CN114244598A - Intranet data access control method, device, equipment and storage medium - Google Patents


Info

Publication number: CN114244598A
Application number: CN202111529823.XA
Authority: CN (China)
Prior art keywords: user, access, intranet data, data access, information
Legal status: granted, active
Other languages: Chinese (zh)
Other versions: CN114244598B (en)
Inventors: 刘丁源, 张洋, 李睿, 寿雯洁, 刘涛, 段成辉, 张�杰
Current assignee: Zhejiang Taimei Medical Technology Co Ltd
Original assignee: Zhejiang Taimei Medical Technology Co Ltd
Events: application filed by Zhejiang Taimei Medical Technology Co Ltd; priority to CN202111529823.XA; publication of CN114244598A; application granted; publication of CN114244598B

Classifications

    • H04L 63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    (Hierarchy: H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/08 the same, for authentication of entities)


Abstract

Embodiments of this specification disclose an intranet data access control method, apparatus, device and storage medium. The scheme comprises: receiving, from a network device in an extranet, a first intranet data access request sent by a first user, the request carrying at least the first user's first identification information and first access range information; judging whether the request meets a first preset condition and obtaining a first judgment result, where the first preset condition is that the first identification information exists in a pre-stored list of pre-authorized user identification information and that the first access range information is consistent with the access range authorization information generated in advance for the first user; and, if the first judgment result indicates that the condition is met, opening extranet access for the first user to the intranet data within the access range corresponding to the first access range information.

Description

Intranet data access control method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for controlling access to intranet data.
Background
With the rapid development of internet technology, enterprises increasingly run their business over the internet. Internet technology is a double-edged sword, however: it brings convenience but also creates hidden risks to data security.
One prior-art approach to this problem is hardware-based: network security equipment such as a firewall is deployed to build an isolation barrier between the intranet and the extranet. This approach requires a large initial investment and has high maintenance costs later on. Another approach is software-based, using a Virtual Private Network (VPN). However, a VPN places the remote user inside the intranet's network boundary, which is equivalent to exposing intranet data directly to the extranet, and carries a data security risk.
It is therefore necessary to provide a data access control method that ensures data security at low cost.
Disclosure of Invention
Embodiments of the present specification provide an intranet data access control method, an intranet data access control apparatus, an intranet data access control device, and a storage medium, so as to provide a data access control method that can ensure data security and is low in cost.
In order to solve the above technical problem, the embodiments of the present specification are implemented as follows:
an intranet data access control method provided in an embodiment of the present specification includes:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result shows that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
An intranet data access control device provided in an embodiment of the present specification includes:
a first intranet data access request receiving module, configured to receive, in an extranet, a first intranet data access request sent by a first user through a network device, where the first intranet data access request carries at least first identification information and first access range information of the first user;
the authentication module is used for judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and the authorization module is used for opening the external network access authority of the first user to the internal network data in the access range corresponding to the first access range information if the first judgment result shows that the first internal network data access request meets the first preset condition.
An intranet data access control device provided in an embodiment of the present specification includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result shows that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
Embodiments of the present specification provide a computer readable medium, on which computer readable instructions are stored, where the computer readable instructions are executable by a processor to implement an intranet data access control method.
One embodiment of the present description achieves the following advantageous effects:
in the technical scheme above, the data access request initiated by a user is authenticated; only after authentication passes does the user hold the authority to actually access intranet data, and then only the intranet data within the authorized access range. The user's need to access intranet data is thus met, while the security of the remaining intranet data of the enterprise, outside that access range, is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a schematic view of an application scenario of an intranet data access control method provided in an embodiment of the present specification;
fig. 2 is a flowchart of an intranet data access control method provided in an embodiment of the present specification;
fig. 3 is a schematic interface diagram of a user inputting access request information in an intranet data access control method according to an embodiment of the present specification;
fig. 4 is a schematic interface diagram illustrating an enterprise determining whether to approve an access request in the intranet data access control method according to the embodiment of the present disclosure;
fig. 5 is a thumbnail information diagram of a user accessing intranet data within a certain time period in a method for controlling access to intranet data according to an embodiment of the present disclosure;
fig. 6 is a schematic diagram of an intranet data access control device according to an embodiment of the present disclosure;
fig. 7 is a schematic diagram of an intranet data access control device according to an embodiment of the present specification.
Detailed Description
To make the objects, technical solutions and advantages of one or more embodiments of the present disclosure more apparent, the technical solutions of one or more embodiments of the present disclosure will be described in detail and completely with reference to the specific embodiments of the present disclosure and the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present specification, and not all embodiments. All other embodiments that can be derived by a person skilled in the art from the embodiments given herein without making any creative effort fall within the scope of protection of one or more embodiments of the present specification.
In the prior art, when an enterprise runs its business over the internet, a user sometimes needs to access the enterprise's intranet data. To protect the security of that data, one prior-art approach is hardware-based: network security equipment such as a firewall is deployed to build an isolation barrier between the enterprise's intranet and the extranet, but this approach requires a large initial investment and has high maintenance costs later on.
Another approach is software-based, using a Virtual Private Network (VPN). However, a VPN places the external user inside the intranet's network boundary, which is equivalent to exposing intranet data directly to the extranet; an external user may then change data in the intranet, creating a security risk to the intranet data.
It is therefore necessary to provide an intranet data access control method that ensures data security at low cost.
In order to solve the defects in the prior art, the scheme provides the following embodiments.
Fig. 1 is a schematic view of an overall application scenario of an intranet data access control method in an embodiment of this specification, and the overall application scenario of the intranet data access control method in the embodiment of this specification is described below with reference to fig. 1. In the technical scheme of this embodiment, the first user sends an authentication request to the enterprise server based on the user terminal, and requests the enterprise server to verify the authentication request, so as to access some data in the enterprise intranet. After the authentication request passes, the first user is granted the authority to actually access some data in the enterprise intranet, so that the first user can obtain intranet data from the enterprise database.
In order to explain the technical solution of the present invention in detail, the present solution provides the following embodiments, and it should be firstly explained that relational terms such as "first" and "second" and the like are only used to distinguish one entity or operation from another entity or operation in the present document, and do not necessarily require or imply any actual relation or precedence between the entities or operations.
Fig. 2 is a schematic flowchart of an overall scheme of an intranet data access control method in an embodiment of the present specification. As shown in fig. 2, from the viewpoint of a program, the execution subject of the flow may be a program installed in an application server or an application client.
As shown in fig. 2, the process may include the following steps:
step S202: receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user.
In this embodiment, the first user is a user who needs to access the enterprise's internal data; it may be an individual user or an enterprise user. For example, a medical enterprise A holds a large amount of data on clinical drug trials, which it stores in its internal database organised by data category or by the project the data belong to, and a cooperating entity such as a hospital B needs, for its own purposes, to access the data of a particular project owned by enterprise A.
The first identification information may be identification information identifying the identity of the first user, such as a personal identification number of the first user if the first user is a personal user, or a unified social credit code of the first user if the first user is a legal person or other organization.
The first access range information describes the access attributes of the first user with respect to the enterprise's internal data, because an enterprise generally does not open its internal data to the first user or other users without limit. The first access range information therefore indicates which of the enterprise's data the first user needs to access, and may additionally indicate the access duration or access time period of that data. Continuing the example, if the first user is hospital B and it wants to access the drug trial data of "xxx drug clinical trial phase xx" owned by the enterprise during the period from "xx minutes xx seconds at xx month xx day xx" to "xxx minutes xxx at xxx month xxx day xxx" in year xxx, the first access range information describes the project attribute of that trial data and the access time attribute of that period.
Step S204: judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user.
In this step, the first preset condition is used to authenticate the data access request of the first user, that is, to verify whether the first user has the authority to actually access the intranet data.
The pre-stored list of pre-authorized user identification information is built at an earlier stage: a user who wants to access the enterprise's intranet data first submits its user identification information together with application materials describing the intranet data it wants to access. The enterprise decides on the basis of those materials whether to grant the access request; if it does, the correspondence between the user identification information and the access range authorization information contained in the application materials is stored in advance.
Only that correspondence between user identification information and access range authorization information needs to be stored in advance; this embodiment does not restrict how it is stored. Other users besides the first user may want to access the enterprise's intranet data for their own needs, and in that case all pre-authorized user identification information and its corresponding authorization information may be stored centrally in the form of a list.
Step S206: and if the first judgment result shows that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
It should be understood that the order of some steps in the method described in one or more embodiments of the present disclosure may be interchanged according to actual needs, or some steps may be omitted or deleted.
With this scheme the data access request initiated by a user is authenticated, and only after authentication passes does the user actually hold the authority to access intranet data, restricted to the intranet data within the authorized access range. The user's need to access intranet data is met, and the security of the enterprise's remaining intranet data outside that access range is ensured.
Based on the method of fig. 2, the present specification also provides some specific embodiments of the method, which are described below.
In the technical solution of an optional embodiment, the first intranet data access request further carries what the specification calls a message digest: the value obtained by digitally signing, with the first user's private key, the combined content of the first identification information and the first access range information. A digital signature (also called a public key digital signature) is a string that only the sender of the information can produce and that others cannot forge, and it is a valid proof of the authenticity of the information the sender sent. In this embodiment the first preset condition is therefore that the first identification information exists in the pre-stored list of pre-authorized user identification information, that the signature on the message digest verifies under the first user's public key, and that the first access range information is consistent with the access range authorization information generated in advance for the first user. Since, in theory, only the first user holds its own private key, the request includes the signature over the combined identification and access range information; if that signature later verifies under the first user's public key, the requester can be determined to be the genuine first user. This prevents an illegitimate user from impersonating the first user and initiating an access request for the enterprise's intranet data under the first user's identity.
In an optional embodiment, the first identification information includes a first business name of the first user and a first uniform social credit code corresponding to the first business name.
In this step the identity of the first user is identified specifically by the first business name of the first user and the first unified social credit code corresponding to it. The unified social credit code can be understood as a nationwide unified "identity card number" for legal persons and other organisations. The standard specifies that it consists of 18 characters, each an Arabic numeral or a capital Latin letter: a 1-character registration authority code, a 1-character entity category code, a 6-character administrative division code of the registering authority, a 9-character entity identifier and a 1-character check character.
As stated above, the first user may be an individual user or an enterprise user; the enterprise user is taken as the example here. If the first user is an individual, identification information of an individual nature has to be submitted instead, such as the individual's name and identity document number (which may also be a driving licence number or a passport number).
In an optional embodiment, the first access range information includes a name of a first item to be accessed and a first duration to be accessed for the first item to be accessed. The first time duration to be accessed is used for representing the time length to be accessed of the first user to the related data in the first item to be accessed.
Steps S202 to S206 state that, at the stage of actually accessing data, the first user must submit its identification information and the access range information of the data, and that after authentication passes it may actually access the data within that access range. Before this, the first user has to submit audit materials and apply for the right to access the data it wants, which can be understood as a legitimate right of request: at the earlier stage the first user applies for the authority to actually access the data within the access range. This is explained below.
In the technical solution of an optional embodiment, before the first intranet data access request sent by the first user through the network device in the extranet is received, the method includes:
receiving a second intranet data access request of the first user, the second intranet data access request carrying the first user's second identification information and second access range information. As shown in fig. 3, the first user may submit in advance the name of the project to which the data to be accessed belongs, the access time period of that data, the first user's business name and its unified social credit code. As shown in fig. 4, on receiving this information, enterprise staff can decide whether to grant the data access request.
In an optional embodiment, the second identification information includes a second business name of the first user and a second unified social credit code corresponding to it; the second access range information includes the name of a second item to be accessed and a second duration to be accessed for that item.
In the technical solution of the optional embodiment, after receiving the second intranet data access request of the first user, the method includes:
judging whether the second intranet data access request meets a second preset condition or not based on the second identification information and the second access range information to obtain a second judgment result;
the second preset condition specifically includes that the first user has a to-be-accessed right to the data in the access range corresponding to the second access range information according to a preset authorization rule;
and if the second judgment result shows that the second intranet data access request meets the second preset condition, storing the second identification information and the second access range information of the first user in the pre-authorized user identification information list.
In this step the enterprise audits, on the basis of the audit materials the first user submitted when applying for the authority to actually access the data, whether to grant the request according to the second preset condition. The second preset condition is determined by actual circumstances: for example, an enterprise may open data of different levels according to the nature of the user, and may open only data within a certain range that it owns, while data beyond that range is not opened even if an external user needs it.
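As an added worked example, not part of the patent or the assignee's code, the following Go program puts steps S202 to S206, the signed-request embodiment and the pre-approval (second request) rule together in one flow. Everything concrete in it is an assumption: the signature scheme (Ed25519; the specification names none), the way the "combined content" is built before signing (length-prefixed fields), that the user's public key is registered together with the pre-approval, that the list is keyed by unified social credit code, and the constructed names, codes, project and dates. The length prefix is the practical caveat: if identification and range were merely concatenated before signing, two different (name, code) pairs could produce identical bytes and share one valid signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// AccessRange is the access range information: project plus time window.
type AccessRange struct {
	Project    string
	Start, End time.Time
}

// Authorization is one entry of the pre-authorized user identification list. The public
// key is assumed to be registered with the pre-approval request (the patent does not say).
type Authorization struct {
	BusinessName, CreditCode string
	Range                    AccessRange
	PubKey                   ed25519.PublicKey
}

// AccessRequest is the first intranet data access request. Sig is what the patent calls
// the message digest: the user's signature over identification and access range.
type AccessRequest struct {
	BusinessName, CreditCode string
	Range                    AccessRange
	Sig                      []byte
}

// PreAuthorizedList is keyed by unified social credit code (an assumption).
type PreAuthorizedList map[string]Authorization

// PreAuthorize handles the second (pre-approval) request: rule is the enterprise's
// second preset condition; on approval identity, range and key are stored.
func PreAuthorize(list PreAuthorizedList, rule func(Authorization) bool, a Authorization) error {
	if !rule(a) {
		return errors.New("pre-approval refused by the enterprise's authorization rule")
	}
	list[a.CreditCode] = a
	return nil
}

// canonical builds the "combined content" that is signed. Fields are length-prefixed so
// that ("AB","C") and ("A","BC") give different bytes; plain concatenation would not.
func canonical(name, code string, r AccessRange) []byte {
	var b bytes.Buffer
	for _, f := range []string{name, code, r.Project,
		r.Start.UTC().Format(time.RFC3339), r.End.UTC().Format(time.RFC3339)} {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.WriteString(f)
	}
	return b.Bytes()
}

// SignRequest is the client side: the user signs with its own private key.
func SignRequest(priv ed25519.PrivateKey, name, code string, r AccessRange) AccessRequest {
	return AccessRequest{name, code, r, ed25519.Sign(priv, canonical(name, code, r))}
}

// Authenticate applies the first preset condition: identity in the list, signature valid
// under the registered key, requested range equal to the approved one. It returns the
// stored range, so what is opened never depends on what the request claimed.
func Authenticate(list PreAuthorizedList, req AccessRequest) (AccessRange, error) {
	auth, ok := list[req.CreditCode]
	if !ok || auth.BusinessName != req.BusinessName {
		return AccessRange{}, errors.New("identification not in pre-authorized list")
	}
	if !ed25519.Verify(auth.PubKey, canonical(req.BusinessName, req.CreditCode, req.Range), req.Sig) {
		return AccessRange{}, errors.New("signature verification failed")
	}
	if req.Range.Project != auth.Range.Project ||
		!req.Range.Start.Equal(auth.Range.Start) || !req.Range.End.Equal(auth.Range.End) {
		return AccessRange{}, errors.New("access range differs from authorization")
	}
	return auth.Range, nil
}

// DemoKeys derives a key pair from a fixed seed for reproducibility; real clients use crypto/rand.
func DemoKeys(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys(0x42)   // the genuine first user
	_, impostor := DemoKeys(0x99) // knows the user's name and code, not its key
	window := AccessRange{"Drug X clinical trial, phase II", // constructed sample data
		time.Date(2022, 1, 10, 0, 0, 0, 0, time.UTC), time.Date(2022, 1, 20, 0, 0, 0, 0, time.UTC)}
	list := PreAuthorizedList{}
	rule := func(a Authorization) bool { return a.Range.End.Sub(a.Range.Start) <= 30*24*time.Hour }
	fmt.Println("pre-approval:", PreAuthorize(list, rule, Authorization{"Hospital B", "CODE-B-0001", window, pub}))
	_, err := Authenticate(list, SignRequest(priv, "Hospital B", "CODE-B-0001", window))
	fmt.Println("genuine request:", err)
	_, err = Authenticate(list, SignRequest(impostor, "Hospital B", "CODE-B-0001", window))
	fmt.Println("impersonation:", err)
}
```

Authenticate checks the list before the signature so an unknown identity never reaches the cryptographic step, and it compares the requested window field by field against the stored one, so a request that is correctly signed by the genuine key but asks for a longer window or another project is still refused.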
In the technical solution of an optional embodiment, after the first user's extranet access authority to the intranet data within the access range corresponding to the first access range information is opened, the method includes: copying the intranet data within that access range into an independent database in the intranet, and directing the first intranet data access request to the independent database.
To further ensure the security of the data in the enterprise intranet, after the first user's access authority to the data within the access range is opened, that data is copied into an independent database in the intranet and at the same time the first intranet data access request is directed to the independent database; this amounts to "copy during access" and "access the copied data". Thereafter the first user accesses the in-range data through the independent database, which physically isolates the first user from all intranet data other than the data within the access range: the user can only reach the in-range data held in the independent database. On the one hand this meets the first user's need to access the in-range intranet data; on the other hand it ensures the security of the rest of the enterprise's intranet data. And even if the in-range data in the independent database is damaged by an improper operation of the first user, the original data it was copied from is unaffected, which further guarantees the security of the enterprise's intranet data.
In the technical solution of an optional embodiment, after the data access corresponding to the first intranet data access request has ended, the intranet data within the access range corresponding to the first access range information that is stored in the independent database is deleted.
Deleting the in-range data from the independent database promptly after the first user has finished accessing it reduces the disk space the independent database occupies and improves the utilisation of disk storage.
In the technical solution of an optional embodiment, the first user's actual access time to the intranet data within the access range is monitored in real time. The first user is reminded when the actual access time approaches the access duration in the access range authorization information generated in advance for the first user, and the data connection between the first user and the intranet is cut off when the actual access time reaches that access duration. After the first user finishes its data access, it is charged according to the access duration in the access range authorization information or the actual access duration, and statistics are compiled on which intranet data within the access range the first user actually accessed.
In the technical solution of an optional embodiment, because several users may access the intranet data, a time period can be set, and at its end statistics compiled on which users accessed the intranet data, in which time period, and which of the enterprise's projects the data they accessed belongs to. After several such periods, statistical analysis can be run on these records, for example to find which of the enterprise's projects has the highest frequency of intranet data access, and the enterprise's pricing strategy for selling access authority to its intranet data can be adjusted on that basis. For example, as shown in fig. 5, information on the users who accessed intranet data during a certain period may be counted, exported and statistically analysed.
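The copy-during-access isolation, the deletion of the copy when access ends, and the deadline reminder and cut-off described above, as an added example in Go that is not the patent's or the assignee's code. The in-memory Store stands in for both the master database and the independent database; the records, project names, times and reminder lead time are constructed for the demo; and because the specification does not say what "close to" the access duration means or how the reminder is delivered, a fixed lead time before the deadline is assumed and reported as a flag.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Record is one row of intranet data; Project is the attribute the access range uses.
type Record struct {
	ID               int
	Project, Payload string
}

type Store struct{ rows map[int]Record } // stands in for a database table

func NewStore() *Store                     { return &Store{rows: map[int]Record{}} }
func (s *Store) Put(r Record)              { s.rows[r.ID] = r }
func (s *Store) Get(id int) (Record, bool) { r, ok := s.rows[id]; return r, ok }

// Session is one opened extranet access: an independent copy of the in-range rows,
// the deadline from the access range authorization, and a reminder lead time
// (assumed; the patent only says the user is reminded when "close to" the limit).
type Session struct {
	Deadline time.Time
	Remind   time.Duration
	copy     *Store
	open     bool
}

// OpenSession implements "copy during access": only rows whose project matches the
// approved range are copied into an independent store, which all later operations use.
func OpenSession(master *Store, project string, deadline time.Time, remind time.Duration) *Session {
	c := NewStore()
	for _, r := range master.rows {
		if r.Project == project {
			c.Put(r)
		}
	}
	return &Session{deadline, remind, c, true}
}

// lookup enforces session state, the authorized duration (reaching the deadline
// closes the session, i.e. cuts the connection) and the access range.
func (s *Session) lookup(now time.Time, id int) (Record, error) {
	if !s.open {
		return Record{}, errors.New("session closed")
	}
	if !now.Before(s.Deadline) {
		s.Close()
		return Record{}, errors.New("authorized access duration reached; connection cut")
	}
	r, ok := s.copy.Get(id)
	if !ok {
		return Record{}, errors.New("record outside authorized access range")
	}
	return r, nil
}

// Read serves a record from the copy; remind is true once the deadline is within the lead time.
func (s *Session) Read(now time.Time, id int) (Record, bool, error) {
	r, err := s.lookup(now, id)
	return r, err == nil && s.Deadline.Sub(now) <= s.Remind, err
}

// Modify writes to the copy only: a damaging operation by the external user cannot
// reach the original data.
func (s *Session) Modify(now time.Time, id int, payload string) error {
	r, err := s.lookup(now, id)
	if err != nil {
		return err
	}
	r.Payload = payload
	s.copy.Put(r)
	return nil
}

// Close deletes the copied data, releasing the independent database's space.
func (s *Session) Close() { s.copy = NewStore(); s.open = false }

// CopiedRows reports how many rows the independent copy still holds.
func (s *Session) CopiedRows() int { return len(s.copy.rows) }

func main() {
	master := NewStore() // constructed sample data
	for _, r := range []Record{{1, "Trial-A", "dose 5mg"}, {2, "Trial-A", "dose 10mg"}, {3, "Trial-B", "placebo"}} {
		master.Put(r)
	}
	start := time.Date(2022, 1, 10, 9, 0, 0, 0, time.UTC)
	sess := OpenSession(master, "Trial-A", start.Add(2*time.Hour), 15*time.Minute)
	_, _, err := sess.Read(start, 3) // Trial-B row was never copied
	fmt.Println("out of range:", err)
	_ = sess.Modify(start, 1, "dose 50mg")
	orig, _ := master.Get(1)
	fmt.Println("master still holds:", orig.Payload)
	_, remind, _ := sess.Read(start.Add(110*time.Minute), 2)
	fmt.Println("reminder due:", remind)
	_, _, err = sess.Read(start.Add(2*time.Hour), 2)
	fmt.Println("at deadline:", err, "| rows left in copy:", sess.CopiedRows())
}
```

The out-of-range row is never present in the copy, so the session cannot even name it; the modification lands in the copy while the master row keeps its original payload; and the first operation at or after the deadline both refuses the request and empties the copy, which is the "delete after access" step folded into the cut-off.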
Based on the same idea, the embodiment of the present specification further provides a device corresponding to the above method. Fig. 6 is a schematic structural diagram of an intranet data access control device corresponding to fig. 2 according to an embodiment of the present disclosure. As shown in fig. 6, the apparatus may include:
a first intranet data access request receiving module 602, configured to receive, in an extranet, a first intranet data access request sent by a first user through a network device, where the first intranet data access request at least carries first identification information and first access range information of the first user;
the authentication module 604 is configured to determine whether the first intranet data access request meets a first preset condition, so as to obtain a first determination result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
an authorization module 606, configured to, if the first determination result indicates that the first intranet data access request meets the first preset condition, open an extranet access permission of the first user to intranet data within an access range corresponding to the first access range information.
Based on the same idea, the embodiment of the present specification further provides a device corresponding to the above method.
Fig. 7 is a schematic structural diagram of an intranet data access control device corresponding to fig. 2 according to an embodiment of the present disclosure. As shown in fig. 7, the apparatus 700 may include:
at least one processor 710; and
a memory 730 communicatively coupled to the at least one processor; wherein
the memory 730 stores instructions 720 executable by the at least one processor 710 to enable the at least one processor 710 to:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result shows that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
Based on the same idea, the embodiment of the present specification further provides a computer-readable medium corresponding to the above method. The computer readable medium has computer readable instructions stored thereon that are executable by a processor to implement the method of:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result shows that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
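The check described above (first identification information present in the pre-authorized list, first access range information consistent with the pre-generated authorization), combined with the signed message digest of claims 2 and 3 and the remind-then-cut-off rule for the access duration, as an added Go example that is not part of the patent. Ed25519 as the signature scheme, JSON framing of the signed combined content, and the warning threshold before cut-off are my assumptions; the enterprise name and credit code in the sample are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Identification is the "first identification information": the requesting
// enterprise's business name and uniform social credit code (claim 4).
type Identification struct {
	BusinessName string `json:"business_name"`
	CreditCode   string `json:"credit_code"`
}

// AccessRange is the "first access range information": the item (project)
// to be accessed and the duration requested for it (claim 5).
type AccessRange struct {
	Item     string        `json:"item"`
	Duration time.Duration `json:"duration"`
}

// Grant is one entry of the pre-stored pre-authorized list: the access range
// authorization generated in advance for a user, plus the public key under
// which that user's message digest is checked (claims 2 and 3; Ed25519 assumed).
type Grant struct {
	Range     AccessRange
	PublicKey ed25519.PublicKey
}

// PreAuthorizedList is keyed by the identification information itself.
type PreAuthorizedList map[Identification]Grant

// AccessRequest is the first intranet data access request as received in the extranet.
type AccessRequest struct {
	ID        Identification
	Range     AccessRange
	Signature []byte // digest of signedContent(ID, Range) under the user's private key
}

// signedContent is the "combined content" that gets signed. JSON framing (an
// assumption) keeps the fields delimited so a boundary cannot shift between them.
func signedContent(id Identification, r AccessRange) []byte {
	b, _ := json.Marshal(struct { // plain strings and an int64: Marshal cannot fail
		ID    Identification `json:"id"`
		Range AccessRange    `json:"range"`
	}{id, r})
	return b
}

// SignRequest builds the request the way the first user would, with its private key.
func SignRequest(id Identification, r AccessRange, priv ed25519.PrivateKey) AccessRequest {
	return AccessRequest{ID: id, Range: r, Signature: ed25519.Sign(priv, signedContent(id, r))}
}

var (
	ErrNotPreAuthorized = errors.New("identification not in pre-authorized user list")
	ErrBadSignature     = errors.New("message digest does not verify under the user's public key")
	ErrRangeMismatch    = errors.New("access range differs from pre-generated authorization")
)

// Authorize applies the "first preset condition" in order: the identification must be
// in the pre-authorized list, the digest must verify, and the requested range must equal
// the pre-generated one. It returns the range the extranet permission is opened for;
// on any error the caller opens nothing.
func (l PreAuthorizedList) Authorize(req AccessRequest) (AccessRange, error) {
	g, ok := l[req.ID]
	if !ok {
		return AccessRange{}, ErrNotPreAuthorized
	}
	if !ed25519.Verify(g.PublicKey, signedContent(req.ID, req.Range), req.Signature) {
		return AccessRange{}, ErrBadSignature
	}
	if req.Range != g.Range {
		return AccessRange{}, ErrRangeMismatch
	}
	return g.Range, nil
}

// SessionState implements the reminder-then-cut-off rule for an opened permission:
// "open" within the duration, "remind" within warn of the limit, "cut-off" once reached.
func SessionState(r AccessRange, start, now time.Time, warn time.Duration) string {
	elapsed := now.Sub(start)
	switch {
	case elapsed >= r.Duration:
		return "cut-off"
	case elapsed >= r.Duration-warn:
		return "remind"
	default:
		return "open"
	}
}

func main() {
	// Constructed sample data: one pre-authorized enterprise with a 2-hour grant.
	pub, priv, _ := ed25519.GenerateKey(nil)
	id := Identification{"Example Pharma Co", "CREDIT-CODE-PLACEHOLDER"}
	granted := AccessRange{Item: "trial-2021-001", Duration: 2 * time.Hour}
	list := PreAuthorizedList{id: Grant{Range: granted, PublicKey: pub}}

	fmt.Println(list.Authorize(SignRequest(id, granted, priv)))
	// Correctly signed, but asking for more time than was authorized.
	_, err := list.Authorize(SignRequest(id, AccessRange{granted.Item, 8 * time.Hour}, priv))
	fmt.Println(err)
}
```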
All the embodiments in the present specification are described in a progressive manner; the same or similar parts among the embodiments may be referred to each other, and for the related parts of the device embodiments, refer to the description of the method embodiment.
In the 1990s, an improvement in a technology could clearly be distinguished as either an improvement in hardware (for example, in circuit structures such as diodes, transistors and switches) or an improvement in software (an improvement in a method flow). However, as technology has advanced, many of today's method flow improvements are regarded as direct improvements in hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a method flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A digital system is "integrated" on a PLD by the designer's own programming, without requiring the chip manufacturer to design and fabricate a dedicated integrated circuit chip. Furthermore, nowadays, instead of manually manufacturing an integrated circuit chip, such programming is mostly implemented with "logic compiler" software, which is similar to a software compiler used in program development; the source code before compilation is also written in a specific programming language, called a Hardware Description Language (HDL), of which there is not one but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
It will also be apparent to those skilled in the art that hardware circuitry implementing the logical method flow can readily be obtained by doing no more than a little programming of the method flow into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, of logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of such controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, besides implementing the controller purely as computer-readable program code, the same functionality can be obtained by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means it contains for performing the various functions may also be regarded as structures within the hardware component. Indeed, means for performing the functions may be regarded as being both software modules for performing the method and structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (13)

1. An intranet data access control method is characterized by comprising the following steps:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result shows that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
2. The method according to claim 1, wherein the first intranet data access request further carries a message digest obtained by digitally signing a combined content of the first identification information and the first access range information based on a private key of the first user.
3. The method according to claim 2, wherein the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, the message digest is checked and signed through based on a public key of the first user, and the first access range information is consistent with pre-generated access range authorization information of the first user.
4. The method of claim 1, wherein the first identification information comprises a first business name of the first user and a first uniform social credit code corresponding to the first business name.
5. The method of claim 4, wherein the first access scope information comprises a name of a first item to be accessed and a first duration to be accessed for the first item to be accessed.
6. The method according to claim 5, wherein before receiving the first intranet data access request sent by the first user through the network device in the extranet, the method comprises:
and receiving a second intranet data access request of a first user, wherein the second intranet data access request carries second identification information and second access range information of the first user.
7. The method of claim 6, wherein the second identification information comprises a second business name of the first user and a second uniform social credit code corresponding to the second business name; and the second access range information comprises a name of a second item to be accessed and a second duration to be accessed for the second item to be accessed.
8. The method of claim 7, wherein after receiving the second intranet data access request from the first user, the method comprises:
judging whether the second intranet data access request meets a second preset condition or not based on the second identification information and the second access range information to obtain a second judgment result;
the second preset condition specifically includes that, according to a preset authorization rule, the first user is permitted to access the intranet data in the access range corresponding to the second access range information;
and if the second judgment result shows that the second intranet data access request meets the second preset condition, storing the second identification information and the second access range information of the first user in the pre-authorized user identification information list.
9. The method according to claim 1, wherein after the step of opening the extranet access right of the first user to the intranet data within the access range corresponding to the first access range information, the method comprises:
copying intranet data in an access range corresponding to the first access range information into an independent database in the intranet;
and guiding the first intranet data access request to the independent database.
10. The method according to claim 9, wherein the intranet data within the access range corresponding to the first access range information stored in the independent database is deleted after the data access corresponding to the first intranet data access request is completed.
11. An intranet data access control device, comprising:
a first intranet data access request receiving module, configured to receive, in an extranet, a first intranet data access request sent by a first user through a network device, where the first intranet data access request carries at least first identification information and first access range information of the first user;
the authentication module is used for judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and the authorization module is used for opening the external network access authority of the first user to the internal network data in the access range corresponding to the first access range information if the first judgment result shows that the first internal network data access request meets the first preset condition.
12. An intranet data access control device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result shows that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
13. A computer readable medium having computer readable instructions stored thereon which are executable by a processor to implement the intranet data access control method according to any one of claims 1 to 10.
CN202111529823.XA 2021-12-14 2021-12-14 Intranet data access control method, device, equipment and storage medium Active CN114244598B (en)

Publications (2)

Publication Number Publication Date
CN114244598A true CN114244598A (en) 2022-03-25
CN114244598B CN114244598B (en) 2024-01-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant