CN111177789A - Authority management method, system, device and storage medium - Google Patents
- Publication number: CN111177789A (application CN202010014207.XA)
- Authority: CN (China)
- Prior art keywords: authority, user, role, database, accessed
- Legal status: Pending (the status is an assumption by Google Patents, not a legal conclusion)
Classifications
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
- G06F16/283—Multi-dimensional databases or data warehouses, e.g. MOLAP or ROLAP
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention provides a permission management method, system, device and storage medium. The method comprises the following steps: receiving a user permission authentication request; obtaining the authenticated user information and the accessed database information from the permission authentication request; judging whether the user has operation permission on the accessed database; and determining the permission authentication result according to the judgment result. The invention treats the database as the asset to which permissions are granted and managed, thereby realizing permission management, realizing management and control of the data assets carried by the database, realizing unified management of all database permissions within an enterprise, strengthening the management, control and protection of data after a unified data warehouse is established and before the data is used and enabled, realizing unified big-data permission management within the enterprise, and improving the security of data assets.
Description
Technical Field
The invention relates to the technical field of data warehouses, and in particular to a permission management method, system, device and storage medium.
Background
After an enterprise establishes a data warehouse through unified planning, the traditional data-silo problem is overcome and each business department can conveniently use the data to build related applications, but the accompanying data security problem urgently needs to be solved. Once the data warehouse is unified, data permissions are often left uncontrolled in order to make it convenient for each business department to fetch data, which creates a serious security risk. Most existing reporting systems, BI (Business Intelligence) systems and other systems with internal permission control manage only their own system, mainly at the level of menu permissions, report permissions and the like, with no unified big-data permission control. Because the permission management and authentication of each system are independent, a user has to apply for permissions repeatedly, which adds process and reduces working efficiency.
Disclosure of Invention
In view of the problems in the prior art, the present invention aims to provide a permission management method, system, device and storage medium that treat the database as an asset in order to realize unified permission management of a data warehouse.
An embodiment of the invention provides a permission management method comprising the following steps:
receiving a user permission authentication request;
obtaining the authenticated user information and the accessed database information from the permission authentication request;
judging whether the user has operation permission on the accessed database; and
determining the permission authentication result according to the judgment result.
Optionally, obtaining the accessed database information from the permission authentication request comprises: obtaining the accessed data table information from the permission authentication request, and determining the corresponding accessed database information according to the accessed data table information;
and determining the permission authentication result according to the judgment result comprises the following steps:
if the user has operation permission on the accessed database, judging whether the user has operation permission on the accessed data table;
if so, determining that the permission authentication of the user succeeds.
Optionally, the permission authentication request further includes the authenticated operation type;
judging whether the user has operation permission on the accessed database comprises judging whether the user has permission for the authenticated operation type on the accessed database;
and judging whether the user has operation permission on the accessed data table comprises judging whether the user has permission for the authenticated operation type on the accessed data table.
Optionally, judging whether the user has operation permission on the accessed database comprises the following steps:
querying the role information of the user according to the authenticated user information; and
judging whether the role of the user has operation permission on the accessed database.
Optionally, after querying the role information of the user according to the authenticated user information, the method further comprises the following steps:
judging whether the current state of the role of the user is the available state;
if so, judging whether the role of the user has operation permission on the accessed database.
Optionally, the permission authentication request further includes the accessed data table information and the authenticated operation type;
judging whether the role of the user has operation permission on the accessed database comprises judging whether the role of the user has permission for the authenticated operation type on the accessed database;
and determining the permission authentication result according to the judgment result comprises the following steps:
if the role of the user has permission for the authenticated operation type on the accessed database, judging whether the role of the user has permission for the authenticated operation type on the accessed data table;
if so, determining that the permission authentication of the user succeeds.
An embodiment of the invention also provides a permission management system applying the permission management method, the system comprising:
a permission setting module for managing the operation permission settings of users on each database;
a permission storage module for storing the permission setting data of users; and
a permission application module for, on receiving a user permission authentication request, obtaining the authenticated user information and the accessed database information from the permission authentication request, obtaining the permission setting data of the user from the permission storage module, judging whether the user has operation permission on the accessed database, and determining the permission authentication result according to the judgment result.
Optionally, the permission setting module comprises:
a role management unit for managing each role and the state information of each role;
a user management unit for managing the correspondence between each user and a role; and
a database permission management unit for managing the operation permission of each role on each database;
and the permission application module is further used for determining the role of the user according to the authenticated user information and judging whether the role of the user has operation permission on the accessed database.
Optionally, the permission setting module further comprises:
a table permission management unit for managing the operation permission of each role on each data table.
An embodiment of the invention further provides a permission management device comprising:
a processor; and
a memory storing instructions executable by the processor;
wherein the processor is configured to perform the steps of the permission management method by executing the executable instructions.
An embodiment of the invention further provides a computer-readable storage medium configured to store a program which, when executed, implements the steps of the permission management method.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
The permission management method, system, device and storage medium provided by the invention have the following advantages:
the invention solves the problems in the prior art by treating the database as the asset to which permissions are granted and managed, thereby realizing permission management, realizing management and control of the data assets carried by the database, realizing unified management of all database permissions within an enterprise, strengthening the management, control and protection of data after a unified data warehouse is established and before the data is used and enabled, realizing unified big-data permission management within the enterprise, and improving the security of data assets.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings.
FIG. 1 is a flow diagram of a permission management method according to one embodiment of the invention;
FIG. 2 is a flow diagram of a permission management method after table permission management is added, according to an embodiment of the invention;
FIG. 3 is a flow diagram of a permission management method after role management is added, according to an embodiment of the invention;
FIG. 4 is a flow diagram of a permission management method according to an embodiment of the invention;
FIG. 5 is a block diagram of a permission management system according to an embodiment of the invention;
FIG. 6 is a block diagram of a permission setting module according to an embodiment of the invention;
FIG. 7 is a schematic diagram of a permission management device according to an embodiment of the invention;
FIG. 8 is a schematic diagram of a computer-readable storage medium according to an embodiment of the invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In order to solve the technical problems in the prior art, embodiments of the present invention provide a permission management method and system in which the database is treated as an asset so that the permissions of a data warehouse are managed in a unified way. Permissions are granted once on the basis of the data warehouse and can then be used by all business systems in the enterprise, so that no permission management scheme for data access needs to be set up separately for each business system; production efficiency is thereby improved while data management, control and security are enhanced.
As shown in FIG. 1, in an embodiment of the present invention the permission management method includes the following steps:
S100: receiving a user permission authentication request. The received user permission authentication request may be a request to authenticate the permission of the user received from a service system, or a request to authenticate the permission of the user received directly from a user terminal; the service system may be, for example, a peer-to-peer query system, a reporting system, a business intelligence system or another system related to a specific service.
When a user logs in to a service system and performs related operations, if the action involves operating on data in the data warehouse, the service system sends a permission authentication request to the permission management system.
S200: obtaining the authenticated user information and the accessed database information from the permission authentication request. The authenticated user information may be identification information such as the ID or name of the user logged in to the service system, and the accessed database information may be identification information such as the number of the database the user needs to access.
S300: judging, according to the prestored permission setting data of the user, whether the user has operation permission on the accessed database. The permission setting data of the user may be the databases on which the user has access and operation permission.
S400: determining the permission authentication result according to the judgment result.
Thus, with this permission management method, step S300 judges whether the user has permission to operate on the database; the database is treated as the asset to which permissions are granted and managed, permission management is realized, management and control of the data assets carried by the database are realized, unified management of all database permissions within an enterprise is realized, and the management, control and protection of data are enhanced after a unified data warehouse is established and before the data is used and enabled.
In practical application a database is a set of data tables, and permission granularity at the database level is still coarse. Some service parties may need only a few data tables of a certain database, so database permission can be further divided into operation permission on individual data tables. On the basis that a user has permission on a database, it can be further set which specific data tables in that database the user has operation permission on.
Therefore, as shown in FIG. 2, in this embodiment step S200 includes the following steps:
S210: obtaining the authenticated user information and the accessed data table information from the permission authentication request, where the accessed data table information is identification information of the data table that needs to be accessed;
S220: determining the corresponding accessed database information from the accessed data table information according to the prestored correspondence between data tables and databases, that is, which data tables each database in the data warehouse contains.
As shown in FIG. 2, after the operation permission of the user on the database is judged in step S300, the operation permission of the user on the accessed data table can be judged further; therefore step S400, determining the permission authentication result according to the judgment result, includes the following steps:
after step S300 judges whether the user has operation permission on the accessed database, if the user has operation permission on the accessed database, continue to step S410; if not, continue to step S430;
S410: judging, according to the prestored permission setting data of the user, whether the user has operation permission on the accessed data table; if so, continue to step S420, otherwise continue to step S430. Here the permission setting data may be the data tables the user is allowed to access and operate on;
S420: determining that the permission authentication of the user succeeds, whereupon the service system can read data from the corresponding data table of the data warehouse or perform the corresponding operation on the data table according to the user's request;
S430: determining that the permission authentication of the user fails, whereupon the service system cannot access the corresponding data table in the data warehouse or perform the corresponding operation.
Thus, the invention can perform unified permission management of the data warehouse inside the enterprise by treating databases and data tables as assets: each data table is in practice the asset to which permissions are granted and managed, permissions are granted once on the basis of the data warehouse and can be used by all business systems in the enterprise, and no business system needs to set up its own permission management scheme for data access. This resolves the disorderly permission management across multiple business systems and the excessive application processes for users, and provides a security guarantee for breaking down data silos and enabling data.
In this embodiment, the permission authentication request further includes the authenticated operation type, that is, the type of request the user makes on the data of the data warehouse through the business system. For example, the permission management system may be preset so that a user has permission to modify or delete the data of a certain database, or so that a user only has permission to read the data of a certain database and no permission to modify it. The operation types may include reading data, modifying data, deleting a database, deleting a data table, and the like.
Step S300, judging whether the user has operation permission on the accessed database, then judges whether the user has permission for the authenticated operation type on the accessed database;
and step S410, judging whether the user has operation permission on the accessed data table, judges whether the user has permission for the authenticated operation type on the accessed data table.
For example, if a user has only read permission on a data table, then a request through the service system to read the data of that table passes permission authentication and the operation is allowed, whereas a request through the service system to modify the data of that table fails permission authentication and the operation is not allowed.
In this embodiment the concept of roles is further added for permission control. Within an enterprise, each business team can apply for different roles and each member of the team corresponds to a role; the administrator of the permission management system then creates the roles in the role management interface. After a business team has applied for a role, it can apply for permissions on different databases according to its business characteristics, and the administrator sets the permissions of the role in the permission management system. The permission setting data stored in the permission management system is therefore permission setting data for the different roles, and for a given user it is the permission setting data of the corresponding role. In this way the invention links enterprise personnel with the roles in the permission management system and realizes role-based permission management.
As shown in FIG. 3, step S300, judging whether the user has operation permission on the accessed database, includes the following steps:
S310: querying the role information of the user corresponding to the authenticated user information according to the correspondence between users and roles stored in the permission management system, where the role information may be identification information such as the ID of the role type corresponding to the user;
S320: judging whether the role of the user has operation permission on the accessed database.
FIG. 4 is a flowchart of a permission management method according to an embodiment. In this example the permission management system can also manage the role state: only when the role is in the available state can users join the role and enjoy its permissions, and when the role is in the disabled state no new user can join the role and existing users cannot enjoy its permissions. A newly created role can be placed in the disabled state and can be used normally only after its state is switched to available.
Therefore, after step S310, querying the role information of the user according to the authenticated user information, the method further includes the following steps:
S311: judging whether the current state of the role of the user is the available state;
if the current state of the user's role is available, continue to step S320: judging whether the role of the user has permission for the authenticated operation type on the accessed database;
if the current state of the user's role is disabled, continue to step S430: determining that the permission authentication of the user fails.
After step S320 judges that the role of the user has permission for the authenticated operation type on the accessed database, step S410 is performed: judging whether the role of the user has permission for the authenticated operation type on the accessed data table; if so, continue to step S420: determining that the permission authentication of the user succeeds; otherwise perform step S430: determining that the permission authentication of the user fails.
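The complete decision flow of FIGS. 2 to 4 (table-to-database mapping, role lookup, role state, database permission and table permission for the authenticated operation type, deny by default), written out as an added Python example that is not part of the patent. The in-memory PermissionStore, its method names and the sample roles, users and tables are assumptions standing in for the MySQL-backed storage module; the grant_all_tables helper generalizes the "all data tables in the database" grant of the table permission unit by expanding it to every known table.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Op(str, Enum):
    """Authenticated operation types named in the description."""
    READ = "read"
    MODIFY = "modify"
    DELETE_TABLE = "delete_table"
    DELETE_DB = "delete_db"


class RoleState(str, Enum):
    AVAILABLE = "available"
    DISABLED = "disabled"


@dataclass
class PermissionStore:
    """Assumed in-memory stand-in for the permission storage module (M200)."""
    table_to_db: dict[str, str] = field(default_factory=dict)        # data table -> database
    user_role: dict[str, str] = field(default_factory=dict)          # user id -> role id
    role_state: dict[str, RoleState] = field(default_factory=dict)   # role id -> state
    db_perms: dict[tuple[str, str], set[Op]] = field(default_factory=dict)     # (role, db) -> ops
    table_perms: dict[tuple[str, str], set[Op]] = field(default_factory=dict)  # (role, table) -> ops

    # Permission setting side (database permission unit M130 / table permission unit M140).
    def grant_db(self, role: str, db: str, *ops: Op) -> None:
        self.db_perms.setdefault((role, db), set()).update(ops)

    def grant_table(self, role: str, table: str, *ops: Op) -> None:
        self.table_perms.setdefault((role, table), set()).update(ops)

    def grant_all_tables(self, role: str, db: str, *ops: Op) -> None:
        """The 'all data tables in the database' grant, expanded to explicit per-table entries."""
        for table, owner in self.table_to_db.items():
            if owner == db:
                self.grant_table(role, table, *ops)


def authenticate(store: PermissionStore, user: str, table: str, op: Op) -> tuple[bool, str]:
    """Permission application side (M300).

    Returns (success, step): "S420" on success, otherwise the step at which the
    request was denied (the flowchart then goes to S430).
    """
    # S210/S220: map the accessed data table to its database.
    db = store.table_to_db.get(table)
    if db is None:
        return False, "S220"      # unknown table: nothing to check against, deny
    # S310: look up the role of the user.
    role = store.user_role.get(user)
    if role is None:
        return False, "S310"      # user not mapped to any role, deny
    # S311: a role that is not in the available state confers no permissions.
    if store.role_state.get(role) != RoleState.AVAILABLE:
        return False, "S311"
    # S320: the role must hold the authenticated operation type on the database.
    if op not in store.db_perms.get((role, db), set()):
        return False, "S320"
    # S410: and also on the specific data table.
    if op not in store.table_perms.get((role, table), set()):
        return False, "S410"
    return True, "S420"


def build_sample_store() -> PermissionStore:
    """Constructed sample data (not from the patent): two databases, two roles, three users."""
    s = PermissionStore()
    s.table_to_db = {"orders": "sales_db", "customers": "sales_db", "payroll": "hr_db"}
    s.role_state = {"analyst": RoleState.AVAILABLE, "hr_ops": RoleState.DISABLED}
    s.user_role = {"alice": "analyst", "bob": "hr_ops"}    # "carol" is assigned no role
    s.grant_db("analyst", "sales_db", Op.READ)              # read-only at the database level
    s.grant_table("analyst", "orders", Op.READ)             # and only on one table of sales_db
    s.grant_db("hr_ops", "hr_db", Op.READ, Op.MODIFY)
    s.grant_all_tables("hr_ops", "hr_db", Op.READ, Op.MODIFY)
    return s


if __name__ == "__main__":
    store = build_sample_store()
    for user, table, op in [("alice", "orders", Op.READ), ("alice", "orders", Op.MODIFY),
                            ("alice", "customers", Op.READ), ("bob", "payroll", Op.READ)]:
        print(user, table, op.value, authenticate(store, user, table, op))
```

The read-allowed / modify-denied pair for alice on "orders" is the example given in the description above; bob is denied at S311 because his role is still disabled, even though the role itself holds permissions.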
As shown in FIG. 5, an embodiment of the present invention further provides a permission management system applying the permission management method, the system including:
a permission setting module M100 configured to manage the operation permission settings of users on each database, where the operation permission settings may include whether operation permission is held and the type of operation permission, for example permission to read data from a database, permission to write data into a database, permission to modify data, and the like;
a permission storage module M200 configured to store the permission setting data of users; the permission storage module M200 may store the permission setting data in a MySQL database for persistence;
a permission application module M300 configured to, on receiving a user permission authentication request, obtain the authenticated user information and the accessed database information from the permission authentication request, obtain the permission setting data of the user from the permission storage module M200, judge whether the user has operation permission on the accessed database, and determine the permission authentication result according to the judgment result.
Thus, with this permission management system, the invention sets the operation permission data of users on databases uniformly through the permission setting module M100, stores the permission setting data uniformly through the permission storage module M200, judges through the permission application module M300 whether the user has permission to operate on the database, and grants and manages permissions with the database as the asset, thereby realizing permission management, realizing management and control of the data assets carried by the database, realizing unified management of all database permissions within an enterprise, and strengthening the management, control and protection of data after a unified data warehouse is established and before the data is used and enabled.
As shown in FIG. 6, in this embodiment role-based permission management is implemented through the association between roles and users; specifically, the permission setting module M100 includes:
a role management unit M110 for managing each role and the state information of each role; the state of a role may include an available state and a disabled state, a role can be applied for and created by each team or each person in the enterprise, the administrator of the permission management system creates the role in the role management interface, and the role management unit M110 can implement functions such as adding, modifying and deleting roles and switching their state;
a user management unit M120 for managing the correspondence between each user and each role; a business team or an individual user can join a created role according to the business department the user belongs to or the user's business function, and thereby enjoy the operation permission of that role on databases, and the user management unit M120 can implement functions such as adding, modifying and deleting users;
a database permission management unit M130 for managing the operation permission of each role on each database; after a business team has applied for and created a role it can apply for permissions on different databases according to its own business functions and characteristics, the administrator performs the granting operation, and the database permission management unit M130 can implement functions such as granting and revoking permissions of roles;
and the permission application module M300 is further configured to determine the role of the user according to the authenticated user information and judge whether the role of the user has operation permission on the accessed database. Specifically, the permission application module M300 may provide an RPC (Remote Procedure Call) service through which a downstream service system requests the role information of a user, the permission information held by the role, and whether the role the user belongs to has operation permission on a specific table.
In this embodiment, database permission is further refined into permission on each data table; specifically, the permission setting module M100 further includes:
a table permission management unit M140 configured to manage the operation permission of each role on each data table; after a user joins a certain role, the user enjoys the operation permission of that role on databases and data tables, and the table permission management unit M140 can grant a role operation permission on some of the data tables in a database or on all of the data tables in the database.
On receiving a user permission authentication request, the permission application module M300 obtains the accessed data table information from the permission authentication request and determines the corresponding accessed database information according to the accessed data table information. After the permission application module M300 judges that the role of the user has operation permission on the accessed database, it further judges whether the role of the user has operation permission on the accessed data table.
Thus the permission management system can perform unified permission management of the data warehouse inside the enterprise by treating databases and data tables as assets: in practice each data table is the asset to which permissions are granted and managed, permissions are granted once on the basis of the data warehouse and can be used by all business systems inside the enterprise, and no permission management scheme for data access needs to be set up separately for each business system.
In this embodiment, the permission setting module M100 may be developed with separate front end and back end. The front end displays a browser-based user setting interface, which may include a role setting interface, a user management interface, a database permission setting interface, a table permission setting interface and the like, and is developed with vue. The back end uses a REST API (Representational State Transfer application programming interface) developed with Spring MVC (a web-layer MVC framework) to interact with the front end, and uses the JDBC (Java Database Connectivity) interface to perform data storage operations against the MySQL database (permission storage module M200).
The permission application module M300 may be developed with Spring Boot (an open-source application framework on the Java platform that provides a container with the inversion-of-control characteristic), and interacts with the MySQL database (permission storage module M200) through the JDBC interface to obtain data; in addition, the permission application module M300 may implement the RPC service using the Pigeon framework open-sourced by Meituan-Dianping.
The embodiment of the invention also provides an authority management device, comprising a processor and a memory storing instructions executable by the processor, wherein the processor is configured to perform the steps of the rights management method by executing the executable instructions.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit," "module" or "system."
An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 7. The electronic device 600 shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting different system components (including the memory unit 620 and the processing unit 610), a display unit 640, and the like.
The storage unit stores program code which can be executed by the processing unit 610, so that the processing unit 610 performs the steps according to the various exemplary embodiments of the present invention described in the above-mentioned electronic prescription flow processing method section of the present specification. For example, the processing unit 610 may perform the steps shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
An embodiment of the present invention further provides a computer-readable storage medium configured to store a program which, when executed, implements the steps of the rights management method. In some possible embodiments, aspects of the present invention may also be implemented in the form of a program product comprising program code which, when the program product is run on a terminal device, causes the terminal device to perform the steps according to the various exemplary embodiments of the present invention described in the above-mentioned electronic prescription flow processing method section of this specification.
Referring to fig. 8, a program product 800 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
In summary, compared with the prior art, the rights management method, system, device and storage medium provided by the present invention have the following advantages:
The invention solves the problems in the prior art: it manages and grants authority by treating the database as an asset, realizes authority management with the database as the carrier for controlling data assets, achieves unified management of all database authorities in the enterprise, strengthens the control and protection of data after the unified data warehouse is established and before the data is used, realizes unified big data authority management in the enterprise, and improves the security of data assets.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.
Claims (11)
1. A rights management method, comprising the steps of:
receiving a user authority authentication request;
obtaining authenticated user information and accessed database information from the authority authentication request;
judging whether the user has the operation authority of the accessed database;
and determining the authority identification result according to the judgment result.
2. The rights management method of claim 1, wherein obtaining the accessed database information from the authority authentication request comprises the steps of:
obtaining accessed data table information from the authority authentication request;
determining corresponding accessed database information according to the accessed data table information;
and determining the authority authentication result according to the judgment result comprises the following steps:
if the user has the operation authority of the accessed database, judging whether the user has the operation authority of the accessed data table;
if so, determining that the authority authentication of the user is successful.
3. The rights management method of claim 2, wherein the rights authentication request further includes an authenticated operation type;
judging whether the user has the operation authority of the accessed database or not, wherein the judgment comprises judging whether the user has the operation authority of the identified operation type on the accessed database or not;
the judging whether the user has the operation authority of the accessed data table comprises judging whether the user has the operation authority of the identified operation type on the accessed data table.
4. The method for managing authority according to claim 1, wherein the step of determining whether the user has the operation authority of the accessed database comprises the steps of:
inquiring the role information of the user according to the identified user information;
and judging whether the role of the user has the operation authority of the accessed database.
5. The rights management method according to claim 4, wherein after querying the role information of the user based on the authenticated user information, further comprising the steps of:
judging whether the current state of the role of the user is an available state;
if yes, judging whether the role of the user has the operation authority of the accessed database.
6. The rights management method of claim 4, wherein the rights authentication request further includes accessed data table information and authenticated operation type;
judging whether the role of the user has the operation authority of the accessed database or not, wherein the judgment comprises judging whether the role of the user has the operation authority of the identified operation type on the accessed database or not;
determining the authority authentication result according to the judgment result comprises the following steps:
if the role of the user has the operation authority of the identified operation type on the accessed database, judging whether the role of the user has the operation authority of the identified operation type on the accessed data table;
if so, determining that the authority authentication of the user is successful.
7. A rights management system to which the rights management method of any one of claims 1 to 6 is applied, the system comprising:
the authority setting module is used for managing the operation authority setting of the user on each database;
the authority storage module is used for storing authority setting data of a user;
and the authority application module is used for acquiring the authenticated user information and the accessed database information from the authority authentication request when receiving the user authority authentication request, acquiring the authority setting data of the user from the authority storage module, judging whether the user has the operation authority of the accessed database, and determining the authority authentication result according to the judgment result.
8. The rights management system of claim 7, wherein the rights setting module comprises:
a role management unit for managing each role and state information of each role;
the user management unit is used for managing the corresponding relation between each user and the role;
the database authority management unit is used for managing the operation authority of each role to each database;
the authority application module is also used for determining the role of the user according to the identified user information and judging whether the role of the user has the operation authority of the accessed database.
9. The rights management system of claim 8, wherein the rights setting module further comprises:
the table authority management unit is used for managing the operation authority of each role to each data table;
when the authority application module receives a user authority authentication request, it acquires accessed data table information from the authority authentication request and determines corresponding accessed database information according to the accessed data table information;
and after the permission application module judges that the role of the user has the operation permission of the accessed database, the permission application module is also used for judging whether the role of the user has the operation permission of the accessed data table.
10. A rights management device, comprising:
a processor;
a memory in which there are executable instructions of the processor;
wherein the processor is configured to perform the steps of the rights management method of any of claims 1-6 via execution of the executable instructions.
11. A computer readable storage medium storing a program, characterized in that the program when executed implements the steps of the rights management method of any one of claims 1 to 6.
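The authentication flow of the authority application module M300 (role lookup, role state check, database-level check, then table-level check, with the database derived from the accessed table) as described in the embodiment and in claims 1 to 6, written here as an added illustration in Python; this is not code from the patent or its applicant. The in-memory permission store, and all user, role, database and table names, are constructed for the example.

```python
"""Two-level (database first, then data table) authorization decision modelled
on the authority application module M300 and claims 1 to 6.

Constructed example: the PermissionStore below stands in for the MySQL
permission storage module M200; every name in it is made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Op(str, Enum):
    """Operation type carried in the authority authentication request."""
    SELECT = "select"
    INSERT = "insert"
    UPDATE = "update"
    DELETE = "delete"


@dataclass
class Role:
    name: str
    available: bool                                   # role state kept by the role management unit
    db_perms: dict[str, set[Op]] = field(default_factory=dict)
    # table permissions per database: table -> ops; the key "*" records that the
    # role was granted every table in that database (table authority management unit)
    table_perms: dict[str, dict[str, set[Op]]] = field(default_factory=dict)


@dataclass
class PermissionStore:
    roles: dict[str, Role]
    user_roles: dict[str, str]          # user -> role (user management unit)
    table_catalog: dict[str, str]       # data table -> database it belongs to


@dataclass
class AuthRequest:
    user: str
    table: str
    op: Op


def authenticate(store: PermissionStore, req: AuthRequest) -> tuple[bool, str]:
    """Return (granted, reason); every denial names the step that failed so the
    decision can be logged and audited."""
    db = store.table_catalog.get(req.table)           # accessed database derived from the table
    if db is None:
        return False, f"unknown table {req.table!r}"
    role_name = store.user_roles.get(req.user)        # role of the authenticated user
    if role_name is None or role_name not in store.roles:
        return False, f"user {req.user!r} has no role"
    role = store.roles[role_name]
    if not role.available:                            # claim 5: role must be in an available state
        return False, f"role {role.name!r} is disabled"
    if req.op not in role.db_perms.get(db, set()):    # claims 3/6: database-level check first
        return False, f"role {role.name!r} lacks {req.op.value} on database {db!r}"
    tables = role.table_perms.get(db, {})
    granted = tables.get("*", set()) | tables.get(req.table, set())
    if req.op not in granted:                         # claims 2/6: table-level check second
        return False, f"role {role.name!r} lacks {req.op.value} on table {db}.{req.table}"
    return True, "ok"


def build_sample_store() -> PermissionStore:
    """Constructed permission data: a read-only analyst limited to one table,
    an ETL role granted all tables, and a disabled role."""
    analyst = Role("analyst", True, db_perms={"dw": {Op.SELECT}},
                   table_perms={"dw": {"orders": {Op.SELECT}}})
    etl = Role("etl", True, db_perms={"dw": {Op.SELECT, Op.INSERT}},
               table_perms={"dw": {"*": {Op.SELECT, Op.INSERT}}})
    former = Role("former_staff", False, db_perms={"dw": {Op.SELECT}},
                  table_perms={"dw": {"*": {Op.SELECT}}})
    return PermissionStore(
        roles={r.name: r for r in (analyst, etl, former)},
        user_roles={"alice": "analyst", "bob": "etl", "carol": "former_staff"},
        table_catalog={"orders": "dw", "customers": "dw"},
    )


if __name__ == "__main__":
    s = build_sample_store()
    for r in (AuthRequest("alice", "orders", Op.SELECT), AuthRequest("alice", "customers", Op.SELECT),
              AuthRequest("bob", "customers", Op.INSERT), AuthRequest("carol", "orders", Op.SELECT)):
        print(r.user, r.op.value, r.table, "->", authenticate(s, r))
```

Because the table check is only reached after the database check passes, a table grant never widens a role beyond the database-level grant, which is the property the two-level design relies on.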
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010014207.XA CN111177789A (en) | 2020-01-07 | 2020-01-07 | Authority management method, system, device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111177789A true CN111177789A (en) | 2020-05-19 |
Family
ID=70656174
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010014207.XA Pending CN111177789A (en) | 2020-01-07 | 2020-01-07 | Authority management method, system, device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111177789A (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111625866A (en) * | 2020-05-28 | 2020-09-04 | 广东浪潮大数据研究有限公司 | Authority management method, system, equipment and storage medium |
CN111737291A (en) * | 2020-06-11 | 2020-10-02 | 青岛海尔科技有限公司 | Method, device and database for inquiring equipment information |
CN112131560A (en) * | 2020-08-05 | 2020-12-25 | 新华三大数据技术有限公司 | Role authority adjustment method and device |
CN112199434A (en) * | 2020-11-17 | 2021-01-08 | 平安数字信息科技(深圳)有限公司 | Data processing method and device, electronic equipment and storage medium |
CN112532604A (en) * | 2020-11-20 | 2021-03-19 | 深圳市和讯华谷信息技术有限公司 | Cache access control method and device, computer equipment and storage medium |
CN112835902A (en) * | 2021-02-01 | 2021-05-25 | 上海上讯信息技术股份有限公司 | Data asset identification and use method and equipment |
CN113222740A (en) * | 2021-05-27 | 2021-08-06 | 中国工商银行股份有限公司 | Asset management method, apparatus, computing device and medium executed by computing device |
CN113779517A (en) * | 2020-06-09 | 2021-12-10 | 武汉斗鱼鱼乐网络科技有限公司 | Authority obtaining method, device, equipment and storage medium |
CN114021108A (en) * | 2021-10-13 | 2022-02-08 | 百安居信息技术(上海)有限公司 | Cross-application data authority management, configuration and control method and device |
CN114205098A (en) * | 2020-08-31 | 2022-03-18 | 北京华为数字技术有限公司 | Method, device and equipment for inquiring operation authority and computer readable storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107563206A (en) * | 2017-07-18 | 2018-01-09 | 北京奥鹏远程教育中心有限公司 | Unified rights method of servicing and system |
CN107895123A (en) * | 2017-11-13 | 2018-04-10 | 医渡云(北京)技术有限公司 | Data access authority control method and device, method for managing user right |
CN109409119A (en) * | 2017-08-17 | 2019-03-01 | 北京京东尚科信息技术有限公司 | Data manipulation method and device |
CN109670768A (en) * | 2018-09-27 | 2019-04-23 | 深圳壹账通智能科技有限公司 | Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain |
CN110298189A (en) * | 2018-03-23 | 2019-10-01 | 华为技术有限公司 | Data base authority management method and equipment |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111625866A (en) * | 2020-05-28 | 2020-09-04 | 广东浪潮大数据研究有限公司 | Authority management method, system, equipment and storage medium |
CN111625866B (en) * | 2020-05-28 | 2024-04-19 | 广东浪潮大数据研究有限公司 | Authority management method, system, equipment and storage medium |
CN113779517A (en) * | 2020-06-09 | 2021-12-10 | 武汉斗鱼鱼乐网络科技有限公司 | Authority obtaining method, device, equipment and storage medium |
CN111737291A (en) * | 2020-06-11 | 2020-10-02 | 青岛海尔科技有限公司 | Method, device and database for inquiring equipment information |
CN111737291B (en) * | 2020-06-11 | 2023-07-21 | 青岛海尔科技有限公司 | Method, device and database for inquiring equipment information |
CN112131560A (en) * | 2020-08-05 | 2020-12-25 | 新华三大数据技术有限公司 | Role authority adjustment method and device |
CN112131560B (en) * | 2020-08-05 | 2022-05-24 | 新华三大数据技术有限公司 | Role authority adjustment method and device |
CN114205098A (en) * | 2020-08-31 | 2022-03-18 | 北京华为数字技术有限公司 | Method, device and equipment for inquiring operation authority and computer readable storage medium |
CN114205098B (en) * | 2020-08-31 | 2023-12-15 | 北京华为数字技术有限公司 | Method, device, equipment and computer readable storage medium for inquiring operation authority |
CN112199434A (en) * | 2020-11-17 | 2021-01-08 | 平安数字信息科技(深圳)有限公司 | Data processing method and device, electronic equipment and storage medium |
CN112199434B (en) * | 2020-11-17 | 2023-09-19 | 深圳平安智汇企业信息管理有限公司 | Data processing method, device, electronic equipment and storage medium |
CN112532604A (en) * | 2020-11-20 | 2021-03-19 | 深圳市和讯华谷信息技术有限公司 | Cache access control method and device, computer equipment and storage medium |
CN112835902A (en) * | 2021-02-01 | 2021-05-25 | 上海上讯信息技术股份有限公司 | Data asset identification and use method and equipment |
CN113222740A (en) * | 2021-05-27 | 2021-08-06 | 中国工商银行股份有限公司 | Asset management method, apparatus, computing device and medium executed by computing device |
CN114021108A (en) * | 2021-10-13 | 2022-02-08 | 百安居信息技术(上海)有限公司 | Cross-application data authority management, configuration and control method and device |
Similar Documents
Publication | Title |
---|---|
CN111177789A (en) | Authority management method, system, device and storage medium |
US9591000B2 (en) | Methods, systems, and computer readable media for authorization frameworks for web-based applications |
CN113239344B (en) | Access right control method and device |
US9940472B2 (en) | Edge access control in querying facts stored in graph databases |
US11962511B2 (en) | Organization level identity management |
US8326874B2 (en) | Model-based implied authorization |
CN109598117A (en) | Right management method, device, electronic equipment and storage medium |
US9665577B2 (en) | Controlling enterprise data on mobile device via the use of a tag index |
CN104995598A (en) | Use of freeform metadata for access control |
US11210410B2 (en) | Serving data assets based on security policies by applying space-time optimized inline data transformations |
CN109522751B (en) | Access right control method and device, electronic equipment and computer readable medium |
CN103530106A (en) | Method and system of context-dependent transactional management for separation of duties |
US20150127680A1 (en) | Protected handling of database queries |
US9158932B2 (en) | Modeled authorization check implemented with UI framework |
CN113342775B (en) | Centralized multi-tenant as-a-service in a cloud-based computing environment |
CN113761552A (en) | Access control method, device, system, server and storage medium |
CN111586177B (en) | Cluster session loss prevention method and system |
US20190227857A1 (en) | Smart clipboard for secure data transfer |
US20180349269A1 (en) | Event triggered data retention |
US11170080B2 (en) | Enforcing primary and secondary authorization controls using change control record identifier and information |
US8726336B2 (en) | Authorizations for analytical reports |
US20230421567A1 (en) | Systems for Securely Tracking Incident Data and Automatically Generating Data Incident Reports Using Collaboration Rooms with Dynamic Tenancy |
CN107911443A (en) | A kind of session information processing method, device, server and readable storage medium |
US20210064775A1 (en) | Nlp workspace collaborations |
US10826985B2 (en) | System and method for content tethering in an enterprise content management system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200519 |