Disclosure of Invention
Purpose of the invention: the invention aims to provide a data asset authority management method for a power grid data middle platform that serves a large number of business departments, a method which prevents the leakage of data assets.
Technical scheme: on the one hand, the invention discloses a data asset authority management method for a data middle platform, which comprises the following steps:
dividing the data storage space of the data middle platform into a source layer and an analysis layer, wherein the source layer stores original data, the analysis layer is composed of a plurality of project spaces, one project space corresponds to one business department, and each project space stores the application data obtained after the original data have been analyzed and processed according to the business logic of the corresponding business department;
and granting the access right to each project space of the analysis layer to the users of the corresponding business department.
Further, the method also includes:
judging whether the data the user requests to access matches the user's authority: if the requested data is application data and the analysis-layer project space in which it is located is consistent with the department to which the user belongs, judging that they match, otherwise judging that they do not match; and when the judgment result is a match, allowing the user direct access.
Further, the method also includes:
creating a Package for each business department in the source layer, and granting access authority for the Package to the users of the corresponding business department;
when the data the user requests to access is original data, judging whether the business department to which the user belongs has access authority for that original data; if so, adding the original data to the source-layer Package of the business department to which the user belongs, and allowing the user to access the data by accessing that Package.
Further, when the data the user requests to access is original data, first judging whether the original data is in a preset negative list result library; if the judgment result is negative, then judging whether the business department to which the user belongs has access authority for the original data.
When the original data the user requests to access is in the preset negative list result library, starting a negative list data approval process, and adding the approved original data to the source-layer Package of the business department to which the user belongs.
On the other hand, the invention also discloses a management system for realizing the data asset authority management method of the data middle platform, which comprises the following modules:
a data storage space dividing module, for dividing the data storage space of the data middle platform into a source layer and an analysis layer, wherein the source layer stores original data, the analysis layer is composed of a plurality of project spaces, one project space corresponds to one business department, and each project space stores the application data obtained after the original data have been analyzed according to the business logic of the corresponding business department;
and a project space authorization module, for granting the access right to each project space of the analysis layer to the users of the corresponding business department.
Further, the system also includes a permission matching and verifying module, for judging whether the data the user requests to access matches the user's permission and, if the judgment result is a match, allowing the user direct access to the data; the judgment is as follows: if the requested data is application data and the analysis-layer project space in which it is located is consistent with the department to which the user belongs, the data match, otherwise they do not match.
Further, the system also includes a Package setting module, for creating a Package for each business department in the source layer and granting access authority for the Package to the users of the corresponding business department;
an original data authority judging module, for judging, when the data the user requests to access is original data, whether the business department to which the user belongs has access authority for that original data;
and an original data authority verification module, for adding the original data to the source-layer Package of the business department to which the user belongs when the judgment result of the original data authority judging module is yes, and allowing the user to access the data by accessing that Package.
Further, the system also includes a negative list result library judging module, for judging whether the original data the user requests to access is in a preset negative list result library;
when the judgment result of the negative list result library judging module is negative, the original data authority judging module judges whether the business department to which the user belongs has access authority for the original data.
The system also includes a negative list data approval module, for starting a negative list data approval process when the original data the user requests to access is in the preset negative list result library, and adding the approved original data to the source-layer Package of the business department to which the user belongs.
Advantages: through reasonable division of the data storage space and the corresponding authority settings, the data asset authority management method of the data middle platform disclosed by the invention solves the problem of safely isolating data assets when a large number of business departments exist, prevents data leakage, and improves the security of the data assets.
Detailed Description
The invention is further elucidated with reference to the drawings and the detailed description.
As shown in fig. 1, the present invention discloses a data asset authority management method, including:
S1, dividing the data storage space of the data middle platform into a source layer L1 and an analysis layer L2, wherein the source layer stores original data, the analysis layer is composed of a plurality of project spaces, one project space corresponds to one business department, and each project space stores the application data obtained after the original data have been analyzed and processed according to the business logic of the corresponding business department;
S2, granting the access right to each project space of the analysis layer to the users of the corresponding business department;
in this embodiment, the business departments are divided according to the local cities and the directly affiliated units of the power grid; for example, the Nanjing power grid, the Xuzhou power grid and the electric academy are each one business department. The data in each project space of the analysis layer can only be accessed by the users of the corresponding business department, and users of other business departments are forbidden to access it, so that leakage of application data is prevented.
S3, creating a Package for each business department in the source layer, and granting the access right to the Package to the users of the corresponding business department;
the division structure of the data storage space of the data middle platform is shown in fig. 2; in the initial state, each Package is empty;
S4, the user enters the data middle platform portal through the ISC and submits login information; the data middle platform verifies the login information and obtains the business department to which the user belongs; fig. 3 shows a user logging into the data middle platform;
after logging in successfully, the user sends a data access request;
S5, the data middle platform judges whether the data the user requests to access matches the user's authority: if the requested data is application data and the analysis-layer project space in which it is located is consistent with the department to which the user belongs, judging that they match, otherwise judging that they do not match;
when the judgment result is a match, allowing the user direct access;
S6, when the data the user requests to access is original data, first judging whether the original data is in the preset negative list result library;
the negative list result library comprises data that ordinary business departments are forbidden to access, such as sensitive data or data related to the privacy of power grid users; the data in the negative list result library is recorded in the form of a table or a field;
if the original data the user requests to access is not in the negative list result library, judging whether the business department to which the user belongs has access authority for the original data;
if the business department to which the user belongs has the access right to the original data, adding the original data to the source-layer Package of that business department, and allowing the user to access the data by accessing that Package; otherwise, the user is denied access to the requested data.
S7, when the original data the user requests to access is in the preset negative list result library, starting a negative list data approval process, and adding the approved original data to the source-layer Package of the business department to which the user belongs.
Through steps S1-S7, the power grid data middle platform limits the authority of each business department's users to use the data assets, so that leakage of the data assets is avoided.
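The decision procedure of steps S1 to S7 (and the equivalent steps listed in the Disclosure of Invention above), written out as an added Python example; this is illustration code, not part of the patent or of any implementation of it. The department names, table names, field names, negative list entries and user names are constructed for the example, the class and method names are hypothetical, and the user's department is taken from the verified login rather than from the request, as step S4 requires. The example also covers the two forms a negative list entry may take (a whole table or a single field of a table), and fails closed on an unknown layer.

```python
"""Access decision for the two-layer data asset model of steps S1-S7.

Added illustration. Department names, table names and negative list entries
are constructed for the example and are not taken from the patent.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                        # S5 match, or S6 grant present
    DENY = "deny"                          # S5 mismatch, or S6 grant absent
    PENDING_APPROVAL = "pending_approval"  # S7 negative list approval opened


@dataclass(frozen=True)
class User:
    name: str
    department: str  # obtained from the verified login (S4), never from the request


@dataclass(frozen=True)
class DataItem:
    name: str
    layer: str               # "analysis" (application data) or "source" (original data)
    project_space: str = ""  # owning department; only meaningful on the analysis layer
    fields: tuple = ()       # fields the request touches; only meaningful on the source layer


@dataclass
class DataPlatform:
    # S6: an entry is either a table name or a (table, field) pair
    negative_list: set = field(default_factory=set)
    # S6: raw tables each business department is allowed to pull into its Package
    source_grants: dict = field(default_factory=dict)
    # S3: one source-layer Package per department, empty until a request succeeds
    packages: dict = field(default_factory=dict)
    # S7: (department, table) pairs awaiting negative list approval
    pending: list = field(default_factory=list)

    def register_department(self, dept: str, grants=()) -> None:
        self.packages[dept] = set()
        self.source_grants[dept] = set(grants)

    def in_negative_list(self, item: DataItem) -> bool:
        if item.name in self.negative_list:
            return True
        return any((item.name, f) in self.negative_list for f in item.fields)

    def request_access(self, user: User, item: DataItem) -> Decision:
        if item.layer == "analysis":
            # S5: application data is visible only inside the owning project space
            return Decision.ALLOW if item.project_space == user.department else Decision.DENY
        if item.layer != "source":
            return Decision.DENY  # unknown layer: fail closed
        # S6/S7: the negative list is consulted before any department grant
        if self.in_negative_list(item):
            if (user.department, item.name) not in self.pending:
                self.pending.append((user.department, item.name))
            return Decision.PENDING_APPROVAL
        if item.name not in self.source_grants.get(user.department, ()):
            return Decision.DENY
        # S6: granted original data is placed in the department's own Package
        self.packages[user.department].add(item.name)
        return Decision.ALLOW

    def approve(self, dept: str, table: str) -> bool:
        """S7: an approver releases a pending item into the department's Package."""
        if (dept, table) not in self.pending:
            return False
        self.pending.remove((dept, table))
        self.packages[dept].add(table)
        return True

    def can_read_package(self, user: User, table: str) -> bool:
        """Reads of original data go only through the Package of the user's own department."""
        return table in self.packages.get(user.department, set())


def build_demo_platform() -> DataPlatform:
    """Constructed sample configuration (hypothetical departments, tables and fields)."""
    platform = DataPlatform()
    platform.register_department("nanjing", {"meter_readings", "grid_topology"})
    platform.register_department("xuzhou", {"grid_topology"})
    # whole-table entry and single-field entry, the two forms described for the negative list
    platform.negative_list.update({"customer_profile", ("meter_readings", "customer_address")})
    return platform


if __name__ == "__main__":
    platform = build_demo_platform()
    alice = User("alice", "nanjing")
    bob = User("bob", "xuzhou")
    print(platform.request_access(alice, DataItem("nj_load_report", "analysis", "nanjing")))
    print(platform.request_access(bob, DataItem("nj_load_report", "analysis", "nanjing")))
    print(platform.request_access(alice, DataItem("meter_readings", "source")))
    print(platform.request_access(alice, DataItem("customer_profile", "source")))
```

Because the negative list is checked before the department grant, a department with no grant on a listed table still ends up in the approval queue rather than being denied outright, which is the order the method prescribes; an approved item is then read through the department's Package, so the Package contents are the complete record of which original data each department has been released.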
As shown in fig. 4, the data asset authority management system disclosed in the present invention includes:
a data storage space dividing module 1, configured to divide the data storage space of the data middle platform into a source layer and an analysis layer, where the source layer stores original data, the analysis layer is composed of a plurality of project spaces, one project space corresponds to one business department, and each project space stores the application data obtained by analyzing and processing the original data according to the business logic of the corresponding business department;
and a project space authorization module 2, for granting the access right to each project space of the analysis layer to the users of the corresponding business department.
A Package setting module 3, for creating a Package for each business department in the source layer and granting access authority for the Package to the users of the corresponding business department;
a data middle platform portal 4, for receiving and verifying the login information and the data access request of the user and obtaining the business department to which the user belongs;
an authority matching verification module 5, for judging whether the data the user requests to access matches the user's authority and, if the judgment result is a match, allowing the user direct access to the data; the judgment is as follows: if the requested data is application data and the analysis-layer project space in which it is located is consistent with the department to which the user belongs, the data match, otherwise they do not match;
a negative list result library judging module 6, configured to judge whether the original data the user requests to access is in a preset negative list result library;
when the judgment result of the negative list result library judging module is negative, the original data authority judging module judges whether the business department to which the user belongs has access authority for the original data.
An original data authority judging module 7, for judging, when the data the user requests to access is original data, whether the business department to which the user belongs has access authority for that original data;
an original data authority verification module 8, for adding the original data to the source-layer Package of the business department to which the user belongs when the judgment result of the original data authority judging module is yes, and allowing the user to access the data by accessing that Package.
And a negative list data approval module 9, for starting a negative list data approval process when the original data the user requests to access is in the preset negative list result library, and adding the approved original data to the source-layer Package of the business department to which the user belongs.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing descriptions of specific exemplary embodiments of the present invention have been presented for purposes of illustration and description. It is not intended to limit the invention to the precise form disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain certain principles of the invention and its practical application to enable one skilled in the art to make and use various exemplary embodiments of the invention and various alternatives and modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims and their equivalents.