CN114244598B - Intranet data access control method, device, equipment and storage medium - Google Patents


Info

Publication number
CN114244598B
Authority
CN (China)
Application number
CN202111529823.XA
Other languages
Chinese (zh)
Other versions
CN114244598A (en)
Inventor
刘丁源
张洋
李睿
寿雯洁
刘涛
段成辉
张�杰
Current Assignee
Zhejiang Taimei Medical Technology Co Ltd
Original Assignee
Zhejiang Taimei Medical Technology Co Ltd
Legal status
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The embodiment of the specification discloses an intranet data access control method, device, equipment and storage medium, wherein the scheme comprises the following steps: receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user; judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user; and if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.

Description

Intranet data access control method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for controlling intranet data access.
Background
With the rapid development of internet technology, enterprises increasingly conduct their business over the internet. Internet technology is, however, a double-edged sword: it brings convenience but also creates hidden risks for data security.
One prior-art approach to this problem is hardware-based, for example deploying a network security arrangement such as a firewall to form a protective barrier between the intranet and the extranet. This approach, however, requires a large upfront investment and high maintenance costs later on. Another approach is software-based, for example a virtual private network (Virtual Private Network, VPN). This method, however, is equivalent to exposing the intranet data directly on the extranet and carries potential data security risks.
Therefore, a data access control method is needed that both secures the data and is low in cost.
Disclosure of Invention
The embodiment of the specification provides an intranet data access control method, device, equipment and storage medium, so as to provide a data access control method capable of ensuring data security and low in cost.
In order to solve the above technical problems, the embodiments of the present specification are implemented as follows:
the intranet data access control method provided by the embodiment of the specification comprises the following steps:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
An intranet data access control device provided in an embodiment of the present disclosure includes:
the first intranet data access request receiving module is used for receiving a first intranet data access request sent by a first user through network equipment in an external network, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
The authentication module is used for judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and the authorization module is used for opening the external network access permission of the first user to the internal network data in the access range corresponding to the first access range information if the first judgment result indicates that the first internal network data access request meets the first preset condition.
An intranet data access control device provided in an embodiment of the present disclosure includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
Judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
Embodiments of the present disclosure provide a computer readable medium having computer readable instructions stored thereon, the computer readable instructions being executable by a processor to implement an intranet data access control method.
One embodiment of the present specification achieves the following advantageous effects:
in this technical scheme, the data access request initiated by the user is authenticated; only after authentication passes does the user gain the authority to actually access the intranet data within the access range, and only that intranet data is accessed. The user's need to access intranet data is thereby met, while the security of the enterprise's remaining intranet data outside the access range is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is an application scenario schematic diagram of an intranet data access control method provided in an embodiment of the present disclosure;
Fig. 2 is a flowchart of an intranet data access control method provided in an embodiment of the present disclosure;
Fig. 3 is an interface schematic diagram of user input of access request information in an intranet data access control method according to an embodiment of the present disclosure;
Fig. 4 is an interface schematic diagram of an enterprise deciding whether to approve an access request in an intranet data access control method according to an embodiment of the present disclosure;
Fig. 5 is a schematic information diagram of the users who accessed intranet data in a certain time period in the intranet data access control method provided in an embodiment of the present disclosure;
Fig. 6 is a schematic diagram of an intranet data access control device according to an embodiment of the present disclosure;
Fig. 7 is a schematic diagram of an intranet data access control device according to an embodiment of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of one or more embodiments of the present specification more clear, the technical solutions of one or more embodiments of the present specification will be clearly and completely described below in connection with specific embodiments of the present specification and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present specification. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without undue burden, are intended to be within the scope of one or more embodiments herein.
In the prior art, when an enterprise conducts business over the internet, a user sometimes needs to access the enterprise's intranet data. To protect the security of that intranet data, one prior-art method is hardware-based: for example, a firewall is built to form a protective barrier between the intranet and the extranet. However, the upfront investment is large and the later maintenance cost is high.
Another solution is software-based, for example a virtual private network (Virtual Private Network, VPN). However, this is equivalent to exposing the intranet data directly on the extranet, and an external user may alter the intranet data, so the intranet data carries a potential security hazard.
Therefore, it is necessary to provide an intranet data access control method capable of ensuring data security and having low cost.
In order to solve the drawbacks of the prior art, the present solution gives the following examples.
Fig. 1 is a schematic diagram of the overall application scenario of an intranet data access control method in an embodiment of the present disclosure, which is described below with reference to fig. 1. In the technical scheme of this embodiment, the first user sends an authentication request to the enterprise server from a user terminal and asks the enterprise server to verify the request in order to access certain data in the enterprise intranet. After the authentication request passes, the first user is granted the right to actually access that data in the enterprise intranet, so that the first user can obtain the intranet data from the enterprise database.
In order to describe the present invention in detail, the following embodiments are provided, and it should be first noted that, in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
Fig. 2 is a schematic flow chart of an overall scheme of an intranet data access control method in an embodiment of the present disclosure. As shown in fig. 2, from the program perspective, the execution subject of the flow may be a program or an application client installed on an application server.
As shown in fig. 2, the process may include the steps of:
step S202: receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user.
In the technical solution of this embodiment, the first user may be a user who needs to access the internal data of a certain enterprise, and may be an individual user or an enterprise user. For example, a medical enterprise A holds data about a clinical trial of a drug and stores these data in an intra-enterprise database by data category or by the attributes of the item to which the data belong, and other institutions that cooperate with enterprise A, such as a hospital B, need, for their own purposes, to access the data about a certain item owned by enterprise A.
The first identification information may be identification information that identifies the identity of the first user, e.g., a personal identification number of the first user if the first user is a personal user, or a uniform social credit code of the first user if the first user is a legal person or other organization.
The first access range information describes the first user's access attributes with respect to the enterprise's internal data, because in general an enterprise does not open its internal data to the first user or to other users without limit. The first access range information may therefore indicate which of the enterprise's data the first user needs to access and, further, the access duration or access period the first user needs for that data. Continuing the above example, the first user is hospital B, which wants to access the drug test data of the "xxx drug clinical test xx period" owned by the enterprise during the period from "xx years xx month xx day xx time xx minutes xx seconds" to "xxx years xxx month xxx day xxx time xxx minutes xxx"; the first access range information may then describe the attribute of the item to which the drug test data belong and the access time attribute of that access period.
Step S204: judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with the pre-generated access range authorization information of the first user.
In this step, the first preset condition is used to authenticate the data access request of the first user, that is, to verify whether the first user has the authority to actually access the intranet data.
The pre-stored pre-authorized user identification information list reflects that a user who wants to access an enterprise's intranet data must submit its user identification information in advance, together with application material describing, for example, which intranet data it intends to access, so that the enterprise can judge from the submitted application material whether to grant the access request; if it is granted, the correspondence between the user identification information and the access range authorization information contained in the application material can be stored in advance.
It should be noted that in this step only the correspondence between the user identification information and the access range authorization information contained in the application material is stored in advance; the specific storage mode is not limited in this embodiment. For example, besides the first user, other users may want to access the enterprise's intranet data for their own data requirements, and in that case all pre-authorized user identification information and its correspondences may be stored centrally in an information list.
Step S206: if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
It should be understood that the method according to one or more embodiments of the present disclosure may include the steps in which some of the steps are interchanged as needed, or some of the steps may be omitted or deleted.
In this technical scheme, the data access request initiated by the user is authenticated; only after authentication passes does the user gain the authority to actually access the intranet data within the access range, and only that intranet data is accessed. The user's need to access intranet data is thereby met, while the security of the enterprise's remaining intranet data outside the access range is ensured.
The examples of the present specification also provide some specific embodiments of the method based on the method of fig. 2, which is described below.
In an optional embodiment, the first intranet data access request further carries a message digest obtained by digitally signing the combined content of the first identification information and the first access range information with the private key of the first user. A digital signature (also called a public key digital signature) is a digital string that only the sender of the information can produce and that others cannot forge; it is also valid proof that the information was genuinely sent by that sender. In this embodiment the first preset condition specifically includes that the first identification information of the first user exists in the pre-stored pre-authorized user identification information list, that the message digest passes signature verification with the public key of the first user, and that the first access range information is consistent with the pre-generated access range authorization information of the first user. Because in theory only the first user holds the private key of the first user, and the first intranet data access request includes the message digest obtained by signing the combined content of the first identification information and the first access range information, a request whose message digest passes verification with the public key of the first user can be attributed to the genuine first user. This prevents an illegitimate user from impersonating the first user and initiating access requests to the enterprise's intranet data under the first user's identity.
In an optional embodiment technical solution, the first identification information includes a first business name of the first user and a first unified social credit code corresponding to the first business name.
In this step, the identity of the first user is identified by the first enterprise name of the first user and the first unified social credit code corresponding to that name. The unified social credit code can be understood as a nationwide unified identity card number for legal persons and other organizations; the standard stipulates that it consists of 18 Arabic numerals or capital English letters, namely a 1-digit registration management department code, a 1-digit organization category code, a 6-digit registration management organization administrative division code, a 9-digit main body identification code and a 1-digit check code.
It should be noted that, as described above, the first user may be an individual user or an enterprise user, and the enterprise user has been taken as the example. If the first user is an individual user, identification information matching the individual user attribute needs to be submitted instead, such as the name of the individual user and the individual user's identity card number (or driver's license number or passport number).
In an optional embodiment technical solution, the first access range information includes a name of a first to-be-accessed item and a first to-be-accessed duration for the first to-be-accessed item. The first to-be-accessed duration is used for representing the to-be-accessed time length of the first user on the related data in the first to-be-accessed item.
Steps S202 to S206 explain that, in the actual data access stage, the first user needs to submit its own identification information and the access range information of the data, and that after authentication passes the first user can actually access the data within that access range. Before that, the first user needs to submit review material and apply for the right to actually access the data to be accessed at a later stage, which can be understood to some extent as the right to make a legitimate request; that is, the first user must first apply to actually access the data within the access range later on. This process is described below.
In an optional embodiment, before receiving, in the external network, a first intranet data access request sent by a first user through a network device, the method includes:
receiving a second intranet data access request of the first user, wherein the second intranet data access request carries second identification information and second access range information of the first user. As shown in fig. 3, the first user may submit in advance the item name of the item to which the data to be accessed belongs, the access time period information of the data to be accessed, and the enterprise name and unified social credit code of the first user. Then, as shown in fig. 4, after receiving this information, enterprise personnel can decide whether to grant the data access request.
In an optional embodiment technical solution, the second identification information includes a second enterprise name of the first user and a second unified social credit code corresponding to the second enterprise name; the second access range information includes a name of a second item to be accessed and a second duration to be accessed for the second item to be accessed.
In an optional embodiment, after receiving the second intranet data access request of the first user, the method includes:
judging whether the second intranet data access request meets a second preset condition or not based on the second identification information and the second access range information to obtain a second judgment result;
the second preset condition specifically comprises that the first user has the right to be accessed to the data in the access range corresponding to the second access range information according to a preset authorization rule;
and if the second judgment result indicates that the second intranet data access request meets the second preset condition, storing the second identification information and the second access range information of the first user in the pre-authorized user identification information list.
In this step, the enterprise reviews, on the basis of the second preset condition and the review material submitted by the first user with its application, whether to approve the request so that the first user subsequently has the right to actually access the data to be accessed. The second preset condition is determined according to the actual situation; for example, the enterprise may open data of different levels according to the nature of the user, and may only open a certain range of its data to the outside, while data outside that range is not opened even if an external user has an access requirement.
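As an added example that is not part of the patent, the following Go program models steps S204 and S206 together with the signed embodiment and the second-request pre-authorization described above: the identification and access range types, a constructed authorization rule, storage of the granted correspondence in the pre-authorized list, and verification of an Ed25519 signature over the combined identification and access range content before the range is compared with the stored authorization. The type and function names, the Ed25519 scheme, the "|"-separated content layout and the placeholder credit codes are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Identification: enterprise name plus its unified social credit code (USCC).
type Identification struct {
	EnterpriseName string
	USCC           string
}

// AccessRange: the item whose data is to be accessed and the requested period.
type AccessRange struct {
	Item       string
	Start, End time.Time
}

// Authorization is one entry of the pre-authorized user identification list.
// Keeping the user's public key beside the granted range is an assumption.
type Authorization struct {
	ID     Identification
	Range  AccessRange
	PubKey ed25519.PublicKey
}

// PreAuthorizedList is the pre-stored list of step S204, keyed by USCC.
type PreAuthorizedList map[string]Authorization

// AuthorizationRule is a constructed "preset authorization rule" for the second
// preset condition: only listed items are opened, and only for a bounded period.
type AuthorizationRule struct {
	OpenItems   map[string]bool
	MaxDuration time.Duration
}

func (r AuthorizationRule) allows(rng AccessRange) bool {
	return r.OpenItems[rng.Item] && rng.End.After(rng.Start) && rng.End.Sub(rng.Start) <= r.MaxDuration
}

// PreAuthorize handles the second intranet data access request: if the rule
// grants the requested range, the identification/range correspondence is stored.
func (l PreAuthorizedList) PreAuthorize(rule AuthorizationRule, id Identification, rng AccessRange, pub ed25519.PublicKey) bool {
	if !rule.allows(rng) {
		return false
	}
	l[id.USCC] = Authorization{ID: id, Range: rng, PubKey: pub}
	return true
}

// AccessRequest is the first intranet data access request of the signed
// embodiment: identification, access range, and a signature over their combined content.
type AccessRequest struct {
	ID        Identification
	Range     AccessRange
	Signature []byte
}

// combinedContent is the byte string that is signed and later verified. The fixed
// layout (RFC 3339 UTC timestamps, "|" separators) is an assumption; both sides must build identical bytes.
func combinedContent(id Identification, rng AccessRange) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%s", id.EnterpriseName, id.USCC, rng.Item,
		rng.Start.UTC().Format(time.RFC3339), rng.End.UTC().Format(time.RFC3339)))
}

// Sign builds the request on the user's side with the user's private key.
func Sign(priv ed25519.PrivateKey, id Identification, rng AccessRange) AccessRequest {
	return AccessRequest{ID: id, Range: rng, Signature: ed25519.Sign(priv, combinedContent(id, rng))}
}

// Authenticate evaluates the first preset condition: the identification exists in the
// list, the signature verifies under the stored key, and the range matches the authorization.
func (l PreAuthorizedList) Authenticate(req AccessRequest) (bool, string) {
	auth, ok := l[req.ID.USCC]
	if !ok || auth.ID != req.ID {
		return false, "identification not in pre-authorized list"
	}
	if !ed25519.Verify(auth.PubKey, combinedContent(req.ID, req.Range), req.Signature) {
		return false, "signature verification failed"
	}
	if req.Range.Item != auth.Range.Item || !req.Range.Start.Equal(auth.Range.Start) || !req.Range.End.Equal(auth.Range.End) {
		return false, "access range does not match authorization"
	}
	return true, "extranet access opened for item " + req.Range.Item
}

func main() {
	// Constructed sample: hospital B is pre-authorized for one week on one item, then sends a signed request.
	pub, priv, _ := ed25519.GenerateKey(nil)
	hospitalB := Identification{"Hospital B", "USCC-PLACEHOLDER-000001"}
	start := time.Date(2022, 1, 10, 9, 0, 0, 0, time.UTC)
	rng := AccessRange{"xxx drug clinical trial, phase xx", start, start.Add(7 * 24 * time.Hour)}
	rule := AuthorizationRule{OpenItems: map[string]bool{rng.Item: true}, MaxDuration: 30 * 24 * time.Hour}
	list := PreAuthorizedList{}
	fmt.Println("pre-authorized:", list.PreAuthorize(rule, hospitalB, rng, pub))
	fmt.Println(list.Authenticate(Sign(priv, hospitalB, rng)))
}
```

Note that a request signed with the right key but carrying a wider range than the stored authorization still fails: the signature proves who sent the request, and the range comparison decides what that sender is allowed to reach.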
In an optional embodiment, after opening the extranet access permission of the first user to the intranet data in the access range corresponding to the first access range information, the method includes: copying the intranet data in the access range corresponding to the first access range information into an independent database in the intranet; and redirecting the first intranet data access request to that independent database.
In the technical scheme of this embodiment, to further ensure the security of the enterprise's intranet data, after the access permission of the first user to the data in the access range corresponding to the first access range information is opened, the data in that access range is copied to an independent database in the intranet, and at the same time the first intranet data access request is redirected to that independent database, so that the data is copied at the time of access and accessed from the copy. In the subsequent stage the first user accesses the data in the access range through the independent database, so that the first user is physically isolated from all other intranet data of the enterprise outside the access range and can only access the intranet data in the access range held in the independent database. This meets the first user's need to access the intranet data in the access range and ensures the security of the enterprise's remaining intranet data outside the access range; moreover, even if the intranet data in the access range held in the independent database is damaged by irregular operation of the first user, the original data corresponding to that intranet data is unaffected, which further ensures the security of the enterprise's intranet data.
In an alternative embodiment, after the data access corresponding to the first intranet data access request is finished, deleting intranet data in an access range corresponding to the first access range information stored in the independent database.
After the first user finishes accessing the data in the access range corresponding to the first access range information, the data in the access range stored in the independent database is deleted in time, so that the disk space occupied by the independent database for storing the data can be reduced, and the resource utilization rate of the disk storage space is improved.
In an alternative embodiment technical scheme, the actual access duration of the first user to the intranet data in the access range is monitored in real time; when the actual access duration approaches the access duration in the pre-generated access range authorization information of the first user, the first user is reminded, and when the actual access duration reaches that access duration, the data connection between the first user and the intranet is cut off. In addition, after the first user finishes the data access, the first user is charged according to the access duration in the access range authorization information or the actual access duration, and statistics are kept on which intranet data in the access range the first user actually accessed.
In the technical scheme of this alternative embodiment, since many users may access the enterprise's intranet data, a time period can be set; at the end of the time period, it is counted which users accessed the enterprise's intranet data during which periods, and which data of which items of the enterprise each user accessed. After several time periods have passed, statistical analysis can be performed on these data, for example to analyze which items of the enterprise have a higher intranet data access frequency, and on that basis the enterprise can adjust its pricing strategy for selling access rights to the intranet data. For example, as shown in fig. 5, information about the users who accessed intranet data in a certain period can be counted and exported for statistical analysis.
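As an added example that is not part of the patent, the Go code below models the duration enforcement and the per-period access statistics of the two embodiments above: a session check that returns continue, remind or cut-off against the authorized access duration, a ledger of finished accesses whose billable duration is capped at the authorized one, and a per-item access count over a period. The names, the reminder lead time and the sample sessions are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// SessionState is the real-time decision about one open access session.
type SessionState int

const (
	Continue SessionState = iota // actual duration within the authorized one
	Remind                       // approaching the authorized duration: remind the user
	CutOff                       // authorized duration reached: cut the data connection
)

// Session is one user's opened access to the data of one item.
type Session struct {
	USCC       string
	Item       string
	StartedAt  time.Time
	Authorized time.Duration // access duration from the access range authorization
	Connected  bool
}

// Check compares the actual access duration with the authorized one. The reminder
// lead time (remindBefore) is an assumption; the page only says the user is
// reminded when the actual duration is "close to" the authorized one.
func (s *Session) Check(now time.Time, remindBefore time.Duration) SessionState {
	if !s.Connected {
		return CutOff // once cut off, a session stays cut off
	}
	elapsed := now.Sub(s.StartedAt)
	switch {
	case elapsed >= s.Authorized:
		s.Connected = false
		return CutOff
	case elapsed >= s.Authorized-remindBefore:
		return Remind
	default:
		return Continue
	}
}

// AccessRecord is one row of the per-period statistics (fig. 5): which user
// accessed which item, and when.
type AccessRecord struct {
	USCC  string
	Item  string
	Start time.Time
	End   time.Time
}

// Ledger collects finished sessions for charging and statistical analysis.
type Ledger struct{ Records []AccessRecord }

// Close records a finished session. The recorded end never exceeds the authorized
// limit, so the billable duration is the actual one capped at the authorized one.
func (l *Ledger) Close(s *Session, endedAt time.Time) AccessRecord {
	s.Connected = false
	end := endedAt
	if limit := s.StartedAt.Add(s.Authorized); end.After(limit) {
		end = limit
	}
	rec := AccessRecord{s.USCC, s.Item, s.StartedAt, end}
	l.Records = append(l.Records, rec)
	return rec
}

// Billable returns the actual access duration of one record.
func (r AccessRecord) Billable() time.Duration { return r.End.Sub(r.Start) }

// ItemAccessCounts counts, per item, the accesses that started in [from, to):
// the figure used above to see which items are accessed most often.
func (l *Ledger) ItemAccessCounts(from, to time.Time) map[string]int {
	counts := map[string]int{}
	for _, r := range l.Records {
		if !r.Start.Before(from) && r.Start.Before(to) {
			counts[r.Item]++
		}
	}
	return counts
}

func main() {
	// Constructed sample: a two-hour authorization checked at three instants.
	t0 := time.Date(2022, 1, 10, 9, 0, 0, 0, time.UTC)
	s := &Session{USCC: "USCC-PLACEHOLDER-000001", Item: "item A", StartedAt: t0,
		Authorized: 2 * time.Hour, Connected: true}
	for _, dt := range []time.Duration{time.Hour, 115 * time.Minute, 2 * time.Hour} {
		fmt.Println(dt, s.Check(t0.Add(dt), 10*time.Minute))
	}
	var ledger Ledger
	rec := ledger.Close(s, t0.Add(3*time.Hour))
	fmt.Println("billable:", rec.Billable(), "counts:", ledger.ItemAccessCounts(t0, t0.AddDate(0, 1, 0)))
}
```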
Based on the same thought, the embodiment of the specification also provides a device corresponding to the method. Fig. 6 is a schematic structural diagram of an intranet data access control device corresponding to fig. 2 according to an embodiment of the present disclosure. As shown in fig. 6, the apparatus may include:
the first intranet data access request receiving module 602 is configured to receive, in an external network, a first intranet data access request sent by a first user through a network device, where the first intranet data access request carries at least first identification information and first access range information of the first user;
The authentication module 604 is configured to determine whether the first intranet data access request meets a first preset condition, so as to obtain a first determination result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and the authorization module 606 is configured to open an external network access right of the first user to the internal network data in the access range corresponding to the first access range information if the first determination result indicates that the first internal network data access request meets the first preset condition.
Based on the same idea, an embodiment of this specification also provides equipment corresponding to the method.
Fig. 7 is a schematic structural diagram of an intranet data access control device corresponding to fig. 2 according to an embodiment of the present disclosure. As shown in fig. 7, the apparatus 700 may include:
at least one processor 710; and
a memory 730 communicatively coupled to the at least one processor 710; wherein
the memory 730 stores instructions 720 executable by the at least one processor 710, the instructions being executable by the at least one processor 710 to enable the at least one processor 710 to:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
Based on the same idea, an embodiment of this specification also provides a computer readable medium corresponding to the method. Computer readable instructions are stored on the computer readable medium and are executable by a processor to perform a method comprising:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
and if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information.
In the present specification, the embodiments are described in a progressive manner; for the same or similar parts among the embodiments, reference may be made to each other, and for relevant parts, reference may be made to the description of the method embodiments.
In the 1990s, an improvement to a technology could clearly be distinguished as an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement to the method flow). However, with the development of technology, many improvements to method flows today can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement of a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., a field programmable gate array (Field Programmable Gate Array, FPGA)) is an integrated circuit whose logic function is determined by the user programming the device. The designer programs it to "integrate" a digital system onto a single PLD without requiring a chip manufacturer to design and fabricate an application specific integrated circuit chip. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development, and the source code before compilation is also written in a specific programming language called a hardware description language (Hardware Description Language, HDL). There is not just one HDL but many kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language), etc.; VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by simply programming the method flow into an integrated circuit using one of the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, or an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer readable program code, it is entirely possible to implement the same functionality by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and the means for performing various functions included in it may also be regarded as structures within the hardware component. Or even the means for achieving the various functions may be regarded both as software modules implementing the method and as structures within the hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units. Of course, when the present application is implemented, the functions of the units may be implemented in one or more software and/or hardware elements.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (11)

1. The intranet data access control method is characterized by comprising the following steps of:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information;
setting a time period, counting the user accessing the intranet data, the accessed time period and the accessed enterprise item data in the time period at the end of the time period, performing statistical analysis on the accessed user, the accessed time period and the accessed enterprise item data to obtain analysis data, and adjusting the pricing strategy of the enterprise for selling the intranet data based on the analysis data;
before receiving a first intranet data access request sent by a first user through network equipment in an external network, the method comprises the following steps:
receiving a second intranet data access request of a first user, wherein the second intranet data access request carries second identification information and second access range information of the first user;
after receiving the second intranet data access request of the first user, the method includes:
judging whether the second intranet data access request meets a second preset condition or not based on the second identification information and the second access range information to obtain a second judgment result;
the second preset condition specifically includes that the first user has the to-be-accessed right to the intranet data in the access range corresponding to the second access range information according to a preset authorization rule;
and if the second judgment result indicates that the second intranet data access request meets the second preset condition, storing the second identification information and the second access range information of the first user in the pre-authorized user identification information list.
2. The method of claim 1, wherein the first intranet data access request further carries a message digest obtained by digitally signing the combined content of the first identification information and the first access range information based on a private key of the first user.
3. The method of claim 2, wherein the first preset condition specifically includes that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, that signature verification of the message digest based on the public key of the first user passes, and that the first access range information is consistent with pre-generated access range authorization information of the first user.
4. The method of claim 1, wherein the first identification information includes a first business name of the first user and a first unified social credit code corresponding to the first business name.
5. The method of claim 4, wherein the first access scope information includes a name of a first to-be-accessed item and a first to-be-accessed duration for the first to-be-accessed item.
6. The method of claim 1, wherein the second identification information includes a second business name of the first user and a second unified social credit code corresponding to the second business name; the second access range information includes a name of a second item to be accessed and a second duration to be accessed for the second item to be accessed.
7. The method of claim 1, wherein after opening the external network access right of the first user to the internal network data in the access range corresponding to the first access range information, the method comprises:
copying intranet data in an access range corresponding to the first access range information into an independent database in an intranet;
and streaming the first intranet data access request to the independent database.
8. The method according to claim 7, wherein after the data access corresponding to the first intranet data access request is finished, intranet data in an access range corresponding to the first access range information stored in the independent database is deleted.
9. An intranet data access control device, comprising:
the first intranet data access request receiving module is used for receiving a first intranet data access request sent by a first user through network equipment in an external network, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
the authentication module is used for judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
the authorization module is configured to open an external network access right of the first user to the internal network data in the access range corresponding to the first access range information if the first judgment result indicates that the first internal network data access request meets the first preset condition;
setting a time period, counting the user accessing the intranet data, the accessed time period and the accessed enterprise item data in the time period at the end of the time period, performing statistical analysis on the accessed user, the accessed time period and the accessed enterprise item data to obtain analysis data, and adjusting the pricing strategy of the enterprise for selling the intranet data based on the analysis data;
before receiving a first intranet data access request sent by a first user through network equipment in an external network, the method comprises the following steps:
receiving a second intranet data access request of a first user, wherein the second intranet data access request carries second identification information and second access range information of the first user;
after receiving the second intranet data access request of the first user, the method includes:
judging whether the second intranet data access request meets a second preset condition or not based on the second identification information and the second access range information to obtain a second judgment result;
the second preset condition specifically includes that the first user has the to-be-accessed right to the intranet data in the access range corresponding to the second access range information according to a preset authorization rule;
and if the second judgment result indicates that the second intranet data access request meets the second preset condition, storing the second identification information and the second access range information of the first user in the pre-authorized user identification information list.
10. An intranet data access control device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receiving a first intranet data access request sent by a first user through network equipment in an extranet, wherein the first intranet data access request at least carries first identification information and first access range information of the first user;
judging whether the first intranet data access request meets a first preset condition or not to obtain a first judgment result; the first preset condition specifically comprises that first identification information of the first user exists in a pre-stored pre-authorized user identification information list, and the first access range information is consistent with pre-generated access range authorization information of the first user;
if the first judgment result indicates that the first intranet data access request meets the first preset condition, opening the extranet access authority of the first user to the intranet data in the access range corresponding to the first access range information;
setting a time period, counting the user accessing the intranet data, the accessed time period and the accessed enterprise item data in the time period at the end of the time period, performing statistical analysis on the accessed user, the accessed time period and the accessed enterprise item data to obtain analysis data, and adjusting the pricing strategy of the enterprise for selling the intranet data based on the analysis data;
before receiving a first intranet data access request sent by a first user through network equipment in an external network, the method comprises the following steps:
receiving a second intranet data access request of a first user, wherein the second intranet data access request carries second identification information and second access range information of the first user;
after receiving the second intranet data access request of the first user, the method includes:
judging whether the second intranet data access request meets a second preset condition or not based on the second identification information and the second access range information to obtain a second judgment result;
the second preset condition specifically includes that the first user has the to-be-accessed right to the intranet data in the access range corresponding to the second access range information according to a preset authorization rule;
and if the second judgment result indicates that the second intranet data access request meets the second preset condition, storing the second identification information and the second access range information of the first user in the pre-authorized user identification information list.
11. A computer readable medium having stored thereon computer readable instructions executable by a processor to implement the intranet data access control method of any one of claims 1 to 8.
CN202111529823.XA 2021-12-14 2021-12-14 Intranet data access control method, device, equipment and storage medium Active CN114244598B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111529823.XA CN114244598B (en) 2021-12-14 2021-12-14 Intranet data access control method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111529823.XA CN114244598B (en) 2021-12-14 2021-12-14 Intranet data access control method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114244598A CN114244598A (en) 2022-03-25
CN114244598B true CN114244598B (en) 2024-01-19

Family

ID=80756069

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111529823.XA Active CN114244598B (en) 2021-12-14 2021-12-14 Intranet data access control method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114244598B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114547423B (en) * 2022-04-27 2022-08-09 杜江波 Occupational competence big data knowledge graph data access management method and system
CN115190483B (en) * 2022-05-13 2023-09-19 中移互联网有限公司 Method and device for accessing network

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516681A (en) * 2012-06-26 2014-01-15 华为技术有限公司 Network access control method and device thereof
US9224006B1 (en) * 2015-07-29 2015-12-29 KGSS, Inc. System and method of secure data access
CN108632253A (en) * 2018-04-04 2018-10-09 平安科技(深圳)有限公司 Client data secure access method based on mobile terminal and device
CN112822165A (en) * 2020-12-30 2021-05-18 支付宝(杭州)信息技术有限公司 Method, device, equipment and readable medium for communicating with Internet of things equipment
CN113282628A (en) * 2021-06-09 2021-08-20 支付宝(杭州)信息技术有限公司 Big data platform access method and device, big data platform and electronic equipment
CN113347206A (en) * 2021-06-30 2021-09-03 建信金融科技有限责任公司 Network access method and device
WO2021212928A1 (en) * 2020-04-22 2021-10-28 中国银联股份有限公司 Blockchain data authorization access method and apparatus, and device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120068814A1 (en) * 2002-02-25 2012-03-22 Crawford C S Lee Systems and methods of operating a secured facility
US9680763B2 (en) * 2012-02-14 2017-06-13 Airwatch, Llc Controlling distribution of resources in a network
US10032205B2 (en) * 2015-03-27 2018-07-24 Walmart Apollo, Llc System, method, and non-transitory computer-readable storage media for displaying product information on websites
US10320791B2 (en) * 2015-12-29 2019-06-11 Nokia Of America Corporation Method and apparatus for facilitating access to a communication network
US11290459B2 (en) * 2018-05-15 2022-03-29 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Granting guest devices access to a network using out-of-band authorization
US11436314B2 (en) * 2019-02-13 2022-09-06 Saudi Arabian Oil Company System and method for provisioning non-enterprise client devices with access credentials

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
韩林等.旅游电子商务.重庆大学出版社,2008,第186-189页. *

Also Published As

Publication number Publication date
CN114244598A (en) 2022-03-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant