CN114036540A - Interface data authority control method and system based on dynamic configuration - Google Patents

Interface data authority control method and system based on dynamic configuration Download PDF

Info

Publication number
CN114036540A
CN114036540A CN202111313987.9A CN202111313987A CN114036540A CN 114036540 A CN114036540 A CN 114036540A CN 202111313987 A CN202111313987 A CN 202111313987A CN 114036540 A CN114036540 A CN 114036540A
Authority
CN
China
Prior art keywords
data
authority
document
dimension
interface
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111313987.9A
Other languages
Chinese (zh)
Inventor
陈显智
何博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hand Enterprise Solutions Co ltd
Original Assignee
Hand Enterprise Solutions Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hand Enterprise Solutions Co ltd filed Critical Hand Enterprise Solutions Co ltd
Priority to CN202111313987.9A priority Critical patent/CN114036540A/en
Publication of CN114036540A publication Critical patent/CN114036540A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The interface data authority control method and system based on dynamic configuration classify and integrate data needing authority control as document dimensionality according to the splitting of a service scene and the attribute of service data; taking a basic unit for uniformly controlling the service data as a receipt, and integrating the receipt dimensionality related to the service scene; taking the operable data range of the authentication entity in the corresponding document dimension as dimension data; configuring document dimensionality corresponding to the interface field, associating the interface field with the document dimensionality, and determining a data range of the interface field and a data type of an interface; and distributing the document to the corresponding authentication entity, enabling the document dimension, the document, the dimension data, the interface field and the document dimension association to take effect on the authentication entity, and controlling the operable data range of the authentication entity. The invention shields the details of the technical bottom layer, realizes the flexible and accurate control of the data authority distributed by the service operator according to the service scene and the operable data authority of the interface by the authentication entity.

Description

Interface data authority control method and system based on dynamic configuration
Technical Field
The invention relates to an interface data authority control method and system based on dynamic configuration, and belongs to the technical field of data processing.
Background
Business is a transaction that needs to be processed in each industry, and is usually a transaction with a preference for sales, and any company unit is still mainly used for selling products, selling services, selling technologies and the like. Business is related activities in business, different business scenes usually have different hierarchical roles, a large amount of business data can be generated in the business activities, different business hierarchies have different control degrees on the business data, and different business data control authorities need to be given to the different business hierarchies.
In the traditional technology, the mixing degree of a bottom service data logic structure and a service scene is high, and users need to pay attention to not only the service scene logic but also the bottom detail data structure related to the service scene; the method cannot isolate bottom-level details, cannot think of system flow and perform authority distribution based on the requirements of a service scene, and has high complexity and poor flexibility in authority distribution; it is difficult to accurately control different data authority ranges of the same authentication entity under different scenes, and the data authority distribution granularity is controlled to be coarse.
Disclosure of Invention
Therefore, the invention provides an interface data authority control method and system based on dynamic configuration, which shields the details of the technical bottom layer and realizes the flexible and accurate control of the data authority distributed by the service operator according to the service scene and the data authority which can be operated by the authentication entity on the interface.
In order to achieve the above purpose, the invention provides the following technical scheme: the interface data authority control method based on dynamic configuration comprises the following steps:
document dimension definition: classifying and integrating data needing authority control according to the splitting of the service scene and the attribute of the service data, and taking the classified and integrated data needing authority control as document dimensionality;
document definition: according to the needs of the business scene and the correlation of business terms, a basic unit for uniformly controlling business data is used as a receipt, and then the receipt dimensionalities related to the business scene are integrated;
the dimension data defines: taking the operable data range of the authentication entity in the corresponding document dimension as dimension data;
interface fields and document dimensions association: configuring document dimensionality corresponding to an interface field, associating the interface field with the document dimensionality, and determining a data range of the interface field and a data type of an interface;
and (3) authentication entity document authority distribution: and distributing the bill to a corresponding authentication entity, enabling the bill dimension, the bill, the dimension data, the interface field and the bill dimension association to take effect on the authentication entity, and controlling the operable data range of the authentication entity.
As a preferred scheme of an interface data authority control method based on dynamic configuration, the document dimension is data abstraction which has actual business meaning and needs data authority control;
the document dimension describes a set of data, and the operable data range of the authentication entity is a subset of the document dimension.
As a preferred scheme of the interface data authority control method based on dynamic configuration, the document is an independent business data set abstracted according to a business scene, and the document dimension is an optional data set abstraction of the business scene corresponding to the document.
As a preferred scheme of the interface data authority control method based on dynamic configuration, the authentication entity comprises a role and a sub-account, wherein the role is a basic element abstracted based on entity responsibility;
distributing and defining documents and dimension data owned by the roles according to the meaning of entity responsibility;
after the sub-account is allocated with the role, the sub-account has entity responsibilities and data permissions possessed by the role.
As a preferred scheme of the interface data authority control method based on dynamic configuration, when the sub-account operates the service data, the data authority is checked, and whether the authentication entity has the operation authority of the service data to be operated is judged.
As an optimal scheme of the interface data authority control method based on dynamic configuration, the mode of the bill taking effect on the authentication entity comprises a blacklist and a white list;
in the blacklist validation mode, the access of the authentication entity is limited by maintaining the bill authority;
and allowing the authentication entity to access by maintaining the bill authority in the white list validation mode.
As a preferred scheme of the interface data authority control method based on dynamic configuration, whether submitted data can be operated under an interface is verified through determining document dimensions associated with corresponding fields in the interface and authority ranges owned by an authentication entity.
As a preferred scheme of the interface data authority control method based on dynamic configuration, the gateway judges the authority according to the interface authority setting and the data authority of the authentication entity, and releases or prevents the authentication entity from operating and accessing the interface;
and the gateway acquires the latest configuration information in real time and dynamically controls the data authority range of the authentication entity.
The invention also provides an interface data authority control system based on dynamic configuration, which comprises:
the document dimension defining module is used for classifying and integrating data needing authority control according to the splitting of the service scene and the attribute of the service data, and taking the classified and integrated data needing authority control as document dimensions;
the receipt definition module is used for taking a basic unit for uniformly controlling the business data as a receipt according to the needs of the business scene and the correlation of business terms, and then integrating the receipt dimensionality related to the business scene;
the dimension data definition module is used for taking the operable data range of the authentication entity in the corresponding document dimension as dimension data;
the correlation module is used for configuring the bill dimension corresponding to the interface field, correlating the interface field with the bill dimension, and determining the data range of the interface field and the data type of the interface;
and the authority distribution module is used for distributing the bill to the corresponding authentication entity, enabling the bill dimension, the bill, the dimension data, the interface field and the bill dimension to be associated on the authentication entity to take effect, and controlling the operable data range of the authentication entity.
As a preferred scheme of an interface data authority control system based on dynamic configuration, the document dimension is data abstraction which has actual business meaning and needs data authority control;
the document dimension describes a set of data, and the operable data range of the authentication entity is a subset of the document dimension;
the document is an independent business data set abstracted according to the business scene, and the document dimension is an optional data set abstraction of the business scene corresponding to the document.
As a preferred scheme of the interface data authority control system based on dynamic configuration, the authentication entity comprises a role and a sub-account, wherein the role is a basic element abstracted based on entity responsibility;
distributing and defining documents and dimension data owned by the roles according to the meaning of entity responsibility;
after the sub-account is allocated with the role, the sub-account has entity responsibilities and data permissions possessed by the role.
As a preferred scheme of an interface data authority control system based on dynamic configuration, in the authority distribution module, the mode of the document taking effect on the authentication entity comprises a black list and a white list;
in the blacklist validation mode, the access of the authentication entity is limited by maintaining the bill authority;
and allowing the authentication entity to access by maintaining the bill authority in the white list validation mode.
As a preferred scheme of the interface data authority control system based on dynamic configuration, the system further comprises an operation authority judgment module, which is used for verifying the data authority when the sub-account operates the service data, and judging whether the authentication entity has the operation authority of the service data to be operated;
verifying whether the certification authority can operate submitted data under the interface or not by determining document dimensions associated with corresponding fields in the interface and an authority range owned by the certification entity;
the gateway judges the authority according to the interface authority setting and the data authority of the authentication entity, and releases or prevents the authentication entity from operating and accessing the interface;
and the gateway acquires the latest configuration information in real time and dynamically controls the data authority range of the authentication entity.
The invention has the following advantages: classifying and integrating data needing authority control according to the splitting of the service scene and the attribute of the service data, and taking the classified and integrated data needing authority control as document dimensionality; according to the needs of the business scene and the correlation of business terms, a basic unit for uniformly controlling business data is used as a receipt, and then the dimensionality of the receipt related to the business scene is integrated; taking the operable data range of the authentication entity in the corresponding document dimension as dimension data; configuring document dimensionality corresponding to the interface field, associating the interface field with the document dimensionality, and determining a data range of the interface field and a data type of an interface; and distributing the document to the corresponding authentication entity, enabling the document dimension, the document, the dimension data, the interface field and the document dimension association to take effect on the authentication entity, and controlling the operable data range of the authentication entity. The invention realizes the separation of the logic structure of the bottom service data from the service scene, and achieves the purpose that the user only needs to pay attention to the logic of the service scene and does not need to pay attention to the bottom detail data structure related to the service scene; the judgment logic and the flow of the document data authority can be multiplexed, and the result is applied to different scenes; the control authority of the data can be configured through the sub-account and the role, and the limited range of the data authority can reach a specific interface and even a certain interface under a certain menu; the granularity of data authority control is finer, and different data authority ranges of the same authentication entity under different scenes can be flexibly and accurately controlled.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so that those skilled in the art can understand and read the present invention, and do not limit the conditions for implementing the present invention, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the functions and purposes of the present invention, should still fall within the scope of the present invention.
FIG. 1 is a schematic flow chart of a method for controlling interface data permissions based on dynamic configuration according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a technical architecture of a method for controlling interface data permissions based on dynamic configuration according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an interface data authority control system based on dynamic configuration according to an embodiment of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to fig. 1 and 2, a method for controlling interface data authority based on dynamic configuration is provided, which includes the following steps:
s1, defining document dimensions: classifying and integrating data needing authority control according to the splitting of the service scene and the attribute of the service data, and taking the classified and integrated data needing authority control as document dimensionality;
s2, document definition: according to the needs of the business scene and the correlation of business terms, a basic unit for uniformly controlling business data is used as a receipt, and then the receipt dimensionalities related to the business scene are integrated;
s3, dimension data definition: taking the operable data range of the authentication entity in the corresponding document dimension as dimension data;
s4, interface field and document dimension association: configuring document dimensionality corresponding to an interface field, associating the interface field with the document dimensionality, and determining a data range of the interface field and a data type of an interface;
s5, authentication entity document authority distribution: and distributing the bill to a corresponding authentication entity, enabling the bill dimension, the bill, the dimension data, the interface field and the bill dimension association to take effect on the authentication entity, and controlling the operable data range of the authentication entity.
In the embodiment, the document dimension is data abstraction which has actual business meaning and needs to be subjected to data authority control; the document dimension describes a set of data, and the operable data range of the authentication entity is a subset of the document dimension.
Specifically, the document dimension is an abstraction of data, one document dimension specifically describes and associates a series of related data, and the definition of the data authority range is defined based on the document dimension. That is, the document dimension describes a collection of data, and the operable range of data for the authentication entity is a subset of the document dimension. For example, a country, a company, a department, etc. have a series of related data which have practical meanings of business and need to be subjected to data authority control.
In this embodiment, the document is an independent service data set abstracted according to a service scene, and the document dimension is an optional data set abstraction of the service scene corresponding to the document.
Specifically, the document is an abstraction of a business scenario, and is an independent business data set abstracted based on understanding of the business scenario. A document may contain multiple document dimensions that are abstractions of alternative data sets for the business scenario to which the document corresponds.
Specifically, when a business entity is created, all data sets that need to control data rights are involved. For example, the purchase order includes a series of related data of a country, a company, and the like, and the data needs to be controlled by data authority, at this time, a document may be defined for the purchase order, and corresponding country and company dimensions with perfect definitions may be associated, and then, the data authority may be directly controlled according to the document.
In this embodiment, the authentication entity includes a role and a sub-account, and the role is a basic element abstracted based on entity responsibility;
distributing and defining documents and dimension data owned by the roles according to the meaning of entity responsibility;
after the sub-account is allocated with the role, the sub-account has entity responsibilities and data permissions possessed by the role.
Specifically, the role is a part belonging to the authentication entity, and based on basic elements abstracted from entity roles, documents owned by the role and data ranges operable on the documents can be assigned and defined based on the meaning of the entity roles, and the role can be assigned to a sub-account, wherein the sub-account has roles and data rights possessed by the role after assigning the role.
In this embodiment, when the sub-account operates the service data, the data authority is checked, and whether the authentication entity has the operation authority of the service data to be operated is determined.
Specifically, the sub-account belongs to the main body of the authentication entity, the definition of all the permissions finally falls into the sub-account, and when the sub-account operates the related data, the data permission is checked to judge whether the authentication entity has the permission of the data operation, so that the purpose of defining the data permission to control the operation permission of the system data is achieved.
In this embodiment, the document dimensions define a data range, and the dimension data is an operable data range of a specific business entity in the corresponding document dimensions. That is, the document dimension defines data owned in a business scenario, and the dimension data is a data range in which the authentication entity can operate in the business scenario.
Specifically, an operable data range of the authentication entity in a corresponding document dimension is defined, the operable data range is defined from multiple dimensions, and table 1 describes each dimension of the configurable data and the priority of each dimension.
Figure BDA0003343016530000081
TABLE 1 authentication entity dimension priority
In the embodiment, the document dimensionality corresponding to the interface field is configured, and the corresponding interface field is associated with the document dimensionality, so that the data range of the interface field is determined, and the interface needs to determine a specific data type, so that the same authentication entity can specifically distinguish the operation authority types of the same data, the granularity of data authority control is further reduced, and the functionality of data authority is enhanced. If the interface adopts RESTFUL architectural style, a unified comparison specification of the system can be used, and the association relationship is shown in
Table 2.
Interface request mode GET POST PUT DELETE
Dimension data type Q (Inquiry) A (newly-increased) M (amendment) D (delete)
TABLE 2 comparison table of interface request mode and dimension data type
In this embodiment, the valid modes of the document on the authentication entity include a black list and a white list;
in the blacklist validation mode, the access of the authentication entity is limited by maintaining the bill authority;
and allowing the authentication entity to access by maintaining the bill authority in the white list validation mode.
Specifically, the document dimension definition, the document definition, the dimension data definition, the interface field, and the document dimension are associated with basic configuration information, and the authority is assigned to the corresponding authentication entity during the operation process, so that the basic configuration information will take effect on the authentication entity, thereby controlling the operable data range of the authentication entity, there are two effective modes of the document on the authentication entity, and table 3 details the meanings of the two effective modes.
Black list The authenticating entity requires maintaining document rights to restrict access
White list The authenticating entity needs to maintain document rights to allow access
TABLE 3 document validation
In this embodiment, whether the data submitted by the entity can be operated under the interface is checked and confirmed by determining the document dimension associated with the corresponding field in the interface and the authority range owned by the authentication entity.
Specifically, an interface (API) is an entry of an operating system of the authentication entity, and by determining a document dimension associated with a corresponding field in the interface and an authority range possessed by the authentication entity, it is verified whether the authentication entity can operate submitted data under the interface, and finally, the data authority is controlled by controlling the data operable by the authentication entity.
In the embodiment, the gateway judges the authority according to the interface authority setting and the data authority of the authentication entity, and releases or prevents the authentication entity from operating and accessing the interface;
and the gateway acquires the latest configuration information in real time and dynamically controls the data authority range of the authentication entity.
Specifically, the gateway is used as an entrance of the system, the gateway can perform permission judgment according to the interface permission setting and the data permission of the authentication entity, prevent an illegal user and check an operable data range of the authentication entity, and finally decide whether to release the current request or block the current request, and if the current request is blocked, the gateway can return a specific reason and a processing mode for blocking the request.
In summary, the present invention separates the configuration and processing flow of the operable data range of the authentication entity, encapsulates the flow of the operable data range, defines the document authority engine, and can apply the determination result of the document authority engine to different scenes, thereby applying the determination result of the document authority engine to the interface data authority. The invention separates the data classification and structure of the bottom layer from the service scene, the service expert and the technical personnel of the core analyze and split the service, the bill dimension and the bill are defined according to the service scene, the service personnel only need to distribute the bill authority according to the definition of the bill, the bottom layer details are isolated, and only need to think about the system flow and distribute the authority according to the bill definition and the service scene. The invention can create corresponding roles according to the definition of the responsibility of the service scene, distribute the data authority to the roles created according to the responsibility category, and then distribute the roles to the authentication entity main body (such as a sub-account), thereby aggregating the service logic and reducing the complexity of distributing the authority, and distributing the authority according to the responsibility rather than distributing the authority according to the authority range which can be owned by the authentication entity. According to the invention, more-dimensional authority control and priority control of each dimension are realized, the dimension data configuration of sub-account + role + menu, sub-account + role, sub-account + menu, sub-account + default, role + menu and role + default is increased, and different data authority ranges of the same authentication entity under different scenes can be accurately controlled. The granularity controlled by the data authority of the invention is finer, the types of the operation data are divided into ADMQ according to the characteristics of the operation data, and the operation which can be carried out on the data by the authentication entity is specifically distributed according to the definitions of the authentication entity and the service scene, so that the data authority is controlled by finer granularity. The gateway of the invention acquires the latest configuration information in real time, thereby dynamically controlling the data authority range of the authentication entity.
Example 2
Referring to fig. 3, embodiment 2 of the present invention further provides an interface data authority control system based on dynamic configuration, including:
the document dimension definition module 1 is used for classifying and integrating data needing authority control according to the splitting of the business scene and the attribute of the business data, and taking the classified and integrated data needing authority control as document dimensions;
the receipt definition module 2 is used for taking a basic unit for uniformly controlling the business data as a receipt according to the needs of the business scene and the correlation of business terms, and then integrating the receipt dimensionality related to the business scene;
the dimension data definition module 3 is used for taking an operable data range of the authentication entity in the corresponding document dimension as dimension data;
the association module 4 is used for configuring document dimensions corresponding to the interface fields, associating the interface fields with the document dimensions, and determining the data range of the interface fields and the data types of the interfaces;
and the authority distribution module 5 is used for distributing the bill to the corresponding authentication entity, enabling the bill dimension, the bill, the dimension data, the interface field and the bill dimension to be associated on the authentication entity to be effective, and controlling the operable data range of the authentication entity.
In the embodiment, the document dimension is data abstraction which has actual business meaning and needs to be subjected to data authority control;
the document dimension describes a set of data, and the operable data range of the authentication entity is a subset of the document dimension;
the document is an independent business data set abstracted according to the business scene, and the document dimension is an optional data set abstraction of the business scene corresponding to the document.
In this embodiment, the authentication entity includes a role and a sub-account, and the role is a basic element abstracted based on entity responsibility;
distributing and defining documents and dimension data owned by the roles according to the meaning of entity responsibility;
after the sub-account is allocated with the role, the sub-account has entity responsibilities and data permissions possessed by the role.
In this embodiment, in the right assignment module 5, the valid modes of the document on the authentication entity include a black list and a white list;
in the blacklist validation mode, the access of the authentication entity is limited by maintaining the bill authority;
and allowing the authentication entity to access by maintaining the bill authority in the white list validation mode.
In this embodiment, the authentication system further includes an operation authority determining module 6, configured to verify a data authority when the sub-account operates the service data, and determine whether the authentication entity has an operation authority of the service data to be operated;
verifying whether the certification authority can operate submitted data under the interface or not by determining document dimensions associated with corresponding fields in the interface and an authority range owned by the certification entity;
the gateway judges the authority according to the interface authority setting and the data authority of the authentication entity, and releases or prevents the authentication entity from operating and accessing the interface;
and the gateway acquires the latest configuration information in real time and dynamically controls the data authority range of the authentication entity.
It should be noted that, for the information interaction, execution process, and other contents between the modules/units of the system, since the same concept is based on the method embodiment in embodiment 1 of the present application, the technical effect brought by the information interaction, execution process, and other contents are the same as those of the method embodiment of the present application, and specific contents may refer to the description in the foregoing method embodiment of the present application, and are not described herein again.
Example 3
Embodiment 3 of the present invention provides a non-transitory computer-readable storage medium, where a program code of an interface data permission control method based on dynamic configuration is stored in the computer-readable storage medium, where the program code includes instructions for executing the interface data permission control method based on dynamic configuration in embodiment 1 or any possible implementation manner thereof.
The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Example 4
An embodiment 4 of the present invention provides an electronic device, including: a memory and a processor;
the processor and the memory are communicated with each other through a bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the interface data permission control method based on dynamic configuration of embodiment 1 or any possible implementation manner thereof.
Specifically, the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated in the processor, located external to the processor, or stand-alone.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.).
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.

Claims (10)

1. The interface data authority control method based on dynamic configuration is characterized by comprising the following steps:
document dimension definition: classifying and integrating data needing authority control according to the splitting of the service scene and the attribute of the service data, and taking the classified and integrated data needing authority control as document dimensionality;
document definition: according to the needs of the business scene and the correlation of business terms, a basic unit for uniformly controlling business data is used as a receipt, and then the receipt dimensionalities related to the business scene are integrated;
the dimension data defines: taking the operable data range of the authentication entity in the corresponding document dimension as dimension data;
interface fields and document dimensions association: configuring document dimensionality corresponding to an interface field, associating the interface field with the document dimensionality, and determining a data range of the interface field and a data type of an interface;
and (3) authentication entity document authority distribution: and distributing the bill to a corresponding authentication entity, enabling the bill dimension, the bill, the dimension data, the interface field and the bill dimension association to take effect on the authentication entity, and controlling the operable data range of the authentication entity.
2. The interface data authority control method based on dynamic configuration according to claim 1, wherein the document dimension is data abstraction which has actual business meaning and needs data authority control;
the document dimension describes a set of data, and the operable data range of the authentication entity is a subset of the document dimension.
3. The interface data authority control method based on dynamic configuration according to claim 2, wherein the document is an independent service data set abstracted according to a service scene, and the document dimension is an optional data set abstraction of the service scene corresponding to the document.
4. The dynamic configuration-based interface data permission control method according to claim 1, wherein the authentication entity comprises a role and a sub-account, the role is a basic element abstracted based on entity responsibility;
distributing and defining documents and dimension data owned by the roles according to the meaning of entity responsibility;
after the sub-account is allocated with the role, the sub-account has entity responsibilities and data permissions possessed by the role.
5. The method as claimed in claim 4, wherein the data authority is checked when the sub-account operates the service data, and whether the authentication entity has the operation authority of the service data to be operated is determined.
6. The dynamic configuration-based interface data permission control method of claim 1, wherein the manner in which the document is validated on an authentication entity comprises a black list and a white list;
in the blacklist validation mode, the access of the authentication entity is limited by maintaining the bill authority;
and allowing the authentication entity to access by maintaining the bill authority in the white list validation mode.
7. The method for controlling interface data authority based on dynamic configuration of claim 1, wherein the validation entity is verified whether the submitted data can be operated under the interface by determining the document dimension associated with the corresponding field in the interface and the authority range owned by the authentication entity.
8. The interface data authority control method based on dynamic configuration as claimed in claim 7, wherein the gateway makes authority judgment according to the interface authority setting and the data authority possessed by the authentication entity, and releases or prevents the authentication entity from operating and accessing the interface;
and the gateway acquires the latest configuration information in real time and dynamically controls the data authority range of the authentication entity.
9. The interface data authority control system based on dynamic configuration is characterized by comprising:
the document dimension defining module is used for classifying and integrating data needing authority control according to the splitting of the service scene and the attribute of the service data, and taking the classified and integrated data needing authority control as document dimensions;
the receipt definition module is used for taking a basic unit for uniformly controlling the business data as a receipt according to the needs of the business scene and the correlation of business terms, and then integrating the receipt dimensionality related to the business scene;
the dimension data definition module is used for taking the operable data range of the authentication entity in the corresponding document dimension as dimension data;
the correlation module is used for configuring the bill dimension corresponding to the interface field, correlating the interface field with the bill dimension, and determining the data range of the interface field and the data type of the interface;
and the authority distribution module is used for distributing the bill to the corresponding authentication entity, enabling the bill dimension, the bill, the dimension data, the interface field and the bill dimension to be associated on the authentication entity to take effect, and controlling the operable data range of the authentication entity.
10. The system of claim 9, wherein the document dimension is a data abstraction having a business-specific meaning and requiring data rights control;
the document dimension describes a set of data, and the operable data range of the authentication entity is a subset of the document dimension;
the receipt is an independent business data set abstracted according to the business scene, and the receipt dimension is an optional data set abstraction of the business scene corresponding to the receipt;
the authentication entity comprises a role and a sub-account, wherein the role is a basic element abstracted based on entity responsibility;
distributing and defining documents and dimension data owned by the roles according to the meaning of entity responsibility;
after the sub-account is allocated with the role, the sub-account has entity responsibility and data permission which the role has;
in the authority distribution module, the effective mode of the document on the authentication entity comprises a blacklist and a white list;
in the blacklist validation mode, the access of the authentication entity is limited by maintaining the bill authority;
in the white list effective mode, the access of the authentication entity is allowed by maintaining the bill authority;
the authentication entity is used for verifying the data authority when the sub-account operates the service data, and judging whether the authentication entity has the operation authority of the service data to be operated;
verifying whether the certification authority can operate submitted data under the interface or not by determining document dimensions associated with corresponding fields in the interface and an authority range owned by the certification entity;
the gateway judges the authority according to the interface authority setting and the data authority of the authentication entity, and releases or prevents the authentication entity from operating and accessing the interface;
and the gateway acquires the latest configuration information in real time and dynamically controls the data authority range of the authentication entity.
CN202111313987.9A 2021-11-08 2021-11-08 Interface data authority control method and system based on dynamic configuration Pending CN114036540A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111313987.9A CN114036540A (en) 2021-11-08 2021-11-08 Interface data authority control method and system based on dynamic configuration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111313987.9A CN114036540A (en) 2021-11-08 2021-11-08 Interface data authority control method and system based on dynamic configuration

Publications (1)

Publication Number Publication Date
CN114036540A true CN114036540A (en) 2022-02-11

Family

ID=80143384

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111313987.9A Pending CN114036540A (en) 2021-11-08 2021-11-08 Interface data authority control method and system based on dynamic configuration

Country Status (1)

Country Link
CN (1) CN114036540A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116821867A (en) * 2023-08-29 2023-09-29 美云智数科技有限公司 Recovery management method, device, equipment and storage medium of authority authorization data

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116821867A (en) * 2023-08-29 2023-09-29 美云智数科技有限公司 Recovery management method, device, equipment and storage medium of authority authorization data
CN116821867B (en) * 2023-08-29 2023-12-29 美云智数科技有限公司 Recovery management method, device, equipment and storage medium of authority authorization data

Similar Documents

Publication Publication Date Title
US11368403B2 (en) Access management tags
US11204983B2 (en) Scoring cloud packages for risk assessment automation
US10432642B2 (en) Secure data corridors for data feeds
CN102571815B (en) A kind of method of e-procurement privately owned cloud integrating ERP authenticating user identification
CN107465687B (en) Method, device and terminal for realizing permission configuration
US20040088563A1 (en) Computer access authorization
CN111062028A (en) Authority management method and device, storage medium and electronic equipment
CN110727930B (en) Authority control method and device
CN111651738A (en) Fine-grained role authority unified management method based on front-end and back-end separation framework and electronic device
CN112651000A (en) Permission configuration integrated system for modular plug-in development
CN114036540A (en) Interface data authority control method and system based on dynamic configuration
US11146560B1 (en) Distributed governance of computing resources
CN114417278A (en) Interface unified management system and platform interface management system
CN114138849A (en) Multi-tenant data authority control method and device, computer and readable storage medium
CN112464215A (en) Identity authentication and control method for enterprise service system
CN112948866A (en) Data processing method, device and equipment and readable storage medium
CN110704196B (en) Resource data transfer method, device and block chain system
CN110717818A (en) Method, device and storage medium for managing credit data based on big data
US10432641B2 (en) Secure data corridors
US11494479B2 (en) Authenticated component permissions framework
CN113220762A (en) Method, device, processor and storage medium for realizing general record processing of key service field change in big data application
CN112789596A (en) Processing method and device for task processing request and block chain node equipment
WO2024120316A1 (en) System operation permission method and apparatus, and computer device and storage medium
CN113765925B (en) Improved method based on OSAC and PERM access control model
CN117807619B (en) Uniform authority control method for unstructured data and structured data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination