CN113656827A - Method for realizing row-level authority control based on domestic database - Google Patents
- Publication number: CN113656827A
- Application number: CN202110811176.5A
- Authority: CN (China)
- Prior art keywords: row, level authority, user, level, control based
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- G06Q10/103—Workflow collaboration or project management
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a method for realizing row-level authority control based on a domestic database, comprising the following steps: S1: defining row tags and column tags according to the organizational structure; S2: configuring row-level authority for the organizational structure using the row tags and column tags; S3: creating a user for row-level authority, creating a row-level authority policy and assigning the policy to the user. The row tags and column tags are defined according to the organizational structure and row-level authority is configured from them; judgment at various granularities is achieved by matching and computing the organization code of each row against the code of the current user. A separate account is created for each city or county, and a corresponding row-level permission policy is created for that account according to the organization-code column.
Description
Technical Field
The invention belongs to the technical field of informatization in organizational work, and in particular relates to a method for realizing row-level authority control based on a domestic database.
Background
As electronic informatization accelerates, most business systems and application platforms share a common service requirement: a base service platform for organizational structure and personnel.
In practice, the organizational-structure and personnel databases of the many application systems used by each unit are built independently, and data isolation is achieved at the database level: different users may see only their own unit's data. Because there are many organization types and each unit sits at the province, city or county level, this isolation can be realized with the database's row-level policies.
Disclosure of Invention
The invention aims to provide a method for realizing row-level authority control based on a domestic database, solving the problem of row-level authority control in the prior art. A row-level policy of the database compares each row against the currently logged-in user name; if a matching algorithm determines from the user name that the row belongs to that user, the user can view, modify and delete it, otherwise the user cannot see it.
A method for realizing row-level authority control based on a domestic database comprises the following steps:
S1: defining row tags and column tags according to the organizational structure;
S2: configuring row-level authority for the organizational structure using the row tags and column tags;
S3: creating a user for row-level authority, creating a row-level authority policy and assigning the policy to the user.
In a further preferred embodiment of the present invention, the row tag is used by a user to access and modify the data of the user's own prefecture or city.
In a further preferred embodiment of the present invention, the column tag is used by a user to access the data of a business department.
Further preferably, the business departments comprise a first business department, a second business department and a third business department.
In a further preferred embodiment of the present invention, each organization or unit creates a user name encoded with the unit's organization code together with a corresponding matching rule, and when logged in with that user name only the organization's own data can be seen.
In a further preferred embodiment of the present invention, in step S3, the judgment of granularity is realized by matching and computing the organization code of each row against the code of the current user.
In a further preferred embodiment of the present invention, in step S3, the row-level authority policy comprises comparing data against the currently logged-in user name and determining, by a matching algorithm, that the row belongs to that user name.
Further preferably, the row-level authority provides a row-based security policy, restricts which table data a database user can view, and restricts the query, insert, delete and update operations of each user.
In many system platform architectures and development projects the concrete implementation differs. In a typical development approach, for example, the programmer implements authority control directly in application code and fetches the rows satisfying the condition from there. This also achieves the function, but it is weak in data security: the code written by different programmers is not standardized, or is careless, so the data security of the whole system is not strict.
In summary, by adopting the technical scheme the invention has the following beneficial effects:
The invention first defines row tags and column tags and performs the corresponding authority configuration according to the organizational structure, restricting the authority of each user. It provides a row-based security policy that limits which table data a database user can view, restricting for each user which rows can be queried or modified. Horizontal row-level authority is achieved: each city can access and modify only its own data. Vertical row-level authority is achieved: each business department can access only its own data. The horizontal row-level authority is realized by organization codes, and judgment at various granularities is achieved by matching and computing the organization code of each row against the code of the current user. A separate account is created for each city or county, and a corresponding row-level permission policy is created for that account according to the organization-code column.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
It is to be understood that the specific embodiments described herein are for purposes of illustration only and are not to be construed as limiting the invention, i.e., the described embodiments are merely a few embodiments of the invention, rather than all embodiments, and that all of the features disclosed in this specification, or all of the steps in any method or process disclosed, may be combined in any manner, except for mutually exclusive features and/or steps.
All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as the terms "first," "second," and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The present invention will be described in detail below.
The first embodiment is as follows: a method for realizing row-level authority control based on a domestic database comprises the following steps:
S1: defining row tags and column tags according to the organizational structure;
S2: configuring row-level authority for the organizational structure using the row tags and column tags;
S3: creating a user for row-level authority, creating a row-level authority policy and assigning the policy to the user.
Taking unit A as an example, the user name is created as "E19.D09.291". At query time each row is compared with the current login user name, and if all three levels of the code match, the row is regarded as data of unit A.
City-level aggregation point: to view the aggregation-point data of a city, a user corresponding to the aggregation-point code is created. For example, to view the data of the city aggregation point, a user "E19.D09" is created, the following rule is created, and after logging in to the application with that user only the data belonging to the city aggregation point can be seen. The rule is as follows:
Unit B: in the same way, a user "E19.D01" is created for unit C, which sees only the data belonging to unit C. The rule is as follows:
Other related units: again taking unit A as an example, a corresponding user "E19.D09.291" is created, and only data belonging to unit A is viewed, according to the following rule:
Taking unit D as an example, a user "E19.419" is created, and only data belonging to unit D is viewed. The rule is as follows:
Taking the People's Bank of China as an example, a user "465.E19.D09" is created, and only data belonging to the People's Bank of China in the city is viewed. The rule is as follows:
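The patent names neither the database product nor the syntax of its row-level policy, so the rules above survive only as prose. As an added example, not taken from the patent, the following realizes steps S1 to S3 and the unit A and city aggregation-point users with PostgreSQL row-level security (a PostgreSQL-compatible dialect is an assumption; the table org_person, its columns, the department values and the sample rows are likewise assumptions, while the role names are the organization codes quoted in the text):

```sql
-- Added example, not from the patent. Assumes a PostgreSQL-compatible dialect,
-- the table/column names below and the constructed sample rows. Role names are
-- the organization codes from the text: E19.D09.291 = unit A,
-- E19.D09 = city aggregation point, E19.D01 = unit B, E19.419 = unit D.

-- S1/S2: every business row carries the organization code (row tag) and the
-- business department (column tag).
CREATE TABLE org_person (
    id       bigserial PRIMARY KEY,
    org_code text NOT NULL,   -- 'province.city.county', e.g. 'E19.D09.291'
    dept     text NOT NULL,   -- 'dept1', 'dept2' or 'dept3' (assumed values)
    payload  text
);

INSERT INTO org_person (org_code, dept, payload) VALUES   -- constructed data
    ('E19.D09.291', 'dept1', 'unit A row'),
    ('E19.D09.292', 'dept1', 'neighbouring county under the same city'),
    ('E19.D09',     'dept2', 'city aggregation-point row'),
    ('E19.D01',     'dept1', 'unit B row'),
    ('E19.419',     'dept3', 'unit D row');

-- S3: one login role per organization, named with its code. The names must be
-- double-quoted: unquoted identifiers fold to lower case, which is why the
-- text shows the same code both as "E19.D09" and as "e19.d09".
CREATE ROLE "E19.D09.291" LOGIN;
CREATE ROLE "E19.D09"     LOGIN;
CREATE ROLE "E19.D01"     LOGIN;
CREATE ROLE "E19.419"     LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON org_person
    TO "E19.D09.291", "E19.D09", "E19.D01", "E19.419";
GRANT USAGE, SELECT ON SEQUENCE org_person_id_seq
    TO "E19.D09.291", "E19.D09", "E19.D01", "E19.419";

-- With RLS enabled and no policy, non-owners see no rows at all.
-- FORCE applies the policies to the table owner as well.
ALTER TABLE org_person ENABLE ROW LEVEL SECURITY;
ALTER TABLE org_person FORCE  ROW LEVEL SECURITY;

-- The matching rule: a row is visible when its code equals the current user's
-- code, or when the user's code followed by '.' is a prefix of it (a county
-- under the city). Compare whole '.'-separated levels: a bare prefix test
-- (org_code LIKE current_user || '%') would let a role 'E19.D0' read both the
-- 'E19.D09' and the 'E19.D01' rows. left()/length() are used instead of LIKE
-- so that '_' or '%' inside a code can never act as a wildcard.
CREATE POLICY org_row_match ON org_person
    FOR ALL
    USING      (org_code = current_user
                OR left(org_code, length(current_user) + 1) = current_user || '.')
    WITH CHECK (org_code = current_user
                OR left(org_code, length(current_user) + 1) = current_user || '.');
-- USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects an INSERT or UPDATE
-- whose resulting row would lie outside the user's organization.

-- Exercise the policy from each role (SET ROLE needs role membership or a
-- superuser session).
SET ROLE "E19.D09.291";
SELECT org_code, payload FROM org_person;           -- only the E19.D09.291 row
UPDATE org_person SET payload = 'edited by unit A';  -- touches only that row
INSERT INTO org_person (org_code, dept, payload)
    VALUES ('E19.D01', 'dept1', 'smuggled');         -- rejected by WITH CHECK
RESET ROLE;

SET ROLE "E19.D09";                                  -- city aggregation point
SELECT org_code, payload FROM org_person;           -- E19.D09, E19.D09.291, E19.D09.292
RESET ROLE;

SET ROLE "E19.D01";
SELECT org_code, payload FROM org_person;           -- only the E19.D01 row
RESET ROLE;
```

The rejected INSERT raises a row-level security violation, which is the intended outcome. Two caveats the patent does not mention: the policy only protects data when the application connects as the per-organization role (or switches to it with SET ROLE) rather than through a shared application account, and superusers or roles with BYPASSRLS skip it entirely. If a department restriction for the column tag is added as a second policy it must be declared AS RESTRICTIVE, since permissive policies are combined with OR and would otherwise widen access instead of narrowing it.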
example two: the row label is used for accessing and modifying relevant data of local states of each region by a user, the column label is used for accessing data of each business department by the user, and the business departments comprise a first business department, a second business department and a third business department.
Example three: each organization or unit creates a user name coded by the unit and a corresponding matching rule, and when the organization or unit logs in by the user name, only the data of the organization can be seen.
Example four: in the step S3, the judgment of granularity is implemented by judging that the mechanism code of each row matches and calculates with the code of the current user, and in the step S3, the row-level authority policy includes comparing data according to the currently logged-in user name, and judging that the piece of data belongs to the user name from the user name through a matching algorithm.
Although the invention has been described herein with reference to a number of illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure. More specifically, various variations and modifications are possible in the component parts and/or arrangements of the subject combination arrangement within the scope of the disclosure and claims of this application. In addition to variations and modifications in the component parts and/or arrangements, other uses will also be apparent to those skilled in the art.
Claims (8)
1. A method for realizing row-level authority control based on a domestic database, characterized by comprising the following steps:
S1: defining row tags and column tags according to the organizational structure;
S2: configuring row-level authority for the organizational structure using the row tags and column tags;
S3: creating a user for row-level authority, creating a row-level authority policy and assigning the policy to the user.
2. The method for realizing row-level authority control based on a domestic database according to claim 1, wherein the row tag is used by a user to access and modify the data of the user's own prefecture or city.
3. The method for realizing row-level authority control based on a domestic database according to claim 1, wherein the column tag is used by a user to access the data of an individual business department.
4. The method for realizing row-level authority control based on a domestic database according to claim 3, wherein the business departments comprise a first business department, a second business department and a third business department.
5. The method for realizing row-level authority control based on a domestic database according to claim 1, wherein each organization or unit creates a user name encoded with the unit's code together with a corresponding matching rule, and when logged in with that user name only the organization's own data can be seen.
6. The method for realizing row-level authority control based on a domestic database according to claim 1, wherein in step S3 the judgment of granularity is realized by matching and computing the organization code of each row against the code of the current user.
7. The method for realizing row-level authority control based on a domestic database according to claim 1, wherein the row-level authority policy of step S3 comprises comparing data against the currently logged-in user name and determining, by a matching algorithm, that the data belongs to that user name.
8. The method for realizing row-level authority control based on a domestic database according to claim 1, wherein the row-level authority provides a row-based security policy, restricts which table data a database user can view, and restricts the query, insert, delete and update operations of each user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110811176.5A CN113656827A (en) | 2021-07-19 | 2021-07-19 | Method for realizing row-level authority control based on domestic database |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113656827A true CN113656827A (en) | 2021-11-16 |
Family
ID=78477664
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110811176.5A Pending CN113656827A (en) | 2021-07-19 | 2021-07-19 | Method for realizing row-level authority control based on domestic database |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113656827A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101075254A (en) * | 2007-06-08 | 2007-11-21 | 北京神舟航天软件技术有限公司 | Autonomous access control method for row-level data of database table |
CN110427775A (en) * | 2019-07-25 | 2019-11-08 | 北京明略软件系统有限公司 | Data query authority control method and device |
CN111177700A (en) * | 2019-12-31 | 2020-05-19 | 北京明略软件系统有限公司 | Method and device for controlling row-level authority |
CN112527812A (en) * | 2020-12-04 | 2021-03-19 | 北京顺达同行科技有限公司 | Data permission processing method and device based on multiple dimensions and computer equipment |
Events
- 2021-07-19: CN CN202110811176.5A patent/CN113656827A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116186767A (en) * | 2023-01-12 | 2023-05-30 | 北京万里开源软件有限公司 | Method and device for marking row level in database |
CN116186767B (en) * | 2023-01-12 | 2023-10-03 | 北京万里开源软件有限公司 | Method and device for marking row level in database |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20211116 |