CN110135146A - A kind of data base authority management method and system - Google Patents
A kind of data base authority management method and system
- Publication number
- CN110135146A (application number CN201910359595.2A)
- Authority
- CN
- China
- Prior art keywords
- module
- user
- security
- safety officer
- database
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/21—Design, administration or maintenance of databases
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Abstract
The invention proposes a database authority management method and system. Three management users are created: a system administrator, a security administrator and an auditor. The three hold different administrative authorities and constrain one another. The security administrator assigns security roles to each service user, and each security role carries different permissions. A user can activate a security role only by presenting the security credential (for example a password or digital certificate) held by the application system, and only then can the user access the database. The invention provides a safer and more convenient management approach for database rights management, with good security properties and application prospects.
Description
Technical field
The present invention relates to the field of database security administration, and in particular to a database authority management method and system.
Background technique
In traditional database systems there is always a root administrator who holds all permissions of the database; once the root administrator's account is stolen, every piece of data in the database can be leaked. To keep the root administrator's permissions from being excessive, and to further improve the security and day-to-day security management of the database, database authority needs to be managed in a dispersed way.
In a traditional database, a user can access the database after entering a username and password. For multi-tier application systems, each system connects to the database with a single shared user: on the one hand, that user's password is stored on the server in an insecure way and is easily leaked; on the other hand, the user's permissions are excessive, which works against separating permissions between different application systems.
Summary of the invention
In view of this, the invention proposes a database authority management method and system that effectively weakens and disperses the root administrator's authority, while tying a user's access permissions to the security credential (for example a password or digital certificate) held by the application system.
The technical scheme of the invention is realized as follows. The invention provides a database authority management method comprising the following steps:
Step 1: at system initialization, pre-create three users: a system administrator, a security administrator and an auditor;
Step 2: at system initialization, pre-create three security attributes and grant them to the system administrator, the security administrator and the auditor respectively; the three security attributes correspond to the administrative authority of three subsystems;
Step 3: at system initialization, assign all permissions on the data tables to the security administrator, who is responsible for delegating permissions;
Step 4: at system initialization, disable the system's original superuser root;
Step 5: the system administrator creates users, database tables and system resources; the security administrator assigns database permissions to users and assigns security roles to users;
Step 6: the security administrator configures the database access control policy and configures the role activation credential requirement for each security role;
Step 7: a user connects to the database, activates a security role using the role activation credential requirement configured by the security administrator, and then accesses data;
Step 8: the auditor reviews the operation records of users, the system administrator and the security administrator.
On the basis of the above technical scheme, preferably, in step 2 the three security attributes are the system administrator security attribute, the security administrator security attribute and the auditor security attribute.
On the basis of the above technical scheme, preferably, in step 2 the system administrator is responsible for creating all resources in the database system, granting discretionary access control permissions and assigning roles; the system administrator holds the system administrator security attribute, can only perform system management operations, and cannot access database data.
On the basis of the above technical scheme, preferably, in step 2 the security administrator is responsible for attribute-based access control: specifying the attributes of users, databases and tables and formulating the access control policy; the security administrator holds the security administrator security attribute, can only perform security management operations, and cannot access database data.
Still more preferably, in step 2 the auditor is responsible for auditing the operations of all users in the database, including the system administrator and the security administrator; the auditor holds the auditor security attribute, can only perform audit operations, and cannot access database data.
On the basis of the above technical scheme, preferably, the three security attributes are mutually exclusive: the permissions of the system administrator, the security administrator and the auditor are independent of one another, and a user holding a security attribute can only perform management operations and cannot access data in database tables.
On the basis of the above technical scheme, preferably, after a user logs in to the database system the user holds only the connect permission; the user obtains a security credential and gains permission to access database tables only after activating a security role with that credential.
The invention also provides a database authority management system comprising users, a system administrator module, a security administrator module and an auditor module. The system administrator module manages users and distributes authority to the security administrator module and the auditor module; the security administrator module formulates access policies for users and produces security role activation credentials; the auditor module supervises the operations of users, the system administrator module and the security administrator module.
On the basis of the above technical scheme, preferably, the system administrator module further comprises a user management module, a resource management module and a data table module. The user management module creates users and assigns database permissions to users; the resource management module creates and manages database table resources; the data table module distributes data table permissions to the security administrator module and the auditor module.
On the basis of the above technical scheme, preferably, the security administrator module further comprises a policy management module and a security role credential module. The policy management module configures the database access control policy; the security role credential module configures security roles and the credential requirements for activating them.
Compared with the prior art, the database authority management method and system of the invention have the following advantages:
(1) The database authority management method and system of the invention provide a new approach to rights management: the permissions of the database administrator account are weakened, and a single-account management model is split into three accounts, each obtaining one or more independent and unique administrative authorities. Managing permissions independently across three accounts reduces the security risk of single-account management;
(2) The database authority management method and system of the invention separate a user's connect permission from its data access permission. A user establishes a connection pool after connecting to the database, guaranteeing a high-speed access channel to the data, and different application systems activate different dynamic permissions by presenting the security credential each application system holds, such as a password or digital certificate, so that each obtains permissions distinct from those of other application systems.
Detailed description of the invention
To explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the user management block diagram of the database authority management method of the invention;
Fig. 2 is the block diagram of the connections between the functional modules of the database authority management system of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below in conjunction with those embodiments. Plainly, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
As shown in Figure 1, the database authority management method of the invention comprises the following steps:
Step 1: at system initialization, pre-create three users: a system administrator, a security administrator and an auditor;
Step 2: at system initialization, pre-create three security attributes and grant them to the system administrator, the security administrator and the auditor respectively; the three security attributes correspond to the administrative authority of three subsystems;
Step 3: at system initialization, assign all permissions on the data tables to the security administrator, who is responsible for delegating permissions;
Step 4: at system initialization, disable the system's original superuser root;
Step 5: the system administrator creates users, database tables and system resources; the security administrator assigns database permissions to users and assigns security roles to users;
Step 6: the security administrator configures the database access control policy and configures the role activation credential requirement for each security role;
Step 7: a user connects to the database, activates a security role using the role activation credential requirement configured by the security administrator, and then accesses data;
Step 8: the auditor reviews the operation records of users, the system administrator and the security administrator.
In the above embodiment, a conventional database has a single management user; the invention splits that single management user into three, and at the same time assigns all permissions of the attribute-based access control model over the data tables to the security administrator, so that attribute-based access control inside the database is carried out by the security administrator. The three security attributes restrict each administrator to the corresponding management operations only, with no access to the data in database tables.
In a specific embodiment, in step 2 the three security attributes are the system administrator security attribute, the security administrator security attribute and the auditor security attribute.
In a specific embodiment, in step 2 the system administrator is responsible for creating all resources in the database system, granting discretionary access control permissions and assigning roles; the system administrator holds the system administrator security attribute, can only perform system management operations, and cannot access database data.
In the above embodiment, the system administrator manages resources and users: creating a resource in the database must go through the system administrator, and since a user's access must first pass discretionary access control, the system administrator grants discretionary access control permissions and assigns roles to users.
In a specific embodiment, in step 2 the security administrator is responsible for attribute-based access control: specifying the attributes of users, databases and tables and formulating the access control policy; the security administrator holds the security administrator security attribute, can only perform security management operations, and cannot access database data.
In the above embodiment, the security administrator is responsible for attribute-based access control: the security administrator assigns attributes to the resources and users of the database and formulates the corresponding access control policy according to those attributes, which refines users' access permissions, refines the management of secure access, and improves data security.
In a specific embodiment, in step 2 the auditor is responsible for auditing the operations of all users in the database, including the system administrator and the security administrator; the auditor holds the auditor security attribute, can only perform audit operations, and cannot access database data.
In the above embodiment, the auditor mainly supervises the operations of users, and can also supervise the operations of the system administrator and the security administrator, which restrains the operations of the system administrator and the security administrator and guards against their accounts being stolen. At the same time, the auditor can only supervise users' operations and cannot actually operate on the resources in the database.
In the above embodiment, the system administrator, the security administrator and the auditor are each responsible for specific permissions that do not conflict with one another; unless all three accounts are stolen at the same time, the resources of the database cannot be leaked.
In a specific embodiment, the three security attributes are mutually exclusive: the permissions of the system administrator, the security administrator and the auditor are independent of one another, and a user holding a security attribute can only perform management operations and cannot access data in database tables.
In a specific embodiment, after a user logs in to the database system the user holds only the connect permission; the user obtains a security credential and gains permission to access database tables only after activating a security role with that credential.
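The eight steps above, together with the rule that a connected user holds only the connect permission until a security role is activated with its credential, can be modelled as a small policy engine. The following is an added example written for this page; it is not code from the patent or from any product, and the class and function names (Database, Principal, Role, demo), the administrator account names and the table and role names are constructed for illustration. It enforces the three mutually exclusive security attributes, refuses data access to any principal holding an attribute, gates role activation on a salted hash of the activation credential, and records every decision for the auditor.

```python
"""Toy model of the three-administrator database authority scheme (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hashlib
import hmac
import secrets


class Attr(Enum):
    """The three mutually exclusive management security attributes (step 2)."""
    SYSADMIN = "system administrator"
    SECADMIN = "security administrator"
    AUDITOR = "auditor"


class Denied(Exception):
    pass


@dataclass
class Principal:
    name: str
    attr: Optional[Attr] = None               # at most one management attribute
    roles: set = field(default_factory=set)   # security roles assigned (step 5)
    active: set = field(default_factory=set)  # roles activated this session (step 7)


@dataclass
class Role:
    """A security role: table privileges plus a hashed activation credential (step 6)."""
    table_privs: dict
    salt: bytes
    cred_hash: bytes


def _hash_credential(secret: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash of the activation credential is stored (iteration
    # count kept low for this toy; raise it in anything real).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


class Database:
    def __init__(self) -> None:
        self.users: dict = {}
        self.roles: dict = {}
        self.tables: set = set()
        self.log: list = []
        # Steps 1-2: pre-create the three administrators with disjoint attributes.
        for name, attr in (("sysadmin", Attr.SYSADMIN),
                           ("secadmin", Attr.SECADMIN),
                           ("auditor", Attr.AUDITOR)):
            self.users[name] = Principal(name, attr)
        self.root_enabled = False  # Step 4: the original superuser is disabled.

    def _audit(self, who: str, op: str, ok: bool) -> None:
        self.log.append((who, op, ok))  # every decision is recorded (step 8)

    def _require(self, who: str, attr: Attr, op: str) -> None:
        if self.users[who].attr is not attr:
            self._audit(who, op, False)
            raise Denied(f"{who} lacks the {attr.value} attribute for {op}")
        self._audit(who, op, True)

    # Step 5 (system administrator): users and tables, but never data access.
    def create_user(self, by: str, name: str) -> None:
        self._require(by, Attr.SYSADMIN, f"create_user {name}")
        self.users[name] = Principal(name)  # connect permission only

    def create_table(self, by: str, table: str) -> None:
        self._require(by, Attr.SYSADMIN, f"create_table {table}")
        self.tables.add(table)

    # Steps 3, 5, 6 (security administrator): roles, privileges and credentials.
    def create_role(self, by: str, role: str, table_privs: dict, credential: str) -> None:
        self._require(by, Attr.SECADMIN, f"create_role {role}")
        salt = secrets.token_bytes(16)
        self.roles[role] = Role(table_privs, salt, _hash_credential(credential, salt))

    def grant_role(self, by: str, user: str, role: str) -> None:
        self._require(by, Attr.SECADMIN, f"grant_role {role} to {user}")
        self.users[user].roles.add(role)

    # Step 7 (service user): activate an assigned role by presenting its credential.
    def set_role(self, user: str, role: str, credential: str) -> bool:
        p, r = self.users[user], self.roles.get(role)
        ok = (r is not None and role in p.roles
              and hmac.compare_digest(_hash_credential(credential, r.salt), r.cred_hash))
        self._audit(user, f"set_role {role}", ok)
        if ok:
            p.active.add(role)
        return ok

    # Data access: only through an active role; attribute holders are always refused.
    def query(self, user: str, table: str, priv: str = "SELECT") -> bool:
        p = self.users[user]
        ok = (p.attr is None and table in self.tables and any(
            priv in self.roles[r].table_privs.get(table, set()) for r in p.active))
        self._audit(user, f"{priv} {table}", ok)
        return ok

    # Step 8 (auditor): read every principal's operation record, nothing else.
    def read_log(self, by: str) -> list:
        self._require(by, Attr.AUDITOR, "read_log")
        return list(self.log)


def demo() -> dict:
    """Walk the eight steps with constructed names; returns the decisions taken."""
    db = Database()
    db.create_user("sysadmin", "app_orders")
    db.create_table("sysadmin", "orders")
    db.create_role("secadmin", "orders_reader", {"orders": {"SELECT"}}, "app-secret-1")
    db.grant_role("secadmin", "app_orders", "orders_reader")
    out = {"connect_only": db.query("app_orders", "orders")}  # no role active yet
    out["bad_credential"] = db.set_role("app_orders", "orders_reader", "wrong")
    out["activated"] = db.set_role("app_orders", "orders_reader", "app-secret-1")
    out["read_after_activation"] = db.query("app_orders", "orders")
    out["write_denied"] = db.query("app_orders", "orders", "INSERT")
    out["sysadmin_reads_data"] = db.query("sysadmin", "orders")
    try:
        db.create_table("secadmin", "shadow")
        out["secadmin_creates_table"] = True
    except Denied:
        out["secadmin_creates_table"] = False
    out["audit_entries"] = len(db.read_log("auditor"))
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks worth noticing are in `query`: a principal that holds any management attribute is refused data access regardless of roles, and a service user without an activated role gets nothing even though it is connected and has the role assigned. The credential comparison uses a constant-time digest compare and the stored value is a salted hash, so a dump of the role table does not yield the activation secrets.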
As shown in Fig. 2, the invention also provides a database authority management system comprising users, a system administrator module, a security administrator module and an auditor module. The system administrator module manages users and distributes authority to the security administrator module and the auditor module; the security administrator module formulates access policies for users and produces security role activation credentials; the auditor module supervises the operations of users, the system administrator module and the security administrator module.
In a specific embodiment, the system administrator module further comprises a user management module, a resource management module and a data table module. The user management module creates users and assigns database permissions to users; the resource management module creates and manages database table resources; the data table module distributes data table permissions to the security administrator module and the auditor module.
In a specific embodiment, the security administrator module further comprises a policy management module and a security role credential module. The policy management module configures the database access control policy; the security role credential module configures security roles and the credential requirements for activating them.
The foregoing is merely preferred embodiments of the invention and is not intended to limit the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included in the protection scope of the invention.
Claims (10)
1. A database authority management method, characterized in that it comprises the following steps:
Step 1: at system initialization, pre-create three users: a system administrator, a security administrator and an auditor;
Step 2: at system initialization, pre-create three security attributes and grant them to the system administrator, the security administrator and the auditor respectively; the three security attributes correspond to the administrative authority of three subsystems;
Step 3: at system initialization, assign all permissions on the data tables to the security administrator, who is responsible for delegating permissions;
Step 4: at system initialization, disable the system's original superuser root;
Step 5: the system administrator creates users, database tables and system resources; the security administrator assigns database permissions to users and assigns security roles to users;
Step 6: the security administrator configures the database access control policy and configures the role activation credential requirement for each security role;
Step 7: a user connects to the database, activates a security role using the role activation credential requirement configured by the security administrator, and then accesses data;
Step 8: the auditor reviews the operation records of users, the system administrator and the security administrator.
2. The database authority management method according to claim 1, characterized in that, in step 2, the three security attributes are the system administrator security attribute, the security administrator security attribute and the auditor security attribute.
3. The database authority management method according to claim 2, characterized in that, in step 2, the system administrator is responsible for creating all resources in the database system, granting discretionary access control permissions and assigning roles; the system administrator holds the system administrator security attribute, can only perform system management operations, and cannot access database data.
4. The database authority management method according to claim 2, characterized in that, in step 2, the security administrator is responsible for attribute-based access control, specifying the attributes of users, databases and tables and formulating the access control policy; the security administrator holds the security administrator security attribute, can only perform security management operations, and cannot access database data.
5. The database authority management method according to claim 2, characterized in that, in step 2, the auditor is responsible for auditing the operations of all users in the database, including the system administrator and the security administrator; the auditor holds the auditor security attribute, can only perform audit operations, and cannot access database data.
6. The database authority management method according to claim 2, characterized in that the three security attributes are mutually exclusive: the permissions of the system administrator, the security administrator and the auditor are independent of one another, and a user holding a security attribute can only perform management operations and cannot access data in database tables.
7. The database authority management method according to claim 2, characterized in that, after a user logs in to the database system, the user holds only the connect permission; the user obtains a security credential and gains permission to access database tables only after activating a security role with that credential.
8. A database authority management system, characterized in that it comprises users, a system administrator module, a security administrator module and an auditor module; the system administrator module manages users and distributes authority to the security administrator module and the auditor module; the security administrator module formulates access policies for users and produces security role activation credentials; the auditor module supervises the operations of users, the system administrator module and the security administrator module.
9. The database authority management system according to claim 8, characterized in that the system administrator module further comprises a user management module, a resource management module and a data table module; the user management module creates users and assigns database permissions to users; the resource management module creates and manages database table resources; the data table module distributes data table permissions to the security administrator module and the auditor module.
10. The database authority management system according to claim 8, characterized in that the security administrator module further comprises a policy management module and a security role credential module; the policy management module configures the database access control policy; the security role credential module configures security roles and the credential requirements for activating them.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910359595.2A CN110135146B (en) | 2019-04-29 | 2019-04-29 | Database authority management method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910359595.2A CN110135146B (en) | 2019-04-29 | 2019-04-29 | Database authority management method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110135146A true CN110135146A (en) | 2019-08-16 |
CN110135146B CN110135146B (en) | 2021-04-02 |
Family
ID=67575881
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910359595.2A Active CN110135146B (en) | 2019-04-29 | 2019-04-29 | Database authority management method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110135146B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110417820A (en) * | 2019-09-05 | 2019-11-05 | 曙光信息产业(北京)有限公司 | Processing method and device for a single sign-on system, and readable storage medium |
CN111222161A (en) * | 2019-12-31 | 2020-06-02 | 航天信息股份有限公司 | Picture library management method and device based on authority control |
CN111914295A (en) * | 2020-08-04 | 2020-11-10 | 北京金山云网络技术有限公司 | Database access control method and device and electronic equipment |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040221157A1 (en) * | 2000-02-22 | 2004-11-04 | Microsoft Corporation | Methods and systems for accessing networks methods and systems for accessing the internet |
CN1858740A (en) * | 2006-05-31 | 2006-11-08 | 武汉华工达梦数据库有限公司 | 'Three powers separation' safety method for data bank safety management |
US20070168678A1 (en) * | 2006-01-18 | 2007-07-19 | Sybase, Inc. | Secured Database System with Built-in Antivirus Protection |
CN102184355A (en) * | 2011-04-11 | 2011-09-14 | 浪潮电子信息产业股份有限公司 | Method for realizing separation of three powers by using kernel technology |
CN102411689A (en) * | 2011-12-21 | 2012-04-11 | 北京人大金仓信息技术股份有限公司 | Method for controlling authority of database administrator |
CN102891840A (en) * | 2012-06-12 | 2013-01-23 | 北京可信华泰信息技术有限公司 | Three power separation-based information security management system and information security management method |
CN103838719A (en) * | 2012-11-20 | 2014-06-04 | 镇江鼎拓科技信息有限公司 | Design method for database connection middleware |
CN106850512A (en) * | 2015-12-07 | 2017-06-13 | 北京航天长峰科技工业集团有限公司 | A kind of information system design method for meeting cascade protection requirement |
CN107392051A (en) * | 2017-07-28 | 2017-11-24 | 北京明朝万达科技股份有限公司 | A kind of big data processing method and system |
CN108881108A (en) * | 2017-05-09 | 2018-11-23 | 北京京东尚科信息技术有限公司 | The method and apparatus of rights management |
CN109298929A (en) * | 2018-10-12 | 2019-02-01 | 平安科技(深圳)有限公司 | Timing task carrying-out time recommended method, device, equipment and storage medium |
Non-Patent Citations (1)
Title |
---|
朱虹 等: ""DBMS的安全管理"", 《计算机工程与应用》 * |
Also Published As
Publication number | Publication date |
---|---|
CN110135146B (en) | 2021-04-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |