CN112350997A - Database access right control method and device, computer equipment and storage medium - Google Patents

Info

Publication number: CN112350997A
Authority: CN (China)
Prior art keywords: access, user role, user, access request, database
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202011106958.0A
Other languages: Chinese (zh)
Inventors: 牛自宾, 范渊, 刘博�
Current Assignee: DBAPPSecurity Co Ltd; Hangzhou Dbappsecurity Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202011106958.0A
Publication of CN112350997A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/21: Design, administration or maintenance of databases

Abstract

The application relates to a database access right control method, a database access right control device, computer equipment and a storage medium, wherein the method comprises the following steps: acquiring an access request; the access request is added with a user role stamp, and the user role stamp comprises user role information; analyzing the access request to obtain user role information and access operation; matching the user role information and the access operation with a preset authority control table, and determining the access authority of the user according to the matching result; and processing the corresponding access request based on the access authority. By adding the user role stamp to the access request in advance, fine management of the access authority based on the user role information is realized.

Description

Database access right control method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a method and an apparatus for controlling access rights to a database, a computer device, and a storage medium.
Background
The access control is an important measure for protecting database resources, mainly defines the access authority of a subject to an object, and controls the access of the resources according to the identity of the subject on the basis of identity recognition. The purpose of implementing the access control technology is to prevent unauthorized access to any resource and ensure that the system resource can be used within a reasonable range.
Currently, a common access control policy for a database intercepts an application's SQL request through a security gateway, performs semantic analysis on the SQL request to obtain its operation object (a library, a table or a field), and then judges whether the operation object contains sensitive information, on which basis the request is released or blocked. However, current application systems have users with multiple roles, each role having different access rights, and this approach cannot control access at that granularity.
Disclosure of Invention
The embodiment of the application provides a database access right control method, a database access right control device, computer equipment and a storage medium, and at least solves the problem that access cannot be controlled finely in the related technology.
In a first aspect, an embodiment of the present application provides a method for controlling access rights to a database, including:
acquiring an access request; the access request is added with a user role stamp, and the user role stamp comprises user role information;
analyzing the access request to obtain user role information and access operation;
matching the user role information and the access operation with a preset authority control table, and determining the access authority of the user according to the matching result;
and processing the corresponding access request based on the access authority.
In some of these embodiments, the obtaining the access request comprises:
acquiring an open IP and a corresponding open port of a database to be accessed;
acquiring access traffic based on the open IP and the open port;
and parsing the access traffic to obtain an access request.
In some of these embodiments, obtaining the access request comprises: the database application system is provided with a role stamp plug-in;
the role stamp plug-in obtains login information of a user, and extracts user role information according to the login information;
the role stamp plug-in obtains access operation, generates an access request according to the access operation and user role information, and sends the access request to a gateway so that the gateway obtains the access request.
In some embodiments, before matching the user role information and the access operation with a preset authority control table and determining the access authority of the user according to the matching result, the method further includes:
acquiring a control corresponding relation between user role information and access operation;
and configuring a preset authority control table according to the control corresponding relation.
In some embodiments, the obtaining of the control correspondence between the user role information and the access operation includes:
and acquiring the control corresponding relation between the user role information and the access operation according to the service requirement and/or the service standard of the database to be protected.
In some embodiments, the control correspondence includes at least one of a correspondence of user role information to data tables, user role information to table fields, user role information to table operations, and user role information to field operations.
In some embodiments, said processing the corresponding access request based on the access right includes:
when the user has the access right, forwarding the access request to a corresponding database to be accessed;
blocking the access request when the user does not have access rights.
In a second aspect, an embodiment of the present application provides a database access right control apparatus, including:
an access request acquisition unit for acquiring an access request; the access request is added with a user role stamp, and the user role stamp comprises user role information;
the analysis unit is used for analyzing the access request to obtain user role information and access operation;
the authority matching unit is used for matching the user role information and the access operation with a preset authority control table and determining the access authority of the user according to a matching result;
and the access request processing unit is used for processing the corresponding access request based on the access authority.
In a third aspect, an embodiment of the present application provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the method for controlling access rights to a database as described in the first aspect is implemented.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the database access right control method according to the first aspect.
Compared with the prior art, the database access authority control method provided by the embodiment of the application matches the user role information and the access operation against a preset authority control table and determines the access authority of the user from the matching result. When a user role or an access operation changes, permission matching can be adjusted simply by updating the preset permission control table. The access request is stamped in advance with a user role stamp that carries the user role information; the user role information and the access operation are matched against the preset authority control table, the user's access authority is determined from the matching result, and the access request is processed accordingly. Fine-grained management of access authority based on user role information is thereby realized without modifying the original database application system.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart illustrating a database access right control method according to an embodiment of the present application;
FIG. 2 is a block diagram of a database access right control device according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a computer device in one embodiment of the present application.
Description of the drawings: 201. an access request acquisition unit; 202. an analysis unit; 203. an authority matching unit; 204. an access request processing unit; 30. a bus; 31. a processor; 32. a memory; 33. a communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
In the digital environment, the security problem faced by databases is further complicated by the rapid development of information technology. Access control refers to a means for limiting the ability of a user to use data resources based on predefined protection rules, and is generally used to control the user's access to network resources such as servers, directories, files, etc. The access control is an important basis for confidentiality, integrity, availability and legal usability of an enterprise information system, is one of key strategies for network security prevention and resource protection, and is different authorized access of a subject to an object or a resource thereof according to certain control strategies or authorities.
Among them, role-based access control (RBAC) is generally considered a promising alternative to both traditional discretionary access control and mandatory access control, i.e., it is a policy-neutral access control model. The logical separation of subject and object is realized by introducing the concept of a role, and authority is described as the accessibility of objects to a role. RBAC indirectly associates a subject with its accessible objects by associating one or more roles with the subject.
The embodiment provides a database access authority control method. Fig. 1 is a flowchart of a database access right control method according to an embodiment of the present application, which can be executed by a computer device. As shown in fig. 1, the process includes the following steps:
step S101, obtaining an access request; the access request is stamped with a user role stamp, which includes user role information.
In this embodiment, the computer device may be a gateway device, a base station, or a network node such as an authentication server. For example, when the computer device is a gateway device, the access request sent by the user terminal passes through the gateway of the database before reaching the database, so the gateway receives the access request.
Specifically, the obtaining of the access request includes:
step S1011, acquiring an open IP and a corresponding open port of a database to be accessed;
step S1012, obtaining access traffic based on the open IP and the open port;
step S1013, parsing the access traffic to obtain an access request.
In this embodiment, each IP address corresponds to one database, and one database may open multiple active ports; the access traffic of the open ports is obtained with a self-developed tool or an open-source third-party scanning tool, such as an nmap scan. In some embodiments, the access traffic of a specified open port may be obtained by port mirroring; in other embodiments, the appropriate data acquisition mode, such as port monitoring, traffic redirection via the WCCP protocol (Web Cache Communication Protocol), optical splitter (tap) traffic acquisition, or traffic redirection by a layer-4 switch, may be chosen according to the network structure, network traffic, device characteristics, and the like of the specific application.
In this embodiment, the access request is tagged with a user role stamp, which is a user role tag generated from the identity information of the user. The users are visitors of the database application system; each user can belong to several different roles, and the roles of different users, or the different roles of one user, can stand in a hierarchical association relationship. Correspondingly, the user role stamp includes user role information, which may be a user role type, an association set of roles, and the like. The user role information is divided according to the work responsibilities in the actual unit or organization to which the user belongs, and different roles are assigned according to the different rights and obligations borne by the user. For example, for an online teaching system, the user role information comprises a master, a teacher, a student and the like; for a project management system, the user role information includes project managers, project developers, testers, and the like.
And step S102, analyzing the access request to obtain user role information and access operation.
In this embodiment, the user role stamp and the user access information may be obtained by parsing the access request. The role information of the user can be obtained based on the user role stamp; based on the user access information, an access source and an access operation can be obtained, and the access operation can be object operation or data operation such as login, addition, modification, deletion, viewing, moving, uploading, downloading and the like.
And S103, matching the user role information and the access operation with a preset authority control table, and determining the access authority of the user according to the matching result.
Where the user roles are complex, the preset authority control table can be defined independently in a custom manner. The authority control table includes the control correspondences between user role information and the corresponding access operations, as well as authority types, role hierarchy relations, role descriptions, and the like, which facilitates personalized authority management of user roles.
In this embodiment, when the user role information and the corresponding access operation are not matched with a preset authority control table, the user does not have access authority corresponding to the access operation; and when the user role information and the corresponding access operation are matched with a preset authority control table, the user has the access authority corresponding to the access operation.
And step S104, processing the corresponding access request based on the access authority.
And after the access authority is determined, judging whether to allow the access according to the access authority. Specifically, when the user has the access right, the access request is forwarded to the corresponding database to be accessed, and the user can perform corresponding access operation; and when the user has no access right, blocking the access request, thereby realizing finer-grained access right control based on the user role.
In summary, the database access authority control method provided in the embodiment of the present application matches the user role information and the access operation against a preset authority control table and determines the access authority of the user from the matching result. When a user role or an access operation changes, permission matching can be adjusted simply by updating the preset permission control table. The access request is stamped in advance with a user role stamp that carries the user role information; the user role information and the access operation are matched against the preset authority control table, the user's access authority is determined from the matching result, and the access request is processed accordingly. Fine-grained management of access authority based on user role information is thereby realized without modifying the original database application system.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
In one embodiment, obtaining the access request comprises: the database application system is provided with a role stamp plug-in; the role stamp plug-in obtains login information of a user, and extracts user role information according to the login information; the role stamp plug-in obtains access operation, generates an access request according to the access operation and user role information, and sends the access request to a gateway so that the gateway obtains the access request.
In this embodiment, a role stamp plug-in is installed in advance in the application system that accesses the database to be accessed. When a user logs in to the database application system, the role stamp plug-in is started to acquire the login information of the user and the access operation of the user. The login information includes user role information, such as the user role, a user ID, the local IP, and authentication information. The user role information is then extracted from the login information, packaged together with the access operation, and sent to the gateway of the database, so that the gateway can perform the subsequent permission judgment on the access request.
In one embodiment, before step S103, the method further includes: acquiring a control corresponding relation between user role information and access operation; and configuring a preset authority control table according to the control corresponding relation.
The user is assigned different roles according to the responsibility and qualification of the user in the application system of the database, the different roles correspond to different access authorities to all resources of the application system, and a preset authority control table can be configured according to the control corresponding relation between the acquired user role information and the access operation. The control corresponding relation comprises at least one of corresponding relations of user role information and a data table, user role information and a table field, user role information and a table operation and user role information and a field operation.
In a specific implementation manner, the control corresponding relationship between the user role information and the access operation can be obtained according to the service requirement and/or the service standard of the database to be protected. For example: when the database application system is used for project management, the control corresponding relation can be obtained according to the data access operation authority corresponding to the service standard (such as access rule, operation authority limit and the like) of a project and the specific work arrangement (such as development, management, test and the like) of the related personnel of the project; when the database application system is used for student status management, the control corresponding relationship can be obtained according to the operation authority (login, modification and processing) corresponding to the services such as student files, student status, scores, daily reports and the like and the control authority of user roles (such as students, educational departments, teacher departments, school managers and the like). Of course, the control corresponding relationship between the user role information and the access operation may also be obtained or set in a user-defined manner, and the present application is not limited specifically.
It can be understood that when the access operation authority corresponding to the user role changes, the authority management can be performed by modifying the preset authority control table, such as modifying, deleting, adding the access operation corresponding to the user role and/or the user role corresponding to the access operation type.
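As a worked illustration of steps S101 to S104 together with the role stamp plug-in and the preset authority control table described above, the following Python is an added example and not code from the patent or its assignee. It assumes a JSON envelope for the stamped request, a small SQL subset for the access operation, and constructed roles and tables (master, teacher, student; scores, students); a production gateway would use a real SQL parser.

```python
# Added example (not from the patent): a gateway-side authority check modelled on
# steps S101-S104 plus the role stamp plug-in. The request envelope, the SQL subset
# and the roles/tables are constructed assumptions for illustration.
import json
import re

# Preset authority control table (constructed). For each role and table it lists the
# permitted operations and the permitted fields (None = every field). This covers the
# four correspondences named in the text: role->table, role->field,
# role->table operation and role->field operation.
AUTHORITY_TABLE = {
    "teacher": {
        "scores":   {"ops": {"SELECT", "UPDATE"}, "fields": {"score", "student_id"}},
        "students": {"ops": {"SELECT"},           "fields": None},
    },
    "student": {
        "scores":   {"ops": {"SELECT"}, "fields": {"score"}},
    },
}
# Role hierarchy (constructed): a role also holds everything its parent roles hold.
ROLE_PARENTS = {"master": {"teacher"}}


def stamp_request(role, user_id, sql):
    """Role stamp plug-in side: wrap the access operation with the user role stamp."""
    return json.dumps({"role_stamp": {"role": role, "user_id": user_id},
                       "operation": sql})


def parse_operation(sql):
    """Extract (operation, table, fields) from a small SQL subset.

    fields is a set of column names, or None when the statement touches whole rows
    (SELECT *, DELETE). A real gateway would use a proper SQL parser here."""
    s = sql.strip().rstrip(";")
    m = re.match(r"SELECT\s+(.+?)\s+FROM\s+(\w+)", s, re.I)
    if m:
        fields = {f.strip().lower() for f in m.group(1).split(",")}
        return "SELECT", m.group(2).lower(), (None if fields == {"*"} else fields)
    m = re.match(r"UPDATE\s+(\w+)\s+SET\s+(.+?)(?:\s+WHERE\b|$)", s, re.I)
    if m:
        fields = {a.split("=")[0].strip().lower() for a in m.group(2).split(",")}
        return "UPDATE", m.group(1).lower(), fields
    m = re.match(r"DELETE\s+FROM\s+(\w+)", s, re.I)
    if m:
        return "DELETE", m.group(1).lower(), None
    m = re.match(r"INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)", s, re.I)
    if m:
        return "INSERT", m.group(1).lower(), {f.strip().lower() for f in m.group(2).split(",")}
    raise ValueError("unsupported or malformed operation")


def effective_roles(role):
    """Expand a role through the hierarchy so inherited permissions are matched too."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return seen


def is_permitted(role, op, table, fields, control_table=AUTHORITY_TABLE):
    """Step S103: match (role, operation, table, fields) against the preset table.

    No matching entry means no authority (default deny)."""
    for r in effective_roles(role):
        entry = control_table.get(r, {}).get(table)
        if entry is None or op not in entry["ops"]:
            continue
        allowed = entry["fields"]
        if allowed is None:                      # role may touch every field
            return True
        if fields is not None and fields <= allowed:
            return True                          # every requested field is permitted
    return False


def gateway_decide(raw_request):
    """Steps S102-S104: parse the stamped request, match it, then forward or block."""
    try:
        req = json.loads(raw_request)
        role = req["role_stamp"]["role"]
        op, table, fields = parse_operation(req["operation"])
    except (ValueError, KeyError, TypeError):
        return "block"      # unstamped, malformed or unparseable requests never pass
    return "forward" if is_permitted(role, op, table, fields) else "block"


if __name__ == "__main__":
    for role, sql in [("teacher", "SELECT score, student_id FROM scores WHERE student_id = 7"),
                      ("student", "UPDATE scores SET score = 100 WHERE student_id = 7"),
                      ("master", "SELECT * FROM students")]:
        print(role, "|", sql, "->", gateway_decide(stamp_request(role, "u1", sql)))
```

Changing a role's rights, as the text describes, is then a matter of editing AUTHORITY_TABLE or ROLE_PARENTS rather than the application.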
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
The present embodiment further provides a database access right control apparatus, which is used to implement the foregoing embodiments and preferred embodiments, and the description of the apparatus is omitted for brevity. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 2 is a block diagram of a database access right control device according to an embodiment of the present application, and as shown in fig. 2, the device includes: an access request acquisition unit 201, a parsing unit 202, a right matching unit 203, and an access request processing unit 204.
An access request acquisition unit 201 for acquiring an access request; the access request is added with a user role stamp, and the user role stamp comprises user role information;
the analyzing unit 202 is configured to analyze the access request to obtain user role information and access operation;
the authority matching unit 203 is used for matching the user role information and the access operation with a preset authority control table and determining the access authority of the user according to the matching result;
an access request processing unit 204, configured to process the corresponding access request based on the access right.
The access request obtaining unit 201 includes: a port acquisition module, an access traffic acquisition module, and a traffic parsing module.
The port acquisition module is used for acquiring an open IP of the database to be accessed and a corresponding open port;
the access traffic acquisition module is configured to obtain access traffic based on the open IP and the open port;
and the traffic parsing module is used for parsing the access traffic to obtain an access request.
The access request obtaining unit 201 includes: the database application system is provided with a role stamp plug-in;
the role stamp plug-in obtains login information of a user, and extracts user role information according to the login information;
the role stamp plug-in obtains access operation, generates an access request according to the access operation and user role information, and sends the access request to a gateway so that the gateway obtains the access request.
The database access authority control device further comprises: a control corresponding relation obtaining unit and a preset authority control table configuration unit.
The control corresponding relation acquisition unit is used for acquiring the control corresponding relation between the user role information and the access operation;
and the preset authority control table configuration unit is used for configuring a preset authority control table according to the control corresponding relation.
The control corresponding relation obtaining unit is specifically configured to:
and acquiring the control corresponding relation between the user role information and the access operation according to the service requirement and/or the service standard of the database to be protected.
The control corresponding relation comprises at least one of corresponding relations of user role information and a data table, user role information and a table field, user role information and a table operation and user role information and a field operation.
The access request processing unit 204 includes: the device comprises a first control module and a second control module.
The first control module is used for forwarding the access request to a corresponding database to be accessed when the user has the access right;
and the second control module is used for blocking the access request when the user has no access right.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
In addition, the database access right control method described in the embodiment of the present application with reference to fig. 1 may be implemented by a computer device. Fig. 3 is a hardware structure diagram of a computer device according to an embodiment of the present application.
The computer device may comprise a processor 31 and a memory 32 in which computer program instructions are stored.
Specifically, the processor 31 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 32 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 32 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 32 may include removable or non-removable (or fixed) media, where appropriate. The memory 32 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 32 is a non-volatile memory. In particular embodiments, memory 32 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate. The RAM may be Static Random-Access Memory (SRAM) or Dynamic Random-Access Memory (DRAM), where the DRAM may be Fast Page Mode DRAM (FPMDRAM), Extended Data Output DRAM (EDODRAM), Synchronous DRAM (SDRAM), and the like.
The memory 32 may be used to store or cache various data files that need to be processed and/or used for communication, as well as possible computer program instructions executed by the processor 31.
The processor 31 may implement any one of the database access right control methods in the above embodiments by reading and executing computer program instructions stored in the memory 32.
In some of these embodiments, the computer device may also include a communication interface 33 and a bus 30. As shown in fig. 3, the processor 31, the memory 32, and the communication interface 33 are connected via the bus 30 to complete mutual communication.
The communication interface 33 is used for implementing communication between the modules, devices, units and/or equipment in the embodiments of the present application. The communication interface 33 may also enable data communication with other components, such as external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation, and the like.
Bus 30 comprises hardware, software, or both, coupling the components of the computer device to each other. Bus 30 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example, and not limitation, bus 30 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus, or a combination of two or more of these. Bus 30 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The computer device may execute the database access right control method in the embodiment of the present application based on the acquired computer program, thereby implementing the database access right control method described in conjunction with fig. 1.
In addition, in combination with the database access right control method in the foregoing embodiments, an embodiment of the present application may provide a computer-readable storage medium for implementing it. The computer-readable storage medium has computer program instructions stored thereon; when executed by a processor, the computer program instructions implement any of the database access right control methods in the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and their description is relatively specific and detailed, but this should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (10)

1. A method for controlling access rights to a database, comprising:
acquiring an access request; the access request is added with a user role stamp, and the user role stamp comprises user role information;
analyzing the access request to obtain user role information and access operation;
matching the user role information and the access operation with a preset authority control table, and determining the access authority of the user according to the matching result;
and processing the corresponding access request based on the access authority.
2. The database access right control method of claim 1, wherein obtaining the access request comprises:
acquiring an open IP and a corresponding open port of the database to be accessed;
acquiring access traffic based on the open IP and the open port;
and parsing the access traffic to obtain the access request.
3. The database access right control method of claim 1, wherein the database application system is provided with a role stamp plug-in, and obtaining the access request comprises:
the role stamp plug-in obtaining login information of a user and extracting user role information from the login information;
the role stamp plug-in obtaining an access operation, generating an access request from the access operation and the user role information, and sending the access request to a gateway so that the gateway obtains the access request.
4. The database access right control method of claim 1, wherein, before matching the user role information and the access operation with the preset authority control table and determining the access authority of the user according to the matching result, the method further comprises:
acquiring a control corresponding relation between user role information and access operation;
and configuring a preset authority control table according to the control corresponding relation.
5. The method of claim 4, wherein the obtaining the control correspondence between the user role information and the access operation comprises:
and acquiring the control correspondence between the user role information and the access operation according to the business requirements and/or business specifications of the database to be protected.
6. The database access permission control method according to claim 4, wherein the control correspondence includes at least one of correspondence of user role information and data table, user role information and table field, user role information and table operation, and user role information and field operation.
7. The method of claim 1, wherein the processing the corresponding access request based on the access right comprises:
when the user has the access right, forwarding the access request to a corresponding database to be accessed;
blocking the access request when the user does not have access rights.
8. A database access authority control apparatus, comprising:
an access request acquisition unit for acquiring an access request; the access request is added with a user role stamp, and the user role stamp comprises user role information;
the analysis unit is used for analyzing the access request to obtain user role information and access operation;
the authority matching unit is used for matching the user role information and the access operation with a preset authority control table and determining the access authority of the user according to a matching result;
and the access request processing unit is used for processing the corresponding access request based on the access authority.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the database access right control method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing a database access right control method according to any one of claims 1 to 7.
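As an added example (not code from the patent or its applicant), the following Python sketch shows the gateway decision of claims 1, 6 and 7: the request carries a user role stamp, the gateway parses the role and the SQL access operation, matches both against a preset control table keyed by role, data table, table operation and field, and forwards or blocks. The wire format `ROLE=<role>;SQL=<statement>`, the control table contents and the minimal SQL parser are assumptions.

```python
import re
from typing import NamedTuple, FrozenSet

# Constructed permission control table (claim 6): per role, per table, the
# allowed table operations and the allowed fields ("*" means any field).
CONTROL_TABLE = {
    "analyst": {"orders": {"ops": {"SELECT"},
                           "fields": {"id", "amount", "created_at"}}},
    "clerk":   {"orders": {"ops": {"SELECT", "INSERT"}, "fields": {"*"}}},
}

class Request(NamedTuple):
    role: str          # taken from the user role stamp
    op: str            # access operation, e.g. SELECT / INSERT
    table: str
    fields: FrozenSet[str]

def parse_request(raw: str) -> Request:
    """Parse a stamped request (assumed format ROLE=<role>;SQL=<statement>)."""
    m = re.fullmatch(r"ROLE=([A-Za-z0-9_]+);SQL=(.+)", raw.strip())
    if not m:
        raise ValueError("missing user role stamp")
    role, sql = m.group(1), m.group(2)
    s = re.match(r"\s*SELECT\s+(.+?)\s+FROM\s+([A-Za-z_]\w*)", sql, re.I)
    if s:
        fields = frozenset(f.strip() for f in s.group(1).split(","))
        return Request(role, "SELECT", s.group(2), fields)
    i = re.match(r"\s*INSERT\s+INTO\s+([A-Za-z_]\w*)", sql, re.I)
    if i:
        return Request(role, "INSERT", i.group(1), frozenset({"*"}))
    raise ValueError("unsupported access operation")

def decide(req: Request) -> str:
    """Match role and operation against the control table (claim 1)."""
    rule = CONTROL_TABLE.get(req.role, {}).get(req.table)
    if rule is None or req.op not in rule["ops"]:
        return "BLOCK"
    # Field-level check: every requested field must be permitted for the role.
    if "*" not in rule["fields"] and not req.fields <= rule["fields"]:
        return "BLOCK"
    return "FORWARD"

def gateway(raw: str) -> str:
    """Claim 7: forward when the role has the right, otherwise block.
    Anything the gateway cannot parse is blocked, never passed through."""
    try:
        return decide(parse_request(raw))
    except ValueError:
        return "BLOCK"
```

The default-deny branches matter in practice: a request without a role stamp, an unknown operation, or a `SELECT *` from a field-restricted role are all blocked rather than forwarded.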
Application CN202011106958.0A, priority date 2020-10-16, filing date 2020-10-16: Database access right control method and device, computer equipment and storage medium. Status: Pending. Publication CN112350997A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011106958.0A CN112350997A (en) 2020-10-16 2020-10-16 Database access right control method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011106958.0A CN112350997A (en) 2020-10-16 2020-10-16 Database access right control method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112350997A true CN112350997A (en) 2021-02-09

Family

ID=74360918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011106958.0A Pending CN112350997A (en) 2020-10-16 2020-10-16 Database access right control method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112350997A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113961542A (en) * 2021-10-19 2022-01-21 平安普惠企业管理有限公司 Database operation method, device, equipment and storage medium
CN114996746A (en) * 2022-08-01 2022-09-02 太极计算机股份有限公司 Data authority management method and system based on multi-dimensional information
CN116070196A (en) * 2023-03-28 2023-05-05 苏州阿基米德网络科技有限公司 Access authority allocation method and system for medical system and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080120302A1 (en) * 2006-11-17 2008-05-22 Thompson Timothy J Resource level role based access control for storage management
CN111625782A (en) * 2020-05-25 2020-09-04 杭州安恒信息技术股份有限公司 Method and device for controlling access authority of source code, computer equipment and storage medium

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
孙先友: "Design of a role-based database access control system", China Master's Theses Full-text Database (Information Science and Technology) *
李伟 et al.: "Application of role-based access control technology in a party affairs management system", Journal of Jiujiang University *
李岚: "Application of role-based secure database access control", Communications Technology *
陈金玉 et al.: "Design and implementation of a teaching permission access system based on role control", Journal of Chongqing University (Natural Science Edition) *
颜平超 et al.: "Design and implementation of RBAC-based permission management", Silicon Valley *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210209