CN111767574A - User permission determining method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number
CN111767574A
Authority
CN
China
Prior art keywords
user
database
information
determining
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010602208.6A
Other languages
Chinese (zh)
Inventor
任海媚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals


Abstract

The application provides a user permission determining method and device, electronic equipment and a readable storage medium, and relates to the field of data security. The method comprises the following steps: receiving an access data stream of a user accessing a database; analyzing the access data stream to obtain user access information; and determining the operation authority of the user on the database based on the user access information. According to the scheme, the user access information is obtained from the access data stream, and then the operation authority of the user on the database is determined based on the user access information.

Description

User permission determining method and device, electronic equipment and readable storage medium
Technical Field
The application relates to the field of database security, in particular to a user permission determining method and device, an electronic device and a readable storage medium.
Background
As companies grow, their services multiply, the volume of service data increases, and the access volume of database users rises rapidly. At the same time, as headcount grows, many personnel need to operate the relevant database tables for business reasons, so access rights to different databases need to be opened for different personnel.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for determining user permissions, an electronic device, and a readable storage medium, so as to solve the problem in the prior art that permission allocation is not reasonable due to permission allocation performed by an administrator.
In a first aspect, an embodiment of the present application provides a method for determining user rights, where the method includes: receiving an access data stream of a user accessing a database; analyzing the access data stream to obtain user access information; and determining the operation authority of the user on the database based on the user access information.
In the implementation process, the user access information is acquired from the access data stream, and then the operation authority of the user on the database is determined based on the user access information.
Optionally, the analyzing the access data stream to obtain the user access information includes:
carrying out SQL lexical analysis and SQL syntactic analysis on the access data stream to acquire database parameter information related to the user when accessing the database; and extracting user information from the access data stream;
wherein the user access information includes the database parameter information and the user information.
In the implementation process, the database parameter information in the access data stream is identified through SQL lexical analysis and SQL syntactic analysis, so that the database parameter information can be accurately identified from the access data stream, and the subsequent accurate determination of the operation authority of the user is facilitated.
Optionally, the database parameter information includes at least one of an operation performed by the user on the database, a database type, a database table, and a database instance, and the user information includes an IP address, a port, and a user name.
Optionally, the determining, based on the user access information, the operation authority of the user on the database includes:
counting the operation activity of the user on the object related in the database parameter information based on the user access information;
and determining the operation authority of the user to the object according to the operation activity.
In the implementation process, the operation authority of the user on the object is determined based on the operation activity, so that the operation authority can be determined according to the operation behavior of the user, and more reasonable operation authority can be distributed to the user.
Optionally, the operation activity is characterized by an operation count or an operation frequency, and determining the operation authority of the user on the object according to the operation activity includes:
and when the operation activity reaches a preset activity, determining that the user has the operation authority on the object.
In the implementation process, when the user operates a certain object frequently, that object is one the user needs frequently in the course of work, so the operation authority for the object can be reasonably allocated to the user.
Optionally, after determining the operation authority of the user on the database based on the user access information, the method further includes:
and outputting prompting information for prompting the administrator to allocate the user authority matched with the operation authority to the user.
In the implementation process, corresponding prompt information is output to the administrator, so that suggestions for user right assignment can be provided for the administrator, and data reference can be provided for the administrator.
Optionally, after the obtaining of the user access information, the method further includes:
and acquiring a user access track based on the user access information, and outputting the user access track.
In the implementation process, the access track of the user is obtained, so that the access behavior of the user to the database can be known, and data support can be provided for the user to assign the authority in the subsequent process.
In a second aspect, an embodiment of the present application provides a user right determining apparatus, where the apparatus includes:
the data stream receiving module is used for receiving an access data stream of a user accessing the database;
the data flow analysis module is used for analyzing the access data flow to acquire user access information;
and the permission determining module is used for determining the operation permission of the user on the database based on the user access information.
Optionally, the data stream analysis module is configured to perform SQL lexical analysis and SQL syntax analysis on the access data stream, and acquire database parameter information related to the user accessing the database; and extracting user information from the access data stream;
wherein the user access information includes the database parameter information and the user information.
Optionally, the database parameter information includes at least one of an operation performed by the user on the database, a database type, a database table, and a database instance, and the user information includes an IP address, a port, and a user name.
Optionally, the authority determining module is configured to count, based on the user access information, an operation activity of the user on an object related in the database parameter information; and determining the operation authority of the user to the object according to the operation activity.
Optionally, the operation activity is represented by an operation count or an operation frequency, and the permission determining module is configured to determine that the user has an operation permission for the object when the operation activity reaches a preset activity.
Optionally, the apparatus further comprises:
and the prompt information output module is used for outputting prompt information for prompting the administrator to allocate the user authority matched with the operation authority to the user.
Optionally, the apparatus further comprises:
and the user access track acquisition module is used for acquiring a user access track based on the user access information and outputting the user access track.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor and a memory, where the memory stores computer-readable instructions, and when the computer-readable instructions are executed by the processor, the steps in the method as provided in the first aspect are executed.
In a fourth aspect, embodiments of the present application provide a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs the steps in the method as provided in the first aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an electronic device for executing a user right determining method according to an embodiment of the present application;
fig. 2 is a flowchart of a user right determining method according to an embodiment of the present application;
fig. 3 is a block diagram of a user right determining apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
Compared with the mode of authority distribution through an administrator in the prior art, the method for determining the user authority determines the operation authority by analyzing the user access information, so that the determined operation authority is closer to the access behavior of the user to the database, and the corresponding operation authority can be more reasonably distributed to the user.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an electronic device for executing a user right determining method according to an embodiment of the present application, where the electronic device may include: at least one processor 110, such as a CPU, at least one communication interface 120, at least one memory 130, and at least one communication bus 140. Wherein the communication bus 140 is used for realizing direct connection communication of these components. The communication interface 120 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The memory 130 may be a high-speed RAM memory or a non-volatile memory (e.g., at least one disk memory). Memory 130 may optionally be at least one memory device located remotely from the aforementioned processor. The memory 130 stores computer readable instructions, when the computer readable instructions are executed by the processor 110, the electronic device executes the method process shown in fig. 2, for example, the memory 130 may be configured to store an access data stream for accessing a database and user access information, and the processor 110 may be configured to obtain the access data stream from the memory 130, analyze the access data stream, obtain the user access information, and then determine an operation right of a user on the database based on the user access information.
It will be appreciated that the configuration shown in fig. 1 is merely illustrative and that the electronic device may also include more or fewer components than shown in fig. 1 or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
Referring to fig. 2, fig. 2 is a flowchart of a method for determining user rights according to an embodiment of the present application, where the method includes the following steps:
step S110: and receiving an access data stream of a user accessing the database.
It is to be appreciated that, in order to secure a database, its security may in some cases be ensured by limiting the users' operation rights to it. Taking the database management of an enterprise as an example, financial statement data may be stored in a database. Operations on that data, such as updating, modifying and deleting, are generally performed only by people in the financial department, while other departments, such as the personnel department, have only the authority to view the financial statement data and not the authority to modify or delete it. In this case, appropriate and different operation authorities can be allocated to users in the financial department and users in the personnel department respectively.
It is understood that the above example only refers to one database, in practical application, different databases may be involved, and the operation rights of the same user to different databases may not be consistent. The database may refer to any one database that needs to perform authority management, and for the authority management of each database, the method provided by the present application may be adopted to determine the operation authority of the user.
After determining the database that needs to be subjected to authority management, a monitor program can be installed in the electronic device, and the electronic device is connected to the database through the monitor program. The access data stream for accessing the database is then mirrored to a single port by traffic mirroring, and the electronic device receives the access data stream for accessing the database through that port.
In addition, the raw messages of the user's database access can be captured and protocol analysis performed on them to obtain more detailed information from the raw messages. That detailed information can then be transmitted through message middleware to the data statistics module in the electronic device, so that the data statistics module obtains the access data stream of the user accessing the database.
It should be noted that there may be more than one user accessing the database, and in order to determine the operation authority of each user on the database, user identification information, such as an Internet Protocol (IP) address, a port number, and the like, for characterizing each user may be obtained from the access data stream to the database, so that the access data stream of each user may be screened out based on the user identification information. It should be understood that the user referred to in the embodiment of the present application refers to one of the users accessing the database, that is, the determination method of the operation authority for each user is the same, so for convenience of description, the embodiment of the present application takes one user as an example for description.
Step S120: and analyzing the access data stream to acquire user access information.
The access data stream generally carries user access information, such as an IP address, a port number, a user name, and information about related operations on the database, so that the access data stream can be analyzed to obtain corresponding user access information.
Step S130: and determining the operation authority of the user on the database based on the user access information.
The user access information generally carries operation behavior information of the user on the database, such as updating operation, deleting operation, checking operation and the like on the database, so that the operation authority of the user on the database can be more accurately determined based on the user access information.
In the embodiment of the application, the step of determining the operation authority of the user on the database may be carried out during a commissioning (trial-run) period, in which the electronic device acquires the user access information, determines the operation authority of the user based on that information, and may then reallocate the corresponding operation authority to the user. When the user subsequently accesses the database, the database may only be operated within the range of that operation authority, so that the security of the database is ensured.
For example, taking the database management of the enterprise as an example, for a certain database, all operation permissions may be opened for all or some designated users in the enterprise within a commissioning time period, that is, the users may perform any operation on the database, and the users may perform related operations on the database according to work needs during a work process, so that the obtained user access information of the users to the database is attached to the work of the users, and the operation permissions of the users determined based on the user access information are also related to the actual operations of the users to the database, which may be beneficial to determining the operation permissions corresponding to each user according to the actual needs of the users, so that more reasonable operation permissions may be allocated to the users.
In the implementation process, the user access information is acquired from the access data stream, and then the operation authority of the user on the database is determined based on the user access information.
As an embodiment, the user access information may include database parameter information and user information, where the database parameter information may be obtained by: and carrying out SQL lexical analysis and SQL syntactic analysis on the access data stream to acquire database parameter information related to the user when accessing the database.
The database parameter information refers to an operation object of an operation performed when a user accesses a database, for example, the operation object may include a database instance, a database table, a database field, and the like, and the operation may refer to a specific operation on the operation object, such as an update, a deletion, a search, and the like. It is to be understood that the database parameter information may include at least one of a database instance, a database table, a database type (such as MySQL, SQL Server, Oracle, etc.), a database field, and a user operation on the database, for example, if the user is only performing an operation on a certain database instance, the database parameter information may only include the database instance and the user operation on the database instance, the database type, and the like.
Since the access data stream generally contains other information as well, after receiving the access data stream the electronic device may first extract the database operation statement from it in order to extract the database parameter information. Since the access data stream generally contains the text of the SQL statement, the database operation statement can be extracted from the SQL statement text. For example, for an operation of creating a database, an example of a corresponding database operation statement is "CREATE DATABASE name", and for an operation of deleting a certain table in the database, an example of a corresponding database operation statement is "DROP TABLE name". That is, the database operation statement refers to a statement for operating on a database table, a database field, a database instance and the like, and includes, but is not limited to, operations such as adding, deleting, searching and updating.
It is understood that according to the data structure of the database operation statement in the above example, a statement with a similar data structure can be extracted from the access data stream as the database operation statement. For example, a certain database operation statement is "SELECT database field xx FROM database table xx", in the embodiment of the present application, the access data stream may be analyzed through SQL syntax analysis and SQL lexical analysis to obtain the above-mentioned database parameter information and corresponding operation information, and for example, the database parameter information includes an operation type "SELECT", a database field "xx", and a database table "xx" as can be identified through SQL syntax analysis and SQL lexical analysis.
The SQL lexical analysis may refer to an SQL lexical analyzer, which is defined in a file scan.l and is responsible for identifying identifiers, SQL keywords and the like. The SQL syntactic analysis may refer to an SQL parser defined in the file gram.y, which contains a set of grammar rules together with the actions performed when a rule is matched (scan.l and gram.y are the file names used by the PostgreSQL parser sources). Therefore, when the database operation statements are identified through SQL lexical analysis and SQL syntactic analysis, the database parameter information in the database operation statements can be accurately identified.
In addition, the user information may be extracted directly from the access data stream. The user information may include an IP address, a port and a user name.
In the implementation process, the database parameter information in the access data stream is identified through SQL lexical analysis and SQL syntactic analysis, so that the database parameter information can be accurately identified from the access data stream, and the subsequent accurate determination of the operation authority of the user is facilitated.
In order to facilitate identification of the operation behavior of each user on the database, after the database parameter information and the user information are obtained, a database instance tag may be determined based on the database parameter information and the user information, and the information may be stored in the cache map. Each database instance tag is used for identifying a unique user, and each user records corresponding information, such as a database table accessed by the user, a database instance, a database type, operation performed, access time, an IP address, a port number and the like.
The obtained database parameter information and the user information are stored in the cache map, and the data access is more efficient based on the storage mode of the memory map.
As an implementation mode, after the database parameter information is obtained, the operation activity of the user on the object involved in the database parameter information can be counted based on the user access information, and then the operation authority of the user on the object involved in the database parameter information is determined according to the operation activity.
The object related in the database parameter information comprises at least one of operation performed by a user, a database type, a database instance and a database table.
The operation activity may be understood as the frequency or number of times that the user accesses these objects. In the cache map, the number of times the user performs each operation, the number of times the user accesses the database, the number of times the user accesses each database table or database instance, and the like may be counted in real time. For example, if the operations performed by the user include updating, searching and deleting, then by analyzing the user access data stream in real time the cache map may add 1 to the count of update operations each time the user performs an update, and add 1 to the count of accesses to a database table each time the user accesses that table. The specific statistical information is shown in the following table:
[Table (two figure images, not extracted): per-user statistics of operation counts and accessed database tables/instances]
the data in the table is stored based on each user, that is, after the electronic device obtains user access information, when the corresponding information is stored in the cache map, it may be first found whether the relevant information of the user is already stored in the cache map, if so, the relevant information corresponding to the user may be directly updated, such as the number of updates, etc., and if not, an information record of the user may be created in the cache map, and then the relevant information of the user may be recorded.
The counted number of times in the table may represent the operation activity of the user for each corresponding operation, and of course, the operation activity may also be represented by frequency, where the frequency is the number of times the user operates the object in a unit time, or the operation activity may also be represented by other manners, such as performing corresponding conversion on the total number of times of the operations in the table, where, for example, the number of times is 0-10, the corresponding operation activity is 1, the operation activity corresponding to 11-20 is 2, and the greater the operation activity, the more frequent the operation performed on the object by the user is. It should be understood that there are other ways to characterize operational activity, which are not listed here.
In order to facilitate data analysis, the information counted in the table can be put into a cache, so that the electronic device can conveniently and quickly call the content in the cache to determine the operation authority of the user.
In a specific implementation process, when determining an operation right of a user for an object according to an operation activity, if the operation activity of a certain user for a certain database table is high, it may be determined that the user has an operation right for the database, or if the number of selection operations and insertion operations performed by a certain user is high, it may be determined that the user has an operation right for performing selection operations and insertion operations on the database, and the user does not have an operation right for performing operations such as creation operations and deletion operations on the database.
In the implementation process, the operation authority of the user on the object is determined based on the operation activity, so that the operation authority can be determined according to the operation behavior of the user, and more reasonable operation authority can be distributed to the user.
As an implementation manner, when the operation activity is represented by an operation count or an operation frequency, it may be determined that the user has the operation right for the corresponding object when the operation activity reaches the preset activity.
For example, when the number of times of the selection operation performed by a certain user reaches a preset number of times, or the frequency of the selection operation performed by the user reaches a preset frequency, it is determined that the user has the right of the selection operation. Of course, when the operation activity of the user on a certain object does not reach the preset activity, it is determined that the user does not have the operation authority on the object, and in this way, the operation authority of the user on each object can be determined based on the user access information of each user.
It can be understood that the operation authority of the user may apply not only to the database, but also to a certain database table or a certain database field, and the like, so the operation authority may also be determined from the operation activity at a finer granularity. For example, the operation authority may be determined by combining the object and the operation: if the number of updates by a certain user reaches a preset number, but the number of accesses to a database table does not reach the preset number, and the user's update operations refer to updates of the database table and updates of the database instance, then it may be determined that the user does not have update authority for the database table; and if the number of accesses to the database instance reaches the preset number, it may be determined that the user has update authority for the database instance. For other determination manners, the operation authority of the user may be determined in a manner similar to the foregoing example, which is not illustrated here.
In the implementation process, when the user frequently operates a certain object, the user frequently operates the object in the working process, so that the operation authority of the object can be reasonably allocated to the user.
In one embodiment, after determining the operation authority of the user, prompt information for prompting the administrator to assign the user authority matching the determined operation authority to the user may be output to the administrator.
That is, after the operation permission has been determined, an administrator may still need to decide whether the corresponding user permission should actually be assigned. The electronic device therefore outputs prompt information to the administrator that includes the determined operation permission, suggesting that the matching user permission be assigned; in this way a more reasonable user permission is assigned and permission abuse is avoided.
Alternatively, after determining the operation permission, the electronic device may configure the corresponding user permission for the user directly, without further review by an administrator.
Outputting prompt information to the administrator thus provides a concrete suggestion for user permission assignment, backed by the observed access data.
As an embodiment, after obtaining the user access information, the user access track may be further obtained based on the user access information, and the user access track is output.
The user access track is the user's operation trajectory on the database: which operations the user performed at which points in time, which database tables were accessed, and when the activity ended. The electronic device extracts this information from the user access information, orders it chronologically to form the track, and outputs it to the administrator or renders it on a display module. The administrator can thereby see each user's access track, which supports the decision of which user rights to allocate.
In addition, the electronic device can build a user portrait from the user access track together with the user access information and send it to the administrator. The portrait summarises the user's operating habits on the database, making it easy to manage each user's access behaviour and to analyse the user's permission characteristics quickly, so that appropriate user permissions are allocated and permission abuse is avoided.
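The following Python example, added here for illustration and not code from the patent or its applicants, walks through the whole pipeline described in this section: lexical and syntax analysis of SQL from the access data stream, counting operation activity per user and per (object, operation) at table and instance level (the finer-grained determination discussed above), the preset-activity threshold expressed as either a count or a frequency, the administrator prompt, and the time-ordered access track and user portrait described in the two preceding paragraphs. The patent specifies none of the record format, the parser, the threshold values or the prompt wording; the `SAMPLE_STREAM` records are constructed, the tokenizer is a deliberately minimal stand-in for a full SQL grammar, and every function name and the "suggest GRANT" phrasing are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of an access data stream, in the form a database proxy or
# audit tap would deliver it: (timestamp, user name, client IP, client port,
# database instance, SQL text). These are made-up records for illustration.
SAMPLE_STREAM = [
    ("2020-06-28 09:01:10", "alice", "10.0.0.5", 3306, "orders_db", "SELECT id, total FROM orders WHERE id = 7"),
    ("2020-06-28 09:03:42", "alice", "10.0.0.5", 3306, "orders_db", "select * from customers where vip = 1"),
    ("2020-06-28 09:10:05", "alice", "10.0.0.5", 3306, "orders_db", "UPDATE orders SET total = 99 WHERE id = 7"),
    ("2020-06-28 09:12:00", "alice", "10.0.0.5", 3306, "orders_db", "SELECT count(*) FROM orders"),
    ("2020-06-28 09:15:31", "alice", "10.0.0.5", 3306, "orders_db", "SELECT name FROM customers"),
    ("2020-06-28 10:20:00", "bob", "10.0.0.9", 3306, "orders_db", "DELETE FROM orders WHERE id = 3"),
    ("2020-06-28 10:25:00", "bob", "10.0.0.9", 3306, "orders_db", "INSERT INTO audit_log (msg) VALUES ('x')"),
    ("2020-06-28 10:30:00", "bob", "10.0.0.9", 3306, "orders_db", "SELECT * FROM orders"),
]

# Lexical analysis: split SQL text into string literals, identifiers, numbers and
# single-character punctuation. A real deployment would use a full SQL grammar.
_TOKEN = re.compile(r"'[^']*'|[A-Za-z_][\w.]*|\d+|[^\s\w]")

def tokenize(sql):
    return _TOKEN.findall(sql)

def parse_sql(sql):
    """Syntax analysis for the four DML statement kinds: returns (operation, table).
    The table is the identifier after FROM (SELECT/DELETE), after INTO (INSERT),
    or directly after UPDATE; None if the statement does not follow that shape."""
    toks = tokenize(sql)
    if not toks:
        return None, None
    op = toks[0].upper()
    upper = [t.upper() for t in toks]
    if op == "UPDATE":
        return op, (toks[1].lower() if len(toks) > 1 else None)
    anchor = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO"}.get(op)
    if anchor in upper and upper.index(anchor) + 1 < len(toks):
        return op, toks[upper.index(anchor) + 1].lower()
    return op, None

def analyse_stream(stream):
    """Turns the raw stream into user access information: user information
    (name, IP, port) plus database parameter information (instance, table, operation)."""
    records = []
    for ts, user, ip, port, instance, sql in stream:
        op, table = parse_sql(sql)
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "ip": ip, "port": port,
                        "instance": instance, "table": table, "operation": op})
    return records

def count_activity(records, level="table"):
    """Operation activity per user, keyed by (object..., operation). With level="table"
    the object is (instance, table); with level="instance" it is the instance alone,
    the coarser count that the description contrasts with the table-level one."""
    activity = defaultdict(Counter)
    for r in records:
        obj = (r["instance"], r["table"]) if level == "table" else (r["instance"],)
        activity[r["user"]][obj + (r["operation"],)] += 1
    return activity

def determine_rights(activity, preset, window_hours=None):
    """A key whose activity reaches the preset value is treated as a right the user
    needs. With window_hours set, activity is a frequency (operations per hour over
    the observation window) instead of a raw count."""
    rights = {}
    for user, counter in activity.items():
        rights[user] = sorted(key for key, n in counter.items()
                              if (n / window_hours if window_hours else n) >= preset)
    return rights

def admin_prompt(rights):
    """Prompt information for the administrator: one suggested grant per determined right."""
    return [f"suggest GRANT {key[-1]} ON {'.'.join(str(k) for k in key[:-1])} TO {user}"
            for user, keys in sorted(rights.items()) for key in keys]

def access_track(records, user):
    """Time-ordered operation track of one user: when, which operation, which table."""
    mine = sorted((r for r in records if r["user"] == user), key=lambda r: r["time"])
    return [(r["time"].strftime("%H:%M:%S"), r["operation"], r["table"]) for r in mine]

def user_profile(records, user):
    """Summary the description calls a user portrait: sources, operation and table habits."""
    mine = [r for r in records if r["user"] == user]
    return {"sources": sorted({(r["ip"], r["port"]) for r in mine}),
            "operations": dict(Counter(r["operation"] for r in mine)),
            "tables": dict(Counter(r["table"] for r in mine)),
            "span": (min(r["time"] for r in mine), max(r["time"] for r in mine))}

if __name__ == "__main__":
    recs = analyse_stream(SAMPLE_STREAM)
    rights = determine_rights(count_activity(recs), preset=2)
    print("\n".join(admin_prompt(rights)))        # alice: SELECT on customers and orders only
    print(access_track(recs, "alice"))
    print(user_profile(recs, "alice"))
```

With a preset activity of 2, alice's single UPDATE on `orders` does not reach the threshold at table level and is not recommended, while her SELECTs on `orders` and `customers` are; the same records counted at instance level recommend SELECT on `orders_db` as a whole. One design point to keep in mind when applying the method: it ratifies whatever the user was observed doing, so the observation window should cover a period in which the user's existing grants had already been reviewed, otherwise habitual use of an over-broad grant simply gets recommended back to the administrator.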
Referring to fig. 3, fig. 3 is a block diagram of a user authority determining apparatus 200 according to an embodiment of the present application; the apparatus 200 may be a module, a program segment or a piece of code on an electronic device. The apparatus 200 corresponds to the method embodiment of fig. 2 and can perform the steps of that embodiment; its specific functions are as described above and are not repeated here.
Optionally, the apparatus 200 comprises:
a data stream receiving module 210, configured to receive an access data stream for a user to access a database;
the data flow analysis module 220 is configured to analyze the access data flow to obtain user access information;
and the authority determining module 230 is configured to determine, based on the user access information, an operation authority of the user on the database.
Optionally, the data stream analysis module 220 is configured to perform SQL lexical analysis and SQL syntax analysis on the access data stream to obtain database parameter information relating to the user's access to the database, and to extract user information from the access data stream;
wherein the user access information includes the database parameter information and the user information.
Optionally, the database parameter information includes at least one of an operation performed by the user on the database, a database type, a database table, and a database instance, and the user information includes an IP address, a port, and a user name.
Optionally, the permission determining module 230 is configured to count the operation activity of the user on the object involved in the database parameter information based on the user access information; and determining the operation authority of the user to the object according to the operation activity.
Optionally, the operation activity is represented by a number of operations or an operation frequency, and the permission determining module 230 is configured to determine that the user has operation permission for the object when the operation activity reaches a preset activity.
Optionally, the apparatus 200 further comprises:
and the prompt information output module is used for outputting prompt information for prompting the administrator to allocate the user authority matched with the operation authority to the user.
Optionally, the apparatus 200 further comprises:
and the user access track acquisition module is used for acquiring a user access track based on the user access information and outputting the user access track.
An embodiment of the present application provides a readable storage medium storing a computer program which, when executed by a processor, performs the method steps performed by the electronic device in the method embodiment shown in fig. 2.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above-described method embodiments, for example, comprising: receiving an access data stream of a user accessing a database; analyzing the access data stream to obtain user access information; and determining the operation authority of the user on the database based on the user access information.
In summary, embodiments of the present application provide a method and an apparatus for determining user permissions, an electronic device, and a readable storage medium, where user access information is obtained from an access data stream, and then an operation permission of a user on a database is determined based on the user access information.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for determining user rights, the method comprising:
receiving an access data stream of a user accessing a database;
analyzing the access data stream to obtain user access information;
and determining the operation authority of the user on the database based on the user access information.
2. The method of claim 1, wherein analyzing the access data stream to obtain user access information comprises:
performing SQL lexical analysis and SQL syntax analysis on the access data stream to obtain database parameter information relating to the user's access to the database; and
extracting user information from the access data stream;
wherein the user access information includes the database parameter information and the user information.
3. The method of claim 2, wherein the database parameter information comprises at least one of an operation performed on the database by the user, a database type, a database table, and a database instance, and wherein the user information comprises an IP address, a port, and a user name.
4. The method of claim 3, wherein the determining the operation authority of the user on the database based on the user access information comprises:
counting the operation activity of the user on the object related in the database parameter information based on the user access information;
and determining the operation authority of the user to the object according to the operation activity.
5. The method of claim 4, wherein the operation activity is characterized by a number of operations or a frequency of operations, and the determining the operation authority of the user on the object according to the operation activity comprises:
and when the operation activity reaches a preset activity, determining that the user has the operation authority on the object.
6. The method according to any one of claims 1-5, wherein the method further comprises, after determining the operation authority of the user on the database based on the user access information:
and outputting prompting information for prompting the administrator to allocate the user authority matched with the operation authority to the user.
7. The method according to any one of claims 1-5, wherein the method further comprises, after obtaining the user access information:
and acquiring a user access track based on the user access information, and outputting the user access track.
8. A user right determining apparatus, characterized in that the apparatus comprises:
the data stream receiving module is used for receiving an access data stream of a user accessing the database;
the data flow analysis module is used for analyzing the access data flow to acquire user access information;
and the permission determining module is used for determining the operation permission of the user on the database based on the user access information.
9. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-7.
10. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN202010602208.6A 2020-06-28 2020-06-28 User permission determining method and device, electronic equipment and readable storage medium Pending CN111767574A (en)

Publications (1)

Publication Number Publication Date
CN111767574A true CN111767574A (en) 2020-10-13

Family

ID=72722511

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060070124A1 (en) * 2004-09-29 2006-03-30 Bayer Business Services Gmbh Rights management
CN104125335A (en) * 2014-06-24 2014-10-29 小米科技有限责任公司 Method, device and system for managing authority
CN109766686A (en) * 2018-04-25 2019-05-17 新华三大数据技术有限公司 Rights management
CN109460644A (en) * 2018-10-22 2019-03-12 平安科技(深圳)有限公司 A kind of determination method and apparatus of user right
CN111200595A (en) * 2019-12-20 2020-05-26 北京淇瑀信息科技有限公司 Authority management method and device for accessing container and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yin Weimin et al. (尹为民等人): "Database Principles and Technology: Typical Problem Solutions and Practicum Guide" (数据库原理与技术典型题解与实习指导), Wuhan University Press (武汉大学出版社), pages 165-166 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292272A (en) * 2021-12-31 2022-11-04 广东美云智数科技有限公司 Enterprise-level authority management method, system, electronic device and storage medium
CN114882974A (en) * 2022-05-27 2022-08-09 江苏智慧智能软件科技有限公司 Psychological diagnosis database access artificial intelligence verification system and method
CN114882974B (en) * 2022-05-27 2023-04-18 江苏智慧智能软件科技有限公司 Psychological diagnosis database access artificial intelligence verification system and method
CN115242516A (en) * 2022-07-25 2022-10-25 北京自如信息科技有限公司 Access authority management method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination