CN111191210B - Method and device for controlling data access authority, computer equipment and storage medium - Google Patents

Info

Publication number: CN111191210B
Application number: CN201911260175.5A
Authority: CN (China)
Prior art keywords: organization, data, login information, target, information input
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN111191210A
Inventor: 林常春
Current Assignee: Weikun Shanghai Technology Service Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Weikun Shanghai Technology Service Co Ltd

Events:
Application filed by Weikun Shanghai Technology Service Co Ltd
Priority to CN201911260175.5A
Publication of CN111191210A
Application granted
Publication of CN111191210B
Status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication > G06F21/33 User authentication using certificates
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/90 Details of database functions independent of the retrieved data types > G06F16/901 Indexing; Data structures therefor; Storage structures > G06F16/9027 Trees
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication

Abstract

The application relates to a method and a device for controlling data access authority, computer equipment and a storage medium. The method comprises the following steps: monitoring a data access instruction triggered based on a service application; the data access instruction carries a user identifier and a data identifier of data to be accessed; determining the role of a target user corresponding to the user identifier in service application; when determining that the target user has the operation right for the service application according to the role, determining an organization node corresponding to the target user in a preset organization structure tree; taking the organization node corresponding to the target user as a current level organization node to traverse whether each organization node in the organization structure tree has the access right to the target data corresponding to the data identification until the organization node of the lowest level; and when one or more lower-level organization nodes directly or indirectly connected with the current-level organization node have the access right to the target data, exposing the target data. By adopting the method, the flexibility of authority management can be improved.

Description

Method and device for controlling data access authority, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for controlling data access permission, a computer device, and a storage medium.
Background
With the continuous development of computer technology, various applications are emerging. Users can install various types of applications on their computer equipment according to their needs, such as personal applications or enterprise applications. In order to improve system security, the access behavior and data operations of the user in the application need to be controlled. Traditional access control is based mainly on roles: security management personnel define various roles as needed and set appropriate access authority for each, users are assigned to different roles according to their responsibilities and seniority, and user authority is granted and revoked by assigning and removing roles. However, this approach is not very flexible.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, a computer device, and a storage medium for controlling data access rights, which can improve flexibility of rights management.
A method of controlling data access rights, the method comprising: monitoring a data access instruction triggered based on a service application; the data access instruction carries a user identifier and a data identifier of data to be accessed; determining the role of the target user corresponding to the user identifier in the service application; when it is determined according to the role that the target user has the operation right for the business application, determining an organization node corresponding to the target user in a preset organization structure tree; taking the organization node corresponding to the target user as the current-level organization node and traversing whether each organization node in the organization structure tree has the access right to the target data corresponding to the data identifier, down to the organization node of the lowest level; and when one or more lower-level organization nodes directly or indirectly connected with the current-level organization node have the access right to the target data, displaying the target data.
In one embodiment, monitoring the data access instruction triggered based on the business application comprises: when it is detected that the terminal is currently in an intranet environment, displaying a login entry of the service application; responding to a trigger operation corresponding to the login entry by displaying a first login information input interface; displaying a second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface; logging in to the service application according to the second login information input on the second login information input interface; and monitoring, through the authority management application, a data access instruction triggered based on the service application.
In one embodiment, the first login information is communication number login information; the displaying of the second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface comprises: receiving the communication number login information input on the communication number login information input interface; acquiring an organization identification set corresponding to the communication number login information; when the organization identifier set comprises a target organization identifier corresponding to the intranet environment, acquiring identity information corresponding to the communication number login information and associated with the target organization identifier; and displaying a second login information input interface matched with the identity information.
In one embodiment, monitoring, by the rights management application, the data access instruction triggered based on the business application includes: when the data access instruction is monitored, sending an authority verification request to a first server based on the authority management application, so that the first server verifies whether the target user has the access authority to the target data and sends a verification result to a second server corresponding to the service application; the displaying of the target data comprises: receiving the target data returned by the second server when the verification result is that the verification is passed.
In one embodiment, the method for controlling data access right further includes: acquiring an organization change instruction triggered based on the authority management application; the organization change instruction comprises an organization change requirement; and according to the organization change requirement, adding organization nodes in the organization structure tree to realize organization division, or deleting the organization nodes in the organization structure tree to realize organization combination.
In one embodiment, the method for controlling data access rights further includes: acquiring a permission change instruction triggered based on the permission management application; the permission change instruction comprises a user identifier and an authority change requirement; and adding or deleting connecting edges between the user node corresponding to the user identifier and one or more organization nodes in the organization structure tree according to the permission change instruction.
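As an added illustration of the organization change and permission change instructions described in the two embodiments above (example code written for this page, not code from the patent or its assignee): a minimal Python model of the organization structure tree in which organization division adds a node, organization combination deletes a node and folds it into its parent, and permission changes add or remove the connecting edges between a user node and organization nodes. The node and user names, and the rule that a deleted node's cross-department edges are revoked rather than moved up to the parent, are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class OrgTree:
    """Organization structure tree: org nodes linked by parent edges, plus user nodes.

    Each user node has exactly one "belonging" org node and any number of
    cross-department org nodes (the one-to-one / many-to-one relationships the
    description gives).
    """
    parent: dict[str, str | None] = field(default_factory=dict)    # org node -> parent (None for the group root)
    belongs_to: dict[str, str] = field(default_factory=dict)       # user node -> belonging org node
    cross_dept: dict[str, set[str]] = field(default_factory=dict)  # user node -> cross-department org nodes

    def children(self, node: str) -> list[str]:
        return sorted(n for n, p in self.parent.items() if p == node)

    # --- organization change instruction --------------------------------
    def add_node(self, node: str, parent: str) -> None:
        """Organization division: hang a new org node under an existing one."""
        if node in self.parent:
            raise ValueError(f"org node {node!r} already exists")
        if parent not in self.parent:
            raise ValueError(f"parent org node {parent!r} does not exist")
        self.parent[node] = parent

    def delete_node(self, node: str) -> None:
        """Organization combination: fold an org node into its parent.

        Child org nodes and belonging users move up to the parent (that is the
        merge). Cross-department edges to the deleted node are dropped rather
        than moved (assumption of this example): moving them would silently
        widen those users' reach to the whole parent subtree.
        """
        parent = self.parent.get(node)
        if parent is None:
            raise ValueError(f"cannot delete root or unknown node {node!r}")
        for child in self.children(node):
            self.parent[child] = parent
        for user, home in self.belongs_to.items():
            if home == node:
                self.belongs_to[user] = parent
        for nodes in self.cross_dept.values():
            nodes.discard(node)
        del self.parent[node]

    # --- permission change instruction ----------------------------------
    def add_edge(self, user: str, node: str) -> None:
        """Connect a user node to an org node; a user's first edge is the belonging edge."""
        if node not in self.parent:
            raise ValueError(f"org node {node!r} does not exist")
        if user not in self.belongs_to:
            self.belongs_to[user] = node
            self.cross_dept.setdefault(user, set())
            return
        if self.belongs_to[user] == node:
            raise ValueError(f"{node!r} is already {user!r}'s belonging node")
        self.cross_dept[user].add(node)

    def remove_edge(self, user: str, node: str) -> None:
        """Revoke a cross-department edge; the single belonging edge cannot be removed here."""
        if self.belongs_to.get(user) == node:
            raise ValueError("a user always keeps exactly one belonging org node")
        if node not in self.cross_dept.get(user, set()):
            raise ValueError(f"{user!r} has no cross-department edge to {node!r}")
        self.cross_dept[user].remove(node)


def build_sample_tree() -> OrgTree:
    """Constructed sample in the shape of FIG. 3: user A belongs to organization 3
    and holds cross-department edges to organizations 5 and 9. Node ids are made up."""
    t = OrgTree()
    t.parent = {"group": None, "org1": "group", "org2": "group",
                "org3": "org1", "org5": "org1", "org6": "org5", "org9": "org2"}
    t.add_edge("A", "org3")   # belonging edge
    t.add_edge("A", "org5")   # cross-department edges
    t.add_edge("A", "org9")
    return t


if __name__ == "__main__":
    t = build_sample_tree()
    t.add_node("org10", "org3")   # division: a new sub-department under org3
    t.delete_node("org5")         # combination: org5 merges into org1
    print(t.children("org1"), t.belongs_to, t.cross_dept)
```

The design point worth noticing is which edges survive a merge: belonging edges must move, because every user has exactly one belonging node, while cross-department edges are explicit grants that an operator should re-issue against the merged node if they are still wanted.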
An apparatus for controlling data access rights, the apparatus comprising: an access operation monitoring module for monitoring a data access instruction triggered based on the service application, the data access instruction carrying a user identifier and a data identifier of data to be accessed; an access authority verification module for determining an organization node corresponding to the target user in a preset organization structure tree when it is determined according to the role that the target user has the operation authority for the business application, and for taking the organization node corresponding to the target user as the current-level organization node and traversing whether each organization node in the organization structure tree has the access right to the target data corresponding to the data identifier, down to the organization node of the lowest level; and a target data access module for displaying the target data when one or more lower-level organization nodes directly or indirectly connected with the current-level organization node have access rights to the target data.
In one embodiment, the access operation monitoring module is further configured to display a login entry of the service application when detecting that the terminal is currently in an intranet environment; respond to a trigger operation corresponding to the login entry by displaying a first login information input interface; display a second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface; log in to the service application according to the second login information input on the second login information input interface; and monitor, through the authority management application, a data access instruction triggered based on the service application.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method for controlling data access permissions provided in any one of the embodiments of the present application when executing the computer program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of a method for controlling data access rights, as provided in any one of the embodiments of the present application.
The control method, control device, computer equipment and storage medium for data access authority monitor the data access instruction triggered based on the service application, and automatically trigger verification of the operation authority and the data access authority when the access instruction is monitored; only when the target user is determined to have the operation right for the service application according to the user identifier is the subsequent data access right verification performed, so unnecessary data processing steps are avoided and data processing resources can be saved; whether the current user has the access right to the target data can be verified by traversing, in the preset organization structure tree, the access rights to the target data of the lower-level organization nodes connected with the organization node corresponding to the target user; and only when the verification is passed is the target data displayed, so that the completeness of the target data is improved. In this process the operation authority and the data access authority are separated, which improves the flexibility of authority management, and the organization structure tree is set according to the real group organization architecture, so that it better matches the actual application scenario; based on the organization structure tree, dynamic adjustment and integration of authority among different users can be realized, authority linkage is achieved, high-level users can completely simulate the access of lower-level users, and authority management efficiency is improved.
Drawings
FIG. 1 is a diagram illustrating an exemplary embodiment of a method for controlling access to data;
FIG. 2 is a flowchart illustrating a method for controlling access to data according to one embodiment;
FIG. 3 is a diagram of an organizational structure tree of an individual in one embodiment;
FIG. 4 is a block diagram showing the structure of a control apparatus for controlling access rights to data according to an embodiment;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The data access method provided by the application can be applied to the application environment shown in fig. 1. The first terminal 110 communicates with the first server 120 through a network; the first terminal 110 communicates with the second server 130 through a network; the second terminal 140 communicates with the first server 120 through a network; and the second terminal 140 communicates with the second server 130 through a network. Different service applications run on the first terminal 110. The first terminal 110 is a terminal corresponding to a user of the service application. Each business application in the first terminal 110 integrates a common rights management application in a plug-in manner. The authority management application is used for controlling the data access authority of the user based on the service application. A rights management application also runs on the second terminal 140. The rights management application may run separately on the second terminal 140 or may be integrated in other applications in a plug-in manner. The second terminal 140 is a terminal corresponding to the operation and maintenance person. The first terminal 110 and the second terminal 140 may be the same terminal or different terminals. The first terminal 110 and the second terminal 140 may each be, but are not limited to, a personal computer, notebook computer, smart phone, tablet computer, or portable wearable device. The first server 120 may be an application server that provides services for the rights management application. The second server 130 may be an application server that provides services for business applications. The first server 120 and the second server 130 may be the same server or different servers. The first server 120 and the second server 130 may each be implemented by a separate server or by a server cluster composed of a plurality of servers.
In an embodiment, as shown in fig. 2, a data access method is provided, which is described by taking the application of the method to the first terminal in fig. 1 as an example, and includes the following steps:
step 202, monitoring a data access instruction triggered based on a service application; the data access instruction carries a user identifier and a data identifier of the data to be accessed.
One or more service applications run on the first terminal. The business application may take the form of a website, an app (application), or an applet. The business application may specifically be a social application, an office application, a payment application, etc. The business application may be an application that any natural person may use, such as a personal application. A business application may also be an application that natural persons belonging to an organization use inside that organization, such as an enterprise application.
The first terminal also runs a rights management application. Access authority management and control of a plurality of service applications can be realized simultaneously based on the authority management application. When the rights management application runs on the terminal independently, the user can configure in it the access address of each service application to be managed and controlled. The access address is the address of a resource available from the internet together with the method of accessing it, and may be a URL (Uniform Resource Locator). The access address may be the access address of an entry page of the business application. It is easy to understand that if the rights management application is integrated in the business application in a plug-in manner, the user does not need to configure the access address.
The first terminal monitors, based on the authority management application, a data access instruction triggered by a user in a service application. The data access instruction may be an instruction generated when a user triggers a data access operation such as page browsing, data downloading or data forwarding in the service application. The data access instruction carries a user identifier and a data identifier. The user identifier is information capable of uniquely representing the user's identity, such as an identity card number, a mobile phone number, or the account number the user registered with the service application. The data identifier is information capable of uniquely identifying the target data that the user wishes to access, and may specifically be a data number, a hash value generated from the data title or content, or the like.
And step 204, determining the role of the target user corresponding to the user identification in the service application.
And step 206, when it is determined according to the role that the target user has the operation right for the business application, determining an organization node corresponding to the target user in a preset organization structure tree.
The first server pre-stores an organizational structure tree for each of a plurality of users. The organization structure tree of an individual includes a plurality of organization nodes and connecting edges that connect the organization nodes. The organization structure tree of the individual also includes user nodes and connecting edges that link the user nodes to organization nodes. An organization node connected with a user node can be the organization node to which the user belongs or a cross-department organization node. The organization node to which the user belongs is the organization node corresponding to the functional department in which the user works. The user node and the organization node to which the user belongs are in a one-to-one relationship; in other words, one user has exactly one organization node to which the user belongs. A cross-department organization node is an organization node corresponding to another functional department whose authority the user has been granted. User nodes and cross-department organization nodes may be in a many-to-one relationship; in other words, one user may have multiple cross-department organization nodes. Referring to FIG. 3, FIG. 3 is a diagram of an organizational structure tree of an individual in one embodiment. As shown in fig. 3, the organization node to which user A belongs is organization 3, and user A has cross-department authority over organization 5 and organization 9.
In one embodiment, the organization structure tree of the individual may be constructed based on the organization structure tree of the group, and specifically includes: acquiring an organization structure tree of a group; determining an affiliated organization node and a cross-organization node corresponding to a target user in an organization structure tree of a group; and taking the user identification corresponding to the target user as a user node, and connecting the user node with the corresponding affiliated organization node and the cross-organization node in the organization structure tree of the group to obtain the personal organization structure tree corresponding to the target user.
The organization structure tree of the group adopted by the application can be constructed according to the organization structure of the whole group, and comprises a plurality of levels of organization nodes. It is easy to understand that the organization node of the highest hierarchy is the organization node corresponding to the group. Multiple business applications can share the organizational structure tree of groups as well as the organizational structure tree of individuals built based on the enterprise organizational structure tree. The organizational nodes in the organizational structure tree of an individual may be all or part of the organizational nodes in the organizational structure tree of an enterprise. The authority operation and maintenance personnel can configure and manage the organization structure tree of the group or the individual organization structure tree based on the authority management application at the second terminal, so that the authority operation and maintenance personnel can configure and manage the authority of a plurality of service applications on a unified platform, and the authority management efficiency is improved.
Specifically, when the data access instruction is monitored, the authority management application sends an authority verification request to the first server according to the data access instruction. The first server determines the user role of the corresponding target user according to the user identifier carried by the permission verification request. The user role is role information reflecting the scope of the user's authority. The first server prestores the correspondence between the various user roles and their operation authority in different service applications. The permission verification request also carries an application identifier of the service application. The first server judges, according to this correspondence, whether the target user has the operation authority for the service application corresponding to the application identifier. Only when the operation right for the service application exists does the first server perform the subsequent target data pulling operation, which improves the security of the target data.
Further, when the operation right for the service application is possessed, the first server obtains the individual organization structure tree of the target user, in which the organization node to which the target user belongs and the cross-department organization nodes corresponding to the target user are identified.
And step 208, taking the organization node corresponding to the target user as the current-level organization node and traversing whether each organization node in the organization structure tree has the access right to the target data corresponding to the data identifier, down to the organization node of the lowest level.
The first server traverses a plurality of levels of organizational nodes in the organizational structure tree. Specifically, the first server takes the organization node corresponding to the target user as a current level organization node, and verifies whether the next level organization node connected to the current level organization node has an access right to the target data corresponding to the data identifier. And if the next-level organization node has the access right to the target data, stopping traversal, and judging that the target user also has the access right to the target data. And if the next-level organization node does not have the access right to the target data, verifying whether the next-level organization node of the next-level organization node has the access right to the target data corresponding to the data identification. This is repeated until at least one lower level organizational node directly or indirectly connected to the current level organizational node is found to have access to the target data. And if the low-level organization node which is directly or indirectly connected with the current-level organization node and has the access right to the target data is not found after traversing to the organization node of the lowest level, judging that the target user does not have the access right to the target data.
And step 210, when one or more lower-level organization nodes directly or indirectly connected with the current-level organization node have the access right to the target data, displaying the target data.
In one embodiment, monitoring, by the rights management application, data access instructions triggered based on the business application comprises: when a data access instruction is monitored, sending an authority verification request to the first server based on the authority management application, so that the first server verifies whether the target user has the access authority to the target data and sends a verification result to the second server corresponding to the service application; the displaying of the target data comprises: receiving the target data returned by the second server when the verification result is that the verification is passed.
When the target user is judged to have the access right to the target data, the first server generates a data issuing request according to the user identifier and the data identifier, and sends the data issuing request, according to the application identifier, to the second server corresponding to that service application. The second server pulls the target data corresponding to the data identifier according to the data issuing request and issues the target data to the first terminal corresponding to the user identifier. The first terminal displays the target data in the corresponding service application.
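The two-stage check of steps 204 to 210 and the split between the first server (rights) and the second server (business data), as an added Python example that is not part of the patent text: the role lookup gates the organization-tree traversal, the traversal walks downward from each of the user's organization nodes until the lowest level and stops at the first node with access, and the second server releases data only on a passed verification result. All identifiers, tables and data values are constructed; the example also treats the user's own organization node as in scope for the check, which the text does not state explicitly.

```python
from __future__ import annotations
from collections import deque

# ---- first server: rights management data (constructed) -------------------
# Operation rights per business application, by role.
ROLE_OPERATION_RIGHTS = {
    "app_office": {"manager", "staff"},
    "app_pay": {"manager"},
}
USER_ROLES = {"userA": "staff", "userB": "manager", "userC": "guest"}

# Personal organization structure tree in the shape of FIG. 3 (made-up ids):
# userA belongs to org3 and has cross-department nodes org5 and org9.
CHILDREN = {"group": ["org1", "org2"], "org1": ["org3", "org5"], "org2": ["org9"],
            "org3": ["org4"], "org4": [], "org5": ["org6"], "org6": [], "org9": []}
USER_ORG_NODES = {"userA": ["org3", "org5", "org9"], "userB": ["org1"], "userC": ["org2"]}

# Access right to data is attached to organization nodes.
ORG_DATA_ACCESS = {"org4": {"doc-1"}, "org6": {"doc-2"}, "org9": {"doc-3"}, "org1": {"doc-4"}}


def has_operation_right(user_id: str, app_id: str) -> bool:
    """Steps 204/206: role lookup, then role -> operation right for the application."""
    role = USER_ROLES.get(user_id)
    return role is not None and role in ROLE_OPERATION_RIGHTS.get(app_id, set())


def subtree_has_access(start: str, data_id: str) -> str | None:
    """Step 208: level-by-level traversal from `start` down to the lowest level.

    Returns the first org node found with access to `data_id`, or None if the
    whole subtree is exhausted. The start node itself is included (assumption).
    """
    queue, seen = deque([start]), set()
    while queue:
        node = queue.popleft()
        if node in seen:          # guards against malformed (cyclic) trees
            continue
        seen.add(node)
        if data_id in ORG_DATA_ACCESS.get(node, set()):
            return node
        queue.extend(CHILDREN.get(node, []))
    return None


def first_server_verify(user_id: str, app_id: str, data_id: str) -> dict:
    """Rights server: operation-right check first; traverse the tree only if it passes."""
    if not has_operation_right(user_id, app_id):
        return {"passed": False, "reason": "no operation right for application"}
    for node in USER_ORG_NODES.get(user_id, []):
        hit = subtree_has_access(node, data_id)
        if hit is not None:
            return {"passed": True, "reason": f"granted via org node {hit} under {node}"}
    return {"passed": False, "reason": "no lower-level org node has access to the data"}


# ---- second server: holds the business data (constructed) ------------------
BUSINESS_DATA = {"doc-1": "quarterly plan", "doc-2": "budget", "doc-3": "roster", "doc-4": "strategy"}


def second_server_issue_data(result: dict, data_id: str) -> str | None:
    """Step 210: the business server issues data only on a passed verification result."""
    if not result.get("passed"):
        return None
    return BUSINESS_DATA.get(data_id)


def access(user_id: str, app_id: str, data_id: str) -> tuple[str | None, str]:
    """Full flow: the terminal's rights plug-in asks the first server, the result
    reaches the second server, which issues or withholds the data."""
    result = first_server_verify(user_id, app_id, data_id)
    return second_server_issue_data(result, data_id), result["reason"]


if __name__ == "__main__":
    for case in [("userA", "app_office", "doc-1"), ("userA", "app_office", "doc-4"),
                 ("userB", "app_office", "doc-2"), ("userA", "app_pay", "doc-1"),
                 ("userC", "app_office", "doc-3")]:
        print(case, "->", access(*case))
```

Two properties of the text fall out of the traversal direction: userB at org1 reaches doc-2 held by org6 (a high-level user simulates lower-level access), while userA at org3 never reaches doc-4 held by org1, because the walk only descends. The role gate also means userC is refused doc-3 before the tree is consulted, even though org9 under userC's node holds it.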
In this process, operation and maintenance personnel can simultaneously configure, manage and control the authorities of a plurality of service applications on a unified rights management platform, while real-time service data remains stored in the respective service applications; data is thus kept decentralized, unified authority management is realized on the premise of ensuring data security and reliability, and the workload of authority management in large-scale groups is effectively reduced.
The control method of the data access authority monitors the data access instruction triggered based on the service application, and automatically triggers verification of the operation authority and the data access authority when the access instruction is monitored; only when the target user is determined to have the operation right for the service application according to the user identifier is the subsequent data access right verification performed, so unnecessary data processing steps are avoided and data processing resources can be saved; the current user's access right to the target data can be verified by traversing, in the preset organization structure tree, the access rights to the target data of the lower-level organization nodes connected with the organization node corresponding to the target user; and only when the verification is passed is the target data displayed, so that the completeness of the target data is improved. In this process the operation authority and the data access authority are separated, which improves the flexibility of authority management, and the organization structure tree is set according to the real group organization architecture, so that it better matches the actual application scenario; based on the organization structure tree, dynamic adjustment and integration of authority among different users can be realized, authority linkage is achieved, high-level users can completely simulate lower-level user access, and authority management efficiency is improved.
In one embodiment, monitoring data access instructions triggered based on a business application comprises: when it is detected that the terminal is currently in an intranet environment, displaying a login entry of the service application; responding to a trigger operation corresponding to the login entry by displaying a first login information input interface; displaying a second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface; logging in to the service application according to the second login information input on the second login information input interface; and monitoring, through the authority management application, a data access instruction triggered based on the service application.
The intranet environment refers to a local area network environment within a limited geographic area. In this embodiment, the intranet environment may specifically refer to a network environment provided by an organization and used inside the organization, such as a school or an enterprise. The coverage area of the intranet is small, so leakage of data from the service application can be avoided to a certain extent, and data security can be guaranteed in certain scenarios. The concept corresponding to the intranet environment is the extranet environment, a wide area network environment with wide coverage, also known as the Internet. The login entry may specifically be a page control in the business application, such as a button or a hyperlink; it may also be a graphic code, such as a two-dimensional code or a bar code.
Specifically, under the scenario that the business application is an application that allows natural people included in an organization to use inside the organization, based on the confidentiality of the internal data of the organization, when the terminal detects that the terminal is currently in an intranet environment, the login entry of the business application is displayed, and leakage of the internal data of the organization can be avoided to a certain extent.
In one embodiment, the login entry of the business application is used by an organization informal member of a target organization to log in to the business application, and is also used by an organization formal member of the target organization to log in to the business application; but an organization formal member of the target organization cannot log in to the service application for an organization informal member of the target organization. It is to be understood that the business application here is an application that an organization allows the natural persons it includes to use inside the organization, and a plurality of different organizations can each set the same application as a business application. When a user logs in to the service application, the user needs to log in based on the member role of the organization to which the user belongs, and the target organization is the organization to which the member role of the user currently logging in to the service application belongs. For example, assuming that user A belongs to both organization 1 and organization 2, user A logs in to the business application either in the organizational role of organization 1 or in the organizational role of organization 2, rather than in a personal role.
Further, the terminal can detect a trigger operation corresponding to the login entry, and when the trigger operation is detected, the first login information input interface of the service application is displayed. The login information is the data by which the user logs in to the service application, such as an application account, a communication number, an e-mail address, a token, and the like.
The terminal displays a second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface. The login information input in the second login information input interface and the login information input in the first login information input interface above are of different kinds. For example, the application account and the password are one type of login information, and the communication number and the verification code are another type. Different first login information may also be the same kind of login information belonging to different rights role objects, for example the communication number and verification code of an official employee of enterprise A versus the communication number and verification code of an outsourced employee of enterprise A.
According to this embodiment, two kinds of login information are combined, so that login safety is improved. Moreover, the login entry of the target application is displayed for login only when the current application is in the intranet environment, so that login safety is further improved.
In one embodiment, the first login information is communication number login information; according to the first login information input on the first login information input interface, displaying a second login information input interface corresponding to the first login information, and the method comprises the following steps: receiving the communication number login information input on the communication number login information input interface; acquiring an organization identification set corresponding to the communication number login information; when the organization identifier set comprises a target organization identifier corresponding to the intranet environment, acquiring identity information corresponding to the communication number login information and associated with the target organization identifier; and displaying a second login information input interface matched with the identity information.
The terminal receives the communication number login information input on the first login information input interface. After the communication number login information passes the check, the server can query the organization identifier set corresponding to the communication number login information and feed the organization identifier set back to the terminal. The organization identifier set is a set comprising a plurality of organization identifiers. An organization identifier is used to identify an organization and may specifically be the name or code of the organization. For example, when the organization is an enterprise, the enterprise name may be the organization identifier. The terminal can check whether the organization identifier set comprises a target organization identifier corresponding to the current intranet environment.
When the organization identifier set comprises the target organization identifier corresponding to the current intranet environment, the object currently logging in is an organization member of the target organization identified by the target organization identifier, and the network environment of the current login is the intranet environment provided by the target organization. The terminal can then acquire the identity information that corresponds to the communication number login information and is associated with the target organization identifier, determine according to that identity information the second login information input interface matching it, and display the second login information input interface.
In this embodiment, the subsequent page display continues only if the object currently logging in is an organization member of the target organization identified by the target organization identifier and the network environment of the current login is an intranet environment provided by the target organization; that is, the interface display and the service application login path corresponding to the applicable authority range are performed, so that data leakage caused by a login user acquiring data outside the user's authority range can be avoided.
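The two-condition gate described above (membership in the organization that provides the current intranet, then a second login interface chosen from the member's identity information), as an added illustration that is not the patent's own code. The directory, the intranet-to-organization mapping, the interface labels and the communication numbers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed directory: communication number -> organization identifier ->
# identity information (the member role that number holds in the organization).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "13800000001": {"enterprise-a": "formal-employee"},
    "13800000002": {"enterprise-a": "outsourced-employee",
                    "enterprise-b": "formal-employee"},
    "13800000003": {"enterprise-b": "formal-employee"},
}

# Constructed mapping: identity information -> second login information input
# interface; formal and outsourced employees get different second-step prompts.
SECOND_LOGIN_INTERFACE: Dict[str, str] = {
    "formal-employee": "account-and-password",
    "outsourced-employee": "sms-verification-code",
}

# Constructed mapping: detected intranet environment -> target organization id.
INTRANET_TARGET_ORG: Dict[str, str] = {
    "10.10.0.0/16": "enterprise-a",
    "10.20.0.0/16": "enterprise-b",
}


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    reason: str
    organization_id: Optional[str] = None
    identity: Optional[str] = None
    second_interface: Optional[str] = None


def organization_identifier_set(comm_number: str) -> FrozenSet[str]:
    """Server-side step: organization identifiers linked to a verified number."""
    return frozenset(DIRECTORY.get(comm_number, {}))


def choose_second_login_interface(comm_number: str,
                                  intranet: Optional[str]) -> LoginDecision:
    """Terminal-side decision between the first and second login steps.

    `intranet` is the intranet environment the terminal detected, or None on
    the extranet, where the login entry is not shown at all.
    """
    if intranet is None or intranet not in INTRANET_TARGET_ORG:
        return LoginDecision(False, "not in a known intranet environment; login entry hidden")
    target_org = INTRANET_TARGET_ORG[intranet]
    org_ids = organization_identifier_set(comm_number)
    if not org_ids:
        return LoginDecision(False, "communication number not linked to any organization")
    # A number may belong to several organizations; login continues only in the
    # member role of the organization that provides the current intranet.
    if target_org not in org_ids:
        return LoginDecision(False, f"not a member of {target_org}", target_org)
    identity = DIRECTORY[comm_number][target_org]
    interface = SECOND_LOGIN_INTERFACE.get(identity)
    if interface is None:
        return LoginDecision(False, f"no second login interface for {identity!r}",
                             target_org, identity)
    return LoginDecision(True, "second login interface selected",
                         target_org, identity, interface)
```

The same number yields a different role and a different second interface depending on which organization's intranet the terminal is on, and is refused outright on an intranet of an organization it does not belong to.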
In one embodiment, the method further comprises: acquiring an organization change instruction triggered based on the authority management application; the organization change instruction comprises an organization change requirement; and adding organization nodes in the organization structure tree to realize organization division or deleting the organization nodes in the organization structure tree to realize organization combination according to the organization change requirement.
When the organization architecture of the group changes, organization changes, such as organization merging or organization splitting, can be initiated based on the rights management application. Specifically, the terminal acquires an organization change instruction. The organization change instruction includes an organization change requirement. Sending an organization change request to a server based on an organization change instruction, so that the server adds an organization node in an organization structure tree of a group according to an organization change requirement to realize organization division; or deleting the organization nodes in the organization structure tree of the group to realize organization combination to obtain the changed group organization structure tree.
Further, the server synchronously updates the organization structure tree of each associated individual according to the changed group organization structure tree. For example, the organization node "bank" may be divided into a "bank in east China" and a "bank in south China", and a user corresponding to the original organization node "bank" needs to be reallocated to one of the "bank in east China" and the "bank in south China". For another example, the "bank in the east China area" and the "bank in the south China area" may be merged into one organization node "bank", and users corresponding to the original organization node "bank in the east China area" and the organization node "bank in the south China area" need to be uniformly summarized to the "bank" node.
In this embodiment, the group organization structure tree responds to the organization change requirement, realizing dynamic control of the organization architecture.
In one embodiment, the method further comprises: acquiring a permission change instruction triggered based on the permission management application; the permission change instruction comprises a user identifier and an authority change requirement; and adding or deleting the connecting edges between the user node corresponding to the user identifier and one or more organization nodes in the organization structure tree according to the authority change instruction.
When a user does not have access right to a certain item of data in a certain service application, a right change requirement can be submitted to operation and maintenance personnel, such as "user A applies for access to target data 2 in service application 1". Specifically, the terminal acquires a permission change instruction triggered by the user based on the permission management application. The permission change instruction comprises the user identifier and the permission change requirement. The terminal sends an authority change request to the server based on the authority change instruction, so that the server adds or deletes a connecting edge between the user node and one or more organization nodes in the personal organization structure tree corresponding to the user identifier according to the authority change requirement, obtaining the changed personal organization structure tree.
In this embodiment, the personal organization structure tree responds to the permission change requirement, realizing dynamic control of the access authority.
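The organization structure tree, the downward traversal used for the data access check, and the organization division, organization combination and connecting-edge changes described in the preceding embodiments, as one added example that is not the patent's own code. The node names, data identifiers and user layout are constructed; the way users and rights move during a split or merge is an assumed model of the "bank" / "bank in east China" / "bank in south China" example above.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set


@dataclass
class OrgNode:
    name: str
    parent: Optional["OrgNode"] = None
    children: List["OrgNode"] = field(default_factory=list)
    data_rights: Set[str] = field(default_factory=set)  # data identifiers this node may access


class OrganizationTree:
    """Group organization structure tree plus the user-to-organization connecting edges."""

    def __init__(self, root_name: str) -> None:
        self.root = OrgNode(root_name)
        self.nodes: Dict[str, OrgNode] = {root_name: self.root}
        self.user_edges: Dict[str, Set[str]] = {}  # user identifier -> org node names

    # -- organization change instruction: add nodes (division) / delete nodes (combination)
    def add_org_node(self, name: str, parent: str) -> OrgNode:
        if name in self.nodes:
            raise ValueError(f"organization node {name!r} already exists")
        node = OrgNode(name, parent=self.nodes[parent])
        self.nodes[parent].children.append(node)
        self.nodes[name] = node
        return node

    def split_org(self, name: str, new_names: List[str], reassign: Dict[str, str]) -> None:
        """Division: new nodes are added below `name`; every user connected to `name`
        is moved to exactly one of them (assumed model). Validates before mutating."""
        affected = [u for u, orgs in self.user_edges.items() if name in orgs]
        missing = [u for u in affected if reassign.get(u) not in new_names]
        if missing:
            raise ValueError(f"users {missing} must be reassigned to one of {new_names}")
        for new in new_names:
            self.add_org_node(new, parent=name)
        for user in affected:
            self.user_edges[user].discard(name)
            self.user_edges[user].add(reassign[user])

    def merge_orgs(self, names: List[str], into: str) -> None:
        """Combination: the listed lowest-level nodes are deleted; their users and
        data rights are summarized into the node `into` (assumed model)."""
        target = self.nodes[into]
        for name in names:
            node = self.nodes[name]
            if node.children or node.parent is None:
                raise ValueError(f"{name!r} is the root or still has lower-level nodes")
            del self.nodes[name]
            node.parent.children.remove(node)
            target.data_rights |= node.data_rights
            for orgs in self.user_edges.values():
                if name in orgs:
                    orgs.discard(name)
                    orgs.add(into)

    # -- permission change instruction: add / delete user-to-organization connecting edges
    def add_user_edge(self, user_id: str, org: str) -> None:
        if org not in self.nodes:
            raise KeyError(org)
        self.user_edges.setdefault(user_id, set()).add(org)

    def remove_user_edge(self, user_id: str, org: str) -> None:
        self.user_edges.get(user_id, set()).discard(org)

    # -- data access right verification
    def _descend(self, node: OrgNode) -> Iterator[OrgNode]:
        """Yield `node` and every lower-level node directly or indirectly connected to it."""
        stack = [node]
        while stack:
            cur = stack.pop()
            yield cur
            stack.extend(cur.children)

    def granting_node(self, user_id: str, data_id: str) -> Optional[str]:
        """Name of the first node at or below one of the user's organization nodes that
        holds the right to data_id; None when the access must be refused."""
        for org in sorted(self.user_edges.get(user_id, ())):
            for node in self._descend(self.nodes[org]):
                if data_id in node.data_rights:
                    return node.name
        return None

    def has_access(self, user_id: str, data_id: str) -> bool:
        return self.granting_node(user_id, data_id) is not None


def build_example_tree() -> OrganizationTree:
    """Constructed group: group -> {bank -> {bank-east, bank-south}, insurance}."""
    t = OrganizationTree("group")
    t.add_org_node("bank", "group")
    t.add_org_node("insurance", "group").data_rights.add("policies")
    t.add_org_node("bank-east", "bank").data_rights.add("ledger-east")
    t.add_org_node("bank-south", "bank").data_rights.add("ledger-south")
    t.add_user_edge("ceo", "group")  # high-level user reaches everything below
    t.add_user_edge("bank-head", "bank")
    t.add_user_edge("east-manager", "bank-east")
    return t
```

Returning the granting node rather than a bare boolean keeps each decision explainable in an audit trail; note that after a division the rights left on the parent node do not flow down, so users reassigned to the new nodes lose access until rights are granted there.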
It should be understood that, although the steps in the flowchart of fig. 2 are shown in order as indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, there is no strict restriction on the order in which these steps are performed, and they may be performed in other orders. Moreover, at least a portion of the steps in fig. 2 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least a portion of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 4, there is provided a control apparatus for data access right, including: an access operation monitoring module 402, an access right verifying module 404 and a target data access module 406, wherein:
an access operation monitoring module 402, configured to monitor a data access instruction triggered based on a service application; the data access instruction carries a user identifier and a data identifier of the data to be accessed.
An access right verifying module 404, configured to determine, when it is determined that the target user has an operation right for the service application according to the role, an organization node corresponding to the target user in a preset organization structure tree; and taking the organization node corresponding to the target user as the current level organization node to traverse whether each organization node in the organization structure tree has the access right to the target data corresponding to the data identification until the organization node of the lowest level.
And a target data access module 406 for exposing the target data when there are one or more lower level organization nodes directly or indirectly connected with the current level organization node having access rights to the target data.
In one embodiment, the access operation monitoring module 402 is further configured to display a login entry of the service application when detecting that the current intranet environment is present; responding to a trigger operation corresponding to a login entry, and displaying a first login information input interface; displaying a second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface; logging in the service application according to the second login information input on the second login information input interface; and monitoring a data access instruction triggered based on the service application through the authority management application.
In one embodiment, the first login information is communication number login information; the access operation monitoring module 402 is further configured to receive the communication number login information input on the communication number login information input interface; acquiring an organization identification set corresponding to the communication number login information; when the organization identification set comprises a target organization identification corresponding to the intranet environment, acquiring identity information which corresponds to the communication number login information and is associated with the target organization identification; and displaying a second login information input interface matched with the identity information.
In an embodiment, the access operation monitoring module 402 is further configured to, when a data access instruction is monitored, send an authorization verification request to the first server based on the authorization management application, so that the first server verifies whether the target user has an authorization to access the target data, and send a verification result to the second server corresponding to the service application; the displaying target data includes: and receiving target data returned by the second server when the verification result is that the verification is passed.
In an embodiment, the apparatus for controlling data access permissions further includes an organization change module 408, configured to obtain an organization change instruction triggered based on the permission management application; the organization change instruction comprises an organization change requirement; and according to the organization change requirement, adding organization nodes in the organization structure tree to realize organization division, or deleting the organization nodes in the organization structure tree to realize organization combination.
In an embodiment, the apparatus for controlling data access rights further includes a rights changing module 410, configured to obtain a rights changing instruction triggered based on a rights management application; the rights changing instruction comprises a user identifier and an authority change requirement; and adding or deleting connecting edges between the user node corresponding to the user identifier and one or more organization nodes in the organization structure tree according to the authority change instruction.
The specific definition of the control device for the data access right can refer to the above definition of the control method for the data access right, and is not described herein again. The modules in the control device for controlling the data access authority can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 5. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of controlling access rights to data. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 4 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of a method for providing control of data access rights according to any one of the embodiments of the present application.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.

Claims (10)

1. A method of controlling data access rights, the method comprising:
monitoring a data access instruction triggered based on a service application; the data access instruction carries a user identifier and a data identifier of data to be accessed;
determining the role of the target user corresponding to the user identification in the service application;
when the target user is determined to have the operation right applied to the business according to the role, determining an organization node corresponding to the target user in a preset organization structure tree;
taking the organization node corresponding to the target user as a current level organization node to traverse whether each organization node in the organization structure tree has the access authority to the target data corresponding to the data identification until the organization node of the lowest level;
and when one or more lower-level organization nodes directly or indirectly connected with the current-level organization node have the access right to the target data, displaying the target data.
2. The method of claim 1, wherein the listening for data access instructions triggered based on a business application comprises:
when the current intranet environment is detected, displaying a login entry of the service application;
responding to a trigger operation corresponding to the login entry, and displaying a first login information input interface;
displaying a second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface;
logging in the service application according to the second login information input on the second login information input interface;
and monitoring a data access instruction triggered based on the service application through the authority management application.
3. The method of claim 2, wherein the first login information is communication number login information; the displaying of the second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface comprises:
receiving the communication number login information input on the communication number login information input interface;
acquiring an organization identification set corresponding to the communication number login information;
when the organization identifier set comprises a target organization identifier corresponding to the intranet environment, acquiring identity information corresponding to the communication number login information and associated with the target organization identifier;
and displaying a second login information input interface matched with the identity information.
4. The method of claim 2, wherein the listening, by the rights management application, for the data access instruction triggered based on the business application comprises:
when the data access instruction is monitored, an authority verification request is sent to a first server based on the authority management application, so that the first server verifies whether a target user has the access authority to the target data, and a verification result is sent to a second server corresponding to the service application;
the presenting the target data comprises:
and receiving target data returned by the second server when the verification result is that the verification is passed.
5. The method of claim 2, further comprising:
acquiring an organization change instruction triggered based on the authority management application; the organization change instruction comprises an organization change requirement;
and according to the organization change requirement, adding organization nodes in the organization structure tree to realize organization division, or deleting the organization nodes in the organization structure tree to realize organization combination.
6. The method of claim 2, further comprising:
acquiring a permission change instruction triggered based on the permission management application; the permission change instruction comprises a user identifier and an authority change requirement;
and newly adding or deleting the connecting edges between the user nodes corresponding to the user identifications and one or more organization nodes in the organization structure tree according to the permission change instruction.
7. An apparatus for controlling access rights to data, the apparatus comprising:
the access operation monitoring module is used for monitoring a data access instruction triggered based on the service application; the data access instruction carries a user identifier and a data identifier of data to be accessed;
the device is used for determining the role of the target user corresponding to the user identifier in the service application;
the device further comprises:
the access authority verification module is used for determining an organization node corresponding to the target user in a preset organization structure tree when the target user is determined to have the operation authority applied to the business according to the role; taking the organization node corresponding to the target user as a current level organization node to traverse whether each organization node in the organization structure tree has the access right to the target data corresponding to the data identification until the organization node of the lowest level;
and the target data access module is used for displaying the target data when one or more low-level organization nodes directly or indirectly connected with the current-level organization node have access rights to the target data.
8. The apparatus according to claim 7, wherein the access operation monitoring module is further configured to, when detecting that the apparatus is currently in an intranet environment, present a login entry of a service application; responding to a trigger operation corresponding to the login entry, and displaying a first login information input interface; displaying a second login information input interface corresponding to the first login information according to the first login information input on the first login information input interface; logging in the service application according to the second login information input on the second login information input interface; and monitoring a data access instruction triggered based on the service application through the authority management application.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
CN201911260175.5A 2019-12-10 2019-12-10 Method and device for controlling data access authority, computer equipment and storage medium Active CN111191210B (en)
Publications (2)

Publication Number Publication Date
CN111191210A CN111191210A (en) 2020-05-22
CN111191210B true CN111191210B (en) 2022-09-27

Family

ID=70710959

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911260175.5A Active CN111191210B (en) 2019-12-10 2019-12-10 Method and device for controlling data access authority, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111191210B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111861392A (en) * 2020-07-16 2020-10-30 北京金和网络股份有限公司 Organization level external relation creating method and device
CN112037048B (en) * 2020-09-03 2024-02-27 中国银行股份有限公司 Online banking application method and device for enterprise users
CN112235298B (en) * 2020-10-14 2022-03-01 国网电子商务有限公司 Data security classification dynamic access control method and device and electronic equipment
CN113761552A (en) * 2021-01-05 2021-12-07 北京沃东天骏信息技术有限公司 Access control method, device, system, server and storage medium
CN112836189B (en) * 2021-02-26 2023-11-14 深圳证券交易所 Third party application access method, terminal and computer readable storage medium
CN113204427A (en) * 2021-05-20 2021-08-03 远景智能国际私人投资有限公司 Resource management method, resource management device, computer equipment and storage medium
CN113204371B (en) * 2021-05-28 2023-09-19 金蝶软件(中国)有限公司 Access control method, related device and storage medium
CN113392423B (en) * 2021-08-17 2021-11-30 深圳市信润富联数字科技有限公司 User authority management method, system and storage medium
CN113660157B (en) * 2021-08-17 2023-04-07 未鲲(上海)科技服务有限公司 Application data processing method and device, computer equipment and storage medium
CN113744105A (en) * 2021-09-08 2021-12-03 数字广东网络建设有限公司 Government affair resource management method, device, equipment and storage medium
CN114389894B (en) * 2022-01-28 2023-12-19 青岛海尔科技有限公司 Authority control method, authority control device, storage medium and computer program product
CN114996746B (en) * 2022-08-01 2022-11-08 太极计算机股份有限公司 Data authority management method and system based on multi-dimensional information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078859A (en) * 2012-12-31 2013-05-01 普天新能源有限责任公司 Service system authority management method, equipment and system
CN103530568A (en) * 2012-07-02 2014-01-22 阿里巴巴集团控股有限公司 Authority control method, device and system
CN108009408A (en) * 2017-12-04 2018-05-08 山东浪潮通软信息科技有限公司 A kind of right management method, device, computer-readable recording medium and storage control
CN108322432A (en) * 2017-12-14 2018-07-24 中国科学院信息工程研究所 A kind of mechanism application rights management method and service system based on tree-like tissue model
CN109656921A (en) * 2018-11-26 2019-04-19 平安科技(深圳)有限公司 Organizational structure data processing method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8132227B2 (en) * 2008-04-11 2012-03-06 International Business Machines Corporation Data management in a computer system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103530568A (en) * 2012-07-02 2014-01-22 阿里巴巴集团控股有限公司 Authority control method, device and system
CN103078859A (en) * 2012-12-31 2013-05-01 普天新能源有限责任公司 Service system authority management method, equipment and system
CN108009408A (en) * 2017-12-04 2018-05-08 山东浪潮通软信息科技有限公司 A kind of right management method, device, computer-readable recording medium and storage control
CN108322432A (en) * 2017-12-14 2018-07-24 中国科学院信息工程研究所 A kind of mechanism application rights management method and service system based on tree-like tissue model
CN109656921A (en) * 2018-11-26 2019-04-19 平安科技(深圳)有限公司 Organizational structure data processing method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN111191210A (en) 2020-05-22

Similar Documents

Publication Publication Date Title
CN111191210B (en) Method and device for controlling data access authority, computer equipment and storage medium
US10848498B2 (en) Systems and methods for dynamic granular access permissions
CN105247531B (en) Providing a managed browser
US9311679B2 (en) Enterprise social media management platform with single sign-on
CN109286633A (en) Single sign-on method, device, computer equipment and storage medium
CN111191221B (en) Configuration method and device of authority resources and computer readable storage medium
CN110535971B (en) Interface configuration processing method, device, equipment and storage medium based on block chain
CN109670768A (en) Rights management method, device, platform and readable storage medium in a multi-service domain
US20140068085A1 (en) Controlling access to resources by hosted entities
US20180218121A1 (en) System and Method for Online Identity Management
US9325711B2 (en) Apparatus and data processing systems for accessing an object
CN110287660A (en) Access right control method, device, equipment and storage medium
CN101573691A (en) Time based permissioning
CN109587154B (en) Digital identity verification method, device, computer equipment and storage medium
CN113079134A (en) Mobile terminal access method, mobile terminal access device, computer equipment and medium
CN109817347A (en) Online diagnosis platform, its rights management method and rights management system
CN111277711A (en) Virtual contact number generation method and device, storage medium and computer equipment
CN110598476A (en) Blockchain-based work evidence storing method and device and computer readable storage medium
US11256661B1 (en) User programmatic interface for supporting data access control in a database system
CN113190322A (en) Page acquisition method, related equipment and medium
CN106487770A (en) Authentication method and authentication device
CN112965955A (en) Data migration method and device, computer equipment and storage medium
CN112560006A (en) Single sign-on method and system under multi-application system
CN109840403B (en) Application login method and device, computer readable storage medium and computer equipment
CN116560863A (en) Task management method and device based on blockchain and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant