CN113051614B - Information access processing method, device, equipment and system - Google Patents

Information access processing method, device, equipment and system Download PDF

Info

Publication number
CN113051614B
CN113051614B CN202110324994.2A CN202110324994A CN113051614B CN 113051614 B CN113051614 B CN 113051614B CN 202110324994 A CN202110324994 A CN 202110324994A CN 113051614 B CN113051614 B CN 113051614B
Authority
CN
China
Prior art keywords
information
access
external
access key
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110324994.2A
Other languages
Chinese (zh)
Other versions
CN113051614A (en
Inventor
厉科嘉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202110324994.2A priority Critical patent/CN113051614B/en
Publication of CN113051614A publication Critical patent/CN113051614A/en
Application granted granted Critical
Publication of CN113051614B publication Critical patent/CN113051614B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The present specification provides an information access processing method, apparatus, device, and system, which implement a data storage model of a multilayer KV structure by setting an internal access key and an external access key, and implement access of an external system to user information stored inside through the external access key by issuing the external access key to the external system, where the external access key is associated with a corresponding internal access key. The internal access key is set to realize unified access management on the internally stored user information, and meanwhile, the internal access key can realize management on the access authority of an external system, so that the safety of the user information is ensured.

Description

Information access processing method, device, equipment and system
Technical Field
The present specification belongs to the field of computer technologies, and in particular, to an information access processing method, apparatus, device, and system.
Background
With the popularization of the internet, people's lives are becoming more and more away from the internet, and a large amount of personal data are also collected and used by various internet companies, wherein the leakage of the personal data and various public opinions invading the personal privacy are not endured, so that the security access to information is gradually emphasized. How to realize the safe access to the personal information of the user is a technical problem which needs to be solved urgently in the field.
Disclosure of Invention
An object of the embodiments of the present specification is to provide an information access processing method, apparatus, device, and system, which improve security of user information access.
In a first aspect, an embodiment of the present specification provides an information access processing method, where the method includes:
receiving an information access request sent by an external system, wherein the information access request comprises an external access key issued to the external system in advance;
authenticating the external access key based on the external system identification, the information access use range and the validity period which are associated with the external access key;
after the authentication of the external access key is passed, an internal access key related to the external access key is obtained; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowed to be accessed;
acquiring target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access use range associated with the external access key;
and returning the acquired target information to the external system.
In a second aspect, an embodiment of the present specification provides an information access processing method, where the method includes:
sending an information access request to an information management system, wherein the information access request comprises a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
and receiving the storage configuration information related to the internal access key and the target information returned by the information access use range after the information management system passes the authentication of the external access key.
In a third aspect, the present specification provides an information access processing apparatus comprising:
the device comprises a request receiving module, a processing module and a processing module, wherein the request receiving module is used for receiving an information access request sent by an external system, and the information access request comprises an external access key issued to the external system in advance;
the key authentication module is used for authenticating the external access key based on the external system identifier, the information access use range and the validity period which are associated with the external access key;
the internal key acquisition module is used for acquiring an internal access key related to the external access key after the authentication of the external access key is passed; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowed to be accessed;
the information acquisition module is used for acquiring target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access use range associated with the external access key;
and the information returning module is used for returning the acquired target information to the external system.
In a fourth aspect, the present specification provides an information access processing apparatus comprising:
the information management system comprises a request sending module, a data access module and a data processing module, wherein the request sending module is used for sending an information access request to the information management system, the information access request comprises a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
and the information receiving module is used for receiving the storage configuration information related to the internal access key and the target information returned by the information access use range after the information management system passes the authentication of the external access key.
In a fifth aspect, an embodiment of the present specification provides an information access processing apparatus, including at least one processor and a memory for storing processor-executable instructions, where the processor executes the instructions to implement the information access processing method according to the first aspect or the second aspect.
In a sixth aspect, an embodiment of the present specification provides an information access processing system, where user information is stored in the information access processing system, and different types of user information are configured with corresponding internal access keys; the information access processing system configures an external access key for an external system based on a request of the external system, wherein the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
the information access processing system has stored thereon computer instructions which, when executed, carry out the steps of the method of the first aspect.
The information access processing method, device, equipment and system provided by the specification realize a data storage model of a multilayer KV structure by setting an internal access key and an external access key, and realize the access of an external system to user information stored inside through the external access key by issuing the external access key to the external system and associating the external access key with a corresponding internal access key. The internal access key is set to realize unified access management on the internally stored user information, and meanwhile, the internal access key can realize management on the access authority of an external system, so that the safety of the user information is ensured. And the user does not need to carry out access authorization when the service scene is switched, the information access process is simplified, and the information access efficiency is improved.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a schematic flowchart of an embodiment of an information access processing method provided in an embodiment of the present specification;
FIG. 2 is a mapping relationship between external access keys, internal access keys, and user information in some embodiments of the present description;
FIG. 3 is a schematic flow chart of an external system accessing user information in some embodiments of the present description;
FIG. 4 is a schematic flow chart of information collection in an example scenario of the present description;
FIG. 5 is a flow diagram illustrating an example of a user authorizing access to an external system in one scenario of the present description;
FIG. 6 is a flow diagram illustrating an example scenario in which an external system accesses user information;
fig. 7 is a block diagram of an embodiment of an information access processing apparatus provided in the present specification;
fig. 8 is a block diagram of another embodiment of an information access processing apparatus provided in the present specification;
fig. 9 is a block diagram of a hardware configuration of the information access processing server in one embodiment of the present specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
Data security access is more and more emphasized, especially some privacy information, some systems store the privacy information of users, and when an external system needs to access the privacy information, the security of information access needs to be ensured. Generally, an external system pops up prompt information for authorizing access to a user, the user can issue a token to the external system after authorization, and the information storage system returns corresponding information after verifying the token. However, each service scenario requires user authorization, such as: when a user logs in, an external system requests authorization access, and when the user carries out transaction payment on the external system, the user also needs to request authorization, so that the operation is complex, and the data access efficiency is influenced.
Fig. 1 is a schematic flowchart of an embodiment of an information access processing method provided in an embodiment of the present specification. Although the present specification provides the method steps or apparatus structures as shown in the following examples or figures, more or less steps or modules may be included in the method or apparatus structures based on conventional or non-inventive efforts. In the case of steps or structures which do not logically have the necessary cause and effect relationship, the execution order of the steps or the block structure of the apparatus is not limited to the execution order or the block structure shown in the embodiments or the drawings of the present specification. When the described method or module structure is applied to a device, a server or an end product in practice, the method or module structure may be executed sequentially or in parallel according to the embodiments or the method or module structure shown in the drawings (for example, in the environment of parallel processors or multi-thread processing, or even in the environment of distributed processing and server cluster).
The information access processing method provided in the embodiments of the present description may be applied to terminal devices such as a client and a server, for example: in a smart phone, or a PC (Personal Computer) terminal or a smart wearable device terminal, as shown in fig. 1, the method may include the steps of:
102, receiving an information access request sent by an external system, wherein the information access request comprises an external access key issued to the external system in advance.
In a specific implementation process, the information access processing method provided in the embodiment of the present specification may be applied to a service system in which user information is stored, for example: some shopping platforms accumulate much user information, or some websites accumulate some user information when users register, log in, or also can be applied to a system for storing and managing user information. If an external system needs to access user information, an information access request can be sent to a service system or an information management system which stores the user information, generally, the information access request can be provided with an external access key which is issued to the external system in advance, the external access key can be understood as an identity of the external system for accessing the user information, and a system without the external access key cannot access the user information in the system. The external system may be understood as a system, a platform, or a terminal outside the service system, and the external system may be a collaboration platform of the service system, and may access the user information stored in the service system by using the method provided in the embodiments of the present specification.
And 104, authenticating the external access key based on the external system identification, the information access use range and the validity period associated with the external access key.
In a specific implementation process, when an external access key is issued to an external system, corresponding association information may be configured for the external access key, for example: the system comprises an external system identification, an information access use range and a validity period, wherein the information access use range can represent a service scene which can be used by the external access key or which user information can be accessed, and the like. After receiving the information access request of the external system, the external system may be authenticated, such as: the external access key can be authenticated according to the external system identifier, the information access use range, the validity period and the like associated with the external access key of the external system, and whether the external access key can be used is verified, for example: verifying whether the external system identification associated with the external access key is consistent with the identification of the external system sending the information access request, and the like, verifying whether the current service scene where the external system is located is consistent with the information access use range, whether the external access key is in the valid period, and the like, and further verifying whether the external system can access the corresponding user information.
Step 106, after the authentication of the external access key is passed, obtaining an internal access key associated with the external access key; wherein each internal access key is associated with one or more external access keys, and each internal access key is configured with storage configuration information of user information allowed to be accessed.
In a specific implementation process, in this embodiment of the present specification, different internal access keys may be configured for user information stored in the system first, and the internal access key may be understood as a key used for managing the user information and the access right of an external system inside the system. Each internal access key may be associated with one or more external access keys, each internal access key is further configured with storage configuration information of user information allowed to be accessed, and the storage configuration information may include a storage path, a storage location, a storage policy, an allowed use range, an information source and the like of the user information.
In some embodiments of the present specification, before receiving an information access request sent by the external system, the method further includes:
classifying the collected user information, distributing internal access keys for different categories of user information, and associating the storage configuration information of the user information with the corresponding internal access keys, wherein one internal access key corresponds to one or more categories of user information.
In a specific implementation process, the system may classify the collected user information in advance, and assign corresponding internal access keys to different categories of user information, where one internal access key may correspond to one or more categories of user information, and each category of user information may be used as one data set or one data item. The user information may be determined according to the requirements of the actual service scenario as follows: identity information, account information, contact information, occupation, password information, and the like of the user, and the description is not particularly limited. Wherein, the minimum user information of each category can support management according to field granularity, such as: all the personal information of the user A can be in the user information category 1; the user information category 2 may also be the mobile phone number information (one field) of the user a. Together, the n categories of user A's user information (A1-An) are the complete user A's data. It is necessary to say that the user ID conventionally assigned to the user by the system also belongs to the personal data item. The user information may be classified according to the personal dimension of the user, or the user information of multiple users may be classified according to the dimension of the classification rule, which may be determined specifically according to the actual needs, and the embodiments of this specification are not limited specifically.
For example: the collected user information is divided into 3 types, namely user information 1, user information 2 and user information 3, wherein the user information 1 and the user information 2 are configured with an internal access key1, the user information 3 is configured with an internal access key 2, the user information 1 and the user information 2 can be accessed only through the internal access key1, and the user information 3 can be accessed only through the internal access key 2. The storage configuration information of the user information may be as follows: the storage location, storage policy, information source, etc. are associated with the corresponding internal access key for accessing the corresponding user information via the internal access key.
Besides the internal access key, the user information cannot be directly accessed by other means, such as: the internal access key KeyN1 points to the user information a1, which indicates that the user information a1 can be accessed by obtaining the internal access key KeyN1, and the internal access key KeyN1 indicates that the data is collected when the user registers an account in a mobile phone-side APP (Application), and is only allowed to be used by other functions in the APP, and the data is stored in a plaintext manner, and the stored location is in the database DB 001.
In addition, the collected user information can be stored in the block chain, so that the user information is prevented from being tampered, and the safety of the user information is ensured.
In the embodiment of the specification, the user information is classified and stored, different types of user information are matched with different internal access keys, and the internal access keys are utilized to realize the safe access management of the user information.
In some embodiments of this specification, the classifying the collected user information includes:
classifying the collected user information according to at least one of the source of the user information, the allowed use range, a storage strategy and a storage position, wherein the storage strategy comprises the following steps: plaintext storage, encrypted storage, desensitized storage, and privacy processing storage.
In a specific implementation process, when classifying the collected user information, the classification may be performed based on at least one of a source, an allowable range, a storage policy, and a storage location of the user information, so as to achieve storage of user information with different requirements according to requirements. The storage strategy can comprise plaintext storage, encryption storage, desensitization storage and privacy processing storage, and the privacy processing storage can be understood as a storage means which is not required to be stored in a database, is used only in some service scenes such as risk identification and can be deleted after being used so as to ensure the privacy of users. The embodiment of the specification can meet the storage requirements of different data, and can perform secure access management on information with different storage requirements.
When the information access request of the external system is received and the authentication is passed, the internal access key associated with the information access request can be obtained based on the external access key in the information access request. Fig. 2 is a mapping relationship between an external access key, an internal access key, and user information in some embodiments of the present specification, and as shown in fig. 2, an external system may apply for an external access key in advance, when the external system applies for the external access key, an external access key may be assigned to the external system, and the external access key is associated with a corresponding internal access key, that is, each external access key corresponds to one internal access key. And then after receiving an information access request of an external system, acquiring a corresponding internal access key based on the mapping relation or the association relation.
In some embodiments of the present specification, before receiving an information access request sent by the external system, the method further includes:
receiving an external key distribution request sent by the external system, wherein the external key distribution request comprises: user authorization information and an information access range authorized by the user;
determining user information which is allowed to be accessed of the external system according to the user authorization information and the information access range authorized by the user;
acquiring a corresponding internal access key according to the user information of the external system allowed to access;
distributing a corresponding external access key for the external system based on the obtained internal access key, and configuring associated information of the external access key, wherein the associated information comprises: an external system identification, an information access usage scope, a validity period, and an associated internal access key.
In a specific implementation process, if an external system needs to access user information in a service system or an information management system, an external key distribution request can be sent to the system in advance, and after the system receives the request, the user information which the user authorizes the external system to access can be determined according to user authorization information in the request and an information access range authorized by the user. That is, the external system may first request user authorization, and after the user authorization, send an external key distribution request to the service system to request the service system to distribute an external access key. When the user authorizes the access right of the external system, the user can authorize the external system with a specific information access scope such as: which information is allowed to be accessed or in which service scenarios the information itself is allowed to be accessed. The service system can determine the user information authorized to access by the user based on the information authorized by the user, and each user information in the service system is managed by the corresponding internal access key, so that after an external key distribution request of an external system is received, the user information accessible by the external system can be determined based on the information in the request, and further the internal access key corresponding to the user information is determined. Distributing an external access key for an external system based on the obtained internal access key, wherein the external access key is configured with associated information such as: an external system identification, an information access usage scope, a validity period, and an associated internal access key. The associated information of the external access key and the internal access key may be understood as configuration information of the key, and the allowable use range of the access key, the associated system, the access key, and the like may be determined based on the associated information.
The format of the external access key and the format of the internal access key may be configured according to actual needs, and embodiments of the present specification are not limited in particular. For example: the data structure of the external access key may include a key type (external access key or internal access key), a system type (external system or internal system), an information access usage scope, a validity period, an associated internal access key, and the like. Similarly, the data structure of the internal access key may include: key type (external access key or internal access key), system type (external system or internal system), allowed use range, storage policy and storage location of data, and the like.
The internal access key is typically not leaked to the outside, and the external system accesses the user information through the external access key. There are usually multiple external access keys assigned to different external systems, which point to the same internal access key. For example: the external access key KeyW1 points to the internal access key KeyN1, and the internal access key KeyN1 points to the user information a 1. The external access key KeyW1 indicates that the access key is allocated to the system S1, and is only used for sending a reminding short message of a certain product to the mobile phone number of the user, and is valid for one year (that is, after one year, access to the mobile phone number information of the user through the external access key is denied).
The embodiment of the specification adopts a data storage model with a multilayer Key-Value (KV) structure to realize the safety management of user information, can store and manage according to the field level granularity of the user information, manages and protects the authorization and access of client data through a multi-level access Key structure, and ensures the safety of data access.
And step 108, acquiring target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access use range associated with the external access key.
In a specific implementation process, after a corresponding internal access key is determined based on an external access key in an information access request of an external system, target information that the information access request requires to access may be acquired according to storage configuration information associated with the internal access key and an information access use range associated with the external access key.
For example: the external access system sends an information access request to the service system, the request carries an external access KEY1, after the authentication of the external access KEY is passed, an internal access KEY1 associated with the external access KEY1 can be obtained, and then user information for managing by the internal access KEY1 is obtained, for example: the user information set 1 and the user information set 2 are associated via the queried internal access key 1. The external access key may not necessarily access all user information associated with its corresponding internal access key, and further information access verification needs to be performed according to the information access use range configured by the external access key. Such as: the internal access KEY1 is associated with the user information set 1 and the user information set 2, but only allows the user information set 1 to be accessed by inquiring the information access use range of the external access KEY1, so that the user information in the user information set 1 can be acquired as the target information according to the storage position in the storage configuration information of the user information set 1 configured by the internal access KEY 1.
And step 110, returning the acquired target information to the external system.
In a specific implementation process, the external access key based on the external system obtains the corresponding internal access key, and after further obtaining the corresponding target information, the obtained target information may be returned to the external system, or a storage path of the target information may be sent to the external system, so that the external system obtains the corresponding information based on the storage path. It should be noted that, referring to the description of the foregoing embodiment, the user information in this embodiment may adopt different storage manners based on different storage policies, and if the user information is stored in an encrypted manner, the target information acquired by the external system is still the encrypted user information, so as to ensure the security of the user information. For example: after the external system S1 obtains the specially processed mobile phone number information through the external KEY1, the user does not know the real mobile phone number of the user, but a short message can be sent to the specially processed mobile phone number information through another external system S2. Here, the external system S2 has the right to access the plaintext mobile phone number, the external system S1 may send the acquired specially processed information to the external system S2, and the external system S2 acquires the corresponding plaintext information based on the received information and then sends the short message.
In the information access processing method provided in the embodiment of the present specification, a data storage model with a multilayer KV structure is implemented by setting an internal access key and an external access key, and an external system is issued an external access key, and the external access key is associated with a corresponding internal access key, so that the external system accesses user information stored inside through the external access key. The internal access key is set to realize unified access management on the internally stored user information, and meanwhile, the internal access key can realize management on the access authority of an external system, so that the safety of the user information is ensured. And the user does not need to carry out access authorization when the service scene is switched, the information access process is simplified, and the information access efficiency is improved.
On the basis of the foregoing embodiment, in some embodiments of this specification, after obtaining the internal access key associated with the external access key, the method further includes:
authenticating the internal access key based on the acquired storage configuration information of the internal access key, and acquiring the target information based on the internal access key after the authentication of the internal access key is passed;
and if the user information corresponding to the internal access key is displayed in the storage configuration information of the internal access key and is not allowed to access, determining that the authentication of the internal access key fails, and returning prompt information for rejecting the information access request to the external system.
In a specific implementation process, after the internal access key associated with the external access key is obtained, the internal access key may be authenticated based on the storage configuration information of the internal access key, whether the user information associated with the internal access key can be accessed is verified, and if the user information is verified to be passed, the corresponding target information may be obtained according to the internal access key and the information access use range associated with the external access key. And if the verification shows that the associated user information is not allowed to be accessed in the storage configuration information associated with the internal access key, determining that the authentication of the internal access key fails, and returning prompt information for rejecting the information access request to an external system. That is, even after the authentication of the external access key is passed, the internal access key still needs to be further verified, and only after the authentication of the internal access key is passed, the external system is allowed to access the corresponding user information.
The internal access key has the access right management right to the user information, the access security of the user information is ensured through further verification of the internal access key, and the internal access key is generally not sent outwards, so that the management of the internally stored user information through the internal access key is safer and more reliable.
In some embodiments of the present description, the method further comprises:
receiving a request for canceling authorization sent by a user terminal, wherein the request for canceling authorization comprises an external system identifier requesting for canceling authorization access and authorized user information for canceling authorization access;
acquiring a corresponding external access key to be deleted according to the external system identifier and the authorized user information in the request for canceling authorization;
and deleting the external access key to be deleted, so that the information access request is refused when the information access request with the external access key to be deleted is received.
In a specific implementation process, the user may also cancel access authorization to the external system, such as: the user sends a request for canceling the authorization to the service system through the user terminal, and the request can include an external system identifier for requesting to cancel the authorized access and authorized user information for canceling the authorized access. Based on the information of the authorized user and the external system identification, the external access key to be deleted, which is based on the original authorization of the user to distribute the external system, can be obtained, the external access key to be deleted can be deleted, and after deletion, the service system can refuse access when receiving the information access request with the external access key to be deleted.
For example: the user a applies for canceling the access authorization to the external system 1 through the user terminal, and the service system can acquire the external access key originally allocated to the external system 1 based on the authorization of the user a based on the identity of the user a and the external system identity of the external system 1, and then delete the external access key. When the deleted external system 1 requests to access the information of the user a through the external access key, a prompt message that the user is not authorized and the access is denied can be returned.
Based on the requirements of users, the external access key configured by the external system is deleted flexibly so as to meet the access requirements of different users.
In some embodiments of the present description, the method further comprises:
receiving a user information deleting request sent by a user terminal, wherein the user information deleting request comprises user information to be deleted, which is requested to be deleted;
and deleting the user information to be deleted and the internal access key and the external access key corresponding to the user information to be deleted.
In a specific implementation, in some embodiments of the present description, the method further includes:
receiving a user information deleting request sent by a user terminal, wherein the user information deleting request comprises user information to be deleted, which is requested to be deleted;
and deleting the user information to be deleted and the internal access key and the external access key corresponding to the user information to be deleted.
In a specific implementation process, the user may also apply for deleting the user information stored in the system, such as: the user sends a request for deleting the user information to the service system through the user terminal, wherein the request can comprise the user information to be deleted. After the system receives the request, the user information to be deleted stored in the system, the internal access key corresponding to the user information to be deleted and the external access key can be deleted together, so that the access of an external system is isolated, and the safety of the user information is ensured. Of course, after receiving a user information deletion request sent by a user, the system may first query whether the user information of the user is stored in the system, if so, delete the user information, and if not, a prompt message that the user information is not stored and does not need to be deleted may be returned.
On the basis of the above embodiment, the method further includes:
and when the validity period of the external access key reaches or the external access key is detected to be leaked, updating the external access key.
In a specific implementation process, if it is detected that the validity period of the external access key allocated to the external system arrives or the external access key is leaked, for example: the system identification of the external system sending the external access request is inconsistent with the external system identification associated with the external access key in the request, the external access key is considered to be leaked, at the moment, the external access key can be updated, namely, an external access key is distributed to the external system again, an internal access key, a validity period, an information access use range and the like associated with the new external access key are configured, and the newly configured external access key is sent to the corresponding external system. The validity period of the external access key of each external system can be detected at regular intervals, and the expired external access key can be discovered and updated in time, so that the follow-up information access is not interfered.
When the validity period of the external access key is detected to reach or be leaked, the external access key is timely thinned, so that the safety of user information access and the fluency of information access are ensured.
In addition, in some embodiments of the present description, if the user information associated with the internal access key changes, the internal access key is updated, and the updated internal access key is associated with the corresponding external access key.
In a specific implementation process, when it is detected that storage configuration information of user information associated with the internal access key changes, for example: and splitting, merging, processing, updating and the like of the user information set, and updating the internal access key. An internal access key may be reconfigured and the association of the original internal access key with the external access key updated to the new internal access key. When the user information changes, the internal access key is updated in time so as to ensure that the access management of the user information can be accurately realized.
In addition, the internal access key, the external access key, and the associated information configured in the internal access key and the external access key in the embodiments of the present specification may be uploaded to the block chain for storage, so as to ensure that the external access key and the internal access key are not tampered. When the external system needs to use the external access key to access the user information, the external access key of the external system can be acquired from the block chain, and then an information access request is sent to the service system. After the service system receives the request and passes the authentication of the external access key, the service system can acquire the internal access key associated with the external access key from the block chain and continue the subsequent access processing process.
Fig. 3 is a schematic flowchart of a process of accessing user information by an external system in some embodiments of the present specification, and as shown in fig. 3, the process of accessing user information by an external system mainly includes:
step 302, sending an information access request to an information management system, wherein the information access request comprises a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
step 304, receiving the storage configuration information related to the internal access key and the target information returned by the information access use range after the authentication of the external access key by the information management system is passed.
In a specific implementation process, in the embodiment of the present description, the service system, that is, the information management system may store the collected user information in a classified manner in advance, and each category of user information may be managed by configuring an internal access key. After the external system is authorized by the user, it may:
sending an external key distribution request to the information management system, wherein the external key distribution request comprises: user authorization information and an information access range authorized by the user;
receiving the external access key distributed by the information management system, wherein the information management system configures associated information for the external access key, and the associated information includes: an external system identification, an information access usage scope, a validity period, and an associated internal access key.
After receiving an external key distribution request sent by an external system, the service system can determine user information which is authorized to be accessed by the external system by the user based on user authorization information in the request and an information access range authorized by the user, and then configures an external access key for the external system according to an internal access key corresponding to the user information. The external access key may be configured with an external system identification, an information access usage scope, a validity period, and an associated internal access key. For details, reference may be made to the descriptions of the above embodiments, which are not described herein again.
After obtaining the external access key, when the external access system needs to access the user information in the service system, it may send an information access request to the service system, and the service system will authenticate the external access key in the request, such as: verifying whether the external access key is in the validity period, verifying whether the use range of the external access key is the range corresponding to the current service scene, verifying whether the external access key is consistent with an external system sending the request, and the like. After the authentication is passed, the service system may obtain an internal access key corresponding to the external access key according to a mapping relationship between the external access key and the internal access key, and further obtain user information managed by the internal access key. And based on the use range of the external access key, acquiring user information which can be accessed by the external system, namely target information, and returning the target information to the external system. For a specific access process, reference may be made to the descriptions of the foregoing embodiments, which are not described herein again.
The information access processing method provided by the embodiment of the specification actually comprises 3 parts: information collection, access authorization, and information access, fig. 4 is a schematic flow diagram of information collection in a scenario example of this specification, as shown in fig. 4, in a scenario example of this specification, the collection of user information may include:
step 1, after the system obtains the agreement of the user, the system collects the information of the relevant user. For example, when registering an electronic account, a user agrees with a registration protocol and a privacy protection policy protocol and then starts to enter information such as a mobile phone number and a login password. The system begins to collect and process this user information. Of course, for other service scenarios, the user information may also include identity information, fingerprint information, facial image information, asset information, and the like of the user.
And 2, classifying and storing the collected data (or incapable of storing the data in a database) according to different requirements. For example, the mobile phone number is stored in plaintext, the password is encrypted and then stored in another database, and the database is used but not stored when risk identification is performed during location data registration. Here, the collected user information is stored in the personal data item model, possibly one or more personal data item models, as required. The personal data item model may be understood as a category of user information in the above embodiments.
And 3, creating an internal storage key and directing to the corresponding personal data item according to information such as the collection source of the data, the allowed use range, the storage strategy and the storage position of the personal data item and the like. Multiple internal access keys may also be created if there are multiple personal data items. Internal access keys are typically only used internally in the system.
Fig. 5 is a flowchart illustrating a process of authorizing an external system to access by a user in an exemplary scenario of the present specification, and as shown in fig. 5, the process of obtaining the user authorization by the external system may include:
step 1, the external system obtains authorization of user information through different interaction modes, such as a pop-up window page for allowing the user to check authorized information items, or the user agrees to a certain agreement including authorized information terms.
And 2, determining the use scene of the external system to the user information, and prompting the user or requiring an authorization process to meet relevant regulations when the user is authorized. The corresponding personal data item model(s) are then determined based on the authorized user information.
And 3, finding out a corresponding internal access key for use in the next step according to the determined authorized personal data item.
And 4, distributing an external access key to return to the external system based on the information of the identifier, the use scene, the expiration time and the like of the external system. This external access key points to the internal access key in the previous step.
Fig. 6 is a schematic flowchart of an external system accessing user information in an example scenario of the present specification, where as shown in fig. 6, an information accessing process includes:
step 1, the external system requests to access part or all of the information authorized by the user through the external access key.
And 2, verifying the validity of the external access key based on the information such as the external system identification, the use scene, the expiration time and the like associated with the external access key, including whether the external access key is allowed to be used in the current scene.
And 3, after the authentication of the external access key is passed, taking the internal access key pointed by the external access key. And then checking the information based on the allowable use range of the internal access key association and the like. For example, if a user is judiciously given access control, this information will be presented in the scope of its internal access key. Even if a legitimate external access key accesses the internal access key, a denial of access to the requested personal data item is returned.
And 4, after the authentication of the internal access key is passed, finally acquiring the personal data item information according to the information such as the storage strategy and the storage position of the personal data item recorded by the internal access key, and returning the personal data item information to the external system according to the request requirement.
In addition, in this embodiment of the present specification, if the user applies for canceling data that has been authorized for the external system, the corresponding external access key may be deleted. If there is an external system holding the external access key to request user data, the external access key will not pass the authentication because the system has been deleted. And if the user applies to delete the original personal information, the data stored in the client model after being collected. In addition to cleaning up the external access key (to block the external authorized system), both the internal access key and the personal data item need to be deleted. In addition, for example, the external access key is expired or leaked, and a process for updating the external access key is available; the updating of the internal access key is triggered by splitting, merging, processing and the like of the personal information items.
In the embodiment of the specification, the storage and the management are performed according to the field level granularity of the user information, and the authorization and the use scene of the client data are managed and protected through a multi-level key structure, so that the storage and the access of the user information are safer and more reliable. Compared with an open authorization method, the method provided by the embodiment of the specification is more suitable for the use in an internal environment, does not require the ejection of an authorization page, and can perform unified authorization and shared use on a plurality of internal scenes at a proper entrance or time. Compared with an open authorization scheme, the scheme can flexibly and compliantly control the authorization experience and the safety experience of the user in the system, and can also meet the unified and regional management requirements of an internal system on the client data.
In the present specification, each embodiment of the method is described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. The relevant points can be obtained by referring to the partial description of the method embodiment.
Based on the information access processing method, one or more embodiments of the present specification further provide an apparatus for information access processing. The apparatus may include apparatus (including distributed systems), software (applications), modules, plug-ins, servers, clients, etc. that use the methods described in embodiments of the present specification in conjunction with hardware where necessary to implement the methods. Based on the same innovative conception, embodiments of the present specification provide an apparatus as described in the following embodiments. Since the implementation scheme of the apparatus for solving the problem is similar to that of the method, the specific apparatus implementation in the embodiment of the present specification may refer to the implementation of the foregoing method, and repeated details are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Specifically, fig. 7 is a schematic block diagram of an embodiment of an information access processing apparatus provided in this specification, and as shown in fig. 7, the information access processing apparatus provided in this specification may include:
a request receiving module 71, configured to receive an information access request sent by an external system, where the information access request includes an external access key issued to the external system in advance;
a key authentication module 72, configured to authenticate the external access key based on an external system identifier, an information access usage range, and a validity period associated with the external access key;
an internal key obtaining module 73, configured to obtain an internal access key associated with the external access key after the authentication of the external access key passes; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowing access;
an information obtaining module 74, configured to obtain target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access usage range associated with the external access key;
and an information returning module 75, configured to return the acquired target information to the external system.
Fig. 8 is a schematic block diagram of another embodiment of the information access processing apparatus provided in this specification, and as shown in fig. 8, the information access processing apparatus provided in this specification may include:
the request sending module 81 is configured to send an information access request to an information management system, where the information access request includes a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range, and an expiration date;
and an information receiving module 82, configured to receive target information returned by the information management system based on the storage configuration information associated with the internal access key and the information access use range after the authentication of the external access key is passed.
In the embodiment of the specification, a data storage model with a multilayer KV structure is realized by setting an internal access key and an external access key, and an external system is issued with the external access key, and the external access key is associated with a corresponding internal access key, so that the external system can access user information stored inside through the external access key. The internal access key is set to realize unified access management on the internally stored user information, and meanwhile, the internal access key can realize management on the access authority of an external system, so that the safety of the user information is ensured. And the user does not need to carry out access authorization when the service scene is switched, the information access process is simplified, and the information access efficiency is improved.
It should be noted that the above-mentioned apparatus may also include other embodiments according to the description of the corresponding method embodiment. The specific implementation manner may refer to the description of the above corresponding method embodiment, and is not described in detail herein.
An embodiment of the present specification further provides an information access processing apparatus, including: at least one processor and a memory for storing processor-executable instructions, the processor implementing the information access processing method of the above embodiments when executing the instructions, such as:
receiving an information access request sent by an external system, wherein the information access request comprises an external access key issued to the external system in advance;
authenticating the external access key based on the external system identification, the information access use range and the validity period which are associated with the external access key;
after the authentication of the external access key is passed, an internal access key related to the external access key is obtained; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowed to be accessed;
acquiring target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access use range associated with the external access key;
and returning the acquired target information to the external system.
Or, sending an information access request to an information management system, wherein the information access request comprises a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
and receiving the storage configuration information related to the internal access key and the target information returned by the information access use range after the information management system passes the authentication of the external access key.
In some embodiments of the present specification, an information access processing system is further provided, where user information is stored in the information access processing system, and different types of user information are configured with corresponding internal access keys; the information access processing system configures an external access key for an external system based on a request of the external system, wherein the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
the information access processing system is stored with computer instructions, and the instructions can realize the information access processing method in the above embodiment when executed.
It should be noted that the above-described device or system may also include other embodiments according to the description of the method embodiments. The specific implementation manner may refer to the description of the related method embodiment, and is not described in detail herein.
The information access processing device and equipment provided by the specification can also be applied to various data analysis processing systems. The system or server or terminal or device may be a single server, or may include a server cluster, a system (including a distributed system), software (applications), actual operating devices, logical gate devices, quantum computers, etc. using one or more of the methods described herein or one or more embodiments of the system or server or terminal or device, in combination with necessary end devices implementing hardware. The system for checking for discrepancies may comprise at least one processor and a memory storing computer-executable instructions that, when executed by the processor, implement the steps of the method of any one or more of the embodiments described above.
The method embodiments provided by the embodiments of the present specification can be executed in a mobile terminal, a computer terminal, a server or a similar computing device. Taking the example of the operation on the server, fig. 9 is a block diagram of the hardware structure of the information access processing server in one embodiment of the present specification, and the computer terminal may be the information access processing server or the information access processing apparatus in the above embodiment. As shown in fig. 9, the server 10 may include one or more (only one shown) processors 100 (the processors 100 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.), a non-volatile memory 200 for storing data, and a transmission module 300 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 9 is only an illustration and is not intended to limit the structure of the electronic device. For example, the server 10 may also include more or fewer plug-ins than shown in FIG. 9, and may also include other processing hardware, such as a database or multi-level cache, a GPU, or have a different configuration than that shown in FIG. 9, for example.
The non-volatile memory 200 may be used to store software programs and modules of application software, such as program instructions/modules corresponding to the information access processing method in the embodiments of the present specification, and the processor 100 executes various functional applications and resource data updates by running the software programs and modules stored in the non-volatile memory 200. Non-volatile memory 200 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the non-volatile memory 200 may further include memory located remotely from the processor 100, which may be connected to a computer terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 300 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal. In one example, the transmission module 300 includes a Network adapter (NIC) that can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission module 300 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The method or apparatus provided in this specification and described in the foregoing embodiments may implement service logic through a computer program and record the service logic on a storage medium, where the storage medium may be read and executed by a computer, and implement the effects of the solutions described in the embodiments of this specification, such as:
receiving an information access request sent by an external system, wherein the information access request comprises an external access key issued to the external system in advance;
authenticating the external access key based on the external system identification, the information access use range and the validity period which are associated with the external access key;
after the authentication of the external access key is passed, an internal access key related to the external access key is obtained; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowed to be accessed;
acquiring target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access use range associated with the external access key;
and returning the acquired target information to the external system.
Or, sending an information access request to an information management system, wherein the information access request comprises a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
and receiving the storage configuration information related to the internal access key and the target information returned by the information access use range after the information management system passes the authentication of the external access key.
The storage medium may include a physical device for storing information, and typically, the information is digitized and then stored using an electrical, magnetic, or optical media. The storage medium may include: devices that store information using electrical energy, such as various types of memory, e.g., RAM, ROM, etc.; devices that store information using magnetic energy such as hard disks, floppy disks, tapes, core memories, bubble memories, and usb disks; devices that store information optically, such as CDs or DVDs. Of course, there are other ways of storing media that can be read, such as quantum memory, graphene memory, and so forth.
The information access processing method or apparatus provided in the embodiments of the present specification may be implemented in a computer by a processor executing corresponding program instructions, for example, implemented in a PC end using a c + + language of a windows operating system, implemented in a linux system, or implemented in an intelligent terminal using android, iOS system programming languages, implemented in processing logic based on a quantum computer, or the like.
The embodiments of the present description are not limited to what must be consistent with industry communications standards, standard computer resource data updating and data storage rules, or what is described in one or more embodiments of the present description. Certain industry standards or implementations modified slightly from those described using custom modes or examples can also achieve the same, equivalent or similar, or other expected implementation results after being modified. The embodiments using the modified or transformed data acquisition, storage, judgment, processing and the like can still fall within the scope of the alternative embodiments of the embodiments in this specification.
In the 90 s of the 20 th century, improvements in a technology could clearly distinguish between improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually making an Integrated Circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing, but the original code before compiling is also written by a specific Programming Language, which is called Hardware Description Language (HDL), and HDL is not only one but many, such as abel (advanced Boolean Expression Language), ahdl (alternate Hardware Description Language), traffic, pl (core universal Programming Language), HDCal (jhdware Description Language), lang, Lola, HDL, laspam, hardward Description Language (vhr Description Language), vhal (Hardware Description Language), and vhigh-Language, which are currently used in most common. It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in purely computer readable program code means, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be conceived to be both a software module implementing the method and a structure within a hardware component.
For convenience of description, the above platform and terminal are described as being divided into various modules by functions and described separately. Of course, when implementing one or more of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, etc. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, a plurality of units or plug-ins may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
These computer program instructions may also be loaded onto a computer or other programmable resource data update apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, and the relevant points can be referred to only part of the description of the method embodiments. In the description of the specification, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the specification. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
The above description is merely exemplary of one or more embodiments of the present disclosure and is not intended to limit the scope of one or more embodiments of the present disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present specification should be included in the scope of the claims.

Claims (15)

1. An information access processing method, the method comprising:
receiving an information access request sent by an external system, wherein the information access request comprises an external access key issued to the external system in advance;
authenticating the external access key based on the external system identification, the information access use range and the validity period which are associated with the external access key;
after the authentication of the external access key is passed, an internal access key related to the external access key is obtained; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowed to be accessed;
acquiring target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access use range associated with the external access key;
and returning the acquired target information to the external system.
2. The method of claim 1, prior to receiving an information access request sent by the external system, the method further comprising:
classifying the collected user information, distributing internal access keys for different categories of user information, and associating the storage configuration information of the user information with the corresponding internal access keys, wherein one internal access key corresponds to one or more categories of user information.
3. The method of claim 2, the classifying the collected user information comprising:
classifying the collected user information according to at least one of the source, the allowed range, the storage strategy and the storage position of the user information, wherein the storage strategy comprises the following steps: plaintext storage, encrypted storage, desensitized storage, and privacy processing storage.
4. The method of claim 1, prior to receiving an information access request sent by the external system, the method further comprising:
receiving an external key distribution request sent by the external system, wherein the external key distribution request comprises: user authorization information and an information access range authorized by the user;
determining user information allowing access of the external system according to the user authorization information and the information access range authorized by the user;
acquiring a corresponding internal access key according to the user information of the external system, which allows access;
distributing a corresponding external access key for the external system based on the obtained internal access key, and configuring associated information of the external access key, wherein the associated information comprises: an external system identification, an information access usage scope, a validity period, and an associated internal access key.
5. The method of claim 1, after obtaining the internal access key associated with the external access key, the method further comprising:
authenticating the internal access key based on the acquired storage configuration information of the internal access key, and acquiring the target information based on the internal access key after the authentication of the internal access key is passed;
and if the user information corresponding to the internal access key is displayed in the storage configuration information of the internal access key and is not allowed to access, determining that the authentication of the internal access key fails, and returning prompt information for rejecting the information access request to the external system.
6. The method of claim 1, further comprising:
receiving a request for canceling authorization sent by a user terminal, wherein the request for canceling authorization comprises an external system identifier requesting for canceling authorization access and authorized user information for canceling authorization access;
acquiring a corresponding external access key to be deleted according to the external system identifier and the authorized user information in the request for canceling authorization;
and deleting the external access key to be deleted, so that the information access request is refused when the information access request with the external access key to be deleted is received.
7. The method of claim 1, further comprising:
receiving a user information deleting request sent by a user terminal, wherein the user information deleting request comprises user information to be deleted, which is requested to be deleted;
and deleting the user information to be deleted and the internal access key and the external access key corresponding to the user information to be deleted.
8. The method of claim 1, further comprising:
and when the validity period of the external access key reaches or the external access key is detected to be leaked, updating the external access key.
9. The method of claim 1, further comprising:
and if the user information associated with the internal access key changes, updating the internal access key, and associating the updated internal access key with the corresponding external access key.
10. An information access processing method, the method comprising:
sending an information access request to an information management system, wherein the information access request comprises a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowing access;
and receiving the storage configuration information related to the internal access key and the information access use range returned target information after the information management system passes the authentication of the external access key.
11. The method of claim 10, prior to sending an information access request to the information management system, the method further comprising:
sending an external key distribution request to the information management system, wherein the external key distribution request comprises: user authorization information and an information access range authorized by the user;
receiving the external access key distributed by the information management system, wherein the information management system configures associated information for the external access key, and the associated information includes: an external system identification, an information access usage scope, a validity period, and an associated internal access key.
12. An information access processing apparatus, the apparatus comprising:
the device comprises a request receiving module, a processing module and a processing module, wherein the request receiving module is used for receiving an information access request sent by an external system, and the information access request comprises an external access key issued to the external system in advance;
the key authentication module is used for authenticating the external access key based on the external system identifier, the information access use range and the validity period which are associated with the external access key;
the internal key acquisition module is used for acquiring an internal access key related to the external access key after the authentication of the external access key is passed; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowing access;
the information acquisition module is used for acquiring target information accessed by the information access request based on the storage configuration information associated with the internal access key and the information access use range associated with the external access key;
and the information returning module is used for returning the acquired target information to the external system.
13. An information access processing apparatus, the apparatus comprising:
the information management system comprises a request sending module, a data access module and a data processing module, wherein the request sending module is used for sending an information access request to the information management system, the information access request comprises a pre-issued external access key, and the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period; each internal access key is associated with one or more external access keys, and is configured with storage configuration information of user information allowed to be accessed;
and the information receiving module is used for receiving the target information returned by the information management system based on the storage configuration information associated with the internal access key and the information access use range after the authentication of the external access key is passed.
14. An information access processing apparatus comprising: at least one processor and a memory for storing processor-executable instructions, the instructions when executed by the processor implementing the method of any one of claims 1-9 or 10-11.
15. An information access processing system stores user information, and different types of user information are configured with corresponding internal access keys; the information access processing system configures an external access key for an external system based on a request of the external system, wherein the external access key is associated with an internal access key, an external system identifier, an information access use range and an effective period;
the information access processing system having stored thereon computer instructions which, when executed, implement the steps of the method of any of claims 1 to 9.
CN202110324994.2A 2021-03-26 2021-03-26 Information access processing method, device, equipment and system Active CN113051614B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110324994.2A CN113051614B (en) 2021-03-26 2021-03-26 Information access processing method, device, equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110324994.2A CN113051614B (en) 2021-03-26 2021-03-26 Information access processing method, device, equipment and system

Publications (2)

Publication Number Publication Date
CN113051614A CN113051614A (en) 2021-06-29
CN113051614B true CN113051614B (en) 2022-07-05

Family

ID=76515347

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110324994.2A Active CN113051614B (en) 2021-03-26 2021-03-26 Information access processing method, device, equipment and system

Country Status (1)

Country Link
CN (1) CN113051614B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935094A (en) * 2020-07-14 2020-11-13 北京金山云网络技术有限公司 Database access method, device, system and computer readable storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100461875C (en) * 2005-10-21 2009-02-11 华为技术有限公司 Method for sharing storage space of mobile terminal and its system
CN101247336B (en) * 2008-03-07 2010-08-18 中兴通讯股份有限公司 Method and server for controlling multilevel access authority of access user
CN108121918B (en) * 2017-12-29 2020-11-10 福建省农村信用社联合社 Bidirectional cooperation system and method for internal and external services of bank
CN109246078B (en) * 2018-08-02 2022-09-13 平安科技(深圳)有限公司 Data interaction method and server
CN111092843A (en) * 2018-10-23 2020-05-01 钛马信息网络技术有限公司 Data desensitization and security authorization system for Internet of vehicles
CN109472159A (en) * 2018-11-15 2019-03-15 泰康保险集团股份有限公司 Access control method, device, medium and electronic equipment
CN111400765B (en) * 2020-03-25 2021-11-02 支付宝(杭州)信息技术有限公司 Private data access method and device and electronic equipment
CN112202744B (en) * 2020-09-23 2022-11-01 中国建设银行股份有限公司 Multi-system data communication method and device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935094A (en) * 2020-07-14 2020-11-13 北京金山云网络技术有限公司 Database access method, device, system and computer readable storage medium

Also Published As

Publication number Publication date
CN113051614A (en) 2021-06-29

Similar Documents

Publication Publication Date Title
AU2016273890B2 (en) Controlling physical access to secure areas via client devices in a networked environment
CN107480555B (en) Database access authority control method and device based on block chain
US9686287B2 (en) Delegating authorization to applications on a client device in a networked environment
CN104683336B (en) A kind of Android private data guard method and system based on security domain
CN111079091A (en) Software security management method and device, terminal and server
CN109446259B (en) Data processing method and device, processor and storage medium
US9521032B1 (en) Server for authentication, authorization, and accounting
EP3777082B1 (en) Trusted platform module-based prepaid access token for commercial iot online services
CN111414612B (en) Security protection method and device for operating system mirror image and electronic equipment
US20140109194A1 (en) Authentication Delegation
WO2018045917A1 (en) Authorization system, method, and card
CN113051614B (en) Information access processing method, device, equipment and system
CN110968632B (en) Method and system for unified data exchange
CN114676411A (en) Authentication mode identification method and equipment
CN112422281A (en) Method and system for changing secret key in security module
CN105868603A (en) Configuration data based fingerprinting for access to a resource
CN116155565B (en) Data access control method and device
CN113992420B (en) Authority management method, system, electronic equipment and storage medium
CN114679301B (en) Method and system for accessing data of data lake by utilizing safe sandbox
CN116628674A (en) Authorization method, device, equipment and storage medium of application system
CN116401721A (en) Data processing method, system, equipment and storage medium
CN116938575A (en) Multi-system login authentication method and device, computer equipment and storage medium
KR101502800B1 (en) Digital system having rights identification information, application system, and service system
CN116842536A (en) Access control method, device, equipment and storage medium of operating system
CN116756715A (en) Work number management method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant