system users assigned by the system and other entities.
Further, constructing the entity relationship graph comprises: extracting vertices and edges from accessible data according to extraction rules, so as to construct the entity relationship graph;
wherein the accessible data comes from the system's authorizations and the business data accessible to the system;
the extraction rule for the vertices of the entity relationship graph includes: defining the entity classes of the vertices to include system users, business entities and business entity attributes, and traversing the entity set so that each instance in the entity set is a vertex;
the extraction rule for the edges of the entity relationship graph includes: defining the mutual relationships between entity classes and their decision rules; traversing the entity set, testing entities pairwise to determine whether they are associated, and, if two entities are associated, adding an edge between the corresponding vertices.
Further, before constructing the entity relationship graph, the method further comprises: determining the configured permission scope, wherein the permission scope includes: the entity prototypes that may serve as authorization subjects, the entity prototypes that may serve as authorized objects, and the set of entity relationships that may serve as authorization relationships;
after constructing the entity relationship graph, the method further comprises: according to the permission scope, degenerating the entity relationship graph by removing every irrelevant edge and every unconnected vertex, so as to obtain a directed acyclic graph, wherein an irrelevant edge is any edge whose directed relationship is not in the entity relationship set, and an unconnected vertex is any vertex that is not connected to an edge;
and determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths comprises: determining the data access control result from the data access request, the directed acyclic graph and the authorization rule by means of path traversal of the graphs and comparison of paths.
Further, the data access request includes a first authorization subject, a first authorized object and a first operation;
the permission scope includes: the entity class of the authorization subject, the entity class of the authorized object and the entity class of the permitted authorization intermediary;
A1 includes: judging whether the first authorization subject belongs to the entity class of the authorization subject and whether the first authorized object belongs to the entity class of the authorized object; if both hold, executing A2;
A3 includes: traversing the entity relationship graph to obtain a first quantity of first paths, where the number of first paths traversed is the first quantity, the first paths involve a second quantity of intermediate vertices, the number of intermediate vertices involved in the first paths is the second quantity, the first quantity and the second quantity are positive integers, the vertex instance of the initial vertex of each first path is the first authorization subject, the vertex instance of the terminal vertex of each first path is the first authorized object, and, when the second quantity is not 0, the vertex instance of every intermediate vertex involved in the first paths belongs to the entity class of the authorization intermediary; when the first quantity is not 0, generating the path prototype of each path obtained by traversal, to serve as the instance paths;
A4 includes: comparing each input instance path respectively with each prototype path corresponding to the first operation; if a comparison succeeds, generating a data access control result that allows the data access request, and ending; if no instance path compares successfully with any prototype path, generating a data access control result that refuses the data access request.
Further, the data access request includes a second authorization subject and a second authorized object;
the permission scope includes: the entity class of the authorization subject, the entity class of the authorized object and the entity class of the permitted authorization intermediary;
A1 includes: judging whether the second authorization subject belongs to the entity class of the authorization subject and whether the second authorized object belongs to the entity class of the authorized object; if both hold, executing A2;
A2 includes: traversing the entity relationship graph to obtain a third quantity of second paths, where the number of second paths traversed is the third quantity, the second paths involve a fourth quantity of intermediate vertices, the number of intermediate vertices involved in the second paths is the fourth quantity, the third quantity and the fourth quantity are positive integers, the vertex instance of the initial vertex of each second path is the second authorization subject, the vertex instance of the terminal vertex of each second path is the second authorized object, and, when the fourth quantity is not 0, the vertex instance of every intermediate vertex involved in the second paths belongs to the entity class of the authorization intermediary; when the third quantity is not 0, generating the path prototype of each path obtained by traversal, to serve as the instance paths;
A4 includes: comparing each input instance path respectively with each prototype path corresponding to each operation in the authorization rule; if, for an operation, there exists a prototype path that compares successfully with an input instance path, generating a data access control result that allows the second authorization subject to perform that operation on the second authorized object.
Further, the data access request includes a third authorization subject and a second operation;
the permission scope includes: the entity class of the authorization subject, the entity class of the authorized object and the entity class of the permitted authorization intermediary;
A1 includes: judging whether the third authorization subject belongs to the entity class of the authorization subject; if so, executing A2;
A3 includes: determining each target vertex of the entity relationship graph, the vertex instance of a target vertex belonging to the entity class of the authorized object, and performing for each target vertex: traversing the entity relationship graph to obtain a fifth quantity of third paths, where the number of third paths traversed is the fifth quantity, the third paths involve a sixth quantity of intermediate vertices, the number of intermediate vertices involved in the third paths is the sixth quantity, the fifth quantity and the sixth quantity are positive integers, the vertex instance of the initial vertex of each third path is the third authorization subject, the vertex instance of the terminal vertex of each third path is the vertex instance of the current target vertex, and, when the sixth quantity is not 0, the vertex instance of every intermediate vertex involved in the third paths belongs to the entity class of the authorization intermediary; when the fifth quantity is not 0, generating the path prototype of each path obtained by traversal, to serve as the instance paths;
A4 includes: comparing each input instance path respectively with each prototype path corresponding to the second operation; if, for the second operation, there exists a prototype path that compares successfully with an input instance path, generating a data access control result that allows the third authorization subject to perform the second operation on the target authorized object, wherein the target authorized object is the vertex instance of the current target vertex.
Further, generating the path prototype of each path obtained by traversal comprises:
for each path obtained by traversal, performing: omitting every vertex of the current path to obtain an ordered sequence of directed relationships, wherein the current path is formed by arranging in sequence the vertex instance of each vertex on the current path and the directed relationship indicated by each edge on the current path, the order followed being consistent with the direction of the current path;
omitting every hierarchical directed relationship from the ordered sequence of directed relationships, so as to generate the path prototype of the current path, wherein, when the vertex instances of two vertices are in a superior-subordinate relationship and belong to the same instance class, the directed relationship between the two vertices is a hierarchical directed relationship.
In another aspect, the present invention provides a data access control device for executing any of the above data access control methods, comprising:
an entity relationship graph construction unit, for constructing an entity relationship graph, the entity relationship graph being a graph data structure that expresses entity relationships;
an authorization rule determination unit, for determining an authorization rule expressed as a graph data structure, wherein the authorization rule has the following 3 features:
A1. the relationships between entity prototypes are represented with one or more graphs, on the basis of which it can be determined whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects;
A2. a graph uses entity prototypes as vertices and the relationships between entity prototypes as edges;
A3. a graph includes one or more paths, where the start of a path is the prototype of the authorization subject and the end of a path is the prototype of the authorized object;
a data access control unit, for receiving a data access request from outside the system and determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths.
The present invention provides a data access control method and device. The method comprises: constructing an entity relationship graph, which is a graph data structure that expresses entity relationships; determining an authorization rule expressed as a graph data structure, the authorization rule having the following features: the relationships between entity prototypes are represented with one or more graphs, on the basis of which it can be determined whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects; a graph uses entity prototypes as vertices and the relationships between entity prototypes as edges; a graph includes one or more paths, where the start of a path is the prototype of the authorization subject and the end of a path is the prototype of the authorized object; receiving a data access request from outside the system; and determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths. The present invention expresses authorization rules intuitively, so that an authorization rule may include complex rules such as hierarchical authorization and multi-level authorization.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a data access control method provided by one embodiment of the invention;
Fig. 2 is a schematic diagram of an authorization rule provided by one embodiment of the invention;
Fig. 3 is a schematic diagram of another authorization rule provided by one embodiment of the invention;
Fig. 4 is a schematic diagram of an entity relationship graph provided by one embodiment of the invention;
Fig. 5 is a schematic diagram of a directed acyclic graph provided by one embodiment of the invention;
Fig. 6 is a schematic diagram of a data access control device based on a directed acyclic graph provided by one embodiment of the invention;
Fig. 7 is a schematic diagram of a topological sort provided by one embodiment of the invention;
Fig. 8 is a schematic diagram of a relationship graph example provided by one embodiment of the invention;
Fig. 9 is a schematic diagram of another relationship graph example provided by one embodiment of the invention;
Fig. 10 is a schematic diagram of another topological sort provided by one embodiment of the invention;
Fig. 11 is a schematic diagram of another relationship graph example provided by one embodiment of the invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative work fall within the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the invention provides a data access control method which may comprise the following steps:
Step 101: constructing an entity relationship graph, the entity relationship graph being a graph data structure that expresses entity relationships.
Step 102: determining an authorization rule expressed as a graph data structure, wherein the authorization rule has the following 3 features:
A1. the relationships between entity prototypes are represented with one or more graphs, on the basis of which it can be determined whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects;
A2. a graph uses entity prototypes as vertices and the relationships between entity prototypes as edges;
A3. a graph includes one or more paths, where the start of a path is the prototype of the authorization subject and the end of a path is the prototype of the authorized object.
Step 103: receiving a data access request from outside the system.
Step 104: determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths.
The embodiment of the invention provides a data access control method. The method comprises: constructing an entity relationship graph, which is a graph data structure that expresses entity relationships; determining an authorization rule expressed as a graph data structure, the authorization rule having the following features: the relationships between entity prototypes are represented with one or more graphs, on the basis of which it can be determined whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects; a graph uses entity prototypes as vertices and the relationships between entity prototypes as edges; a graph includes one or more paths, where the start of a path is the prototype of the authorization subject and the end of a path is the prototype of the authorized object; receiving a data access request from outside the system; and determining the data access control result from the data access request, the entity relationship graph and the authorization rule by means of path traversal of the graphs and comparison of paths. The embodiment of the invention expresses authorization rules intuitively, so that an authorization rule may include complex rules such as hierarchical authorization and multi-level authorization.
In the embodiment of the invention, the authorization rule is expressed as a graph data structure. The authorization rule defines the operations for which permission is granted. For example, these operations may be operations on a project, such as any one or more of: checking project information, changing project information, adjusting project resources, and reporting work for a project.
Taking checking project information as an example, assume the general rule is: if a user has permission to check the project information of a project, the user also has permission to check the project information of that project's sub-projects. In addition, the authorization rule may contain the following rule 1 and rule 2:
Rule 1:
The project manager of a project can check project information;
Rule 2:
The line manager of the accounting department of a project can check project information;
The line manager of the parent organization of the accounting department of a project can check project information.
Feature A1 above states that the relationships between entity prototypes may be represented with one or more graphs.
Therefore, in one embodiment of the invention, referring to Fig. 2, when a single graph is used to represent the relationships between entity prototypes, the authorization rule corresponding to the general rule, rule 1 and rule 2 above can be as shown in Fig. 2. In Fig. 2, one graph contains multiple prototype paths.
Correspondingly, in another embodiment of the invention, referring to Fig. 3, when multiple graphs are used to represent the relationships between entity prototypes, the authorization rule corresponding to the general rule, rule 1 and rule 2 above can be as shown in Fig. 3. In Fig. 3, each graph contains one prototype path.
From Fig. 2 and Fig. 3 it can be seen that the embodiment of the invention characterizes the authorization rule as a graph data structure; the graphs used by the authorization rule take entity prototypes as vertices and entity relationships as edges; a graph includes one or more paths, where the start of a path is the prototype of the authorization subject and the end of a path is the prototype of the authorized object. Therefore, this method expresses authorization rules intuitively, so that an authorization rule may include complex rules such as hierarchical authorization and multi-level authorization.
Based on the above, in one embodiment of the invention, the authorization rule includes at least one operation and, for each operation, at least one corresponding path, and each path includes at least one directed relationship in ordered arrangement.
In detail, a directed relationship is a directed relationship between two vertices. For example, referring to Fig. 2, the authorization rule includes one operation, namely checking project information, which corresponds to 2 paths: the directed relationships included in one path are [line manager, accounting department], and the directed relationship included in the other path is [project manager]. Determining the paths that the authorization rule includes facilitates the subsequent comparison of paths and hence the determination of the data access control result.
Corresponding to the graphs of the authorization rule, the graphs used for entity relationships take entity instances as vertices and entity relationships as edges. In this way, the entity relationships are characterized as a graph data structure just like the authorization rule, so that the authorization result can be computed by path traversal of the graphs and comparison of paths.
Based on this, in one embodiment of the invention, the entity relationship graph has the following 3 features:
B1. the relationships between entity instances are represented with one or more graphs, so that, taking them as input and referring to the authorization rule, it can be determined whether an authorization subject instance is allowed to perform an operation on an authorized object instance;
B2. a graph uses entity instances as vertices and the relationships between entity instances as edges;
B3. a graph includes one or more paths, where the start of a path is an instance of the authorization subject and the end of a path is an instance of the authorized object.
In the embodiment of the invention, the constructed entity relationship graph is a graph data structure in which a vertex represents an entity, which may for example be a system user, a business entity or a business entity attribute, and an edge represents a relationship between entities. For example, employee A and organization B are two entities, and "employee A is the department head of organization B" is a relationship between the two entities.
For example, when constructing the entity relationship graph, the instance "employee A is the department head of organization B" tells us that there are two vertices in the entity relationship graph whose vertex instances (entity instances) are employee A and organization B respectively; since there is a directed relationship between employee A and organization B, there is an edge between the two vertices, the two ends of the edge are connected to the two vertices, the edge indicates that the directed relationship between the two vertices is "department head", and the direction of the edge is employee A → organization B.
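The check of steps A1 to A4, together with the path-prototype generation and the rule 1 / rule 2 authorization rule of Fig. 2, as an added Python example that is not part of the patent; the entity names, classes, relationship labels and permission scope are constructed, and the small entity relationship graph stands in for Fig. 4.

```python
from collections import defaultdict

# Relationships joining a superior and a subordinate of the same entity class; such
# hierarchical edges are omitted from a path prototype (this gives the general rule).
HIERARCHY_RELS = {"sub-project", "sub-organization"}

# Authorization rule: the prototype paths of rules 1 and 2 (Fig. 2) for one operation.
AUTH_RULES = {
    "check project information": [
        ("project manager",),
        ("line manager", "accounting department"),
    ],
}

# Constructed permission scope: classes allowed as subject, object and intermediary,
# and the relationship set kept by the degeneration step.
SCOPE = {
    "subject": {"system user"},
    "object": {"project"},
    "intermediary": {"organization", "project"},
    "relations": {"project manager", "line manager", "accounting department",
                  "sub-organization", "sub-project", "member"},
}


class EntityGraph:
    """Vertices are entity instances, edges are labelled directed relationships."""
    def __init__(self, classes):
        self.cls = dict(classes)      # vertex -> entity class
        self.out = defaultdict(list)  # vertex -> [(relationship, successor)]

    def add_edge(self, src, rel, dst):
        self.out[src].append((rel, dst))

    def prune(self, allowed_rels):
        """Degeneration step: drop edges outside the permitted set, then bare vertices."""
        for v in list(self.out):
            self.out[v] = [(r, w) for r, w in self.out[v] if r in allowed_rels]
        keep = {v for v, es in self.out.items() if es} | {w for es in self.out.values() for _, w in es}
        self.cls = {v: c for v, c in self.cls.items() if v in keep}
        self.out = defaultdict(list, {v: es for v, es in self.out.items() if v in keep})

    def instance_paths(self, start, goal, intermediaries):
        """A3: simple paths start -> goal through allowed intermediary classes only;
        each path is a list of (src, relationship, dst) edges in traversal order."""
        found, stack = [], [(start, [])]
        while stack:
            v, path = stack.pop()
            if path and v == goal:
                found.append(path)
                continue
            if path and self.cls.get(v) not in intermediaries:
                continue  # intermediate vertex of a class outside the scope
            visited = {start} | {d for _, _, d in path}
            for rel, w in self.out.get(v, ()):
                if w not in visited:
                    stack.append((w, path + [(v, rel, w)]))
        return found

    def path_prototype(self, path):
        """Keep only the ordered relationships, omitting hierarchical (same-class) edges."""
        return tuple(rel for s, rel, d in path
                     if not (rel in HIERARCHY_RELS and self.cls[s] == self.cls[d]))


def authorize(graph, subject, operation, obj, rules=AUTH_RULES, scope=SCOPE):
    """Steps A1-A4; returns (allowed, matched prototype path or None)."""
    # A1: subject and object must fall inside the configured permission scope.
    if (graph.cls.get(subject) not in scope["subject"]
            or graph.cls.get(obj) not in scope["object"]):
        return False, None
    # A2: prototype paths of the requested operation in the authorization rule.
    prototypes = rules.get(operation, [])
    if not prototypes:
        return False, None
    # A3: instance paths from subject to object in the entity relationship graph.
    instances = graph.instance_paths(subject, obj, scope["intermediary"])
    if not instances:
        return False, None
    # A4: an instance path whose prototype equals a rule prototype path authorizes.
    for path in instances:
        proto = graph.path_prototype(path)
        if proto in prototypes:
            return True, proto
    return False, None


def build_sample_graph():
    """Constructed entity relationship graph standing in for Fig. 4."""
    g = EntityGraph({"Alice": "system user", "Carol": "system user", "Dave": "system user",
                     "Finance": "organization", "Payables": "organization",
                     "Project P": "project", "Project P.1": "project"})
    g.add_edge("Alice", "project manager", "Project P")        # rule 1
    g.add_edge("Payables", "accounting department", "Project P")
    g.add_edge("Carol", "line manager", "Finance")             # rule 2, second line
    g.add_edge("Finance", "sub-organization", "Payables")      # hierarchical edge
    g.add_edge("Project P", "sub-project", "Project P.1")      # general rule
    g.add_edge("Dave", "member", "Payables")                   # matches no rule
    g.add_edge("Alice", "mentor", "Carol")                     # not a permitted relation
    g.prune(SCOPE["relations"])
    return g
```

Carol reaches Project P through the parent organization of its accounting department, so her instance path carries a sub-organization edge that the prototype drops, and the sub-project edge is dropped the same way when Alice checks Project P.1.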
It is in an embodiment of the invention, real in order to illustrate a kind of possibility for constructing entity relationship diagram based on above content Existing mode, so, the construction entity relationship diagram includes: to extract vertex and side according to extracting rule from addressable data, To construct entity relationship diagram;
Wherein, addressable data are from system authorization and the addressable business datum of system;
The extracting rule on the vertex of extraction entity relationship diagram includes: that the entity class on definition vertex includes system user, business Entity, Business Entity attribute, and entity sets are traversed, so that each of described entity sets example is respectively a top Point;
The extracting rule for extracting the side of entity relationship diagram includes: to define entity class mutual relationship and decision rule; The entity sets are traversed, combination of two determines whether to have association, the corresponding vertex of entity if two entities have association Between there are sides.
As can be seen, in the embodiment of the invention, the method for extracting the vertices of the entity relationship graph can have the following features:
1) the entity classes of vertices are defined, which can be system user, business entity or business entity attribute;
2) the entity set is traversed, each instance being one vertex.
The method for extracting the edges of the entity relationship graph can have the following features:
1) the mutual relationships between entity classes and the decision rules are defined;
2) the entity set is traversed, pairing entities two by two to decide whether they are associated;
3) if two entities are associated, there is an edge between the corresponding vertices.
In the embodiment of the invention, the information on entity relationships comes from the authorizations of the system and from the business data accessible to the system. In this way, vertices and edges can be extracted directly from the accessible data according to the extraction rules in order to construct the entity relationship graph. As can be seen, apart from the authorization relationships, which need to be specified manually, the other data used to construct the entity relationship graph need not be specified manually but are extracted from the business data according to rules, so labour cost can be greatly saved.
Based on the above method of constructing the entity relationship graph, an entity relationship graph with a graph as its data structure can be constructed. Fig. 4 shows one entity relationship graph constructed in this way. The entity relationship graph of Fig. 4 includes several vertices and several directed edges, and both ends of any edge are connected to two vertices.
In an embodiment of the invention, the structural features of the entity relationship graph include:
vertices include system users, business entities and business entity attributes;
edges include business relationships and authorization relationships;
wherein the business relationships include: association relationships between business entities, master-slave relationships between a business entity and a business entity attribute, and hierarchical relationships inside a set of business entities;
the authorization relationships include: the authorization relationships assigned by the system between system users and other entities.
For example, referring to the entity relationship graph of Fig. 4, the entity class of a vertex can be system user or business entity. The vertex whose instance is system user U1 belongs to the entity class system user, whereas the vertices whose instances are employee E1, organization O1 and project P1 belong to the entity class business entity.
In the entity relationship graph of Fig. 4, the entity class of an edge can be business relationship or authorization relationship. For example, for the edge between the vertex whose instance is system user U1 and the vertex whose instance is employee E1, the directed relationship indicated by the edge is system authorization, which belongs to the entity class authorization relationship; the edges whose indicated directed relationships are organizational member, line manager, parent organization, accounting department and so on belong to the entity class business relationship. Among these, for example, the directed relationship line manager corresponds to an association relationship between business entities, and the directed relationship parent organization corresponds to a hierarchical relationship inside a set of business entities.
In other embodiments of the invention, the entity class of a vertex can likewise be business entity attribute, and correspondingly there can be edges whose entity class is the master-slave relationship between a business entity and a business entity attribute.
In the embodiment of the invention, instance paths take business data as their primary information source, supplemented by the authorization relationships assigned by the system, and are therefore independent of the authorization rules. When an authorization rule changes, the instance paths need not change. The system creates an index for the instance paths and can thus serve high-performance batch data access requests from outside. When business data change, the system updates the index, achieving near-real-time batch control. For a single request, path traversal can still be used to provide real-time control.
In detail, to simplify the subsequent path traversal and avoid excessive irrelevant traversal work, the entity relationship graph can be degenerated into a directed acyclic graph under the constraint of the extent of competence.
Referring to Fig. 4, the entity relationship graph of Fig. 4 has no ring, but other relationship graphs may have rings. For relationship graphs with and without rings, the extent of competence set when degenerating the entity relationship graph into a directed acyclic graph may differ slightly. Below, one possible way of degenerating the relationship graph to obtain a directed acyclic graph is explained for an entity relationship graph without rings.
In an embodiment of the invention, before the constructing of the entity relationship graph, the method further includes: determining a set extent of competence, wherein the extent of competence includes: the entity prototypes permitted to serve as authorization subjects, the entity prototypes permitted to serve as authorized objects, and the set of entity relationships permitted to serve as authorization relationships;
after the constructing of the entity relationship graph, the method further includes: according to the extent of competence, degenerating the entity relationship graph into a directed acyclic graph by removing every unrelated edge and every unrelated vertex of the entity relationship graph, wherein an unrelated edge is any edge whose indicated directed relationship is not present in the entity relationship set, and an unrelated vertex is any vertex not connected to any edge;
and the determining of the data access control result according to the data access request, the entity relationship graph and the authorization rule, using path traversal and path comparison of the graph, includes: determining the data access control result according to the data access request, the directed acyclic graph and the authorization rule, using path traversal and path comparison of the graph.
Since the entity relationship graph of Fig. 4 has no ring, no prescribed topological sorting need be provided in the extent of competence.
In the embodiment of the invention, after the entity relationship graph has been degenerated into a directed acyclic graph on the basis of the set of directed relationships in the extent of competence, the paths obtained by the subsequent traversal need to be compared with the authorization rules in order to produce the data access control result. Therefore every directed relationship involved in the authorization rules should normally be retained from the entity relationship graph in the directed acyclic graph. As can be seen, the permitted set of directed relationships can be the set of all related edges.
Assume that the permitted set of directed relationships includes system authorization, line manager, parent organization, accounting department, project manager and parent project, and does not include organizational member, immediate superior and project member; then, on the basis of this set, the relationship graph of Fig. 4 can be degenerated into the directed acyclic graph of Fig. 5.
As can be seen, specifically, in the embodiment of the invention the directed acyclic graph can be obtained by exclusion: the vertices of the relatively unrelated edges in the entity relationship graph are excluded, which helps to simplify the subsequent path traversal.
On the basis of the above implementation, for a relationship graph with a ring, to prevent the graph from still having a ring after the unrelated edges and unrelated vertices have been eliminated, in which case no directed acyclic graph could be obtained, a prescribed topological sorting can be set. That is, for an entity relationship graph with a ring, when degenerating it into a directed acyclic graph, the extent of competence may also include a prescribed topological sorting in addition to the permitted set of directed relationships. In this way, when the direction of the relationship indicated by an edge does not conform to the topological sorting, that edge is removed. As can be seen, the purpose of setting this topological sorting is to remove further unrelated vertices and unrelated edges so as to achieve acyclicity. Naturally, this topological sorting can be set on demand by staff.
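The degeneration step described above (removing unrelated edges, then edges that run against a prescribed topological sorting, then unrelated vertices), as an added illustration that is not the patent's own code. Fig. 4 is not reproduced in the text, so the edge list below is constructed from the relationship names the text lists as permitted and excluded; the extra vertex E2 and the class-level topological order are assumptions.

```python
"""Degenerating an entity relationship graph into a directed acyclic graph
under an extent of competence. Added illustration; not the patent's own code.
The edge list is constructed; it uses the relationship names the text lists
as permitted and as excluded."""
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (source vertex, directed relationship, target vertex)

# Vertex instance -> entity class (constructed sample; E2 is an extra employee).
VERTEX_CLASS: Dict[str, str] = {
    "U1": "system user", "E1": "employee", "E2": "employee",
    "O1": "organization", "O2": "organization", "P1": "project",
}
FIG4_EDGES: List[Edge] = [
    ("U1", "system authorization", "E1"),
    ("E1", "line manager", "O1"),
    ("O1", "organizational member", "E1"),  # excluded by the extent of competence
    ("E1", "immediate superior", "E2"),     # excluded; E2 then has no edge left
    ("O1", "parent organization", "O2"),
    ("O2", "accounting department", "P1"),
    ("E1", "project manager", "P1"),
    ("P1", "project member", "E1"),         # excluded; with project manager it forms a ring
]
# The permitted set of directed relationships named in the text.
PERMITTED = {"system authorization", "line manager", "parent organization",
             "accounting department", "project manager", "parent project"}


def degenerate(edges: List[Edge], permitted: Set[str],
               topo_order: Optional[List[str]] = None) -> Tuple[Set[str], List[Edge]]:
    """Remove every unrelated edge (relationship not in the permitted set); then,
    when a prescribed topological sorting of entity classes is given, every edge
    whose direction runs backwards in that order; finally remove every unrelated
    vertex, i.e. one no longer connected to any edge. Edges between two vertices
    of the same class (hierarchy) are kept under a class-level order (assumption)."""
    rank = {cls: i for i, cls in enumerate(topo_order)} if topo_order else None
    kept: List[Edge] = []
    for src, rel, dst in edges:
        if rel not in permitted:
            continue
        if rank is not None and rank[VERTEX_CLASS[src]] > rank[VERTEX_CLASS[dst]]:
            continue
        kept.append((src, rel, dst))
    vertices = {v for e in kept for v in (e[0], e[2])}
    return vertices, kept


def is_acyclic(vertices: Set[str], edges: List[Edge]) -> bool:
    """Kahn's algorithm: the graph is acyclic iff every vertex can be peeled off
    in in-degree order."""
    indegree = {v: 0 for v in vertices}
    for _, _, dst in edges:
        indegree[dst] += 1
    ready = [v for v in vertices if indegree[v] == 0]
    removed = 0
    while ready:
        v = ready.pop()
        removed += 1
        for src, _, dst in edges:
            if src == v:
                indegree[dst] -= 1
                if indegree[dst] == 0:
                    ready.append(dst)
    return removed == len(vertices)


def dag_without_topological_sorting() -> Tuple[Set[str], List[Edge]]:
    """The Fig. 4 -> Fig. 5 step: the permitted set alone already yields a DAG."""
    return degenerate(FIG4_EDGES, PERMITTED)


def dag_with_topological_sorting() -> Tuple[Set[str], List[Edge]]:
    """If project member were also permitted, the ring P1 -> E1 -> P1 would survive;
    the prescribed order system user < employee < organization < project removes
    the backward edge P1 -> E1 and restores acyclicity."""
    return degenerate(FIG4_EDGES, PERMITTED | {"project member"},
                      ["system user", "employee", "organization", "project"])
```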
In conclusion by degenerating entity relationship diagram for directed acyclic graph, and then number is controlled based on directed acyclic graph According to access request, therefore it can realize efficient data access control.
In an embodiment of the invention, implementation is controlled in order to illustrate a kind of possible data access, so, it is described According to the data access request, the entity relationship diagram and the authorization rule, the traversal path of figure and the ratio in path are utilized It is right, determine data access control result, comprising:
A1: judging whether user, resource and the operation of the data access request meet preset extent of competence, if so, The figure of the authorization rule of authorized main body prototype, authorized object prototype and expression operation, and execute A2;
A2: it according to the data access request, traverses in the figure of the authorization rule of the expression operation with authorisation body original Type is starting point, using authorized object prototype as the path of terminal, using as Prototype trail, if the quantity of the Prototype trail is greater than 0, execute A3;
A3: it according to the data access request, traverses in the entity relationship diagram using authorisation body as starting point, to authorize visitor Body is the path of terminal, if the quantity in the example path is greater than 0, to execute A4 as example path;
A4: the example path is compared with the Prototype trail;
If existing simultaneously at least one example path and at least one Prototype trail, example path can match prototype road Diameter then determines that authorization is set up;
It is mutually matched if there is no any one example path with any one Prototype trail, then determines to authorize invalid.
In detail, when carrying out data access control, in A1, it is necessary first to determine data access request in defined permission model In enclosing, follow-up processing flow is just executed.
It compares, can be obtained accordingly based on authorization rule in A2 for convenience of the authorization between authorization rule and entity relationship diagram Prototype trail, and entity relationship diagram can be based in A3 to obtain respective instance path, so as to be based on original in A4 Comparison between type path and example path, to determine data access control result.
If data access request meets extent of competence, execution route traversing operation is to traverse to obtain the data access request The feasible each Prototype trail of institute and each example path.Certainly, through path traversing operation, it is also possible to not obtain any feasible Path, therefore the number of paths that above-mentioned traversal obtains can be 0,1,2,3, etc..
In detail, for each example path traversed out, its path prototype can be generated respectively.The path prototype of generation It is mainly used for comparing with the Prototype trail in authorization rule.For example, when the path prototype generated is present in authorization rule When, illustrate that user can carry out data access by the corresponding path of the path prototype, conversely, being then not available for corresponding data visit It asks.
Under normal conditions, data access request generally involves which kind of operation is main object execute, in this way, request of data Access request may include main body, object, some or all of in operation.Data access request is different, generates data access control The process of result processed is accordingly different.In the following, being divided by following manner 1 to mode 3 for different data access requests It Xian Ding not explanation.
Mode 1: the data access request includes a subject, an object and an operation, i.e. it is necessary to determine whether the subject can perform the operation on the object;
Mode 2: the data access request includes a subject and an object, i.e. it is necessary to determine whether the subject can perform operations on the object, and which operations;
Mode 3: the data access request includes a subject and an operation, i.e. it is necessary to determine on which objects the subject can perform the operation.
Mode 1:
In an embodiment of the invention, the data access request includes: a first authorization subject, a first authorized object and a first operation;
the extent of competence includes: the entity class of authorization subjects, the entity class of authorized objects and the entity classes of permitted authorization intermediaries;
A1 includes: judging whether the first authorization subject belongs to the entity class of authorization subjects and whether the first authorized object belongs to the entity class of authorized objects; if both do, executing A2;
A3 includes: traversing the entity relationship graph to obtain a first number of first paths, the number of first paths traversed out being the first number, each first path involving a second number of intermediate vertices, the number of intermediate vertices involved in the first path being the second number, the first number and the second number being positive integers, the vertex instance of the initial vertex of a first path being the first authorization subject, the vertex instance of the terminal vertex of a first path being the first authorized object, and, when the second number is not 0, the vertex instance of any intermediate vertex involved in the first path belonging to the entity classes of authorization intermediaries; when the first number is not 0, generating the path prototype of each path obtained by the traversal, to serve as an instance path;
A4 includes: comparing each instance path input with each prototype path corresponding to the first operation; if a comparison succeeds, generating a data access control result allowing the data access request, and ending; if no instance path can be compared successfully with a prototype path, generating a data access control result refusing the data access request.
In the embodiment of the invention, in A3 each instance path can be obtained by traversing the entity relationship graph. Of course, when a directed acyclic graph has been degenerated out of the entity relationship graph, it is preferable to obtain each instance path by traversing the directed acyclic graph.
For example, referring to Fig. 5, take a project working-hours management system as an example. The system includes three business entities: employee, organization and project.
For employee, the data come from the business data of the human-resources system, and its attributes include the organization it belongs to, its immediate supervisor and so on; for organization, the data come from the business data of the human-resources system, and its attributes include parent organization, organization head and so on; for project, the data come from the business data of the operations system, and its attributes include organizational associations such as the project's accounting department, sales organization and delivery organization, and employee associations such as the person in charge of the project, the business owner and the project manager.
The operations on a project include: checking project information; changing project information; adjusting project resources; reporting work for the project.
The extent of competence includes: the entity class of authorization subjects is system user, the entity class of authorized objects is project, and the entity classes of permitted authorization intermediaries include employee and organization.
The prototype paths in the authorization rules are shown in the left-hand part of Table 1 below.
Table 1
Assume that the externally input data access request includes: authorization subject U1, authorized object P1, operation check project information.
First, in A1 it is judged that U1 belongs to the authorization subject entity class "system user" and that P1 belongs to the authorized object entity class "project", so A2 is executed.
In A2, the number of prototype paths for the operation check project information is 2, so A3 can be executed.
In A3, each feasible path from U1 to P1 is traversed according to the directed acyclic graph. The following two paths can be traversed out:
Path 1: system user U1 - system authorization - employee E1 - line manager - organization O1 - parent organization - organization O2 - accounting department - project P1;
Path 2: system user U1 - system authorization - employee E1 - project manager - project P1.
As can be seen, path 1 involves the three intermediate vertices employee E1, organization O1 and organization O2, and the vertex instances of these three intermediate vertices belong to the permitted authorization intermediary entity classes. Path 2 involves the intermediate vertex employee E1, and the vertex instance of this intermediate vertex belongs to the permitted authorization intermediary entity classes.
Assume that in another embodiment of the invention the permitted authorization intermediary entity classes include only employee and not organization; then traversing path 1 above fails, and the only path traversed out is path 2.
Since 2 paths are traversed out, i.e. the number of paths is not 0, in A3 the path prototypes of path 1 and path 2 can further be generated, i.e. the instance paths.
As shown in the right-hand part of Table 1, assume the two generated path prototypes are:
path prototype 1 of path 1: [line manager, accounting department]
path prototype 2 of path 2: [project manager].
In A4, path prototype 1 and path prototype 2 are each compared with the prototype paths corresponding to the operation check project information in the authorization rules, which gives the data access control result. From Table 1, the generated data access control result can be: allow the data access request, i.e. allow U1 to check the project information of P1.
Mode 2:
In an embodiment of the invention, the data access request includes: a second authorization subject and a second authorized object;
the extent of competence includes: the entity class of authorization subjects, the entity class of authorized objects and the entity classes of permitted authorization intermediaries;
A1 includes: judging whether the second authorization subject belongs to the entity class of authorization subjects and whether the second authorized object belongs to the entity class of authorized objects; if both do, executing A2;
A2 includes: traversing the entity relationship graph to obtain a third number of second paths, the number of second paths traversed out being the third number, each second path involving a fourth number of intermediate vertices, the number of intermediate vertices involved in the second path being the fourth number, the third number and the fourth number being positive integers, the vertex instance of the initial vertex of a second path being the second authorization subject, the vertex instance of the terminal vertex of a second path being the second authorized object, and, when the fourth number is not 0, the vertex instance of any intermediate vertex involved in the second path belonging to the entity classes of authorization intermediaries; when the third number is not 0, generating the path prototype of each path obtained by the traversal, to serve as an instance path;
A4 includes: comparing each instance path input with each prototype path corresponding to each operation in the authorization rules; if, for an operation, there is a prototype path that compares successfully with an input instance path, generating a data access control result allowing the second authorization subject to perform that operation on the second authorized object.
Based on the illustration in mode 1, assume that in the embodiment of the invention the externally input data access request changes from "authorization subject U1, authorized object P1, operation check project information" to "authorization subject U1, authorized object P1"; then, by the same realization principle, through A1 to A4 above the generated data access control results can be:
Request [U1, P1, check project information]: allow
Request [U1, P1, change project information]: allow
Request [U1, P1, adjust project resources]: allow
Request [U1, P1, report work for project]: refuse.
Mode 3:
In an embodiment of the invention, the data access request includes: a third authorization subject and a second operation;
the extent of competence includes: the entity class of authorization subjects, the entity class of authorized objects and the entity classes of permitted authorization intermediaries;
A1 includes: judging whether the third authorization subject belongs to the entity class of authorization subjects; if so, executing A2;
A3 includes: determining each target vertex in the entity relationship graph, the vertex instance of a target vertex belonging to the entity class of authorized objects; and performing, for each target vertex: traversing the entity relationship graph to obtain a fifth number of third paths, the number of third paths traversed out being the fifth number, each third path involving a sixth number of intermediate vertices, the number of intermediate vertices involved in the third path being the sixth number, the fifth number and the sixth number being positive integers, the vertex instance of the initial vertex of a third path being the third authorization subject, the vertex instance of the terminal vertex of a third path being the vertex instance of the current target vertex, and, when the sixth number is not 0, the vertex instance of any intermediate vertex involved in the third path belonging to the entity classes of authorization intermediaries; when the fifth number is not 0, generating the path prototype of each path obtained by the traversal, to serve as an instance path;
A4 includes: comparing each instance path input with each prototype path corresponding to the second operation; if, for the second operation, there is a prototype path that compares successfully with an input instance path, generating a data access control result allowing the third authorization subject to perform the second operation on the target authorized object, wherein the target authorized object is the vertex instance of the current target vertex.
Based on the illustration in mode 1, assume that in the embodiment of the invention the externally input data access request changes from "authorization subject U1, authorized object P1, operation check project information" to "authorization subject U1, operation check project information".
By the same realization principle, assume that in A3, besides path 1 and path 2 above, the following path 3 and path 4 are also traversed out.
Path 3: system user U1 - system authorization - employee E1 - line manager - organization O1 - parent organization - organization O2 - accounting department - project P1 - parent project - project P2;
Path 4: system user U1 - system authorization - employee E1 - project manager - project P1 - parent project - project P2.
Assume that in A3, besides path prototype 1 and path prototype 2 above, the following path prototype 3 and path prototype 4 are also generated.
path prototype 3 of path 3: [line manager, accounting department]
path prototype 4 of path 4: [project manager].
In this way, in A4 the generated data access control results can be:
Request [U1, P1, check project information]: allow
Request [U1, P2, check project information]: allow.
Of course, besides modes 1 to 3 above, other embodiments of the invention may have other data access requests; for example, a data access request including an object and an operation, i.e. one needing to determine whether the operation can be performed on the object and which subjects can perform the operation on the object. Since the realization principle is similar to that of modes 1 to 3 above, it is not described in detail here.
Based on any of the embodiments described in modes 1 to 3 above, in an embodiment of the invention the generating of the path prototype of each path obtained by the traversal includes:
for each path obtained by the traversal, performing: omitting each vertex of the current path to obtain an ordered sequence of directed relationships, wherein the current path is formed by arranging in order the vertex instance of each vertex on the current path and the directed relationship indicated by each edge on the current path, the order followed being consistent with the direction of the current path;
omitting each hierarchical directed relationship in the ordered sequence of directed relationships, to generate the path prototype of the current path, wherein, when the vertex instances of two vertices are in a superior-subordinate relationship and belong to the same instance class, the directed relationship between the two vertices is a hierarchical directed relationship.
In detail, since the prototype path corresponding to each operation in the authorization rules is an ordered arrangement of several directed relationships, to facilitate the comparison judgement a corresponding instance path can be generated for each path traversed out. In this way, the comparison judgement between prototype paths and instance paths can be carried out, and the judgement operation is more direct and clear.
Based on this, in an embodiment of the invention, the entity class of authorization subjects is system user;
the entity classes of the directed relationships indicated by edges in the entity relationship graph include: the authorization relationship, assigned by the system, between a system user and a business entity;
before the generating of the path prototype of the current path, the method further includes: omitting, from the ordered sequence of directed relationships, the authorization relationship assigned by the system between the system user and a business entity.
Referring to paths 1 to 4 above, the paths contain vertex instances, so these vertex instances can first be eliminated in order to produce the ordered sequence of directed relationships.
For example, after eliminating the vertex instances, path 1 becomes: [system authorization, line manager, parent organization, accounting department];
path 2 becomes: [system authorization, project manager].
Then the hierarchical directed relationships can further be eliminated, to obtain:
for path 1: [system authorization, line manager, accounting department];
for path 2: [system authorization, project manager].
Furthermore, the authorization relationship can be eliminated, to obtain:
path prototype 1 of path 1: [line manager, accounting department]
path prototype 2 of path 2: [project manager].
Of course, not every embodiment has an authorization relationship assigned by the system between each system user and the corresponding business entity, nor does every embodiment take system user as the entity class of authorization subjects in the extent of competence, so the paths obtained by the traversal need not involve the authorization relationship between a system user and a business entity. Therefore, when the entity class of authorization subjects in the extent of competence is not system user, the step of omitting from the ordered sequence of directed relationships the authorization relationship assigned by the system between the system user and a business entity may be absent from the generation of the path prototype, and the path prototype can still be obtained.
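Modes 1 to 3 (steps A1 to A4) and the path prototype generation just described, as an added illustration that is not the patent's own code. The vertices and edges reproduce the part of the Fig. 5 directed acyclic graph that paths 1 to 4 reveal; the rule rows for operations other than check project information and the acceptance of object-class vertices as intermediates (needed to reach P2 via P1) are assumptions.

```python
"""Modes 1 to 3 of the data access control flow (A1 to A4) together with path
prototype generation. Added illustration; not the patent's own code. The graph
is constructed from the paths quoted in the text for the Fig. 5 example."""
from typing import Dict, List, Set, Tuple

# Vertex instance -> entity class (constructed from the Fig. 5 example).
VERTEX_CLASS: Dict[str, str] = {
    "U1": "system user", "E1": "employee",
    "O1": "organization", "O2": "organization",
    "P1": "project", "P2": "project",
}
# Directed edges (source, directed relationship, target) of the degenerated graph.
EDGES: List[Tuple[str, str, str]] = [
    ("U1", "system authorization", "E1"),
    ("E1", "line manager", "O1"),
    ("O1", "parent organization", "O2"),
    ("O2", "accounting department", "P1"),
    ("E1", "project manager", "P1"),
    ("P1", "parent project", "P2"),
]
# Extent of competence of the project working-hours example.
SUBJECT_CLASS = "system user"
OBJECT_CLASS = "project"
INTERMEDIARY_CLASSES = {"employee", "organization"}
AUTHORIZATION_RELATIONS = {"system authorization"}
# Prototype paths per operation (left part of Table 1). Only the row for
# "check project information" is given in the text; the other rows are assumed.
RULES: Dict[str, List[Tuple[str, ...]]] = {
    "check project information": [("line manager", "accounting department"),
                                  ("project manager",)],
    "change project information": [("project manager",)],  # assumed
    "adjust project resources": [("project manager",)],    # assumed
    "report work for project": [("project member",)],      # assumed; no such edge survives
}


def traverse(start: str, end: str) -> List[List[str]]:
    """A3: enumerate every start -> end path as [vertex, relationship, vertex, ...].
    Intermediate vertices must belong to a permitted intermediary class; vertices
    of the object class are also accepted so that hierarchical edges such as
    P1 -> P2 can be followed (assumption that reproduces paths 3 and 4)."""
    out_edges: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in EDGES:
        out_edges.setdefault(src, []).append((rel, dst))
    found: List[List[str]] = []

    def dfs(vertex: str, path: List[str], seen: Set[str]) -> None:
        if vertex == end:
            found.append(path)
            return
        for rel, nxt in out_edges.get(vertex, []):
            cls = VERTEX_CLASS[nxt]
            if nxt in seen:  # the DAG has no rings; this guards general graphs
                continue
            if nxt != end and cls not in INTERMEDIARY_CLASSES and cls != OBJECT_CLASS:
                continue  # traversal of this branch fails
            dfs(nxt, path + [rel, nxt], seen | {nxt})

    dfs(start, [start], {start})
    return found


def path_prototype(path: List[str]) -> Tuple[str, ...]:
    """Omit the vertices, then every hierarchical relationship (both endpoints of
    the same class, e.g. parent organization, parent project), then the
    system-assigned authorization relationship when the subject is a system user."""
    kept: List[str] = []
    for i in range(1, len(path), 2):
        src, rel, dst = path[i - 1], path[i], path[i + 1]
        if VERTEX_CLASS[src] == VERTEX_CLASS[dst]:
            continue  # hierarchical directed relationship
        if VERTEX_CLASS[path[0]] == SUBJECT_CLASS and rel in AUTHORIZATION_RELATIONS:
            continue  # authorization relationship between system user and business entity
        kept.append(rel)
    return tuple(kept)


def in_scope(subject: str, obj: str) -> bool:
    """A1: the request must lie within the extent of competence."""
    return (VERTEX_CLASS.get(subject) == SUBJECT_CLASS
            and VERTEX_CLASS.get(obj) == OBJECT_CLASS)


def decide(subject: str, obj: str, operation: str) -> bool:
    """Mode 1: subject, object and operation are all given."""
    prototypes = RULES.get(operation, [])
    if not in_scope(subject, obj) or not prototypes:  # A1, A2
        return False
    instance_paths = {path_prototype(p) for p in traverse(subject, obj)}  # A3
    return any(ip in prototypes for ip in instance_paths)  # A4


def allowed_operations(subject: str, obj: str) -> Dict[str, bool]:
    """Mode 2: which operations may the subject perform on the object?"""
    return {op: decide(subject, obj, op) for op in RULES}


def accessible_objects(subject: str, operation: str) -> Set[str]:
    """Mode 3: on which objects may the subject perform the operation?"""
    return {v for v, cls in VERTEX_CLASS.items()
            if cls == OBJECT_CLASS and decide(subject, v, operation)}
```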
In conclusion the embodiment of the present invention can figure be data structure characterization authorization rule, equally to scheme as data knot Structure characterizes entity relationship, to utilize the traversal path of figure and the contrast conting Authorization result in path.Used in authorization rule Figure is using physical prototypes as vertex, using entity relationship as side;Figure used in entity relationship is closed using entity instance as vertex with entity System is side.The information of entity relationship may be from system authorization and the addressable business datum of system, and in extent of competence Entity relationship diagram is degenerated for directed acyclic graph under constraint.When receiving the data access request outside system, system is according to data User, resource and operation triplet sets, the judgement knot as authorization is calculated in access request, authorization rule and entity relationship Fruit.Therefore, the embodiment of the present invention at least may exist following contribution: first, intuitive expression authorization rule is realized, to permit Perhaps authorization rule includes the complex rules such as level authorization, multi-stage authentication;Second, it is based on directed acyclic graph, realizes efficient number According to access control;Third allows flexible data access request type.
As shown in fig. 6, the embodiment of the invention provides a kind of numbers for executing any of the above-described data access control method According to access control apparatus, may include:
Entity relationship diagram structural unit 601, for constructing entity relationship diagram, the entity relationship diagram is to scheme as data structure To express entity relationship;
Authorization rule determination unit 602, for determining to scheme the authorization rule expressed for data structure, wherein institute Authorization rule is stated with following 3 features:
A1. the relationship between physical prototypes is indicated with one or more figures, allow to determine whether to allow on the basis of this A kind of authorisation body carries out an operation to a kind of authorized object;
A2. figure is using physical prototypes as vertex, using the relationship between physical prototypes as side;
A3. figure includes one or more paths, and path starting point is the prototype of authorisation body, and path termination is authorized object Prototype;
Data access control unit 603, for the data access request outside reception system;It is asked according to the data access It asks, the entity relationship diagram and the authorization rule, utilizes the traversal path of figure and the comparison in path, determine data access control As a result.
The contents such as the information exchange between each unit, implementation procedure in above-mentioned apparatus, due to implementing with the method for the present invention Example is based on same design, and for details, please refer to the description in the embodiment of the method for the present invention, and details are not described herein again.
Based on the above, in one embodiment of the present invention, referring to Fig. 7, Fig. 8 and Fig. 9, access control can also be implemented using roles and attributes. For example, the permission requirements are:
1) the system allows the Program Executive of the technology department to view the project information of all product projects;
2) the system allows the Program Executive of the operations department to view the project information of all customer projects.
To this end, the entity type "project category" and the role "Program Executive" can be added to the permission scope. Assume the topological ordering is as shown in Fig. 7; with the entity type project category and the role Program Executive taken into account, a data access request is authorized when it matches the paths corresponding to the two relationship graph instances shown in Fig. 8 and Fig. 9.
For example, based on the path corresponding to the relationship graph instance in Fig. 8, the system allows the Program Executive of the technology department to view the project information of all product projects; based on the path corresponding to the relationship graph instance in Fig. 9, the system allows the Program Executive of the operations department to view the project information of all customer projects.
In one embodiment of the present invention, referring to Fig. 10 and Fig. 11, cross-domain authorization can also be performed. For example, the business scenario and permission requirements are as follows:
Business entity: business opportunities come from the CRM (Customer Relationship Management) system.
Sales staff create business opportunities in the CRM system, the business system creates customer projects from the business opportunities, and the sales staff can view the information of the projects associated with their opportunities.
The CRM system and the business system are thus systems in two different domains.
As an example, assume the topological ordering is as shown in Fig. 10. With cross-domain authorization taken into account, a data access request is authorized when it matches the path corresponding to the relationship graph instance shown in Fig. 11.
For example, based on the path corresponding to the relationship graph instance in Fig. 11, the creator of business opportunity O1, i.e. person P1, is allowed to view project P1, whose information source is business opportunity O1.
In addition, when several of the above scenarios must be satisfied at the same time, multiple permission scopes can be established simultaneously, and the logical relationship between the permission scopes, intersection or union, decides the final authorization result of the system.
In conclusion the embodiment of the present invention have it is at least following the utility model has the advantages that
1, it in the embodiment of the present invention, constructs to scheme to express the entity relationship diagram of entity relationship for data structure;Determine with Figure is the authorization rule that data structure is expressed, and authorization rule has the feature that former with one or more figure presentation-entity Relationship between type allows on the basis of this determine whether that a kind of authorisation body is allowed to carry out a behaviour to a kind of authorized object Make;Figure is using physical prototypes as vertex, using the relationship between physical prototypes as side;Figure includes one or more paths, path starting point For the prototype of authorisation body, path termination is the prototype of authorized object;Data access request outside reception system;It is visited according to data It asks request, entity relationship diagram and authorization rule, using the traversal path of figure and the comparison in path, determines data access control knot Fruit.The embodiment of the present invention realizes intuitive expression authorization rule, so that authorization rule be allowed to include level authorization, multi-stage authentication Equal complex rules.
2, in the embodiment of the present invention, vertex and side directly can be extracted according to extracting rule from addressable data, with Construct entity relationship diagram.As it can be seen that other data for constructing entity relationship diagram are not necessarily to other than authorization relationship needs are manually specified It is manually specified, but according to rule extraction from business datum, therefore human cost can be greatlyd save.
3, in the embodiment of the present invention, example path assists awarding with system assignments using business datum as primary information resource Power relationship, therefore independently of authorization rule.When authorization rule changes, example path is had no need to change.System is example Path creation index, can externally provide high performance batch data access request.When business datum changes, system is more New index, to reach batch control quasi real time.For single request, the method that still can take traversal path is provided Control in real time.
4, it in the embodiment of the present invention, based on exclusive method to obtain directed acyclic graph, specifically, can exclude in relational graph The vertex on those relatively unrelated sides, to be beneficial to simplify subsequent traversal path operation.
5, in the embodiment of the present invention, since the corresponding Prototype trail of operation each in authorization rule is the several of ordered arrangement Oriented relationship can be for each coordinates measurement respective instance path traversed out for convenience of comparison judgement.In this way, original can be carried out Comparison judgement between type path and example path judges that operation is more direct, clear.
6, in the embodiment of the present invention, can figure be data structure characterization authorization rule, equally to scheme as data structure table Entity relationship is levied, to utilize the traversal path of figure and the contrast conting Authorization result in path.Figure used in authorization rule with Physical prototypes are vertex, using entity relationship as side;Figure used in entity relationship is using entity instance as vertex, with entity relationship Side.The information of entity relationship may be from system authorization and the addressable business datum of system, and in the constraint of extent of competence It is lower that entity relationship diagram is degenerated for directed acyclic graph.When receiving the data access request outside system, system is according to data access User, resource and operation triplet sets, the judgement result as authorization is calculated in request, authorization rule and entity relationship. Therefore, the embodiment of the present invention at least may exist following contribution: first, intuitive expression authorization rule is realized, to allow Authorization rule includes the complex rules such as level authorization, multi-stage authentication;Second, it is based on directed acyclic graph, realizes efficient data Access control;Third allows flexible data access request type.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; and the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that the above are merely preferred embodiments of the present invention, intended only to illustrate its technical solution and not to limit its scope. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention is included within the scope of protection of the present invention.

Claims (10)

1. A data access control method, characterized in that it comprises:
constructing an entity relationship graph, the entity relationship graph expressing entity relationships with a graph as the data structure;
determining authorization rules expressed with a graph as the data structure, wherein the authorization rules have the following three features:
A1. the relationships between entity prototypes are represented by one or more graphs, on the basis of which it can be decided whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects;
A2. a graph takes entity prototypes as vertices and the relationships between entity prototypes as edges;
A3. a graph includes one or more paths, where the start of a path is the prototype of an authorization subject and the end of a path is the prototype of an authorized object;
and further comprises:
receiving a data access request from outside the system;
determining the data access control result according to the data access request, the entity relationship graph and the authorization rules, by traversing paths in the graphs and comparing the paths.
2. The method according to claim 1, characterized in that
the entity relationship graph has the following three features:
B1. the relationships between entity instances are represented by one or more graphs, so that, taking these as input and referring to the authorization rules, it can be decided whether an authorization subject instance is allowed to perform an operation on an authorized object instance;
B2. a graph takes entity instances as vertices and the relationships between entity instances as edges;
B3. a graph includes one or more paths, where the start of a path is an instance of an authorization subject and the end of a path is an instance of an authorized object.
3. The method according to claim 1, characterized in that
determining the data access control result according to the data access request, the entity relationship graph and the authorization rules by traversing paths in the graphs and comparing the paths comprises:
A1: judging whether the user, resource and operation of the data access request fall within a preset permission scope; if so, obtaining the authorization subject prototype, the authorized object prototype and the graph of the authorization rules expressing the operation, and executing A2;
A2: according to the data access request, traversing, in the graph of the authorization rules expressing the operation, the paths that start at the authorization subject prototype and end at the authorized object prototype, as prototype paths; if the number of prototype paths is greater than 0, executing A3;
A3: according to the data access request, traversing, in the entity relationship graph, the paths that start at the authorization subject and end at the authorized object, as instance paths; if the number of instance paths is greater than 0, executing A4;
A4: comparing the instance paths with the prototype paths;
if there exist at least one instance path and at least one prototype path such that the instance path matches the prototype path, determining that the authorization holds;
if no instance path matches any prototype path, determining that the authorization does not hold.
4. The method according to claim 1, characterized in that
the authorization rules comprise at least one operation and, for each operation, at least one corresponding path, each path comprising at least one directed relationship in ordered arrangement.
5. The method according to claim 2, characterized in that
the structural features of the entity relationship graph comprise:
the vertices comprise system users, business entities and business entity attributes;
the edges comprise business relationships and authorization relationships;
wherein the business relationships comprise association relationships between business entities, master-slave relationships between business entities and business entity attributes, and hierarchical relationships within a set of business entities;
the authorization relationships comprise the authorization relationships, assigned by the system, between system users and other entities.
6. The method according to claim 2, characterized in that
constructing the entity relationship graph comprises: extracting vertices and edges from accessible data according to extraction rules, to construct the entity relationship graph;
wherein the accessible data comes from system authorizations and from the business data accessible to the system;
the extraction rule for extracting the vertices of the entity relationship graph comprises: defining the entity classes of vertices to include system users, business entities and business entity attributes, and traversing the entity set so that each instance in the entity set is a vertex;
the extraction rule for extracting the edges of the entity relationship graph comprises: defining the mutual relationships between entity classes and the decision rules; traversing the entity set, pairing the entities two by two and deciding whether they are associated, and if two entities are associated, an edge exists between the vertices corresponding to those entities.
7. The method according to claim 2, characterized in that
before constructing the entity relationship graph, the method further comprises: determining a set permission scope, wherein the permission scope comprises the entity prototypes that serve as authorization subjects, the entity prototypes that serve as authorized objects, and the set of entity relationships allowed to serve as authorization relationships;
after constructing the entity relationship graph, the method further comprises: according to the permission scope, degenerating the entity relationship graph into a directed acyclic graph by removing every irrelevant edge and every irrelevant vertex from the entity relationship graph, wherein the directed relationship indicated by any irrelevant edge is not present in the set of entity relationships, and any irrelevant vertex is not connected to any edge;
determining the data access control result according to the data access request, the entity relationship graph and the authorization rules by traversing paths in the graphs and comparing the paths comprises: determining the data access control result according to the data access request, the directed acyclic graph and the authorization rules, by traversing paths in the graphs and comparing the paths.
8. The method according to claim 3, characterized in that
the data access request comprises a first authorization subject, a first authorized object and a first operation;
the permission scope comprises the entity class of authorization subjects, the entity class of authorized objects and the entity classes of permitted authorization intermediaries;
A1 comprises: judging whether the first authorization subject belongs to the entity class of authorization subjects and whether the first authorized object belongs to the entity class of authorized objects, and if both hold, executing A2;
A3 comprises: traversing the entity relationship graph to obtain a first number of first paths, where the number of first paths obtained by traversal is the first number, the first paths involve a second number of intermediate vertices, the number of intermediate vertices involved in the first paths is the second number, the first number and the second number are positive integers, the vertex instance of the start vertex of a first path is the first authorization subject, the vertex instance of the end vertex of a first path is the first authorized object, and, when the second number is not 0, the vertex instance of every intermediate vertex involved in the first paths belongs to the entity classes of authorization intermediaries; when the first number is not 0, generating the path prototype of each path obtained by traversal, to serve as the instance paths;
A4 comprises: comparing each input instance path with each prototype path corresponding to the first operation; if a comparison succeeds, generating a data access control result allowing the data access request, and ending; if no instance path compares successfully with any prototype path, generating a data access control result refusing the data access request;
or,
the data access request comprises a second authorization subject and a second authorized object;
the permission scope comprises the entity class of authorization subjects, the entity class of authorized objects and the entity classes of permitted authorization intermediaries;
A1 comprises: judging whether the second authorization subject belongs to the entity class of authorization subjects and whether the second authorized object belongs to the entity class of authorized objects, and if both hold, executing A2;
A2 comprises: traversing the entity relationship graph to obtain a third number of second paths, where the number of second paths obtained by traversal is the third number, the second paths involve a fourth number of intermediate vertices, the number of intermediate vertices involved in the second paths is the fourth number, the third number and the fourth number are positive integers, the vertex instance of the start vertex of a second path is the second authorization subject, the vertex instance of the end vertex of a second path is the second authorized object, and, when the fourth number is not 0, the vertex instance of every intermediate vertex involved in the second paths belongs to the entity classes of authorization intermediaries; when the third number is not 0, generating the path prototype of each path obtained by traversal, to serve as the instance paths;
A4 comprises: comparing each input instance path with each prototype path corresponding to each operation in the authorization rules; if, for an operation, there exists a prototype path that compares successfully with an input instance path, generating a data access control result allowing the second authorization subject to perform that operation on the second authorized object;
or,
the data access request comprises a third authorization subject and a second operation;
the permission scope comprises the entity class of authorization subjects, the entity class of authorized objects and the entity classes of permitted authorization intermediaries;
A1 comprises: judging whether the third authorization subject belongs to the entity class of authorization subjects, and if so, executing A2;
A3 comprises: determining each target vertex in the entity relationship graph, the vertex instance of a target vertex belonging to the entity class of authorized objects; and, for each target vertex, traversing the entity relationship graph to obtain a fifth number of third paths, where the number of third paths obtained by traversal is the fifth number, the third paths involve a sixth number of intermediate vertices, the number of intermediate vertices involved in the third paths is the sixth number, the fifth number and the sixth number are positive integers, the vertex instance of the start vertex of a third path is the third authorization subject, the vertex instance of the end vertex of a third path is the vertex instance of the current target vertex, and, when the sixth number is not 0, the vertex instance of every intermediate vertex involved in the third paths belongs to the entity classes of authorization intermediaries; when the fifth number is not 0, generating the path prototype of each path obtained by traversal, to serve as the instance paths;
A4 comprises: comparing each input instance path with each prototype path corresponding to the second operation; if, for the second operation, there exists a prototype path that compares successfully with an input instance path, generating a data access control result allowing the third authorization subject to perform the second operation on the target authorized object, wherein the target authorized object is the vertex instance of the current target vertex.
9. The method according to claim 8, characterized in that
generating the path prototype of each path obtained by traversal comprises:
for each path obtained by traversal: omitting every vertex of the current path, to obtain an ordered sequence of directed relationships, wherein the current path is formed by arranging in order the vertex instance of each vertex on the current path and the directed relationship represented by each edge on the current path, the order followed being consistent with the direction of the current path;
omitting every hierarchical directed relationship in the ordered sequence of directed relationships, to generate the path prototype of the current path, wherein, when the vertex instances of two vertices are in a superior-subordinate relationship and belong to the same instance class, the directed relationship between the two vertices is a hierarchical directed relationship.
10. A data access control device for executing the data access control method according to any one of claims 1 to 9, characterized in that it comprises:
an entity relationship graph construction unit, configured to construct an entity relationship graph, the entity relationship graph expressing entity relationships with a graph as the data structure;
an authorization rule determination unit, configured to determine authorization rules expressed with a graph as the data structure, wherein the authorization rules have the following three features:
A1. the relationships between entity prototypes are represented by one or more graphs, on the basis of which it can be decided whether a class of authorization subjects is allowed to perform an operation on a class of authorized objects;
A2. a graph takes entity prototypes as vertices and the relationships between entity prototypes as edges;
A3. a graph includes one or more paths, where the start of a path is the prototype of an authorization subject and the end of a path is the prototype of an authorized object;
a data access control unit, configured to receive a data access request from outside the system and, according to the data access request, the entity relationship graph and the authorization rules, determine the data access control result by traversing paths in the graphs and comparing the paths.
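To make the traversal-and-comparison procedure concrete (steps A1 to A4 of claim 3, the three request types of claim 8 and the prototype generation of claim 9), the following is an added Python example and not code from the patent or its assignee; the vertex classes, edge labels, permission scope, authorization rules and sample instance graph are all constructed for illustration, including the cross-domain "opportunity to project" path of Fig. 11 and a department hierarchy that is collapsed when the prototype is formed.

```python
"""Graph-based access control: instance paths are enumerated in the entity
relationship graph, reduced to prototype paths, and matched against the
prototype paths of the authorization rules. Added example; all data constructed."""
from collections import defaultdict

# Entity relationship graph (claim 2): vertex -> entity class. Constructed sample.
VERTEX_CLASS = {
    "P1": "User", "P2": "User",
    "R_exec": "Role",
    "D_tech": "Department", "D_root": "Department",
    "C1": "Customer",
    "O1": "Opportunity",
    "PRJ1": "Project", "PRJ2": "Project",
}
# Directed edges (src, relationship label, dst). Constructed sample.
EDGES = [
    ("P1", "has_role", "R_exec"),        # authorization relationship assigned by the system
    ("P1", "member_of", "D_tech"),
    ("D_tech", "sub_dept_of", "D_root"),  # hierarchical: same class, superior/subordinate
    ("D_root", "owns", "PRJ1"),
    ("P1", "contact_of", "C1"),           # Customer is not a permitted intermediary
    ("C1", "has_project", "PRJ1"),
    ("P2", "created", "O1"),              # CRM domain
    ("O1", "source_of", "PRJ2"),          # business-system domain
]
HIERARCHY_LABELS = {"sub_dept_of"}

# Permission scope (claims 7 and 8): subject class, object class, intermediary classes.
SCOPE = {"subject": "User", "object": "Project",
         "intermediary": {"Department", "Opportunity"}}

# Authorization rules (claim 4): operation -> prototype paths as ordered edge labels.
RULES = {
    "view": [("member_of", "owns"), ("created", "source_of")],
    "edit": [("created", "source_of")],
}

ADJ = defaultdict(list)
for _src, _label, _dst in EDGES:
    ADJ[_src].append((_label, _dst))


def instance_paths(subject, obj):
    """Step A3: simple directed paths subject -> obj whose interior vertices all
    belong to a permitted intermediary class. Returns lists of (src, label, dst)."""
    found = []

    def dfs(vertex, path, seen):
        for label, nxt in ADJ[vertex]:
            if nxt in seen:                      # keep paths simple (no cycles)
                continue
            step = path + [(vertex, label, nxt)]
            if nxt == obj:
                found.append(step)
            elif VERTEX_CLASS[nxt] in SCOPE["intermediary"]:
                dfs(nxt, step, seen | {nxt})

    dfs(subject, [], {subject})
    return found


def path_prototype(path):
    """Claim 9: drop the vertices, keep the ordered relationship labels, and omit
    hierarchical edges whose endpoints share an entity class."""
    return tuple(label for src, label, dst in path
                 if not (label in HIERARCHY_LABELS
                         and VERTEX_CLASS[src] == VERTEX_CLASS[dst]))


def in_scope(subject, obj=None):
    """Step A1: the request's subject (and object, if given) must match the scope."""
    if VERTEX_CLASS.get(subject) != SCOPE["subject"]:
        return False
    return obj is None or VERTEX_CLASS.get(obj) == SCOPE["object"]


def is_allowed(subject, obj, operation):
    """Request type 1 of claim 8: (subject, object, operation) -> allow/deny."""
    if not in_scope(subject, obj) or operation not in RULES:
        return False
    protos = {path_prototype(p) for p in instance_paths(subject, obj)}
    return any(rule in protos for rule in RULES[operation])   # step A4


def allowed_operations(subject, obj):
    """Request type 2 of claim 8: (subject, object) -> permitted operations."""
    return {op for op in RULES if is_allowed(subject, obj, op)}


def allowed_objects(subject, operation):
    """Request type 3 of claim 8: (subject, operation) -> permitted objects."""
    targets = [v for v, cls in VERTEX_CLASS.items() if cls == SCOPE["object"]]
    return {v for v in targets if is_allowed(subject, v, operation)}


if __name__ == "__main__":
    print(is_allowed("P1", "PRJ1", "view"))      # True via member_of -> owns
    print(is_allowed("P1", "PRJ1", "edit"))      # False: no edit rule for that path
    print(allowed_operations("P2", "PRJ2"))      # {'view', 'edit'} via created -> source_of
    print(allowed_objects("P1", "view"))         # {'PRJ1'}
```

The path through the customer C1 is pruned at step A3 because Customer is outside the intermediary classes, so even a valid-looking chain of edges cannot grant access unless the scope permits it.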
Application CN201910062322.1A, priority date 2019-01-23, filing date 2019-01-23, title "Data access control method and device", status Active, granted as CN109815654B.
Publications: CN109815654A (published 2019-05-28); CN109815654B (published 2023-04-07).
Legal events: PB01 Publication; SE01 Entry into force of request for substantive examination; TA01 Transfer of patent application right, effective date of registration 20230310, applicant before: SHANDONG INSPUR GENESOFT INFORMATION TECHNOLOGY Co.,Ltd. (250100 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech District, Shandong Province), applicant after: Inspur Genersoft Co.,Ltd. (250000 Langchao Road, Jinan, Shandong); GR01 Patent grant.