CN113987541A - Data access control method and device and electronic equipment - Google Patents


Info

Publication number: CN113987541A
Application number: CN202111276857.2A (also the priority application)
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending (the status is an assumption by Google, not a legal conclusion)
Inventors: 苏鑫, 杨炜林
Current and original assignee: Sichuan Minghoutian Information Technology Co ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Prior art keywords: data, service, information, authority, target

Classifications

All three classifications sit under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING:

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/00 (as above) > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements > G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application discloses a data access control method, a data access control device and an electronic device. Business data source information is created in advance from business system information, microservice information and database connection information, and the data authority rules of each business data source are generated by collecting the values set for the target fields of a target business table of that data source. When a data authority authorization request is received, the data authority rules and the role tree information of each business data source are obtained, a role tree component is generated from the role tree information, and the roles already authorized for the target data authority rule selected by the user are marked in the role tree component. When the user is detected performing a role editing operation on the role tree component, a permission operation instruction carrying the target data authority rule information and the target role information is sent. The method and device implement data-level authority management simply, effectively and at low cost, and control data access better.

Description

Data access control method and device and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data access control method and apparatus, and an electronic device.
Background
Data access is controlled by managing rights over data. Informally, a right is the extent to which a user, or a set of users, in an organization may decide on or carry out some action; a user who has that characteristic is said to hold that right. Rights management therefore means controlling those rights and allocating different rights to different users. For an enterprise, assigning rights to employees makes management more orderly and efficient: each employee has their own duties, and their work does not interfere with that of others, which improves efficiency; the scope of each employee's work is specific and clear, so authority and responsibility are well defined and problems can be traced; and work differs in sensitivity, so confidential matters or important decisions can be restricted to a few staff, preserving secrecy and reducing risk.
By the granularity of control, rights management falls into two broad categories: function-level rights management and data-level rights management. Function-level rights management generally uses the RBAC (Role-Based Access Control) model, which relates who, what and how, that is, who may perform which operation and in what way. For data-level rights management, however, most implementations use hard coding: the logic is coupled to the business code as if/else branches. Hard coding is tightly coupled and hard to test, gives low reuse of system components, and makes later changes very expensive, since one change ripples through the whole system; this is unfavourable in practice. The related art also uses a rule engine, which extracts the logic as rules and evaluates them with the engine. A rule engine solves many of these problems, but it still has a considerable learning curve, and because it is not specialised for rights management it handles complex rights management poorly. The related art also uses third-party professional software, such as the open-source middleware ralasefe and the open-source framework Spring Security. This software places high demands on its users: with ralasefe, users must understand the business, the data and database SQL (Structured Query Language), and must connect users, roles, departments and so on to the business system; with Spring Security, the business system must develop the control logic itself. Purchasing professional software is also expensive, and the business system software and the professional software must be integrated in code for accounts, roles, departments and the like.
If data access is handled by professional software and several business systems access data at high concurrency, the professional software must also support high-concurrency cluster deployment.
In view of this, how to implement data-level authority management simply, efficiently and at low cost, and control data access better, is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application provides a data access control method, a data access control device and an electronic device that implement data-level authority management simply, effectively and at low cost and control data access better.
To solve the above technical problems, embodiments of the present invention provide the following technical solutions:
An embodiment of the present invention provides a data access control method, including:
creating business data source information in advance from business system information, microservice information and database connection information, and generating the data authority rules of each business data source by collecting the values set for the target fields of a target business table of that business data source;
when a data authority authorization request is received, obtaining the data authority rules and the role tree information of each business data source, generating a role tree component from the role tree information, and marking in the role tree component the roles already authorized for the target data authority rule selected by the user;
and when the user is detected performing a role editing operation on the role tree component, sending a permission operation instruction carrying the target data authority rule information and the target role information.
Optionally, generating the data authority rules of each business data source by collecting the values set for the target fields of a target business table of that business data source includes:
when a data authority adding request is detected, displaying a data authority operation interface and at the same time sending a request for all business data sources;
in response to a target business data source selection request, sending a request for all business table names of the target business data source;
in response to a target business table selection request, sending a request for all field names of the target business table;
and in response to a field setting request, generating the data authority rule of the target business table from the value set for each field. A data authority rule comprises the target business data source id, the target business table name, a data authority code, whether the data owner restriction is enabled and its owner field, whether the data owner department restriction is enabled and the field it applies to, whether all fields may be queried, and the returned fields.
Optionally, creating business data source information from business system information, microservice information and database connection information includes:
when a target business data source adding request is detected, displaying a data source adding interface and at the same time sending a request for all business systems;
in response to a target business system selection request, sending a request for all microservice information of the target business system;
obtaining the target microservice selected by the user;
obtaining the database connection information of the target microservice by parsing a database connection information input instruction;
and creating the target business data source information from the target business system, the target microservice information and the database connection information.
Optionally, sending the permission operation instruction carrying the target data authority rule information and the target role information when the user is detected performing a role editing operation on the role tree component includes:
when the user is detected selecting a target node and the authorize control in the role tree component, generating a save-authorization request instruction from the target data authority rule information and the role information of the target node and sending it;
and when the user is detected selecting a target node and the de-authorize control in the role tree component, generating a de-authorization request instruction from the target data authority rule information and the role information of the target node and sending it.
Another aspect of the embodiments of the present invention provides a data access control method, including:
storing business data source information and the corresponding data authority rules in advance, where the business data source information is created from business system information, microservice information and database connection information, and the data authority rules are generated by collecting the values set for the target fields of a target business table of each business data source;
when a business authority acquisition request is received, returning the data authority rules of each business data source;
when an authorized-role acquisition request is received, returning the roles authorized for the target data authority rule selected by the user;
and when a permission operation instruction is detected, updating the relationship between the data authority and the roles in the target data authority rule according to the target data authority rule information and the target role information carried by the instruction;
where the permission operation instruction is issued when the client detects the user performing a role editing operation on the role tree component, the role tree component is generated by the client from the role tree information, and the roles authorized for the target data authority rule are marked in it.
Optionally, after updating the relationship between the data authority and the roles in the target data authority rule according to the target data authority rule information and the target role information carried by the permission operation instruction, the method further includes:
building a business system microservice in advance, importing an authority authentication toolkit into it and configuring a data authority interceptor whose authentication is enabled by annotation; after receiving a user data access request, the business system microservice calls the data authority interceptor to determine that the request meets the authentication condition, and sends a data authority query request carrying the user identification information, the business table to be queried and the corresponding microservice information;
when the data authority query request is received, obtaining the matching business data source information from the microservice information, and all role information of the user from the user identification information;
determining the user's matching authority data from the matching business data source information, the business table to be queried and all the role information;
and sending the matching authority data to the business system microservice so that it executes the data query based on the matching authority data.
Optionally, determining the user's matching authority data from the matching business data source information, the business table to be queried and all the role information includes:
obtaining all data authority rules of the business table to be queried from the matching business data source information, the table information and all the role information, and combining the user's affiliation with the values set for each field to generate a target data authority rule;
and if the target data authority rule contains a rule that requires querying data by department, obtaining all department information of the user and using the target data authority rule together with all department information as the matching authority data; otherwise using the target data authority rule alone as the matching authority data.
Optionally, calling the data authority interceptor to determine that the user data access request meets the authentication condition includes:
obtaining the data query statement and the query parameters, and parsing the statement to obtain the data query condition;
if the data is to be queried per tenant, adding the tenant condition to the data query condition;
and if the data is to be queried under data authority, obtaining the name of the business table to be queried and the corresponding microservice name.
Optionally, the business system microservice executing the data query based on the matching authority data includes:
if the data authority interceptor determines from the matching authority data that the data query condition must be rebuilt, rebuilding it according to a preset rebuilding rule, where whether the fields of the query condition must be rebuilt is decided by whether the matching authority data grants permission to query all fields; and when the current data query condition is judged to have been rebuilt, replacing the current data query condition with the rebuilt one;
and the business system microservice executing the data query with the current data query condition and returning the query result to the client.
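The authentication path of the last five optional clauses (collect the rules on one table granted to the caller's roles, merge them with the caller's departments, add the tenant condition, then rebuild the query condition and the returned fields before the query runs), as an added, runnable example in Python. It is not the patent's code and not the applicant's large-auth-client; the rule layout follows the fields listed above, while the query representation, the merge policy (the union of what the caller's roles allow, widened to the whole tenant by any rule that carries neither the owner nor the department restriction), the identifier allow-list and the sample data are assumptions.

```python
import re
import sqlite3
from dataclasses import dataclass

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def ident(name):
    """Allow-list table/column names; values never enter the SQL text, only parameters."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"bad identifier: {name!r}")
    return name


@dataclass(frozen=True)
class DataRule:
    """One data authority rule; it applies to exactly one table (layout as in the description)."""
    code: str
    table: str
    owner_limit: bool = False        # data owner restriction enabled?
    owner_field: str = "created_by"  # column holding the owning user
    dept_limit: bool = False         # data owner department restriction enabled?
    dept_field: str = "dept_id"      # column holding the owning department
    all_fields: bool = True          # may all fields be queried?
    return_fields: tuple = ()        # returned fields when all_fields is False


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    roles: frozenset
    departments: frozenset


# Constructed grants (assumed sample data): which rules each role holds.
RULE_GRANTS = {
    "r_sales": {DataRule("order_own", "orders", owner_limit=True, all_fields=False,
                         return_fields=("id", "amount", "created_by"))},
    "r_manager": {DataRule("order_dept", "orders", dept_limit=True)},
    "r_audit": {DataRule("audit_all", "audit_log")},
}


def resolve_rules(user, table):
    """Every rule on `table` granted to at least one of the caller's roles."""
    return {r for role in user.roles for r in RULE_GRANTS.get(role, ()) if r.table == table}


def rewrite_query(user, table, columns, where="", params=()):
    """Rebuild the query condition and projection from the effective rules.

    `where`/`params` is the microservice's own condition with its bound values.
    Returns (sql, params); with no matching rule it raises instead of running
    an unrestricted query (fail closed)."""
    rules = resolve_rules(user, table)
    if not rules:
        raise PermissionError(f"{user.user_id} holds no data rule on {table}")

    # Row scope: OR of what each rule allows (merge policy is an assumption); a
    # rule with neither restriction widens the scope to the whole tenant.
    scope_sql, scope_params, unrestricted = [], [], False
    for r in sorted(rules, key=lambda r: r.code):
        unrestricted |= not (r.owner_limit or r.dept_limit)
        if r.owner_limit:
            scope_sql.append(f"{ident(r.owner_field)} = ?")
            scope_params.append(user.user_id)
        if r.dept_limit:
            depts = sorted(user.departments)   # all departments of the user
            scope_sql.append(f"{ident(r.dept_field)} IN ({','.join('?' * len(depts))})" if depts else "1=0")
            scope_params.extend(depts)
    if unrestricted:
        scope_sql, scope_params = ["1=1"], []

    # Projection: any rule allowing all fields keeps the request; otherwise the
    # request is cut down to the union of the rules' returned fields.
    if any(r.all_fields for r in rules):
        allowed = list(columns)
    else:
        permitted = sorted({f for r in rules for f in r.return_fields})
        allowed = permitted if list(columns) == ["*"] else [c for c in columns if c in permitted]
    if not allowed:
        raise PermissionError(f"no permitted column of {table} for {user.user_id}")
    cols = ", ".join("*" if c == "*" else ident(c) for c in allowed)

    # Assemble: tenant condition, the service's own condition, then the data
    # authority scope; the bound values follow the same order.
    conds, bound = ["tenant_id = ?"], [user.tenant_id]
    if where:
        conds.append(f"({where})")
        bound.extend(params)
    conds.append("(" + " OR ".join(scope_sql) + ")")
    bound.extend(scope_params)
    return f"SELECT {cols} FROM {ident(table)} WHERE {' AND '.join(conds)}", tuple(bound)


def sample_db():
    """Constructed orders table; row 4 belongs to another tenant and must stay hidden."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders(id INTEGER, tenant_id TEXT, dept_id TEXT, "
               "created_by TEXT, amount INTEGER, note TEXT)")
    db.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?)", [
        (1, "t1", "d1", "alice", 100, "a"), (2, "t1", "d1", "bob", 200, "b"),
        (3, "t1", "d2", "carol", 300, "c"), (4, "t2", "d1", "alice", 400, "x")])
    return db


def query_as(user, table, columns, where="", params=()):
    """Run the rewritten query against the sample data and return the rows."""
    sql, bound = rewrite_query(user, table, columns, where, params)
    return sample_db().execute(sql, bound).fetchall()
```

With the sample data, `query_as(User("bob", "t1", frozenset({"r_manager"}), frozenset({"d1"})), "orders", ["id", "amount"])` returns only the two d1 rows of tenant t1, and a caller whose only rule is order_own gets `SELECT amount, created_by, id ... WHERE tenant_id = ? AND (created_by = ?)` even when asking for `*`. Two points a reviewer would check in any real interceptor: the tenant and scope predicates are appended to, never substituted for, the service's own condition, and the merge policy means one unrestricted rule granted to any of a user's roles opens the whole tenant, so administrators have to treat such a rule as a full grant rather than as a harmless default.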
In another aspect, an embodiment of the present invention provides a data access control device comprising a client, a data authority service module, a basic information management module, a business system microservice module and a database;
the client implements the steps of the data access control method of any of the preceding items when executing a computer program stored in memory;
the data authority service module implements the steps of the data access control method of any of the preceding items when executing a computer program stored in memory;
and the basic information management module manages the basic information of the data access control device and provides a basic information query service. The basic information comprises user information, role information, department information, user-role relationships, user-department relationships, business system information, microservice information and business system-microservice relationships.
An embodiment of the present invention further provides an electronic device comprising a processor configured to implement the steps of the data access control method of any of the foregoing items when executing a computer program stored in memory.
Finally, an embodiment of the present invention provides a readable storage medium storing a computer program which, when executed by a processor, implements the steps of the data access control method of any of the foregoing items.
The advantages of the technical scheme are that microservices use it without custom integration work, and its built-in horizontal scaling supports high-concurrency cluster deployment; the data authority rules of all business systems are managed online in a unified and flexible way, and a user can operate on data authority at any time as required without specialist skills, since the operation is simple and only the data authority rules need to be defined. Data-level authority management is thus implemented simply, effectively and at low cost, the data access behaviour of users is effectively controlled, and data security is improved.
In addition, the embodiments of the invention also provide a corresponding device and electronic device for the data access control method, which makes the method more practical; the device and the electronic device have the corresponding advantages.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the related art, the drawings required to be used in the description of the embodiments or the related art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a data access control method according to an embodiment of the present invention;
fig. 2 is a schematic view of a service data source adding process according to an embodiment of the present invention;
fig. 3 is a schematic diagram illustrating a data permission adding process according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating a data right authorization process according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a data authentication process according to an embodiment of the present invention;
fig. 6 is a schematic diagram illustrating a data request processing flow of a business system microservice according to an embodiment of the present invention;
fig. 7 is a structural diagram of a specific implementation of a data access control device according to an embodiment of the present invention;
fig. 8 is a block diagram of an embodiment of an electronic device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "including" and "having," and any variations thereof, in the description and claims of this application and the above-described drawings are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may include other steps or elements not expressly listed.
Having described the technical solutions of the embodiments of the present invention, various non-limiting embodiments of the present application are described in detail below.
Referring to fig. 1, fig. 1 is a schematic flow chart of a data access control method according to an embodiment of the present invention, which may include the following:
S101: creating business data source information in advance from business system information, microservice information and database connection information, and generating the data authority rule of each business data source by collecting the values set for the target fields of a target business table of that business data source.
Besides the client and the business system operated by the user, this step also creates in advance a basic information management service, a data authority service and a database; the database may be, without limitation, mysql, oracle, sqlserver and so on. The basic information management service manages basic information and provides a basic information query service; the basic information may comprise user information, department information, post information, role information, tenant information and so on, and the service may be, for example, the basic information management service (large-admin) developed by the applicant. The data authority service manages the authority definitions and authorization operations of business data in a unified way; it may be the applicant's service for unified management of business system data authority definitions and authorization operations (large-auth-data). An authority authentication toolkit may also be installed, which obtains user information from user identification information such as a token, verifies the user's access rights to an interface and to data, records an operation log, and so on; it may be the applicant's large-auth-client. Microservice accounts, roles and departments are integrated without custom integration work, and the horizontal scaling of the microservice system supports high-concurrency cluster deployment.
The large-auth-data online service manages all data authority rules in a unified way; keeping the rules in an independent service makes them flexible, and the large-auth-client is attached to the business system microservice as the data authority client, which avoids the drawback of parsing rules with a built-in rule engine as in the prior art and reduces the load of rule parsing and data retrieval on the independent service. The scheme supports managing the data authority of several business systems, is decoupled from any specific business point, and manages the data authority of all businesses in a unified way.
The business system information identifies the current business system, for example a business system id; the microservice information identifies the current microservice, for example a microservice name. A business system consists of at least one microservice, and a microservice belongs to exactly one business system. Database connection information includes, without limitation, the data source name, database type, database IP, database port, database service name, database account, database password and JDBC address. JDBC (Java Database Connectivity) is a Java application programming interface that specifies how client programs access databases and provides methods for querying and updating data. A microservice has at most one database service; in database cluster mode it still logically belongs to one database service; and one database service may serve several microservices. The structure of a business table is not fixed; a person's data access authority over a business table can be configured online, and control of the query at both row level and field level is supported. Business data source information includes, without limitation, the business system id, microservice name, data source name, JDBC address, database account, database password, database type, database IP, database port and database service name. After the business data source information is created it may be sent to the data authority service and written to the database. A database service of the application has several data tables, a data table may have several data authority rules, and a data authority rule corresponds to exactly one table.
A data authority rule may be granted to several roles, and a role may hold several data authority rules. A user may have several roles, and a role may be granted to several users.
S102: when a data authority authorization request is received, obtaining the data authority rules and role tree information of each business data source, generating a role tree component from the role tree information, and marking in the role tree component the roles already authorized for the target data authority rule selected by the user.
In this step, the data authority authorization request is a request by the user to authorize some data. The role tree information is the list of all roles obtained by querying the database; for example, the role list is assembled into a tree structure by parent_id and returned to the client, and after the client's browser receives the role tree information it renders the data as a tree component, the role tree component. The target data authority rule is the data authority rule the user selected from all data authority rules, and the authorized roles are the roles already authorized under that rule.
S103: when the user is detected performing a role editing operation on the role tree component, sending a permission operation instruction carrying the target data authority rule information and the target role information.
Each node of the role tree component corresponds to one role, so all roles are displayed on the component and the user selects a role by clicking its node. The role editing operation in this step is either authorizing a new role or withdrawing the authorization of an already authorized role, and the corresponding permission operation instruction is a save-authorization request instruction or a de-authorization request instruction for the target role identified by the target role information. Specifically: when the user is detected selecting a target node and the authorize control in the role tree component, a save-authorization request instruction is generated from the target data authority rule information and the role information of the target node and sent; and when the user is detected selecting a target node and the de-authorize control, a de-authorization request instruction is generated from the same information and sent.
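Steps S101 to S103 as an added example in Python, which is neither the patent's code nor the applicant's large-auth-data service: a small SQLite store whose keys enforce the cardinalities stated under S101 (a microservice belongs to one business system and has at most one database service, a rule covers one table, rules and roles are many-to-many), the role tree assembled by parent_id with the already authorized roles marked as the client would render it, and the save-authorization and de-authorization instructions of S103 applied to the rule-role relation on the service side. The schema, the table and column names, the instruction shape and the sample rows are assumptions.

```python
import sqlite3

# Constructed schema (an assumption, not the patent's): the keys enforce the
# cardinalities the description states instead of leaving them to application code.
SCHEMA = """
CREATE TABLE business_system(id TEXT PRIMARY KEY);
CREATE TABLE microservice(
    name TEXT PRIMARY KEY,
    system_id TEXT NOT NULL REFERENCES business_system(id));     -- one system per microservice
CREATE TABLE data_source(
    id TEXT PRIMARY KEY,
    microservice_name TEXT NOT NULL UNIQUE REFERENCES microservice(name),  -- at most one DB per microservice
    jdbc_url TEXT NOT NULL);
CREATE TABLE data_rule(
    code TEXT PRIMARY KEY,
    data_source_id TEXT NOT NULL REFERENCES data_source(id),
    table_name TEXT NOT NULL);                                   -- one rule covers one table
CREATE TABLE role(id TEXT PRIMARY KEY, parent_id TEXT REFERENCES role(id), name TEXT NOT NULL);
CREATE TABLE rule_role(
    rule_code TEXT NOT NULL REFERENCES data_rule(code),
    role_id TEXT NOT NULL REFERENCES role(id),
    PRIMARY KEY (rule_code, role_id));                           -- rules and roles: many-to-many
"""


def open_store():
    """In-memory data authority store seeded with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # make the REFERENCES clauses bite
    db.executescript(SCHEMA)
    db.execute("INSERT INTO business_system VALUES ('erp')")
    db.execute("INSERT INTO microservice VALUES ('order-svc', 'erp')")
    db.execute("INSERT INTO data_source VALUES ('ds1', 'order-svc', 'jdbc:mysql://db.example/orders')")
    db.execute("INSERT INTO data_rule VALUES ('order_own', 'ds1', 'orders')")
    db.executemany("INSERT INTO role VALUES (?, ?, ?)", [
        ("r_root", None, "all staff"),
        ("r_sales", "r_root", "sales"),
        ("r_sales_lead", "r_sales", "sales lead"),
    ])
    db.commit()
    return db


def register_data_source(db, source_id, microservice_name, jdbc_url):
    """Create business data source information (S101); a second source for the
    same microservice violates the UNIQUE constraint and is refused."""
    try:
        with db:
            db.execute("INSERT INTO data_source VALUES (?, ?, ?)",
                       (source_id, microservice_name, jdbc_url))
    except sqlite3.IntegrityError as exc:
        raise ValueError(f"cannot register {source_id}: {exc}") from None


def authorized_roles(db, rule_code):
    """Roles currently authorized for a rule (the authorized-role query)."""
    return {r for (r,) in db.execute("SELECT role_id FROM rule_role WHERE rule_code = ?", (rule_code,))}


def role_tree(db, rule_code):
    """Assemble the flat role list into a tree by parent_id and mark the nodes
    already authorized for `rule_code` (S102); this is what the client renders."""
    granted = authorized_roles(db, rule_code)
    rows = db.execute("SELECT id, parent_id, name FROM role ORDER BY id").fetchall()
    nodes = {rid: {"id": rid, "name": name, "authorized": rid in granted, "children": []}
             for rid, _parent, name in rows}
    roots = []
    for rid, parent, _name in rows:
        (nodes[parent]["children"] if parent in nodes else roots).append(nodes[rid])
    return roots


def apply_instruction(db, instr):
    """Apply a permission operation instruction sent when a node and the
    authorize / de-authorize control are selected (S103).
    Assumed shape: {"op": "grant" | "revoke", "rule_code": ..., "role_id": ...}."""
    key = (instr["rule_code"], instr["role_id"])
    try:
        with db:
            if instr["op"] == "grant":
                db.execute("INSERT OR IGNORE INTO rule_role VALUES (?, ?)", key)
            elif instr["op"] == "revoke":
                db.execute("DELETE FROM rule_role WHERE rule_code = ? AND role_id = ?", key)
            else:
                raise ValueError(f"unknown op {instr['op']!r}")
    except sqlite3.IntegrityError:
        # unknown rule or role: the foreign keys refuse it and nothing is stored
        raise LookupError(f"unknown rule or role in {key}") from None
    return authorized_roles(db, instr["rule_code"])
```

`apply_instruction(open_store(), {"op": "grant", "rule_code": "order_own", "role_id": "r_sales"})` returns `{"r_sales"}`, and `role_tree(db, "order_own")` then yields one root, `r_root`, whose `r_sales` child carries `authorized: True` while its own `r_sales_lead` child does not: authorization is stored per node and is not inherited down the tree unless the service adds that explicitly. Rejecting a grant for an unknown role at the database rather than in the client matters because the instruction comes from the browser and can name any role id.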
In the technical scheme of this embodiment, microservices use it without custom integration work, and its built-in horizontal scaling supports high-concurrency cluster deployment; the data authority rules of all business systems are managed online in a unified and flexible way, and a user can operate on data authority at any time as required without specialist skills, since the operation is simple and only the data authority rules need to be defined. Data-level authority management is thus implemented simply, effectively and at low cost, the data access behaviour of users is effectively controlled, and data security is improved.
S101 to S103 of the above embodiment form a data authorization method whose execution subject is the client side. To protect the technical solution from a different angle, the present application further provides an embodiment in which a processor or a server providing the data authority service is the execution subject; the process by which this execution subject performs data authorization may be:
pre-storing service data source information and corresponding data authority rules; the service data source information is created according to the service system information, the micro-service information and the database connection information; the data authority rule is generated by acquiring the set value of the target field of the target service table of each service data source information;
when receiving a service authority acquisition request, feeding back a data authority rule of each service data source;
when receiving an authorized role obtaining request, feeding back an authorized role of a target data authority rule selected by a user;
when the authority operation instruction is detected, updating the relation between the corresponding data authority and the role in the target data authority rule based on the target data authority rule information and the target role information carried by the authority operation instruction;
the permission operation instruction is issued when the client detects that the user executes role editing operation on the role tree component; the role tree component is a role tree component generated by the client based on the role tree information, and authorized roles of the target data permission rule are identified in the role tree component.
Since the embodiment and the above-mentioned embodiment are only different in terms of execution subject, the same steps in the embodiment and the above-mentioned embodiment may refer to the technical solutions described in the above-mentioned embodiments, and thus, the details are not repeated herein.
In the foregoing embodiment, how to execute step S101 is not limited, and an optional implementation manner in this embodiment may include the following steps:
the implementation process of creating corresponding service data source information according to the service system information, the micro-service information and the database connection information may include the following steps:
when a target business data source adding request is detected, displaying a data source adding operation interface, and simultaneously sending a request for acquiring all business systems; responding to a target service system selection request, and sending a request for acquiring all micro-service information of the target service system; acquiring a target micro service selected by a user, and acquiring database connection information corresponding to the target micro service by analyzing a database connection information input instruction; and creating target service data source information according to the target service system, the target micro-service information and the database connection information.
The implementation process of acquiring the setting value of the target field of the target service table of each service data source information to generate the data authority rule of the corresponding service data source may include the following steps:
when a data authority adding request is detected, displaying a data authority operation interface and simultaneously sending a request to obtain all service data sources; responding to a target service data source selection request by sending a request to obtain all service table names of the target service data source; responding to the target service table selection request by sending a request to obtain all field names of the target service table; and responding to the field setting request by generating the data authority rule of the target service table according to the setting value corresponding to each field. When data are authorized, the present embodiment may divide the data at row level, specifically by tenant, by the person to whom the data belong, by the department to which the data belong, by all departments (not including subordinate departments), and by all departments (including subordinate departments). The data owner is the user who created the data, or the user to whom the business data belong. The affiliated department is the department to which the user directly belongs; a user has exactly one affiliated department. A business department is a department in whose business the user participates; a user may have several business departments. "All departments (not including subordinate)" means the affiliated department and the business departments. "All departments (including subordinate)" means the affiliated department and the business departments together with all of their subordinate departments. Correspondingly, the data authority rule may include a target service data source id, a target service table name, a data authority code, whether the data owner limit is enabled, an owner field, whether querying all fields is allowed, and the return fields.
In order to make the technical solution of the present application clearer to those skilled in the art, the present application provides an illustrative example with reference to fig. 2 and 3 that solves the following problem: students may only see their own data; an instructor may only see the student data of the classes the instructor manages, together with the instructor's own teacher data; and a dean (rendered "courtyard" in the source translation) may only see the data of the students and teachers of the college the dean manages. A teacher-student list built on the present technical solution, in which students, instructors and deans each see exactly the data they require, may comprise the following:
A1: A data administrator opens the add business data source page in the client browser. Since lark-admin provides the management functions for business systems and micro-services, the browser JS (JavaScript) automatically sends a request to lark-admin to obtain all business systems once the page has loaded.
A2: After receiving the request, lark-admin reads all added business system information from its database (the business system storage relational database in fig. 2) and returns it to the browser as a json set.
A3: After receiving all returned business system data, the browser renders it into a select pull-down using JS and waits for the data administrator to select a business system.
A4: After the data administrator selects a business system, the JS detects the change of the select value and automatically sends a request to lark-admin to obtain the micro-service information under that business system, carrying the business system id as a parameter.
A5: After receiving the request, lark-admin obtains all micro-service information under the business system from the database according to the business system id and returns it to the browser as a json set.
A6: After the browser receives all returned micro-service data under the business system, it renders the data into a select pull-down using JS and waits for the data administrator to select a micro-service.
A7: After selecting the micro-service, the data administrator enters the JDBC information of the database corresponding to the micro-service, comprising a data source name, a JDBC address, a database account and a database password.
A8: After detecting that the JDBC address value has changed, the browser JS automatically parses the JDBC address to obtain the database type, database IP, database port and database service name.
A9: The data administrator clicks the "save" button on the business data source page, and the JS sends the form information (business system id, micro-service name, data source name, JDBC address, database account, database password, database type, database IP, database port, database service name and so on) to lark-auth-data.
A9: After receiving the request, lark-auth-data writes the business data source information to the database for storage.
A10: The data administrator opens the add data authority page. After the page has loaded, the browser JS automatically sends a request to lark-auth-data to obtain all business data source information.
A11: After receiving the request, lark-auth-data reads all added business data source information from the database and returns it to the browser as a json set.
A12: After receiving the information of all business data sources, the browser renders them into a select pull-down using JS and waits for the data administrator to select a business data source.
A13: After the data administrator selects a business data source, the JS detects the change of the select value and automatically sends a request to lark-auth-data to obtain all table names under that business data source, carrying the business data source id as a parameter.
A14: After receiving the request, lark-auth-data obtains the business data source information by the business data source id, creates a JDBC connection with that information, connects to the business data source and sends an SQL statement to obtain the table information. After receiving the business table information returned by the business data source, it assembles the business table names into a set, converts the set to json and sends it to the browser.
A15: After receiving all returned business table names, the browser renders them into a select pull-down using JS and waits for the data administrator to select a business table.
A16: After the data administrator selects a business table, the JS detects the change of the select value and automatically sends a request to lark-auth-data to obtain all field names under that business table, carrying the business data source id and the table name as parameters.
A17: After receiving the request, lark-auth-data obtains the business data source information by the business data source id, creates a JDBC connection with it, connects to the business data source and sends an SQL statement to obtain the table field information, with the business table name as the query condition. After receiving the field information returned by the business data source, it assembles the field names into a set, converts the set to json and sends it to the browser.
A18: After receiving all returned field names, the browser renders them into two select pull-downs using JS, namely "owner field and department field" and "return fields".
In this step, the data administrator formulates the specific data authority rule of the business table as follows:
whether to enable the data owner limit and, if so, which field represents the data owner (the "owner field");
the department limit of the data, which is one of four types: no department, affiliated department, all departments (not including subordinate) and all departments (including subordinate). If anything other than "no department" is selected, the field that represents the department to which the data belong is chosen in the "department field";
whether querying all fields is allowed and, if not, which fields may be returned to the data user, chosen in the pull-down multiple selection "return fields".
A19: After formulating the specific data authority rule of the business table, the data administrator clicks save, and the JS sends the form information (business data source id, business table name, data authority code, whether the data owner limit is enabled, owner field, data owner department limit, department field, whether querying all fields is allowed, return fields and so on) to lark-auth-data.
A20: After receiving the request, lark-auth-data writes the definition of the data authority rule to the database for storage.
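As an added example (not code from the patent or from the lark-* components it describes), the following Python shows the client-side work of step A8, parsing the JDBC address into database type, host, port and service name, and a consistency check of the rule defined in A18 and A19 against the field names returned in A17. The JDBC URL shapes, the sample field names and the rule encoding (`dept_limit` values `none`, `own_dept`, `all_depts`, `all_depts_incl_sub`) are assumptions of this example; the patent's browser JS would perform the equivalent before sending the form to lark-auth-data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example: JDBC URL shapes assumed for this parser (not taken from the patent):
#   jdbc:mysql://host:3306/db?params        jdbc:postgresql://host:5432/db
#   jdbc:sqlserver://host:1433;databaseName=db
#   jdbc:oracle:thin:@host:1521:SID         jdbc:oracle:thin:@//host:1521/service
_DEFAULT_PORTS = {"mysql": 3306, "postgresql": 5432, "sqlserver": 1433, "oracle": 1521}
_GENERIC = re.compile(
    r"^jdbc:(?P<type>mysql|postgresql|sqlserver)://(?P<host>[^:/;?]+)"
    r"(?::(?P<port>\d+))?(?:[/;](?P<rest>[^?]*))?"
)
_ORACLE = re.compile(
    r"^jdbc:oracle:thin:@(?://)?(?P<host>[^:/]+)(?::(?P<port>\d+))?[:/](?P<name>[^?]+)$"
)


@dataclass(frozen=True)
class DbConnectInfo:
    """What step A8 extracts from the JDBC address: type, host (IP), port, service name."""
    db_type: str
    host: str
    port: int
    service_name: str


def parse_jdbc_url(url: str) -> DbConnectInfo:
    m = _ORACLE.match(url)
    if m:
        return DbConnectInfo("oracle", m["host"], int(m["port"] or _DEFAULT_PORTS["oracle"]), m["name"])
    m = _GENERIC.match(url)
    if not m:
        raise ValueError(f"unsupported JDBC address: {url!r}")
    db_type, rest = m["type"], m["rest"] or ""
    if db_type == "sqlserver":
        # SQL Server names the database in a ';'-separated property list
        props = dict(p.split("=", 1) for p in rest.split(";") if "=" in p)
        name = props.get("databaseName", "")
    else:
        name = rest.split("/")[0]
    if not name:
        raise ValueError(f"JDBC address names no database: {url!r}")
    return DbConnectInfo(db_type, m["host"], int(m["port"] or _DEFAULT_PORTS[db_type]), name)


# Assumed encoding of the four department limits of A18 (not the patent's own values).
DEPT_LIMITS = ("none", "own_dept", "all_depts", "all_depts_incl_sub")


def validate_rule(rule: Dict[str, object], table_fields: Set[str]) -> List[str]:
    """Check the rule of A18/A19 against the field names returned in A17.
    Returns a list of problems; an empty list means the rule is consistent with the table."""
    problems: List[str] = []
    if rule["dept_limit"] not in DEPT_LIMITS:
        problems.append(f"unknown department limit {rule['dept_limit']!r}")
    if rule["owner_limit"] and rule.get("owner_field") not in table_fields:
        problems.append("owner limit enabled but owner field is not a column of the table")
    if rule["dept_limit"] != "none" and rule.get("dept_field") not in table_fields:
        problems.append("department limit set but department field is not a column of the table")
    if not rule["allow_all_fields"]:
        returned = list(rule.get("return_fields", []))
        if not returned:
            problems.append("all-field query disabled but no return fields chosen")
        unknown = sorted(set(returned) - table_fields)
        if unknown:
            problems.append(f"return fields not in table: {unknown}")
    return problems
```

Rejecting a rule whose owner or department field is not a column of the table, or whose return fields are not all columns, at save time is cheaper than discovering the mismatch when the interceptor later rewrites a query with that rule.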
Based on the above embodiment, the present application further provides an exemplary implementation of S102 and S103 in conjunction with fig. 4, which may include:
A21: The data administrator opens the data authority authorization page in the client browser. After the page has loaded, the browser JS automatically sends a paged request to lark-auth-data to obtain the data authority rules.
A22: After receiving the request, lark-auth-data reads the added data authority rules page by page, together with their total number, from the database and returns them to the browser as a json object. The paged query can be implemented with any prior art and is not described here.
A23: After the browser receives the returned data authority rule set and total number, it renders the data into a table list using JS and waits for the data administrator to select a row in the list.
A24: After the data administrator selects a row, that data authority rule is marked as the current data authority rule, and the JS sends a request to lark-admin to obtain the whole role tree structure.
A25: After receiving the request, lark-admin queries all roles from the database to obtain a role list, assembles the list into a tree structure according to parent_id, and returns the tree structure to the browser as a json object. Converting a list to a tree structure can be done with any prior art and is not described in detail here.
A26: After the browser receives the returned role tree information, it renders the data into a tree component for display using JS. The JS then sends a request to lark-auth-data to obtain the authorized role ids of the current data authority rule, carrying the current data authority rule id as a parameter.
A27: After receiving the request, lark-auth-data queries the corresponding authorized role ids from the database by the data authority rule id and returns them to the browser as a json set.
A28: After the browser receives the returned authorized role ids, it renders the corresponding nodes of the role tree component in the selected state using JS.
A29: The data administrator selects one or more roles, and the JS sends a request to lark-auth-data to store the authorization; the parameters are the current data authority rule id and the set of newly selected role ids.
In this step, selection of a single node is provided on the tree component; the newly added role set is then the selected node, and the size of the set is 1.
A button "authorize the current node and all lower nodes" is provided on each node of the tree component; the newly added role set is then the selected node together with all lower nodes found by recursive search, and the size of the set is at least 1.
A button "authorize the current node and all upper nodes" is provided on each node of the tree component; the newly added role set is then the selected node together with all upper nodes found by recursive search, and the size of the set is at least 1.
A30: After receiving the request, lark-auth-data assembles the data authority rule id and the role id set into one-to-one pairs, writes them to the database, and returns success information to the browser once all pairs have been written successfully.
A31: The data administrator deselects one or more roles, and the JS sends a request to lark-auth-data to cancel the authorization; the parameters carried are the current data authority rule id and the set of cancelled role ids.
Selection of a single node is provided on the tree component; the cancelled role set is then the selected node, and the size of the set is 1.
A button "cancel authorization of the current node and all lower nodes" is provided on each node of the tree component; the cancelled role set is then the selected node together with all lower nodes found by recursive search, and the size of the set is at least 1.
A button "cancel authorization of the current node and all upper nodes" is provided on each node of the tree component; the cancelled role set is then the selected node together with all upper nodes found by recursive search, and the size of the set is at least 1.
A32: After receiving the request, lark-auth-data assembles the data authority rule id and the role ids into one-to-one pairs and deletes them from the database, the deletion condition being the data authority rule id and the role id; once all pairs have been deleted successfully, success information is returned to the browser.
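The role tree handling of steps A25 to A32, as an added example in Python (not the patent's own code, which runs as browser JS and in lark-admin / lark-auth-data): the flat role list is nested by parent_id, the three selection modes of A29 and A31 are computed by recursive search downwards and a walk upwards, and the (rule id, role id) pairs are written and deleted one-to-one as in A30 and A32. The role names and ids are constructed for the example, and the in-memory `AuthorizationStore` stands in for the database table.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed role list in the flat id/parent_id shape that lark-admin is described
# as reading from its database in A25 (values invented for this example).
ROLES: List[Dict[str, object]] = [
    {"id": 1, "parent_id": None, "name": "dean"},
    {"id": 2, "parent_id": 1, "name": "instructor"},
    {"id": 3, "parent_id": 2, "name": "student"},
    {"id": 4, "parent_id": 1, "name": "teacher"},
]

Node = Dict[str, object]


def build_tree(roles: Iterable[Dict[str, object]]) -> Tuple[List[Node], Dict[int, Node]]:
    """List-to-tree step of A25: nest each role under its parent_id; roots have no known parent."""
    by_id: Dict[int, Node] = {r["id"]: {**r, "children": []} for r in roles}
    roots: List[Node] = []
    for node in by_id.values():
        parent = by_id.get(node["parent_id"])
        (parent["children"] if parent is not None else roots).append(node)
    return roots, by_id


def lower_nodes(node: Node) -> Set[int]:
    """Recursive search downwards ('all lower nodes')."""
    found: Set[int] = set()
    for child in node["children"]:
        found.add(child["id"])
        found |= lower_nodes(child)
    return found


def upper_nodes(node_id: int, by_id: Dict[int, Node]) -> Set[int]:
    """Walk parent_id upwards ('all upper nodes'). The membership test on `found`
    stops a malformed parent_id cycle from looping forever."""
    found: Set[int] = set()
    pid = by_id[node_id]["parent_id"]
    while pid is not None and pid in by_id and pid not in found:
        found.add(pid)
        pid = by_id[pid]["parent_id"]
    return found


def selected_role_set(node_id: int, by_id: Dict[int, Node], mode: str) -> Set[int]:
    """Role id set sent with the request of A29/A31: 'single', 'with_lower' or 'with_upper'."""
    if mode == "single":
        return {node_id}
    if mode == "with_lower":
        return {node_id} | lower_nodes(by_id[node_id])
    if mode == "with_upper":
        return {node_id} | upper_nodes(node_id, by_id)
    raise ValueError(f"unknown selection mode {mode!r}")


class AuthorizationStore:
    """Stand-in for the (rule id, role id) one-to-one rows written in A30 and deleted in A32."""

    def __init__(self) -> None:
        self.pairs: Set[Tuple[int, int]] = set()

    def authorize(self, rule_id: int, role_ids: Iterable[int]) -> int:
        new = {(rule_id, r) for r in role_ids} - self.pairs
        self.pairs |= new
        return len(new)  # rows actually written; re-authorizing is idempotent

    def deauthorize(self, rule_id: int, role_ids: Iterable[int]) -> int:
        gone = {(rule_id, r) for r in role_ids} & self.pairs
        self.pairs -= gone
        return len(gone)  # rows actually deleted

    def authorized_roles(self, rule_id: int) -> Set[int]:
        """What A27 returns for a rule: the ids of its authorized roles."""
        return {r for (rid, r) in self.pairs if rid == rule_id}
```

Authorizing "the current node and all upper nodes" grants the rule to every ancestor role, so the check that the walk terminates on a bad parent_id matters: a cycle in the role table would otherwise hang the request rather than fail it.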
In this embodiment, the accounts, roles and departments of the micro-service system are integrated into one whole without separate integration work; built-in horizontal scaling supports high-concurrency cluster deployment, and the micro-service based development supports horizontal scaling and cloud-oriented services. The lark-auth-data online service uniformly manages all data authority rules, supports SaaS division of data by tenant, and manages the data authority rules of several business systems. lark-auth-client is used as the data authority client and is integrated into the business system micro-services, which reduces the load on a standalone service of parsing and obtaining data. Data administrators such as school teachers or staff need not understand SQL, only the data (e.g., the meaning of the fields). The data administrator is not responsible for writing data query SQL statements or data access interfaces (SQL or data query rules are the responsibility of the business system developers) and only needs to define the data authority rules. The operation is simple and convenient, and easy to implement.
It can be understood that after the data authorization is implemented in the above embodiments, before the data access is performed, data authentication needs to be performed, and the present application also provides an implementation manner of data authentication, which may include:
a business system micro-service is built in advance, the authority authentication toolkit is introduced into it, and a data authority interceptor is configured with authentication enabled through annotations; after receiving a user data access request, the business system micro-service calls the data authority interceptor to judge that the request meets the authentication condition, and sends a data authority query request carrying the user identification information, the business table information to be queried and the corresponding micro-service information.
And when a data authority inquiry request is received, acquiring corresponding matching service data source information according to the micro service information, and acquiring all role information of a corresponding user according to the user identification information.
And determining the matching authority data of the user according to the matching service data source information, the service table information to be inquired and all the role information.
And sending the matching authority data to the service system microservice so that the service system microservice executes data query operation based on the matching authority data.
In this embodiment, the business system micro-service project is built as follows: a business system micro-service is built on Spring Cloud, Spring Boot and MyBatis, and the authority authentication toolkit may be, for example, the lark-auth-client library. The Spring framework is an open source application framework on the Java platform that provides a container with inversion-of-control characteristics. Spring Boot is an open source lightweight framework designed on Spring 4.0; it inherits the excellent characteristics of the Spring framework and further simplifies the whole build and development process of Spring applications by simplifying configuration. In addition, Spring Boot integrates a large number of frameworks so that problems such as dependency version conflicts and unstable references are well resolved. Spring Cloud is an ordered collection of a series of frameworks; using the development convenience of Spring Boot, it ingeniously simplifies the development of distributed system infrastructure such as service discovery and registration, configuration centres, message buses, load balancing, circuit breakers and data monitoring, and can be started and deployed in one step in the Spring Boot development style. Taking Maven project dependency management as an example, the data authority processing code library is referenced as follows:
[The Maven dependency declaration is an image in the original (figure BDA0003329721070000181) and is not reproduced in the text.]
The data authority interceptor of this embodiment performs operations such as parsing request parameters, assigning page form parameters to the corresponding attributes in the value stack, function checking and debugging program exceptions. A MyBatis data authority interceptor may be configured. MyBatis originates from the Apache open source project iBatis and is a Java-based persistence layer framework; the persistence layer framework provided by iBATIS includes SQL Maps and Data Access Objects (DAOs). The MyBatis data authority interceptor code is defined in the lark-auth-client library. Specifically, the configuration may be defined with the Spring `org.springframework.context.annotation.Configuration` annotation: an instance `dataInter` of the MyBatis data authority interceptor class in the `com.mht.lark.security.auth.client.data` package (the class name is garbled in the source text) is constructed and added to the MyBatis interceptor set. Using the Spring Boot `org.springframework.boot.autoconfigure.AutoConfigureAfter` annotation ensures that the MyBatis data authority interceptor joins the interceptor set later than the MyBatis paging interceptor. Interceptors added later are executed first, so the SQL is first reconstructed by the data interceptor and the reconstructed SQL is then paged.
As an optional implementation manner, an optional implementation manner in which the foregoing step determines the matching authority data of the user according to the matching service data source information, the service table information to be queried, and all role information may be:
acquiring all data authority rules of the user to-be-queried service table according to the matched service data source information, the to-be-queried service table information and all role information, and combining the affiliation of the user and the setting values of all fields to generate a target data authority rule;
if the target data authority rules have authority rules which need to inquire data according to departments, acquiring all department information of the user, and taking the target data authority rules and all department information as matching authority data; and if the target data authority rules do not have the authority rules which need to inquire data according to departments, taking the target data authority rules as matching authority data.
As an optional implementation manner, the step of invoking the data permission interceptor to determine that the user data access request meets the authentication condition may include:
acquiring a data query statement and a query parameter, and analyzing the data query statement to obtain a data query condition;
if the data is judged to be inquired according to the tenants, adding the tenant conditions into the data inquiry conditions;
and if the data is judged to be inquired according to the data authority, acquiring the name of the service table to be inquired and the corresponding micro-service name.
In this embodiment, the tenant refers to a client using a system or a computer computing resource, but in the multi-tenant technology, the tenant includes all data that can be identified as a designated user in the system, including account and statistical information (accounting data), various data built by the user in the system, and a customized application environment of the user, and the like, which all belong to the scope of the tenant.
As an optional implementation manner, the process that the service system microserver performs a data query operation based on the matching authority data in the above steps may include:
if the data authority interceptor judges that the data query condition needs to be reconstructed based on the matching authority data, reconstructing the data query condition according to a preset reconstruction rule; determining whether the fields of the data query condition need to be reconstructed according to whether the permission information for querying all the fields exists in the matching authority data; meanwhile, when the current data query condition is judged to be reconstructed, the reconstructed data query condition is used for updating and replacing the current data query condition; and the service system micro-service executes data query operation based on the current data query condition and feeds back the data query result to the client.
This embodiment supports enabling authentication through annotations and automatic SQL reconstruction. Authentication is enabled in the business system micro-service by annotation, so the code integration is simple, easy to implement and easier to maintain later.
In order to make the technical solutions of the present application more clearly apparent to those skilled in the art, the present application provides an illustrative example of data authentication in conjunction with fig. 5 to 6, which may include the following:
B1: The data user initiates a request through the client to access a data interface of the business system micro-service, carrying the token and the query parameters. The token may include the user id, tenant id, user account, user name and affiliated department; the login process that obtains the token is not described in detail here.
B2: after receiving the request, the micro service of the service system calls a method in the mapper of MyBatis to execute SQL statement query, and the MyBatis firstly acquires the SQL statement and assembles parameters, and then enters the data permission interceptor.
The process of how the open source project MyBatis obtains SQL statements from configuration files or annotations in this embodiment is not detailed in the scheme. The execution of the paging interceptor in MyBatis is not detailed in the scheme.
B3: the method comprises the steps of firstly obtaining SQL statements and parameters in a data permission interceptor, analyzing the SQL statements to obtain WHERE query conditions, and creating a character string variable WHERE for subsequent steps to store the query conditions.
B4: and judging whether to query data according to tenants in the data authority interceptor.
Specifically, it is checked whether the class of the mapper method carries the Tenant annotation (package com.…) and whether the mapper method carries the NoTenant annotation (package com.…). If the Tenant annotation is present on the class and the NoTenant annotation is absent on the method, the data are queried by tenant.
B5: and if the data in the data authority interceptor needs to be inquired according to the tenant, adding the tenant condition to the SQL condition. The detailed rules are seen in the whereSql reconstruction rules shown in table 1.
B6: and judging whether to inquire the data according to the data authority in the data authority interceptor.
Specifically, it is judged whether the mapper method carries the com.mht.lark.security.auth.client.annotation.DataAuth annotation (defined in the lark-auth-client library); if so, the data are queried according to the data authority. Note that the attribute tableName (business table name) of DataAuth must be specified. It can be specified directly as a string giving the business table name, or by referring to a method parameter by name: for example, {tableName} denotes the value of the method parameter named tableName.
B7: if the data in the data authority interceptor needs to be inquired according to the data authority, the business table name and the current micro-service name are firstly obtained. The service table name may come from the tableName attribute of the annotation DataAuth. The current micro service name is provided by a profile of the SpringBoot.
B8: The data authority interceptor uses Feign to call a lark-auth-data interface to obtain the current user's data authority for the business table, carrying the token, the business table name and the current micro-service name as parameters. The same table name may exist in different business systems, so the micro-service name is needed to determine which business data source the table belongs to. Feign is the service-consumer calling framework in Spring Cloud and is usually used together with Ribbon, Hystrix and the like.
B9: After receiving the request, lark-auth-data obtains the business data source information from the database by the micro-service name, mainly in order to obtain the data source id.
B10: lark-auth-data calls the lark-admin interface using Feign to obtain all role ids of the current user, carrying the token as a parameter.
B11: After receiving the request, lark-admin obtains the user id from the token, queries all role ids of the current user with it, and returns the role id set to lark-auth-data as a json set.
B12: After receiving the role id set of the current user, lark-auth-data queries from the database all data authority rules of the current user for the business table, using the data source id (from step B9), the business table name (from step B8) and the role id set (from step B11).
B13: When a user has several data authority rules for a table, they must be merged into one, so lark-auth-data merges the data authority rule set into a single data authority rule.
Specifically, if the set is empty, an exception is thrown and returned to the business system micro-service, which terminates the SQL execution and prints the exception information to the log. If the set is not empty: for the data owner, the owner limit is not used as long as one rule does not use it; for the department to which the data belong, the department limit is not used as long as one rule does not use it, and otherwise the widest department range is taken, the ranges being ordered "no department" < "affiliated department" < "all departments (not including subordinate)" or "all departments (including subordinate)"; for the fields, all fields are allowed as long as one rule allows querying all fields, and otherwise the union of the return fields is taken.
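The merge of step B13, as an added Python example (not lark-auth-data's own code): one rule without the owner limit lifts it, one rule without a department limit lifts it and otherwise the widest range wins, one rule allowing all fields allows all and otherwise the return fields are unioned, and an empty set raises the exception that the micro-service is described as turning into an aborted query. The rule encoding and the assumption that "all departments (including subordinate)" is wider than "all departments (not including subordinate)" are this example's; the patent only states that the two are both wider than the affiliated department. It is also assumed that all rules for one table name the same owner and department columns, since they describe the same table.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example. Department ranges as assumed here, narrowest to widest:
#   own_dept < all_depts < all_depts_incl_sub; 'none' means the limit is not used at all.
DEPT_RANK = {"own_dept": 1, "all_depts": 2, "all_depts_incl_sub": 3}


@dataclass
class DataAuthRule:
    owner_limit: bool
    owner_field: Optional[str]
    dept_limit: str                    # 'none' or a key of DEPT_RANK
    dept_field: Optional[str]
    allow_all_fields: bool
    return_fields: List[str] = field(default_factory=list)


class NoDataAuthRule(Exception):
    """Empty rule set: the micro-service is described as aborting the SQL and logging this (B13)."""


def merge_rules(rules: List[DataAuthRule]) -> DataAuthRule:
    """Collapse the rules a user holds for one table into the single rule the interceptor applies."""
    if not rules:
        raise NoDataAuthRule("user holds no data authority rule for this table")
    # Owner: one rule without the owner limit lifts it for all.
    owner_limit = all(r.owner_limit for r in rules)
    owner_field = next((r.owner_field for r in rules if r.owner_limit), None) if owner_limit else None
    # Department: one rule without a department limit lifts it; otherwise take the widest range.
    if any(r.dept_limit == "none" for r in rules):
        dept_limit, dept_field = "none", None
    else:
        widest = max(rules, key=lambda r: DEPT_RANK[r.dept_limit])
        dept_limit, dept_field = widest.dept_limit, widest.dept_field
    # Fields: one rule allowing all fields allows all; otherwise the union, in first-seen order.
    allow_all = any(r.allow_all_fields for r in rules)
    fields: List[str] = []
    if not allow_all:
        for r in rules:
            for f in r.return_fields:
                if f not in fields:
                    fields.append(f)
    return DataAuthRule(owner_limit, owner_field, dept_limit, dept_field, allow_all, fields)
```

The merge is permissive in every dimension (the loosest rule wins), so each role's rule should be written as if it stood alone: a role granted "no department, all fields" for a table widens every user who holds that role alongside stricter ones.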
B14: merge the data authority set in lark-auth-data to obtain the final data authority, and determine whether the final data authority requires data to be queried by department. If the final department to which the data belongs is 'all departments (not containing subordinate)' or 'all departments (containing subordinate)', Feign is used in lark-auth-data to call the lark-admin interface to obtain the department id set of the current user, carrying the parameter token.
B15: and obtaining a user id from the token after receiving the request in the lark-admin, then using the user id to inquire an id set of all departments (not containing subordinate) or all departments (containing subordinate) of the current user, and returning the id set to the lark-auth-data in a json set mode.
B16: and after receiving the department id set in the lark-auth-data, returning the final data authority rule and the department id set to a data authority interceptor of the service system microservice in a json object form.
B17: and after receiving the data authority rule and the department id set, the data authority interceptor judges whether the SQL condition needs to be reconstructed according to the data authority.
B18: if the restriction on the person to whom the data belongs or the restriction on the department to which the data belongs is in use (that is, not 'unused'), the SQL condition needs to be reconstructed.
Table 1 whereSQL reconstruction rules (the table is provided as an image in the original; its rules are described in the following paragraph)
In this step, if the tenant condition is "tenant field = 'tenant id'", the tenant field is taken from the attribute tenantField of the Tenant annotation, which defaults to tenant_id, and the tenant id comes from the token. If the condition on the person to whom the data belongs is "owner field = 'user id'", the owner field comes from the data authority rule and the user id comes from the token. If the department to which the data belongs is the user's own department, the department condition is "department field = 'department id'", where the department field comes from the data authority rule and the department id comes from the token. If the department to which the data belongs is "all departments (not including subordinate)" or "all departments (including subordinate)", the department condition is "department field IN (set of department ids)", where the department field comes from the data authority rule and the set of department ids is returned by lark-auth-data.
B19: after the reconstructed SQL condition is acquired in the data permission interceptor, determine whether the data permission rule allows all fields to be queried.
If all fields are allowed to be queried, the returned fields in the SQL do not need to be reconstructed. If not, the returned fields of the original SQL are parsed to obtain the set of fields it returns. That set is then traversed to check whether each field is in the field set allowed by the data authority, and any field not in the allowed set is removed. The SQL return fields are then reset.
B20: and judging whether the query condition is reconstructed in the data permission interceptor, and replacing the original query condition by using the whereSQL if the query condition is reconstructed.
B21: and finishing the execution of the data authority interceptor, and continuously executing MyBatis to inquire data from the database. And the business system microservice returns the inquired data to the data user of the client.
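The rule merge of step B13 and the whereSQL and field reconstruction of steps B17 to B20, as an added Python example that is not the patent's own code (the patent describes a Java/MyBatis interceptor). It assumes a plain 'SELECT ... FROM table [WHERE ...]' statement, encodes the department ranges as none/own/all/all_sub, ranks 'all departments (containing subordinate)' above 'all departments (not containing subordinate)', and binds the tenant, user and department ids as parameters instead of writing them into the statement as literals.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# Department ranges of step B13, narrowest first.  The patent lists the two
# "all departments" variants with an "or"; ranking "containing subordinate"
# (all_sub) above "not containing subordinate" (all) is our assumption.
DEPT_RANK = {"none": 0, "own": 1, "all": 2, "all_sub": 3}


@dataclass(frozen=True)
class DataAuthRule:
    owner_limit: bool                 # is the data-owner restriction in use?
    owner_field: str                  # column holding the owner's user id
    dept_limit: str                   # "none" | "own" | "all" | "all_sub"
    dept_field: str                   # column holding the owning department id
    all_fields: bool                  # may every field be returned?
    return_fields: FrozenSet[str] = frozenset()  # allowed fields otherwise


class NoDataAuthority(Exception):
    """The user holds no usable rule: the caller must not execute the SQL."""


def merge_rules(rules: Sequence[DataAuthRule]) -> DataAuthRule:
    """Merge every rule the user's roles grant on one table (step B13)."""
    if not rules:
        raise NoDataAuthority("empty data authority rule set")
    # Owner restriction: dropped as soon as one rule does not use it.
    owner_limit = all(r.owner_limit for r in rules)
    # Department restriction: dropped if one rule does not use it, otherwise
    # the widest range any rule grants.
    if any(r.dept_limit == "none" for r in rules):
        dept_limit = "none"
    else:
        dept_limit = max(rules, key=lambda r: DEPT_RANK[r.dept_limit]).dept_limit
    # Fields: all fields if any rule allows them, otherwise the union.
    all_fields = any(r.all_fields for r in rules)
    fields = frozenset() if all_fields else frozenset().union(
        *(r.return_fields for r in rules))
    # The owner and department columns belong to the table, so any rule
    # supplies them (assumption: every rule for a table names the same columns).
    return DataAuthRule(owner_limit, rules[0].owner_field, dept_limit,
                        rules[0].dept_field, all_fields, fields)


# Only the simple statement shape used in the example is parsed here.
_SELECT = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<tbl>\w+)"
                     r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$", re.I | re.S)


def rebuild_sql(sql: str, rule: DataAuthRule, *, user_id: str, user_dept_id: str,
                dept_ids: Sequence[str] = (), tenant_id: Optional[str] = None,
                tenant_field: str = "tenant_id") -> Tuple[str, List[str]]:
    """Apply the merged rule to a SELECT as the interceptor does in B17-B20.

    Returns the rewritten SQL and its bind parameters; ids from the token or
    from lark-auth-data are bound, never spliced into the statement as text.
    """
    m = _SELECT.match(sql)
    if not m:
        raise ValueError("only 'SELECT ... FROM t [WHERE ...]' is handled")
    # B19: keep only the requested fields the rule allows.
    cols = [c.strip() for c in m.group("cols").split(",")]
    if not rule.all_fields:
        cols = [c for c in cols if c in rule.return_fields]
        if not cols:                  # nothing left to return (our choice)
            raise NoDataAuthority("no requested field is permitted")
    # B18: build the added conditions of the whereSQL (tenant, owner, dept).
    conds: List[str] = []
    params: List[str] = []
    if tenant_id is not None:                       # tenant field = 'tenant id'
        conds.append(f"{tenant_field} = ?")
        params.append(tenant_id)
    if rule.owner_limit:                            # owner field = 'user id'
        conds.append(f"{rule.owner_field} = ?")
        params.append(user_id)
    if rule.dept_limit == "own":                    # dept field = 'department id'
        conds.append(f"{rule.dept_field} = ?")
        params.append(user_dept_id)
    elif rule.dept_limit in ("all", "all_sub"):     # dept field IN (dept id set)
        if not dept_ids:
            raise NoDataAuthority("department rule without department ids")
        conds.append(f"{rule.dept_field} IN ({', '.join('?' * len(dept_ids))})")
        params.extend(dept_ids)
    # B20: the original condition is kept and the new ones are ANDed onto it.
    where = ([f"({m.group('where')})"] if m.group("where") else []) + conds
    out = f"SELECT {', '.join(cols)} FROM {m.group('tbl')}"
    if where:
        out += " WHERE " + " AND ".join(where)
    return out, params
```

Two constructed rules with owner restriction on, ranges 'own' and 'all_sub' and disjoint field sets merge to an owner-restricted, 'all_sub', union-of-fields rule, and a request for an unlisted field is dropped from the SELECT list rather than rejected.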
It should be noted that, in the present application, there is no strict sequential execution order among the steps, and as long as a logical order is met, the steps may be executed simultaneously or according to a certain preset order, and fig. 1 to fig. 6 are only schematic manners, and do not represent only such an execution order.
The embodiment of the invention also provides a corresponding device for the data access control method, further ensuring the practicability of the method. The device can be described from the point of view of functional modules and from the point of view of hardware. In the following, the data access control device provided by the embodiment of the present invention is introduced; the data access control device described below and the data access control method described above may be referred to correspondingly.
Based on the angle of the functional module of the client, the data access control device may include:
the system comprises a pre-deployment module, a database connection module and a service data source module, wherein the pre-deployment module is used for creating corresponding service data source information in advance according to service system information, micro-service information and database connection information, and generating a data authority rule of a corresponding service data source by acquiring a set value of a target field of a target service table of each service data source information;
the authorization module is used for acquiring data authority rules and role tree information of each service data source when receiving a data authority authorization request, generating a role tree component based on the role tree information, and identifying authorized roles of target data authority rules selected by a user in the role tree component;
and the permission operation module is used for sending a permission operation instruction carrying target data permission rule information and target role information when detecting that a user executes role editing operation on the role tree component.
Optionally, the pre-deployment module of the above embodiment may be further configured to: when a data authority adding request is detected, displaying a data authority operation interface, and simultaneously sending a request for acquiring all service data sources; responding to a target service data source selection request, and sending a request for acquiring all service table names of the target service data source; responding to the target service table selection request, and sending a request for acquiring all field names of the target service table; responding to the field setting request, and generating a data authority rule of the target service table according to the setting value corresponding to each field; the data authority rule comprises a target service data source id, a target service table name, a data authority code, whether to open data owner limitation, an owner field, data owner department limitation, an owner field, whether to allow all fields to be inquired and a return field.
In other embodiments of this embodiment, the pre-deployment module of the above embodiment may be further configured to: when a target business data source adding request is detected, displaying a data source adding operation interface, and simultaneously sending a request for acquiring all business systems; responding to a target service system selection request, and sending a request for acquiring all micro-service information of the target service system; acquiring a target micro service selected by a user, and acquiring database connection information corresponding to the target micro service by analyzing a database connection information input instruction; and creating target service data source information according to the target service system, the target micro-service information and the database connection information.
Optionally, in some embodiments of this embodiment, the permission operating module may be further configured to: when detecting that a user selects a target node and an authorization identifier in a role tree component, generating a request storage authorization instruction according to target data authority rule information and role information corresponding to the target node and sending the request storage authorization instruction; and when detecting that the user selects a target node and selects a de-authorization identifier in the role tree component, generating a request de-authorization instruction according to the target data authority rule information and the role information corresponding to the target node and sending the request de-authorization instruction.
Based on the perspective of the functional module of the processor providing the data authority service, the data access control apparatus may include:
the data storage module is used for pre-storing service data source information and corresponding data authority rules; the service data source information is created according to the service system information, the micro-service information and the database connection information; the data authority rule is generated by acquiring the set value of the target field of the target service table of each service data source information;
the data feedback module is used for feeding back the data authority rules of all the service data sources when receiving the service authority acquisition request; when receiving an authorized role obtaining request, feeding back an authorized role of a target data authority rule selected by a user;
the authority operation execution module is used for updating the relation between the corresponding data authority and the role in the target data authority rule based on the target data authority rule information and the target role information carried by the authority operation instruction when the authority operation instruction is detected; the permission operation instruction is issued when the client detects that the user executes role editing operation on the role tree component; the role tree component is a role tree component generated by the client based on the role tree information, and authorized roles of the target data permission rule are identified in the role tree component.
As an optional implementation manner of this embodiment, the apparatus may further include an authentication module, for example, configured to pre-build a business system microservice, and configure an authority authentication kit and a data authority interceptor in the business system microservice; the service system micro-service is used for calling a data authority interceptor to judge that the user data access request meets the authentication condition after receiving the user data access request, and sending a data authority query request carrying user identification information, service table information to be queried and corresponding micro-service information; when a data authority inquiry request is received, acquiring corresponding matching service data source information according to the micro service information, and acquiring all role information of a corresponding user according to the user identification information; determining matching authority data of a user according to the matching service data source information, the service table information to be inquired and all role information; and sending the matching authority data to the service system microservice so that the service system microservice executes data query operation based on the matching authority data.
As an optional implementation manner of the foregoing embodiment, the authentication module may be further configured to: acquiring all data authority rules of the user to-be-queried service table according to the matched service data source information, the to-be-queried service table information and all role information, and combining the affiliation of the user and the setting values of all fields to generate a target data authority rule; if the target data authority rules have authority rules which need to inquire data according to departments, acquiring all department information of the user, and taking the target data authority rules and all department information as matching authority data; and if the target data authority rules do not have the authority rules which need to inquire data according to departments, taking the target data authority rules as matching authority data.
As another optional implementation manner of the foregoing embodiment, the authentication module may be further configured to: acquiring a data query statement and a query parameter, and analyzing the data query statement to obtain a data query condition; if the data is judged to be inquired according to the tenants, adding the tenant conditions into the data inquiry conditions; and if the data is judged to be inquired according to the data authority, acquiring the name of the service table to be inquired and the corresponding micro-service name.
As another optional implementation manner of the foregoing embodiment, the authentication module may be further configured to: if the data authority interceptor judges that the data query condition needs to be reconstructed based on the matching authority data, reconstructing the data query condition according to a preset reconstruction rule; determining whether the fields of the data query condition need to be reconstructed according to whether the permission information for querying all the fields exists in the matching authority data; meanwhile, when the current data query condition is judged to be reconstructed, the reconstructed data query condition is used for updating and replacing the current data query condition; and the service system micro-service executes data query operation based on the current data query condition and feeds back the data query result to the client.
Referring to fig. 7, the data access control device may include a client 71, a data authority service module 72, a basic information management module 73, a business system micro-service module 74, and a database 75. The data authority service module 72, the basic information management module 73, the business system micro-service module 74 and the database 75 may be installed on the same server, or may be installed on different servers, and those skilled in the art may flexibly select the data authority service module according to the actual application scenario.
The client 71 is arranged to carry out the steps of the data access control method as described in any one of the preceding method embodiments when executing a memory stored computer program. The data rights service module 72 is operative when executing the memory stored computer program to implement the steps of the data access control method of any of the previous method embodiments. The basic information management module 73 is used to manage basic information of the data access control device and provide a basic information inquiry service. The basic information comprises user information, role information, department information, a user-role relationship, a user-department relationship, business system information, micro-service information and a business system-micro-service relationship. The database 75 is used to store data. The service system micro-service module 74 is configured to call a data authority interceptor to determine that the user data access request meets the authentication condition when receiving the user data access request, and send a data authority query request carrying user identification information, service table information to be queried, and corresponding micro-service information; if the data authority interceptor judges that the data query condition needs to be reconstructed based on the matching authority data, reconstructing the data query condition according to a preset reconstruction rule; determining whether the fields of the data query condition need to be reconstructed according to whether the permission information for querying all the fields exists in the matching authority data; meanwhile, when the current data query condition is judged to be reconstructed, the reconstructed data query condition is used for updating and replacing the current data query condition; and the service system micro-service executes data query operation based on the current data query condition and feeds back the data query result to the client.
The functions of each functional module of the data access control device in the embodiments of the present invention may be specifically implemented according to the method in the above method embodiments, and the specific implementation process may refer to the description related to the above method embodiments, which is not described herein again.
Therefore, the embodiment of the invention can simply, effectively and low-cost realize data-level authority management and better control data access.
The data access control device mentioned above is described from the perspective of a functional module, and further, the present application also provides an electronic device described from the perspective of hardware. Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 8, the electronic device includes a memory 80 for storing a computer program; a processor 81 for implementing the steps of the data access control method as mentioned in any of the above embodiments when executing the computer program.
The processor 81 may include one or more processing cores, such as a 4-core processor, an 8-core processor, a controller, a microcontroller, a microprocessor, or other data processing chip, and the like. The processor 81 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 81 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 81 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content that the display screen needs to display. In some embodiments, the processor 81 may further include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
The memory 80 may include one or more computer-readable storage media, which may be non-transitory. Memory 80 may also include high speed random access memory as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. The memory 80 may in some embodiments be an internal storage unit of the electronic device, for example a hard disk of a server. The memory 80 may also be an external storage device of the electronic device in other embodiments, such as a plug-in hard disk provided on a server, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 80 may also include both an internal storage unit and an external storage device of the electronic device. The memory 80 can be used for storing application software installed in the electronic device and various data, such as: the code of the program that executes the vulnerability handling method, etc. may also be used to temporarily store data that has been output or is to be output. In this embodiment, the memory 80 is at least used for storing a computer program 801, wherein after being loaded and executed by the processor 81, the computer program can implement the relevant steps of the data access control method disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 80 may also include an operating system 802, data 803, and the like, and the storage manner may be a transient storage or a permanent storage. Operating system 802 may include, among other things, Windows, Unix, Linux, and the like. The data 803 may include, but is not limited to, data corresponding to data access control results, and the like.
In some embodiments, the electronic device may further include a display 82, an input/output interface 83, a communication interface 84 or network interface, a power supply 85, and a communication bus 86. The display 82 and the input/output interface 83, such as a Keyboard (Keyboard), belong to a user interface, and the optional user interface may also include a standard wired interface, a wireless interface, and the like. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, as appropriate, is used for displaying information processed in the electronic device and for displaying a visualized user interface. The communication interface 84 may optionally include a wired interface and/or a wireless interface, such as a WI-FI interface, a bluetooth interface, etc., typically used to establish a communication connection between an electronic device and other electronic devices. The communication bus 86 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
Those skilled in the art will appreciate that the configuration shown in fig. 8 is not intended to be limiting of the electronic device and may include more or fewer components than those shown, such as a sensor 87 that performs various functions.
The functions of the functional modules of the electronic device according to the embodiments of the present invention may be specifically implemented according to the method in the above method embodiments, and the specific implementation process may refer to the description related to the above method embodiments, which is not described herein again.
Therefore, the embodiment of the invention can simply, effectively and low-cost realize data-level authority management and better control data access.
It is to be understood that, if the data access control method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application may be substantially or partially implemented in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods of the embodiments of the present application, or all or part of the technical solutions. And the aforementioned storage medium includes: a U disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrically erasable programmable ROM, a register, a hard disk, a multimedia card, a card type Memory (e.g., SD or DX Memory, etc.), a magnetic Memory, a removable magnetic disk, a CD-ROM, a magnetic or optical disk, and other various media capable of storing program codes.
Based on this, the embodiment of the present invention further provides a readable storage medium, which stores a computer program, and the computer program is executed by a processor, and the steps of the data access control method according to any one of the above embodiments are provided.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments may be referred to each other. As for the device and the electronic equipment disclosed in the embodiments, since they correspond to the method disclosed in the embodiments, their description is relatively simple, and the relevant points can be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The foregoing describes a data access control method, an apparatus, and an electronic device provided in the present application in detail. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present application.

Claims (11)

1. A data access control method, comprising:
creating corresponding business data source information in advance according to the business system information, the micro-service information and the database connection information, and generating data authority rules of corresponding business data sources by acquiring set values of target fields of target business tables of the business data source information;
when a data authority authorization request is received, acquiring data authority rules and role tree information of each service data source, generating a role tree component based on the role tree information, and identifying authorized roles of target data authority rules selected by a user in the role tree component;
and when detecting that the user executes role editing operation on the role tree component, sending a permission operation instruction carrying target data permission rule information and target role information.
2. The data access control method of claim 1, wherein the generating the data authority rule of the corresponding service data source by obtaining the setting value of the target field of the target service table of each service data source information comprises:
when a data authority adding request is detected, displaying a data authority operation interface, and simultaneously sending a request for acquiring all service data sources;
responding to a target service data source selection request, and sending a request for acquiring all service table names of the target service data source;
responding to a target service table selection request, and sending a request for acquiring all field names of the target service table;
responding to the field setting request, and generating a data authority rule of the target service table according to the setting value corresponding to each field; the data authority rules comprise a target service data source id, a target service table name, a data authority code, whether to open data owner limitation, an owner field, data owner department limitation, an owner field, whether to allow all fields to be inquired and a return field.
3. The data access control method of claim 2, wherein the creating of the corresponding service data source information according to the service system information, the micro service information and the database connection information comprises:
when a target business data source adding request is detected, displaying a data source adding operation interface, and simultaneously sending a request for acquiring all business systems;
responding to a target service system selection request, and sending a request for acquiring all micro-service information of the target service system;
acquiring a target micro service selected by a user;
obtaining database connection information corresponding to the target micro service by analyzing a database connection information input instruction;
and creating target business data source information according to the target business system, the target micro-service information and the database connection information.
4. The data access control method according to any one of claims 1 to 3, wherein the process of sending the permission operation instruction carrying the target data permission rule information and the target role information when detecting that the user performs the role editing operation on the role tree component includes:
when detecting that a user selects a target node and an authorization identifier in the role tree component, generating a request storage authorization instruction according to the target data authority rule information and the role information corresponding to the target node and sending the request storage authorization instruction;
and when detecting that a user selects a target node and selects a de-authorization identifier in the role tree component, generating a request de-authorization instruction according to the target data authority rule information and the role information corresponding to the target node and sending the request de-authorization instruction.
5. A data access control method, comprising:
pre-storing service data source information and corresponding data authority rules; the service data source information is created according to service system information, micro-service information and database connection information; the data authority rule is generated by acquiring a set value of a target field of a target service table of each service data source information;
when receiving a service authority acquisition request, feeding back a data authority rule of each service data source;
when receiving an authorized role obtaining request, feeding back an authorized role of a target data authority rule selected by a user;
when an authority operation instruction is detected, updating the relation between the corresponding data authority and the role in the target data authority rule based on target data authority rule information and target role information carried by the authority operation instruction;
the authority operation instruction is issued when the client detects that the user executes role editing operation on the role tree component; the role tree component is a role tree component generated by the client based on role tree information, and the role tree component identifies an authorized role of the target data permission rule.
6. The data access control method according to claim 5, wherein, after updating the relationship between the corresponding data permission and the role in the target data permission rule according to the target data permission rule information and the target role information carried by the permission operation instruction, the method further comprises:
building a business-system microservice in advance, introducing a permission verification toolkit into it, and configuring a data permission interceptor whose verification is enabled by annotation; on receiving a user data access request, the business-system microservice invokes the data permission interceptor to determine that the request meets the authorization condition, and then sends a data permission query request carrying the user identification information, the information of the business table to be queried and the corresponding microservice information;
on receiving the data permission query request, obtaining the matching business data source information according to the microservice information, and obtaining all role information of the corresponding user according to the user identification information;
determining the user's matching permission data from the matching business data source information, the information of the business table to be queried and all the role information;
and sending the matching permission data to the business-system microservice so that the business-system microservice performs the data query operation according to the matching permission data.
7. The data access control method of claim 6, wherein determining the user's matching permission data from the matching business data source information, the information of the business table to be queried and all the role information comprises:
obtaining, according to the matching business data source information, the information of the business table to be queried and all the role information, all data permission rules that apply to the user on that business table, and combining the user's affiliation with the setting values of all fields to generate the target data permission rule;
if the target data permission rule contains a rule that requires data to be queried by department, obtaining all department information of the user and taking the target data permission rule together with all the department information as the matching permission data; otherwise, taking the target data permission rule alone as the matching permission data.
8. The data access control method according to claim 6, wherein the process in which the data permission interceptor determines that the user data access request meets the authorization condition comprises:
obtaining the data query statement and the query parameters, and parsing the data query statement to obtain the data query condition;
if it is determined that the data is to be queried by tenant, adding the tenant condition to the data query condition;
and if it is determined that the data is to be queried according to data permissions, obtaining the name of the business table to be queried and the corresponding microservice name.
9. The data access control method of claim 6, wherein the process in which the business-system microservice performs the data query operation according to the matching permission data comprises:
if the data permission interceptor determines, on the basis of the matching permission data, that the data query condition needs to be reconstructed, reconstructing the data query condition according to a preset reconstruction rule; whether the fields of the data query condition need to be reconstructed is decided by whether the matching permission data contains the permission to query all fields; and when the current data query condition is judged to need reconstruction, replacing the current data query condition with the reconstructed one;
and the business-system microservice performing the data query operation according to the current data query condition and returning the query result to the client.
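The interceptor flow of claims 6 to 9, worked through as an added example in Python; this is not the patent's code. It assumes a rule format of column name to setting value, with "${user}" and "${departments}" as the setting values the permission service substitutes from the user's affiliation, an in-process stand-in for the data permission service, and a constructed orders table in SQLite; every name, role and table is hypothetical. Two checks that the claims leave unstated are added because a practitioner needs them: the interceptor fails closed when no rule matches, and it binds rule values as query parameters and validates column names, because the reconstructed condition is built from rule metadata and must not become an injection path.

```python
import re
import sqlite3
from dataclasses import dataclass, field

ALL_FIELDS = "ALL"                                  # rule value: may query every row
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")     # column names allowed in rules

# Constructed sample identity and rule data; the format is an assumption made for
# this example, not the patent's. "${user}" and "${departments}" are setting values
# that the permission service substitutes from the user's affiliation (claim 7).
USER_ROLES = {"alice": ["sales_rep"], "bob": ["sales_manager"], "carol": ["auditor"], "dave": []}
USER_DEPARTMENTS = {"alice": [10], "bob": [10, 20], "carol": []}
DATA_RULES = {                                      # (microservice, table) -> role -> rule
    ("order-svc", "orders"): {
        "sales_rep": {"owner": "${user}"},               # own rows only
        "sales_manager": {"dept_id": "${departments}"},  # rows of the user's departments
        "auditor": ALL_FIELDS,                           # no row restriction
    }
}


@dataclass
class MatchingAuthorityData:
    rules: list = field(default_factory=list)           # one {column: [values]} per matched role
    department_ids: list = field(default_factory=list)  # filled only when a rule queries by department
    all_fields: bool = False                            # some role grants the all-fields permission


def query_permissions(user, table, microservice):
    """Permission service side (claims 6 and 7): merge the rules of all the user's roles."""
    auth = MatchingAuthorityData()
    for role in USER_ROLES.get(user, []):
        rule = DATA_RULES.get((microservice, table), {}).get(role)
        if rule is None:
            continue
        if rule == ALL_FIELDS:
            auth.all_fields = True
            continue
        resolved = {}
        for col, setting in rule.items():
            if setting == "${user}":
                resolved[col] = [user]
            elif setting == "${departments}":        # rule queries by department: attach them all
                auth.department_ids = list(USER_DEPARTMENTS.get(user, []))
                resolved[col] = auth.department_ids
            else:
                resolved[col] = [setting]
        auth.rules.append(resolved)
    return auth


def rebuild_query(sql, params, tenant_id, auth):
    """Interceptor side (claims 8 and 9): wrap the original statement and append the tenant
    and permission predicates as bound parameters, never by string concatenation."""
    if not auth.all_fields and not auth.rules:
        raise PermissionError("no data permission rule matched: failing closed")
    conds, bound = ["tenant_id = ?"], list(params) + [tenant_id]
    if not auth.all_fields:                          # claim 9: all-fields permission -> no row filter
        ors = []
        for rule in auth.rules:
            ands = []
            for col, values in rule.items():
                if not IDENT.match(col):             # rule metadata is data, not trusted SQL
                    raise ValueError(f"refusing unsafe column name in rule: {col!r}")
                if not values:                       # e.g. a manager with no departments
                    ands.append("0")
                    continue
                ands.append(f"{col} IN ({','.join('?' * len(values))})")
                bound.extend(values)
            ors.append("(" + " AND ".join(ands or ["0"]) + ")")
        conds.append("(" + " OR ".join(ors) + ")")   # union of what the user's roles allow
    return f"SELECT * FROM ({sql}) AS q WHERE " + " AND ".join(conds), bound


def _sample_db():
    """Constructed table; row 5 belongs to another tenant and must never appear under tenant 1."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, tenant_id INTEGER, owner TEXT, dept_id INTEGER, amount INTEGER)")
    con.executemany("INSERT INTO orders VALUES (?,?,?,?,?)", [
        (1, 1, "alice", 10, 500), (2, 1, "bob", 10, 900), (3, 1, "erin", 20, 50),
        (4, 1, "frank", 30, 700), (5, 2, "alice", 10, 999),
    ])
    return con


def run_query(user, tenant_id, sql, params=(), table="orders", microservice="order-svc"):
    """Business microservice entry point: the table and microservice names are what the
    annotation-enabled interceptor supplies (claim 8); returns the ids the user may see."""
    auth = query_permissions(user, table, microservice)
    rewritten, bound = rebuild_query(sql, params, tenant_id, auth)
    con = _sample_db()
    try:
        return sorted(row[0] for row in con.execute(rewritten, bound))
    finally:
        con.close()


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, run_query(who, 1, "SELECT * FROM orders WHERE amount > ?", (100,)))
```

Instead of parsing the statement to find its WHERE clause, as claim 8 describes, the example wraps the original statement as a subquery and appends the tenant and permission predicates outside it; the original condition and its parameters are left untouched and the added predicates cannot be short-circuited by an OR in the caller's condition. The permission service returns the department list with the rule (claim 7) and the interceptor expands it into an IN list of bound parameters, so a user with no departments sees nothing rather than everything.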
10. A data access control device, characterised by comprising a client, a data permission service module, a basic information management module, a business-system microservice module and a database;
the client being configured to implement the steps of the data access control method of any one of claims 1 to 4 when executing a computer program stored in a memory;
the data permission service module being configured to implement the steps of the data access control method of any one of claims 5 to 9 when executing a computer program stored in a memory;
and the basic information management module being configured to manage the basic information of the data access control device and to provide a basic information query service.
11. An electronic device, comprising a processor and a memory, the processor being configured to implement the steps of the data access control method of any one of claims 1 to 4 and/or of the data access control method of any one of claims 5 to 9 when executing a computer program stored in the memory.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111276857.2A CN113987541A (en) 2021-10-29 2021-10-29 Data access control method and device and electronic equipment
Publications (1)

Publication Number Publication Date
CN113987541A true CN113987541A (en) 2022-01-28

Family

ID=79744849

Country Status (1)

Country Link
CN (1) CN113987541A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765673A (en) * 2021-08-31 2021-12-07 中国建设银行股份有限公司 Access control method and device
CN114417287A (en) * 2022-03-25 2022-04-29 阿里云计算有限公司 Data processing method, system, device and storage medium
CN115017484A (en) * 2022-08-04 2022-09-06 北京航天驭星科技有限公司 Access control method and device
CN115577381A (en) * 2022-12-09 2023-01-06 云粒智慧科技有限公司 Line-level data access method and device and electronic equipment
CN116126944A (en) * 2023-02-14 2023-05-16 中电金信软件有限公司 Data access system, method and electronic equipment
CN116861439A (en) * 2023-06-21 2023-10-10 三峡高科信息技术有限责任公司 Method for realizing SQL injection prevention of service system in modular manner
CN116861439B (en) * 2023-06-21 2024-04-12 三峡高科信息技术有限责任公司 Method for realizing SQL injection prevention of service system in modular manner

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination