CN113656827A - Method for realizing row-level authority control based on domestic database - Google Patents

Method for realizing row-level authority control based on domestic database

Info

Publication number
CN113656827A
Authority
CN
China
Prior art keywords
row
level authority
user
level
control based
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110811176.5A
Other languages
Chinese (zh)
Inventor
孙龙
孙忠
张�诚
李杨曦
车百灵
黄本波
夏浩智
张锐
杨馥溢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Organization Department Of Dazhou Municipal Committee Of Communist Party Of China
Organization Department Of Cpc Sichuan Provincial Committee
Original Assignee
Organization Department Of Dazhou Municipal Committee Of Communist Party Of China
Organization Department Of Cpc Sichuan Provincial Committee

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/103 Workflow collaboration or project management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Human Resources & Organizations (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for implementing row-level permission control on a domestic (Chinese-developed) database, comprising the following steps: S1: define row tags and column tags according to the organizational structure; S2: configure row-level permissions for the organizational structure using the row tags and column tags; S3: create a user for the row-level permission, create a row-level permission policy, and assign that policy to the user. Because the row and column tags are derived from the organizational structure and the row-level permissions are configured against them, access decisions at several granularities can be made by matching and comparing the organization code stored in each row with the code of the currently logged-in user. A separate account is created for each city or county, and a corresponding row-level permission policy is created for that account on the organization-code column.

Description

Method for realizing row-level authority control based on domestic database
Technical Field
The invention belongs to the technical field of information-system construction for organization (personnel) work, and in particular relates to a method for implementing row-level permission control on a domestic database.
Background
As the spread of electronic information systems accelerates, most business systems and application platforms share a set of common service requirements, namely a base service platform for organizational-structure and personnel data.
In practice, the organizational-structure and personnel databases of the many application systems used by each unit are built independently, so data isolation is achieved at the database: different users can see only their own unit's data. Because there are many organization types and every unit sits at the province, city or county level of a hierarchy, this isolation can be implemented with the database's row-level policy.
Disclosure of Invention
The invention aims to provide a method for implementing row-level permission control on a domestic database, addressing the row-level permission control problem of the prior art. The database's row-level policy compares each record against the currently logged-in user name: if a matching algorithm determines from the user name that the record belongs to that user, the user may view, modify and delete it; otherwise the user cannot see it at all.
A method for realizing row-level authority control based on a domestic database comprises the following steps:
s1: defining row tags and column tags according to an organizational schema;
s2: configuring the organization structure with row-level authority by using the row label and the column label;
s3: creating a user for the row-level permission, creating a row-level permission policy, and assigning the row-level permission policy to that user.
In a further preferred embodiment of the present invention, the row tag lets a user access and modify the data of the user's own prefecture or municipality.
In a further preferred embodiment of the present invention, the column tag lets a user access the data of a given business department.
Further preferably, the business departments comprise a first, a second and a third business department.
In a further preferred embodiment of the present invention, each organization or unit creates a user name encoded from its own organization code, together with a corresponding matching rule; when logged in under that user name, only that organization's data can be seen.
In a further preferred embodiment of the present invention, in step S3, decisions at different granularities are made by matching and comparing the organization code of each row with the code of the current user.
In a further preferred embodiment of the present invention, in step S3, the row-level permission policy compares each record against the currently logged-in user name and, through a matching algorithm, determines from the user name whether the record belongs to that user.
Further preferably, the row-level permission provides a row-based security policy that restricts which table data a database user may view, and governs the query, insert, delete and update operations of each user.
System platforms and development projects differ widely in how this is implemented. In a typical application, programmers write the permission check directly in application code and fetch the rows that satisfy the conditions from there. This does work, but it is weak from a data-security standpoint: every query path has to repeat the check, the checks written by different programmers are neither standardized nor always careful, and a single omitted or mistyped condition exposes rows, so the data security of the system as a whole is not rigorous.
In summary, the technical scheme has the following beneficial effects:
The invention first defines row tags and column tags, configures permissions according to the organizational structure, restricts user permissions, and provides a row-based security policy that limits which table data a database user may view: for each user it restricts which rows can be queried or modified. Horizontal row-level permission is achieved in that each city can access and modify only its own data; vertical row-level permission is achieved in that each business department can access only its own data. The horizontal permission is implemented through organization codes, and decisions at several granularities are made by matching and comparing the organization code of each row with the code of the current user. A separate account is created for each city or county, and a corresponding row-level permission policy is created for that account on the organization-code column.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
It is to be understood that the specific embodiments described herein are for purposes of illustration only and are not to be construed as limiting the invention, i.e., the described embodiments are merely a few embodiments of the invention, rather than all embodiments, and that all of the features disclosed in this specification, or all of the steps in any method or process disclosed, may be combined in any manner, except for mutually exclusive features and/or steps.
All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as the terms "first," "second," and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The present invention will be described in detail below.
The first embodiment is as follows: a method for realizing row-level authority control based on a domestic database comprises the following steps:
s1: defining row tags and column tags according to an organizational schema;
s2: configuring the organization structure with row-level authority by using the row label and the column label;
s3: creating a user for the row-level permission, creating a row-level permission policy, and assigning the policy to that user;
Taking unit A as an example, the user name is created as "E19.D09.291". On every query, each record is checked against the current login user name; if all three code levels match, the record is regarded as belonging to unit A.
City-level aggregation point: to view the aggregation-point data of a city, a user corresponding to the aggregation-point code is created. For example, to view the data of the municipal aggregation point, the user "E19.D09" is created with the following rule; after logging in through the application, only data belonging to that municipal aggregation point is visible. The rule is as follows:
[Rule shown as figure RE-GDA0003269390680000041 in the original; the rule text is not reproduced on this page.]
b unit: user "e 19.d01 user" who also creates C units, only see data belonging to C units, with the rule:
[Rule shown as figure RE-GDA0003269390680000051 in the original; the rule text is not reproduced on this page.]
Other units: again taking unit A as an example, the corresponding user "E19.D09.291" is created, and only data belonging to unit A is visible under the following rule:
[Rule shown as figure RE-GDA0003269390680000052 in the original; the rule text is not reproduced on this page.]
Taking unit D as an example, the user "E19.419" is created, and only data belonging to unit D is visible, with the rule:
[Rule shown as figure RE-GDA0003269390680000053 in the original; the rule text is not reproduced on this page.]
Taking the People's Bank of China as an example, the user "465.E19.D09" is created, and only data belonging to the People's Bank of China in that city is visible, with the rule:
[Rule shown as figure RE-GDA0003269390680000054 in the original; the rule text is not reproduced on this page.]
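The matching behind steps S1 to S3 and the unit examples above, as an added example that is not code from the patent: each row carries an organization code such as "E19.D09.291", the logged-in user name carries a code such as "E19.D09", and a row is visible only when every level of the user's code matches the row's code. The example generalizes the patent's three-level check to codes of any depth, puts the tempting string-prefix shortcut beside the correct segment-wise comparison to show where the shortcut leaks rows, and expresses the same predicate as parameterized SQL of the kind a database-side row policy would use. The table name, column names, sample rows and descriptions are constructed assumptions; the patent does not name its database, so the SQL runs here against SQLite from the standard library.

```python
"""Row-level filtering by hierarchical organisation code.

Added example for this page, not code from the patent. The patent's
embodiment compares the organisation code stored in each row (e.g.
"E19.D09.291") segment by segment with the code carried in the logged-in
user name (e.g. "E19.D09") and shows the row only when every segment of
the user's code matches. The table, column names and sample rows below
are constructed assumptions; the patent does not name its database, so
the policy is given once as a Python predicate and once as the
parameterised SQL predicate a database-side row policy would use (run
here against SQLite from the standard library).
"""
from __future__ import annotations

import sqlite3

SEP = "."


def segments(code: str) -> list[str]:
    """Split a dotted organisation code into its hierarchy levels."""
    return [s for s in code.strip().split(SEP) if s]


def row_visible(user_code: str, row_code: str) -> bool:
    """Segment-wise match (the patent's rule, generalised to any depth):
    the user's code must equal a whole prefix of the row's code.
    "E19.D09" sees "E19.D09" and "E19.D09.291"; "E19.D09.291" sees only
    its own unit; a partial segment such as "E19.D0" sees nothing."""
    u, r = segments(user_code), segments(row_code)
    return bool(u) and len(u) <= len(r) and r[: len(u)] == u


def row_visible_naive(user_code: str, row_code: str) -> bool:
    """The tempting one-liner: a plain string-prefix test. It is wrong,
    because a partial segment ("E19.D0") or a sibling whose code merely
    starts with the same characters ("E19.D090") also matches."""
    return row_code.startswith(user_code)


def policy_where_clause(user_code: str) -> tuple[str, tuple[str, str]]:
    """SQL predicate equivalent to row_visible(), with bound parameters.
    '%', '_' and backslash in the code are escaped so they cannot act as
    LIKE wildcards; the separator is appended so "E19.D09" does not
    match "E19.D090"."""
    escaped = (user_code.replace("\\", "\\\\")
                        .replace("%", "\\%")
                        .replace("_", "\\_"))
    clause = "(org_code = ? OR org_code LIKE ? ESCAPE '\\')"
    return clause, (user_code, escaped + SEP + "%")


# Constructed sample rows: (id, org_code, description). The codes follow
# the patent's examples; the descriptions are assumptions.
SAMPLE_ROWS = [
    (1, "E19.D09", "municipal aggregation point"),
    (2, "E19.D09.291", "unit A, county level"),
    (3, "E19.D01", "unit B"),
    (4, "E19.419", "unit D"),
    (5, "E19.D090", "decoy sharing a string prefix with E19.D09"),
    (6, "465.E19.D09", "People's Bank of China, municipal branch"),
]


def visible_ids(user_code: str, rows=SAMPLE_ROWS, naive: bool = False) -> list[int]:
    """Ids the given user may see under the segment rule (or the naive one)."""
    check = row_visible_naive if naive else row_visible
    return [rid for rid, code, _ in rows if check(user_code, code)]


def visible_ids_sql(user_code: str, rows=SAMPLE_ROWS) -> list[int]:
    """Same decision taken by the database engine via the SQL predicate."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE org_data (id INTEGER, org_code TEXT, note TEXT)")
    con.executemany("INSERT INTO org_data VALUES (?, ?, ?)", rows)
    clause, params = policy_where_clause(user_code)
    cur = con.execute("SELECT id FROM org_data WHERE " + clause + " ORDER BY id", params)
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    for user in ("E19.D09", "E19.D09.291", "E19.D0", "465.E19.D09"):
        print(user, "segment:", visible_ids(user),
              "naive:", visible_ids(user, naive=True),
              "sql:", visible_ids_sql(user))
```

The decoy row "E19.D090" and the truncated user code "E19.D0" are the cases to keep in a regression test: the naive prefix comparison shows both to a municipal user, the segment-wise comparison shows neither. The SQL form needs the separator appended to the pattern and the LIKE metacharacters escaped for the same reason; on a database with native row-level policies the same predicate goes into the policy definition, with the user's code taken from the session identity rather than from a parameter supplied by the application.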
Example two: the row tag lets a user access and modify the data of the user's own prefecture or municipality; the column tag lets a user access the data of a given business department, the business departments comprising a first, a second and a third business department.
Example three: each organization or unit creates a user name encoded from its own organization code, together with a corresponding matching rule; when it logs in under that user name, only that organization's data is visible.
Example four: in step S3, decisions at different granularities are made by matching and comparing the organization code of each row with the code of the current user; the row-level permission policy of step S3 compares each record against the currently logged-in user name and, through a matching algorithm, determines from the user name whether the record belongs to that user.
Although the invention has been described herein with reference to a number of illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure. More specifically, various variations and modifications are possible in the component parts and/or arrangements of the subject combination arrangement within the scope of the disclosure and claims of this application. In addition to variations and modifications in the component parts and/or arrangements, other uses will also be apparent to those skilled in the art.

Claims (8)

1. A method for implementing row-level permission control on a domestic database, characterized by comprising the following steps:
s1: defining row tags and column tags according to the organizational structure;
s2: configuring row-level permissions for the organizational structure using the row tags and column tags;
s3: creating a user for the row-level permission, creating a row-level permission policy, and assigning the row-level permission policy to that user.
2. The method for implementing row-level permission control on a domestic database according to claim 1, wherein the row tag is used by a user to access and modify the data of the user's own prefecture or municipality.
3. The method for implementing row-level permission control on a domestic database according to claim 1, wherein the column tag is used by a user to access the data of a given business department.
4. The method for implementing row-level permission control on a domestic database according to claim 3, wherein the business departments comprise a first, a second and a third business department.
5. The method according to claim 1, wherein each organization or unit creates a user name encoded from its own organization code together with corresponding matching rules, and when logged in under that user name only that organization's data can be seen.
6. The method for implementing row-level permission control on a domestic database according to claim 1, wherein in step S3 decisions at different granularities are made by matching and comparing the organization code of each row with the code of the current user.
7. The method according to claim 1, wherein the row-level permission policy of step S3 compares each record against the currently logged-in user name and determines, through a matching algorithm, whether the record belongs to that user name.
8. The method for implementing row-level permission control on a domestic database according to claim 1, wherein the row-level permission provides a row-based security policy that restricts which table data a database user may view and governs the query, insert, delete and update operations of each user.
CN202110811176.5A 2021-07-19 2021-07-19 Method for realizing row-level authority control based on domestic database Pending CN113656827A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110811176.5A CN113656827A (en) 2021-07-19 2021-07-19 Method for realizing row-level authority control based on domestic database

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110811176.5A CN113656827A (en) 2021-07-19 2021-07-19 Method for realizing row-level authority control based on domestic database

Publications (1)

Publication Number Publication Date
CN113656827A true CN113656827A (en) 2021-11-16

Family

ID=78477664

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110811176.5A Pending CN113656827A (en) 2021-07-19 2021-07-19 Method for realizing row-level authority control based on domestic database

Country Status (1)

Country Link
CN (1) CN113656827A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101075254A (en) * 2007-06-08 2007-11-21 北京神舟航天软件技术有限公司 Autonomous access control method for row-level data of database table
CN110427775A (en) * 2019-07-25 2019-11-08 北京明略软件系统有限公司 Data query authority control method and device
CN111177700A (en) * 2019-12-31 2020-05-19 北京明略软件系统有限公司 Method and device for controlling row-level authority
CN112527812A (en) * 2020-12-04 2021-03-19 北京顺达同行科技有限公司 Data permission processing method and device based on multiple dimensions and computer equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116186767A (en) * 2023-01-12 2023-05-30 北京万里开源软件有限公司 Method and device for marking row level in database
CN116186767B (en) * 2023-01-12 2023-10-03 北京万里开源软件有限公司 Method and device for marking row level in database

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211116