CN112199624A - Data access control method, device, electronic device and storage medium - Google Patents


Info

Publication number
CN112199624A
Authority
CN
China
Prior art keywords
data
sensitive data
sensitivity
type
sensitive
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202011078883.XA
Other languages
Chinese (zh)
Inventor
邵宛岩
范渊
鲁凌菁
刘博�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]

Abstract

The application relates to a data access control method, a data access control device, an electronic device and a storage medium. The data access control method comprises the following steps: receiving response data returned for a preset user's external access according to a URL; detecting first sensitive data in the response data, wherein the first sensitive data is sensitive data corresponding to preset sensitive data; in the event that first sensitive data is detected, determining a sensitivity of the first sensitive data; and determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type. The method and the device solve the problems of complex and costly data access control in the related art, simplifying data access control and reducing its cost.

Description

Data access control method, device, electronic device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data access control method, apparatus, electronic apparatus, and storage medium.
Background
With the popularization and development of internet applications, data on the internet has become fast-moving, huge in volume and diverse, and managing it effectively, reasonably, legally and compliantly has become a problem that urgently needs solving. In a network environment, some of the data in circulation can be shared, some cannot be shared, and some should be shared only with authorization. However, as the data changes, the security requirements of the network environment change too, and current application systems have a data management problem in that they cannot meet those requirements. For example, a current application system manages roles, and data that may not be accessed is completely shielded from the role. In a changed environment, data management may place different requirements on the system, so the system has to be modified; at the same time the management scope changes and some data also needs to be accessed temporarily, which results in a large cost. Therefore, a data management method that can satisfy the security requirements of the network environment without changing the application system is needed.
At present, no effective solution is provided for the problems of complex data access control and high cost in the related technology.
Disclosure of Invention
The embodiment of the application provides a data access control method, a data access control device, an electronic device and a storage medium, and aims to at least solve the problems of complex data access control and high cost in the related art.
In a first aspect, an embodiment of the present application provides a data access control method, including:
receiving response data returned for a preset user's external access according to a URL;
detecting first sensitive data in the response data, wherein the first sensitive data are sensitive data corresponding to preset sensitive data;
determining a sensitivity of the first sensitive data in a case where the first sensitive data is detected;
and determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type.
In one embodiment, detecting the first sensitive data in the response data comprises:
extracting data information of the response data, wherein the data information at least comprises a data field;
detecting first data information in the data information, wherein the first data information at least comprises a preset sensitive data field;
and under the condition that the first data information is detected, determining that the response data corresponding to the first data information is the first sensitive data.
In one embodiment, determining the sensitivity of the first sensitive data comprises:
acquiring a preset sensitivity parameter table, wherein the preset sensitivity parameter table comprises corresponding relation information of sensitive data and sensitivity of the sensitive data;
and inquiring the sensitivity corresponding to the first sensitive data in the preset sensitivity parameter table.
In one embodiment, determining the sensitivity type of the first sensitive data based on the sensitivity comprises:
acquiring a preset sensitive type parameter table, wherein the preset sensitive type parameter table comprises a corresponding relation among sensitive data, sensitivity and a sensitive type;
and inquiring the sensitivity type of the first sensitive data corresponding to the sensitivity in the preset sensitivity type parameter table.
In one embodiment, the performing data access control processing according to the sensitive type of the first sensitive data includes:
determining a sensitivity type of the first sensitive data;
performing fuzzy processing on the first sensitive data under the condition that the sensitivity type of the first sensitive data is determined to be a desensitization type, wherein the fuzzy processing at least comprises a mask;
in the case that the sensitivity type of the first sensitive data is determined to be an immune type or a semi-desensitization type, the first sensitive data is retained.
In one embodiment, after the data access control processing is performed according to the sensitive type of the first sensitive data, the method further includes:
receiving request information requested to be displayed by a preset user, wherein the request information at least comprises target information of sensitive data requested to be displayed;
selecting second sensitive data according to the target information, wherein the second sensitive data comprise the first sensitive data which finish data access control processing;
determining the sensitivity type of the second sensitive data, and displaying the second sensitive data under the condition that the sensitivity type of the second sensitive data is determined to be a first sensitivity type, wherein the first sensitivity type comprises one of the following: desensitization type, immune type.
In one embodiment, the method further comprises:
under the condition that the sensitivity type of the second sensitive data is determined to be a second sensitivity type, reading authorization authority in the request information, wherein the second sensitivity type comprises a semi-desensitization type, and the authorization authority comprises permission for displaying the second sensitive data;
and displaying the second sensitive data under the condition that the authorization authority is read.
In a second aspect, an embodiment of the present application provides a data access control apparatus, where the apparatus includes:
a receiving module, configured to receive response data returned for a preset user's external access according to a URL;
a detection module for detecting first sensitive data in the response data;
the determining module is used for determining the sensitivity of the first sensitive data under the condition that the first sensitive data is detected;
and the processing module is used for determining the sensitivity type of the first sensitive data based on the sensitivity and performing data access control processing according to the sensitivity type of the first sensitive data.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor implements the data access control method according to the first aspect when executing the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the data access control method of the first aspect.
Compared with the related art, the data access control method, data access control device, electronic device and storage medium provided by the embodiments of the application receive response data accessed by a preset user according to a URL, detect first sensitive data in the response data, determine the sensitivity of the first sensitive data when it is detected, determine the sensitive type of the first sensitive data based on that sensitivity, and perform data access control processing according to that sensitive type. Identification of the sensitive data in the request is thereby completed automatically, which is more efficient than the related art; the implementation cost of the scheme is reduced, efficiency is improved, and the problems of complex and costly data access control in the related art are solved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware structure of a terminal of a data access control method according to an embodiment of the present application;
FIG. 2 is a flow chart of a data access control method according to an embodiment of the application;
FIG. 3 is a flow chart of a data access control method according to a first preferred embodiment of the present application;
FIG. 4 is a flow chart of a data access control method according to a second preferred embodiment of the present application;
FIG. 5 is a flow chart of a data access control method according to a third preferred embodiment of the present application;
FIG. 6 is a flow chart of a data access control method according to a fourth preferred embodiment of the present application;
FIG. 7 is a flow chart of a data access control method according to a fifth preferred embodiment of the present application;
fig. 8 is a block diagram of a data access control device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
Access control (Access Control) has abundant application scenarios in various electronic devices such as computers and mobile phones. Access control refers to a means of limiting a system's ability to use data resources according to user identities and the predefined policy groups to which those identities belong. It is commonly used by system administrators to control user access to network resources such as servers, directories and files. Access control is an important basis for system confidentiality, integrity, availability and legality, is one of the key policies of network security and resource protection, and consists of granting a subject differentiated authorized access to an object or its resources according to certain control policies or authorities. Conceptually, access control involves three notions, user identities, policy groups and data resources, which also constitute the three elements of access control. In the field of data access control, the existing application system manages roles, and data that may not be accessed is completely shielded from the role.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking an example of the operation on a terminal, fig. 1 is a hardware structure block diagram of the terminal of the data access control method according to the embodiment of the present invention. As shown in fig. 1, the terminal may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the data access control method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The embodiment provides a data access control method. Fig. 2 is a flowchart of a data access control method according to an embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, receiving response data returned for a preset user's external access according to the URL.
In this embodiment, the controller receives the response data returned for the preset user's external access according to the URL. Before receiving it, the controller itself performs the external access according to the URL to obtain the returned response data, so all data received by the preset user can be obtained in this step, which provides the data basis for the processing in the subsequent steps.
Step S202, detecting first sensitive data in the response data, where the first sensitive data is sensitive data corresponding to preset sensitive data.
In this embodiment, before detecting the first sensitive data, the manager may preset the preset sensitive data, which includes all data determined to be sensitive data, for comparing with the acquired data.
In step S203, in the case that the first sensitive data is detected, the sensitivity of the first sensitive data is determined.
In this embodiment, when the system detects the first sensitive data, the first sensitive data is compared with the preset sensitive data, and the sensitivity of the first sensitive data is determined according to the overlapping ratio of the first sensitive data and the preset sensitive data.
Step S204, determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type.
In this embodiment, the administrator presets three sensitivity types, namely an immunity type, a desensitization type and a semi-desensitization type. The sensitivity type of the first sensitive data is determined as follows: the sensitivity of the first sensitive data is obtained by calculating the coincidence ratio of the first sensitive data to the preset sensitive data; the first sensitive data is determined to be of the desensitization type when the coincidence ratio is higher than a certain preset coincidence value, and of the immunity type or the semi-desensitization type when the coincidence ratio falls at the other preset values.
Through steps S201 to S204, response data returned for a preset user's external access according to the URL is received; first sensitive data is detected in the response data, wherein the first sensitive data is sensitive data corresponding to preset sensitive data; in the event that first sensitive data is detected, its sensitivity is determined; and the sensitivity type of the first sensitive data is determined based on the sensitivity and data access control processing is performed according to that sensitivity type, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type. Effective control of the data a user accesses is thus realized, and the problems of high cost and complexity in data access control are solved.
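The following is an added example, not the patent's own code: a constructed Python model of steps S201 to S204 together with the display stage of the first aspect (second sensitive data selected by target information, semi-desensitization type shown only with authorization). The field names, sensitivity values, type thresholds, the masking rule and the request keys `targets` and `authorization` are all assumptions standing in for the administrator-defined parameter tables.

```python
"""Constructed model of the CN112199624A pipeline (added example, not the
patent's code): detect preset sensitive fields in a URL response, look up
sensitivity, map it to a sensitive type, mask the desensitization type and
gate display of the semi-desensitization type on request authorization."""
from typing import Any

IMMUNE = "immune"
DESENSITIZE = "desensitization"
SEMI = "semi-desensitization"

# "Preset sensitivity parameter table": preset sensitive data field -> sensitivity.
# Field names and values are constructed; the patent leaves them to the administrator.
SENSITIVITY_TABLE: dict[str, float] = {
    "id_number": 0.95,
    "phone": 0.80,
    "email": 0.60,
    "nickname": 0.20,
}

# "Preset sensitive type parameter table": lowest sensitivity that maps to each
# type, checked from highest to lowest. Thresholds are constructed.
TYPE_THRESHOLDS: list[tuple[float, str]] = [
    (0.75, DESENSITIZE),
    (0.40, SEMI),
    (0.00, IMMUNE),
]

# Constructed response data, as returned for a user's access according to a URL.
SAMPLE_RESPONSE: dict[str, Any] = {
    "user_id": 1001,
    "id_number": "11010119900307123X",
    "phone": "13800138000",
    "email": "alice@example.com",
    "nickname": "alice",
    "order_total": 199.0,
}


def detect_first_sensitive_data(response: dict[str, Any]) -> dict[str, str]:
    """Steps S202/S303: map each response field whose name contains all or part
    of a preset sensitive data field onto the preset field it matched."""
    hits: dict[str, str] = {}
    for field in response:
        for preset in SENSITIVITY_TABLE:
            if preset in field.lower():
                hits[field] = preset
                break
    return hits


def determine_sensitivity(preset_field: str) -> float:
    """Steps S403/S404: query the preset sensitivity parameter table."""
    return SENSITIVITY_TABLE[preset_field]


def determine_type(sensitivity: float) -> str:
    """Steps S504/S505: map a sensitivity onto one of the three sensitive types."""
    for threshold, kind in TYPE_THRESHOLDS:
        if sensitivity >= threshold:
            return kind
    return IMMUNE


def mask(value: Any) -> str:
    """The patent's 'fuzzy processing ... at least comprises a mask': keep the
    first and last character and replace everything in between with '*'."""
    text = str(value)
    if len(text) <= 2:
        return "*" * len(text)
    return text[0] + "*" * (len(text) - 2) + text[-1]


def access_control(response: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Steps S201 to S204 on one response: classify every detected field and
    apply per-type processing. Desensitization type is masked; immune and
    semi-desensitization types are retained (semi is decided at display time)."""
    controlled: dict[str, dict[str, Any]] = {}
    for field, preset in detect_first_sensitive_data(response).items():
        kind = determine_type(determine_sensitivity(preset))
        value = mask(response[field]) if kind == DESENSITIZE else response[field]
        controlled[field] = {"type": kind, "value": value}
    return controlled


def display(controlled: dict[str, dict[str, Any]], request: dict[str, Any]) -> dict[str, Any]:
    """Display stage: 'targets' selects the second sensitive data; immune and
    desensitized fields are always shown, semi-desensitized fields only when
    the request carries the display permission."""
    targets = request.get("targets") or list(controlled)
    authorized = bool(request.get("authorization", {}).get("display_sensitive"))
    shown: dict[str, Any] = {}
    for field in targets:
        item = controlled.get(field)
        if item is None:
            continue
        if item["type"] in (IMMUNE, DESENSITIZE) or (item["type"] == SEMI and authorized):
            shown[field] = item["value"]
    return shown
```

Without the authorization flag the semi-desensitized `email` field is withheld entirely rather than masked, which is the distinction the patent draws between the desensitization and semi-desensitization types.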
The embodiment has the following beneficial effects:
1. The method and the device can classify sensitive data and manage it at fine granularity, which is closer to users' requirements.
2. The method and the device can automatically complete the identification of the sensitive data in the request, and have higher efficiency compared with the related technology.
3. According to the method and the system, the management of the sensitive data can be realized without modifying the original system, the cost of scheme realization is reduced, and the efficiency is improved.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Fig. 3 is a flowchart of a data access control method according to a first preferred embodiment of the present application. As shown in fig. 3, the data access control method includes the steps of:
step S301, receiving response data returned for a preset user's external access according to the URL.
Step S302, extracting data information of the response data, wherein the data information at least includes a data field.
In this embodiment, the response data is result data returned by the server for the user access request, where the response data includes user information, data information, and the like, and the data information in the response data is extracted in this step to provide data information for detection of sensitive data in subsequent steps.
Step S303, detecting first data information in the data information, where the first data information at least includes a preset sensitive data field.
In this embodiment, the first data information refers to data information including all or part of the preset sensitive data field, and the detecting of the first data information is used to compare the preset sensitive data information with the first data information to obtain the sensitive data.
Step S304, in the case that the first data information is detected, determining that response data corresponding to the first data information is first sensitive data.
In this embodiment, the step may perform real-time detection on the first data information, and when the first data information is detected, the first sensitive data corresponding to the first data information may be determined to help the subsequent step determine the sensitivity of the sensitive data.
In step S305, in the case that the first sensitive data is detected, the sensitivity of the first sensitive data is determined.
Step S306, determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type.
Through steps S301 to S306, response data returned for a preset user's external access according to the URL is received; data information of the response data is extracted, wherein the data information at least comprises a data field; first data information is detected in the data information, wherein the first data information at least comprises a preset sensitive data field; when the first data information is detected, the response data corresponding to it is determined to be first sensitive data; when the first sensitive data is detected, its sensitivity is determined; and the sensitivity type of the first sensitive data is determined based on the sensitivity and data access control processing is performed according to that sensitivity type, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type. The first sensitive data can thus be acquired, its sensitivity can then be detected, and finally the different sensitive data can be conveniently classified and displayed according to preset rules, which solves the problem of a single, undifferentiated display mode in data access control.
Fig. 4 is a flowchart of a data access control method according to a second preferred embodiment of the present application, and as shown in fig. 4, the data access control method includes the following steps:
step S401, receiving response data of a preset user accessing to the outside according to the URL.
Step S402, detecting first sensitive data in the response data, where the first sensitive data is sensitive data corresponding to preset sensitive data.
Step S403, acquiring a preset sensitivity parameter table when the first sensitive data is detected, where the preset sensitivity parameter table includes information of a corresponding relationship between the sensitive data and sensitivity of the sensitive data.
In this embodiment, the preset sensitivity parameter table is a sensitivity parameter list containing the corresponding relationship between the sensitivity data and the sensitivity of the sensitivity data, which is preset by the administrator.
Step S404, querying a sensitivity corresponding to the first sensitive data in a preset sensitivity parameter table.
In this embodiment, the sensitivity corresponding to the first sensitive data is queried in the preset sensitivity parameter table. Specifically, the first sensitive data is compared against the sensitive data entries in the preset sensitivity parameter table, and its sensitivity is determined according to the overlap ratio between the first sensitive data and the sensitive data in that table, wherein the ratio calculation method and the classification thresholds for determining sensitivity are preset by the administrator. Through this step the sensitivity value of the first sensitive data is obtained, providing the basis for determining the sensitivity type of the first sensitive data from its sensitivity in the subsequent step.
Step S405, determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type.
Through steps S403 to S405, when the first sensitive data is detected, a preset sensitivity parameter table is acquired, where the preset sensitivity parameter table includes the correspondence between sensitive data and the sensitivity of that sensitive data; the sensitivity corresponding to the first sensitive data is queried in the preset sensitivity parameter table; and the sensitivity type of the first sensitive data is determined based on the sensitivity and data access control processing is performed according to that sensitivity type, where the sensitivity type includes an immunity type, a desensitization type and a semi-desensitization type. The advantage is that the sensitivity of the first sensitive data acquired in the previous step is calculated according to the sensitivity parameter table preset by the administrator, and the first sensitive data is classified into the different sensitivity types the administrator has defined, so that different display modes can be applied to sensitive data of different types, which solves the problem of a single, undifferentiated display mode in data access control.
Fig. 5 is a flowchart of a data access control method according to a third preferred embodiment of the present application, and as shown in fig. 5, the data access control method includes the following steps:
step S501, receiving response data returned for a preset user's external access according to the URL.
Step S502, detecting first sensitive data in the response data, where the first sensitive data is sensitive data corresponding to preset sensitive data.
In step S503, in the case that the first sensitive data is detected, the sensitivity of the first sensitive data is determined.
Step S504, a preset sensitive type parameter table is obtained, wherein the preset sensitive type parameter table comprises the corresponding relation among sensitive data, sensitivity and sensitive types.
In this embodiment, a preset sensitive type parameter table is obtained, where the preset sensitive type parameter table includes the sensitive data types corresponding to different sensitive data, and the corresponding sensitive data types include an immune type, a desensitization type, and a semi-desensitization type. Distinguishing the sensitive data into these three types enables data access control to differentiate and display data of different sensitivities in a changing environment, helps the user obtain more data information, and reduces the complexity of data access control.
Step S505, a sensitivity type of the first sensitive data corresponding to the sensitivity is queried in a preset sensitivity type parameter table.
Through steps S504 to S505, a preset sensitive type parameter table is obtained, where the preset sensitive type parameter table includes the sensitive data types corresponding to different sensitive data. The corresponding sensitive data types comprise three data types: an immunity type, a desensitization type, and a semi-desensitization type. During display, data access control can distinguish between the three sensitive data types, so that data of different sensitivities can be distinguished and displayed in a changing environment, which solves the problems that the user obtains little data information and that data access control is complex.
Fig. 6 is a flowchart of a data access control method according to the fourth preferred embodiment of the present application. As shown in fig. 6, the data access control method includes the steps of:
Step S601, receiving response data of a preset user accessing the outside according to the URL.
Step S602, detecting first sensitive data in the response data, where the first sensitive data is sensitive data corresponding to preset sensitive data.
Step S603, determining the sensitivity of the first sensitive data in case that the first sensitive data is detected.
Step S604, determining a sensitivity type of the first sensitive data based on the sensitivity.
Step S605, determine whether the sensitivity type of the first sensitive data is a desensitization type, an immune type, or a semi-desensitization type.
In this embodiment, the sensitivity type of the first sensitive data is judged, and the sensitive data in each class is subjected to a different mode of access control according to the classification result, so that the user can conveniently obtain more data information.
Step S606, under the condition that the sensitive type of the first sensitive data is determined to be a desensitized type, fuzzy processing is carried out on the first sensitive data.
In this embodiment, the obfuscation includes performing masking on the original sensitive data, where the mask is a sequence of binary bits combined with the target field by a bitwise AND operation, so that the current sensitive data can be hidden.
In step S607, in the case that the sensitivity type of the first sensitive data is determined to be the immune type or the semi-desensitization type, the first sensitive data is retained.
Through the above steps S605 to S607, it is determined whether the sensitivity type of the first sensitive data is the desensitization type, the immune type, or the semi-desensitization type; if the sensitivity type is determined to be the desensitization type, the first sensitive data is subjected to fuzzy processing, and if it is determined to be the immune type or the semi-desensitization type, the first sensitive data is retained. In this way the type of the first sensitive data obtained in the previous step is acted upon, and the problems of complicated data access control and high cost in the related art are solved.
Fig. 7 is a flowchart of a data access control method according to a fifth preferred embodiment of the present application. As shown in fig. 7, the data access control method includes the steps of:
Step S701, receiving response data of a preset user accessing the outside according to the URL.
Step S702, detecting first sensitive data in the response data, where the first sensitive data is sensitive data corresponding to preset sensitive data.
Step S703, determining the sensitivity of the first sensitive data when the first sensitive data is detected.
Step S704, determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type includes an immunity type, a desensitization type and a semi-desensitization type.
Step S705, receiving request information requested to be displayed by a preset user, and selecting second sensitive data according to the target information.
In this embodiment, the request information includes at least target information of the sensitive data requested to be displayed, and the second sensitive data includes the first sensitive data that completes the data access control processing. Through the step, the second sensitive data, namely the sensitive data which does not need to be subjected to fuzzy display, can be selected from the target information, and the data can be conveniently processed and displayed in the subsequent processing.
Step S706, determining a sensitivity type of the second sensitive data, and displaying the second sensitive data when the sensitivity type of the second sensitive data is determined to be the first sensitive type, where the first sensitive type includes one of: desensitization type, immune type.
In some embodiments, in the case that the sensitivity type of the second sensitive data is determined to be a second sensitivity type, the authorization authority in the request information is read, where the second sensitivity type includes a semi-desensitization type and the authorization authority includes permission to display the second sensitive data; and the second sensitive data is displayed under the condition that the authorization authority is read. In this embodiment, whether the second sensitive data is displayed is decided by the authorization authority carried in the request information, which gives the data access control its autonomy.
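The pipeline of steps S701 to S706, together with the bitwise-AND mask described under step S606, as an added Python example; this is not code from the patent or its assignee. The field names, sensitivity values, table entries, mask layout and the handling of an unauthorized request for semi-desensitization data are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

class SensitivityType(Enum):
    IMMUNE = "immune"
    DESENSITIZATION = "desensitization"
    SEMI_DESENSITIZATION = "semi-desensitization"

# Constructed "preset sensitivity parameter table" (step S703):
# preset sensitive data field -> sensitivity set by the manager.
SENSITIVITY_TABLE: Dict[str, int] = {"id_card": 9, "phone": 6, "email": 2}

# Constructed "preset sensitive type parameter table" (step S704):
# sensitivity -> sensitivity type. Entries are illustrative assumptions.
SENSITIVITY_TYPE_TABLE: Dict[int, SensitivityType] = {
    9: SensitivityType.DESENSITIZATION,
    6: SensitivityType.SEMI_DESENSITIZATION,
    2: SensitivityType.IMMUNE,
}

# Constructed mask for a desensitization-type field: one byte per character,
# 0xFF keeps the character, 0x00 clears it. Fields are assumed to be ASCII.
MASK_TABLE: Dict[str, bytes] = {
    "id_card": b"\xff" * 6 + b"\x00" * 8 + b"\xff" * 4,  # keep first 6 and last 4
}

@dataclass
class ControlledField:
    name: str
    value: str  # value after access control processing (retained or masked)
    sens_type: SensitivityType

def apply_mask(value: str, mask: bytes) -> str:
    """Step S606: bitwise-AND each byte of the field with the mask; cleared bytes show as '*'."""
    data = value.encode("ascii")
    # A mask shorter than the field clears the remainder (assumption of this example).
    padded = mask[: len(data)].ljust(len(data), b"\x00")
    masked = bytes(b & m for b, m in zip(data, padded))
    return "".join(chr(b) if b else "*" for b in masked)

def detect_sensitive_fields(response: Dict[str, str]) -> Dict[str, str]:
    """Step S702: response fields whose names are preset sensitive data fields."""
    return {k: v for k, v in response.items() if k in SENSITIVITY_TABLE}

def access_control(response: Dict[str, str]) -> Dict[str, ControlledField]:
    """Steps S703 to S704 (S605 to S607): look up sensitivity and type, then mask or retain."""
    controlled: Dict[str, ControlledField] = {}
    for name, value in detect_sensitive_fields(response).items():
        sens_type = SENSITIVITY_TYPE_TABLE[SENSITIVITY_TABLE[name]]
        if sens_type is SensitivityType.DESENSITIZATION:
            value = apply_mask(value, MASK_TABLE.get(name, b""))
        # Immune and semi-desensitization data are retained unchanged (step S607).
        controlled[name] = ControlledField(name, value, sens_type)
    return controlled

def display(controlled: Dict[str, ControlledField], target_fields: List[str],
            authorized: bool) -> Dict[str, str]:
    """Steps S705 to S706: select second sensitive data by target information and display it.
    Desensitization and immune types are shown directly; semi-desensitization only with
    authorization. Withholding it otherwise is this example's assumption, not the text's."""
    shown: Dict[str, str] = {}
    for name in target_fields:
        item = controlled.get(name)
        if item is None:
            continue
        if item.sens_type is SensitivityType.SEMI_DESENSITIZATION and not authorized:
            continue
        shown[name] = item.value
    return shown

# Constructed sample response data (not real personal data).
SAMPLE_RESPONSE = {
    "name": "Alice", "id_card": "110101199001011234",
    "phone": "13800001234", "email": "a@example.com",
}
```

Running `display(access_control(SAMPLE_RESPONSE), ["id_card", "phone", "email"], authorized=False)` returns the masked id card and the immune e-mail address and withholds the semi-desensitization phone number; with `authorized=True` the phone number is included unchanged.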
The present embodiment further provides a data access control device, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used hereinafter, the terms "module", "unit", "subunit", and the like may denote a combination of software and/or hardware implementing a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The embodiment also provides a data access control device, which comprises a memory and a processor, and is characterized in that the memory stores a computer program, and the processor is configured to run the computer program to perform the data access control method in any one of the above steps. Fig. 8 is a block diagram of a data access control apparatus according to an embodiment of the present application, and as shown in fig. 8, the apparatus includes:
the receiving module 81 is configured to receive response data of an external access of a preset user according to the URL.
A detecting module 82, coupled to the receiving module 81, for detecting the first sensitive data in the response data.
A determining module 83, coupled to the detecting module 82, for determining the sensitivity of the first sensitive data if the first sensitive data is detected.
And the processing module 84 is coupled to the determining module 83, and configured to determine a sensitivity type of the first sensitive data based on the sensitivity, and perform data access control processing according to the sensitivity type of the first sensitive data.
In one embodiment, the detection module 82 is configured to extract data information of the response data, where the data information includes at least a data field; detecting first data information in the data information, wherein the first data information at least comprises a preset sensitive data field; and under the condition that the first data information is detected, determining that response data corresponding to the first data information is first sensitive data.
In one embodiment, the determining module 83 is configured to obtain a preset sensitivity parameter table, where the preset sensitivity parameter table includes information of a corresponding relationship between sensitive data and sensitivity of the sensitive data.
In one embodiment, the determining module 83 is further configured to query the preset sensitivity parameter table for the sensitivity corresponding to the first sensitive data; acquiring a preset sensitive type parameter table, wherein the preset sensitive type parameter table comprises the corresponding relation among sensitive data, sensitivity and a sensitive type; and inquiring the sensitivity type of the first sensitive data corresponding to the sensitivity in a preset sensitivity type parameter table.
In one embodiment, the processing module 84 is configured to perform an obfuscation process on the first sensitive data if it is determined that the sensitivity type of the first sensitive data is a desensitization type, where the obfuscation process includes at least a mask; in the case where it is determined that the sensitivity type of the first sensitive data is an immune type or a semi-desensitization type, the first sensitive data is retained.
In one embodiment, the processing module 84 is further configured to, in a case that it is determined that the sensitivity type of the second sensitive data is a second sensitivity type, read the authorization authority in the request information, where the second sensitivity type includes a semi-desensitization type, and the authorization authority includes permission to display the second sensitive data; and displaying the second sensitive data under the condition that the authorized authority is read.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, receiving response data of the preset user accessing the outside according to the URL.
S2, detecting first sensitive data in the response data, wherein the first sensitive data is sensitive data corresponding to preset sensitive data.
S3, in case the first sensitive data is detected, determining a sensitivity of the first sensitive data.
S4, determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
The present embodiment also provides a data access control storage medium having a computer program stored therein, wherein the computer program is configured to execute any one of the data access control methods in the above steps when running.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A data access control method, comprising:
receiving response data of a preset user for external access according to the URL;
detecting first sensitive data in the response data, wherein the first sensitive data are sensitive data corresponding to preset sensitive data;
determining a sensitivity of the first sensitive data in a case where the first sensitive data is detected;
and determining the sensitivity type of the first sensitive data based on the sensitivity, and performing data access control processing according to the sensitivity type of the first sensitive data, wherein the sensitivity type comprises an immunity type, a desensitization type and a semi-desensitization type.
2. The data access control method of claim 1, wherein detecting first sensitive data in the response data comprises:
extracting data information of the response data, wherein the data information at least comprises a data field;
detecting first data information in the data information, wherein the first data information at least comprises a preset sensitive data field;
and under the condition that the first data information is detected, determining that the response data corresponding to the first data information is the first sensitive data.
3. The data access control method of claim 1, wherein determining the sensitivity of the first sensitive data comprises:
acquiring a preset sensitivity parameter table, wherein the preset sensitivity parameter table comprises corresponding relation information of sensitive data and sensitivity of the sensitive data;
and inquiring the sensitivity corresponding to the first sensitive data in the preset sensitivity parameter table.
4. The data access control method of claim 1, wherein determining the sensitivity type of the first sensitive data based on the sensitivity comprises:
acquiring a preset sensitive type parameter table, wherein the preset sensitive type parameter table comprises a corresponding relation among sensitive data, sensitivity and a sensitive type;
and inquiring the sensitivity type of the first sensitive data corresponding to the sensitivity in the preset sensitivity type parameter table.
5. The data access control method of claim 1, wherein performing data access control processing according to the sensitivity type of the first sensitive data comprises:
determining a sensitivity type of the first sensitive data;
performing fuzzy processing on the first sensitive data under the condition that the sensitivity type of the first sensitive data is determined to be a desensitization type, wherein the fuzzy processing at least comprises a mask;
in the case that the sensitivity type of the first sensitive data is determined to be an immune type or a semi-desensitization type, the first sensitive data is retained.
6. The data access control method of claim 1, wherein after performing data access control processing according to the sensitive type of the first sensitive data, the method comprises:
receiving request information requested to be displayed by a preset user, wherein the request information at least comprises target information of sensitive data requested to be displayed;
selecting second sensitive data according to the target information, wherein the second sensitive data comprise the first sensitive data which finish data access control processing;
determining the sensitivity type of the second sensitive data, and displaying the second sensitive data under the condition that the sensitivity type of the second sensitive data is determined to be a first sensitivity type, wherein the first sensitivity type comprises one of the following: desensitization type, immune type.
7. The data access control method of claim 6, further comprising:
under the condition that the sensitivity type of the second sensitive data is determined to be a second sensitivity type, reading authorization authority in the request information, wherein the second sensitivity type comprises a semi-desensitization type, and the authorization authority comprises permission for displaying the second sensitive data;
and displaying the second sensitive data under the condition that the authorization authority is read.
8. A data access control apparatus, characterized in that the apparatus comprises:
the receiving module is used for receiving response data of external access of a preset user according to the URL;
a detection module for detecting first sensitive data in the response data;
the determining module is used for determining the sensitivity of the first sensitive data under the condition that the first sensitive data is detected;
and the processing module is used for determining the sensitivity type of the first sensitive data based on the sensitivity and performing data access control processing according to the sensitivity type of the first sensitive data.
9. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is arranged to run the computer program to perform the data access control method of any of claims 1 to 7.
10. A storage medium having stored thereon a computer program, wherein the computer program is arranged to perform the data access control method of any of claims 1 to 7 when executed.
CN202011078883.XA 2020-10-10 2020-10-10 Data access control method, device, electronic device and storage medium Withdrawn CN112199624A (en)


Publications (1)

Publication Number Publication Date
CN112199624A true CN112199624A (en) 2021-01-08

Family

ID=74013331




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210108