CN114650149A - Authorization policy processing method, system and storage medium - Google Patents

Publication number: CN114650149A
Authority: CN (China)
Prior art keywords: data, authorization, authorization policy, policy, strategy
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202011403594.2A
Other languages: Chinese (zh)
Inventors: 米婧, 刘芳, 张星, 耿慧拯
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute (the listed assignees may be inaccurate)
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Application filed by: China Mobile Communications Group Co Ltd, China Mobile Communications Ltd Research Institute

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1433: Vulnerability analysis

Abstract

The invention discloses an authorization policy processing method, system and storage medium. The method comprises: determining data characteristics according to a data access log; determining the data lineage (blood relationship); obtaining an authorization policy; and adjusting the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy. The invention avoids the policy vulnerabilities that can arise when backup or redundant copies of the same data exist on a platform, and allows the policy optimization process to be adjusted dynamically according to how the data is accessed in practical use.

Description

Authorization policy processing method, system and storage medium
Technical Field
The present invention relates to the field of wireless communication technologies, and in particular, to an authorization policy processing method, system, and storage medium.
Background
With the development of modern society, big data has begun to change how people live and work, bringing huge opportunities and challenges to technological progress. Every industry generates huge volumes of data at all times; data is turning from a cost into capital and profit, and its value is being maximized.
In human society, a blood relationship is a relationship between people that arises from marriage or birth.
In the big data era, data grows explosively, and massive data of many types is generated rapidly. This vast and complex data produces new data through association and fusion, conversion and transformation, and circulation, and the new data in turn merges into the ocean of data.
From generation, through processing, fusion and circulation, to final extinction, relationships naturally form among data. By analogy with similar relationships in human society, the relationship between data is called the blood relationship of data, or data lineage. Unlike blood relationships in human society, data lineage also has some distinctive features:
1. Attribution. Specific data generally belongs to a specific organization or individual, so data has ownership.
2. Multiple sources. The same data may have multiple sources (multiple parents). One piece of data may be generated by processing several pieces of data, and there may be several such processing steps.
3. Traceability. Data lineage reflects the life cycle of data, showing the whole process from its generation to its extinction, and is therefore traceable.
4. Hierarchy. Data lineage is hierarchical. Descriptions of data, such as its classification, induction and summarization, form new data, and descriptions at different levels of detail form the hierarchy of the data.
At present, security policies such as permissions and desensitization across the full data link are optimized based on the existing lineage of a data platform, which can ensure the security of data during use.
The drawback of the prior art is that the conventional scheme for predicting the rationality of authorization policies for data lineage leaves policy vulnerabilities.
Disclosure of Invention
The invention provides an authorization policy processing method, system and storage medium, which are used to solve the problem of vulnerabilities in data authorization policies.
The invention provides the following technical solutions:
An authorization policy processing method, comprising:
determining data characteristics according to a data access log;
determining the data lineage;
obtaining an authorization policy;
and adjusting the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation succeeded.
In an implementation, the data characteristics are determined after feature extraction is performed on the following data:
data of statistical indicators, comprising one or a combination of the following information: data access volume, data interception rate, number of data users, general query volume of the data, export volume of the data, and number of illegal users of the data; and/or
data of label indicators, comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In an implementation, adjusting the authorization policy according to the data lineage means adjusting the authorization policy according to the backup and/or redundant data of the data, as determined from the data lineage.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
an authorization policy, a desensitization policy, and a sensitivity grading policy.
In an implementation, adjusting the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy includes:
determining, according to the data lineage, data that belong to the same data;
determining, according to the degree of sameness of the data characteristics and/or authorization policies of the data that belong to the same data, whether those data are differing data;
adjusting the authorization policy of the differing data based on the data characteristics and/or authorization policies of the differing data.
In an implementation, determining whether data that belong to the same data are differing data, according to the degree of sameness of their data characteristics and/or authorization policies, includes:
when the data characteristics are determined from statistical indicators, data whose degree of sameness falls outside a preset range are differing data;
when the data characteristics are determined from label indicators, data whose sameness is judged negative are differing data;
data whose authorization policies are judged not to be the same are differing data.
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is performed in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policies configured for each piece of data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policies configured for each piece of data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among the data.
In an implementation, after adjusting the authorization policy, the method further includes:
verifying the adjusted authorization policy and feeding back the verification result.
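The adjustment rules above, as an added example that is not part of the patent text: copies of the same data are grouped along lineage edges, checked for differences, and given a merged policy that is returned as a proposal for the verification step. The node names, the `SAME_DATA_OPS` operation labels, the `Policy` fields and the 0.2 tolerance are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed lineage edges: (source node, destination node, flow operation).
LINEAGE_EDGES = [
    ("db_a.test_ori.visit", "db_a.tmp_visit_bak", "backup"),
    ("db_a.tmp_visit_bak", "db_b.visit_copy", "copy"),
    ("db_a.test_ori.visit", "db_b.visit_daily_agg", "aggregate"),
]
# Assumption: only these flow operations produce copies of "the same data".
SAME_DATA_OPS = {"backup", "copy"}


@dataclass
class Policy:
    grants: set = field(default_factory=set)   # authorization policy: (user, permission)
    masking: set = field(default_factory=set)  # desensitization policy: rule names
    level: int = 0                             # sensitivity level, higher is more sensitive


# Constructed policy configuration library and data feature library.
POLICIES = {
    "db_a.test_ori.visit": Policy({("analyst", "select")}, {"mask_phone"}, 3),
    "db_a.tmp_visit_bak": Policy({("etl", "select")}, set(), 1),
    "db_b.visit_copy": Policy({("analyst", "select")}, {"mask_phone"}, 3),
    "db_b.visit_daily_agg": Policy({("report", "select")}, set(), 1),
}
FEATURES = {
    "db_a.test_ori.visit": {"interception_rate": 0.30, "desensitized": True},
    "db_a.tmp_visit_bak": {"interception_rate": 0.02, "desensitized": False},
    "db_b.visit_copy": {"interception_rate": 0.28, "desensitized": True},
    "db_b.visit_daily_agg": {"interception_rate": 0.00, "desensitized": False},
}


def same_data_groups(edges):
    """Group nodes linked by copy-type lineage edges (union-find)."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for src, dst, op in edges:
        root_src, root_dst = find(src), find(dst)
        if op in SAME_DATA_OPS:
            parent[root_src] = root_dst
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [members for members in groups.values() if len(members) > 1]


def difference_reasons(group, policies, features, tolerance):
    """Name the checks on which the members of one same-data group differ."""
    reasons = []
    rates = [features[n]["interception_rate"] for n in group]
    if max(rates) - min(rates) > tolerance:          # statistical indicator
        reasons.append("statistical")
    if len({features[n]["desensitized"] for n in group}) > 1:  # label indicator
        reasons.append("label")
    shapes = {(frozenset(policies[n].grants), frozenset(policies[n].masking),
               policies[n].level) for n in group}
    if len(shapes) > 1:                              # policies not the same
        reasons.append("policy")
    return reasons


def merged_policy(group, policies):
    """Union of grants, union of masking rules, highest sensitivity level."""
    grants, masking = set(), set()
    for node in group:
        grants |= policies[node].grants
        masking |= policies[node].masking
    return Policy(grants, masking, max(policies[n].level for n in group))


def propose_adjustments(edges, policies, features, tolerance=0.2):
    """Return {node: proposal} for review; nothing is applied here."""
    proposals = {}
    for group in same_data_groups(edges):
        reasons = difference_reasons(group, policies, features, tolerance)
        if not reasons:
            continue
        target = merged_policy(group, policies)
        for node in sorted(group):
            if policies[node] != target:
                proposals[node] = {"reasons": reasons, "policy": target}
    return proposals


if __name__ == "__main__":
    for node, proposal in propose_adjustments(LINEAGE_EDGES, POLICIES, FEATURES).items():
        print(node, proposal["reasons"], proposal["policy"])
```

Because the authorization rule is a union, every copy ends up with every grant held by any copy, which is why the output is a proposal for the verification step rather than an applied change.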
An authorization policy processing system, comprising:
a processor for reading the program in the memory and performing the following process:
determining data characteristics according to a data access log;
determining the data lineage;
obtaining an authorization policy;
adjusting the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy;
a transceiver for receiving and transmitting data under the control of the processor.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation succeeded.
In an implementation, the data characteristics are determined after feature extraction is performed on the following data:
data of statistical indicators, comprising one or a combination of the following information: data access volume, data interception rate, number of data users, general query volume of the data, export volume of the data, and number of illegal users of the data; and/or
data of label indicators, comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In an implementation, adjusting the authorization policy according to the data lineage means adjusting the authorization policy according to the backup and/or redundant data of the data, as determined from the data lineage.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
an authorization policy, a desensitization policy, and a sensitivity grading policy.
In an implementation, adjusting the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy includes:
determining, according to the data lineage, data that belong to the same data;
determining, according to the degree of sameness of the data characteristics and/or authorization policies of the data that belong to the same data, whether those data are differing data;
adjusting the authorization policy of the differing data based on the data characteristics and/or authorization policies of the differing data.
In an implementation, determining whether data that belong to the same data are differing data, according to the degree of sameness of their data characteristics and/or authorization policies, includes:
when the data characteristics are determined from statistical indicators, data whose degree of sameness falls outside a preset range are differing data;
when the data characteristics are determined from label indicators, data whose sameness is judged negative are differing data;
data whose authorization policies are judged not to be the same are differing data.
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is performed in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policies configured for each piece of data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policies configured for each piece of data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among the data.
In an implementation, after adjusting the authorization policy, the process further includes:
verifying the adjusted authorization policy and feeding back the verification result.
An authorization policy processing system, comprising:
a feature calculation module, used to determine data characteristics according to a data access log;
a data lineage module, used to determine the data lineage;
a policy configuration library, used to obtain an authorization policy;
and a policy optimization module, used to adjust the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy.
In an implementation, the feature calculation module is further configured to determine the data characteristics from a data access log that includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation succeeded.
In an implementation, the feature calculation module is further configured to determine the data characteristics after performing feature extraction on the following data:
data of statistical indicators, comprising one or a combination of the following information: data access volume, data interception rate, number of data users, general query volume of the data, export volume of the data, and number of illegal users of the data; and/or
data of label indicators, comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In an implementation, the policy optimization module is further configured to adjust the authorization policy according to the backup and/or redundant data of the data, as determined from the data lineage.
In an implementation, the policy configuration library is further configured to obtain an authorization policy comprising one or a combination of the following policies configured for data and/or users:
an authorization policy, a desensitization policy, and a sensitivity grading policy.
In an implementation, when adjusting the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy, the policy optimization module is further configured for:
determining, according to the data lineage, data that belong to the same data;
determining, according to the degree of sameness of the data characteristics and/or authorization policies of the data that belong to the same data, whether those data are differing data;
adjusting the authorization policy of the differing data based on the data characteristics and/or authorization policies of the differing data.
In an implementation, when determining whether data that belong to the same data are differing data according to the degree of sameness of their data characteristics and/or authorization policies, the policy optimization module is further configured so that:
when the data characteristics are determined from statistical indicators, data whose degree of sameness falls outside a preset range are differing data;
when the data characteristics are determined from label indicators, data whose sameness is judged negative are differing data;
data whose authorization policies are judged not to be the same are differing data.
In an implementation, the policy optimization module is further configured so that, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is performed in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policies configured for each piece of data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policies configured for each piece of data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among the data.
In an implementation, the system further comprises:
a policy verification module, used to verify the adjusted authorization policy and feed back the verification result after the authorization policy is adjusted.
A computer-readable storage medium storing a computer program for executing the above authorization policy processing method.
The invention has the following beneficial effects:
In the technical solution provided by the embodiments of the invention, the relationships among data are determined from the data lineage, so backup and/or redundant data can be identified. The data characteristics determined from the data access log, together with the authorization policy, are used to determine whether data related by lineage are consistent; if they are not, the authorization policy can be adjusted according to the differences between the data. This avoids the policy vulnerabilities that may arise on a platform when the same data has backup or redundant copies. Because the adjustment is made according to the data access log, the policy optimization process can be adjusted dynamically according to how the data is accessed in actual use.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic diagram illustrating an implementation flow of an authorization policy processing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a system architecture for lineage-based policy optimization according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a feature calculation process according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating the data structure of the data feature library according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating the structure of data 1 in the data feature library according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating data lineage according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a policy optimization process according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of difference feature matrix 1 according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of difference feature matrix 2 according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a process for policy optimization based on lineage nodes according to an embodiment of the present invention;
FIG. 11 is a schematic diagram illustrating an example of policy optimization based on lineage nodes according to an embodiment of the present invention;
FIG. 12 is a diagram of authorization policy processing system structure 1 according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of authorization policy processing system structure 2 according to an embodiment of the present invention.
Detailed Description
During the course of the invention, the inventors noticed the following:
In the existing scheme, an authorization policy optimization model is built by extracting features from authorization log information; the rationality of a received authorization policy is then predicted, and the authorization policy is optimized according to the generated prediction value.
The existing scheme has at least one of the following problems:
1. The authorization policy optimization process is based mainly on historical authorization log information and does not consider backup or redundant copies of the same data that may exist on the platform, so policy vulnerabilities are hard to discover for copies of the same data with a low occurrence rate.
2. When the authorization policy is optimized, the optimization process is not dynamically adjusted according to how the data is accessed in actual use.
That is, the scheme for predicting the rationality of authorization policies for data lineage is based mainly on historical authorization log information and does not consider backup or redundant copies of the same data that may exist on the platform; as a result, policy vulnerabilities are hard to discover for copies of the same data with a low occurrence rate, and dynamic adjustment is not possible.
Based on this, the embodiments of the invention provide a policy optimization scheme that optimizes and adjusts the policy mainly according to the data lineage, combined with the actual access to the data, to ensure that the policy is reasonable and secure.
The following describes embodiments of the present invention with reference to the drawings.
Fig. 1 is a schematic flow chart of an implementation of the authorization policy processing method. As shown in the figure, the method includes:
Step 101, determining data characteristics according to a data access log;
Step 102, determining the data lineage;
Step 103, obtaining an authorization policy;
Step 104, adjusting the authorization policy according to one or a combination of the data characteristics, the data lineage and the authorization policy.
It should be noted that steps 101 to 103 have no required ordering relative to one another in an implementation.
Because the technical solution provided by the embodiments of the invention adjusts the policy according to the data access log, the policy optimization process can be adjusted dynamically according to how the data is accessed in practical use, and "vulnerabilities" can therefore be remedied dynamically.
These "vulnerabilities" arise from backup or redundant copies of the same data that may exist on the platform, and the data on the platform changes constantly. For example, the current policy may be sound, with no "vulnerability"; but when a new backup or redundant copy of some data is generated, a "vulnerability" may appear. At that point, the relationship between the existing data and the newly generated data can be determined through the data lineage, and the authorization policy can then be adjusted, so that the new "vulnerability" can be considered overcome.
In an implementation, after adjusting the authorization policy, the method may further include:
verifying the adjusted authorization policy and feeding back the verification result.
To make the implementation of the authorization policy processing method easier to understand, the following example describes a policy optimization system architecture built from functional modules. It should be noted that, in practice, other system structures may also be adopted, and combining or separating the functional modules does not affect the implementation of the scheme.
Fig. 2 is a schematic diagram of the architecture of a system for lineage-based policy optimization. As shown in the figure, the system may mainly include the following functional modules:
Feature calculation module: calculates data characteristics according to the data access log library, and establishes a data lineage library;
Data lineage module: establishes a data lineage database;
Policy optimization module: optimizes and adjusts the existing policy based on the existing lineage, the data characteristics and the policy configuration library;
Policy verification module: verifies the adjusted authorization policy and feeds back the verification result. For example, the administrator verifies the rationality of the optimized policy result set and feeds the adjustment result back to the policy optimization module.
The following describes how the feature calculation module builds a database of data access features.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation succeeded.
In an implementation, the data characteristics are determined after feature extraction is performed on the following data:
data of statistical indicators, comprising one or a combination of the following information: data access volume, data interception rate, number of data users, general query volume of the data, export volume of the data, and number of illegal users of the data; and/or
data of label indicators, comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
Fig. 3 is a schematic diagram of the feature calculation process. As shown in the figure, computing data characteristics from the data access log may be implemented as follows:
1. The data access log library stores the audit log content related to operation of the data platform, and the data access log is input to the feature calculation module.
2. Log preprocessing:
The data access log is preprocessed, including filtering out meaningless logs, removing redundant fields, formatting the data and so on, in preparation for the subsequent feature extraction.
The data access log content may be one or a combination of the following: operation time, data content, user, whether authorized, whether desensitized, whether sensitive, whether the operation succeeded, etc.
3. Log feature extraction:
Multi-dimensional indicator values of data access are calculated and an indicator library is built. Feature extraction may be performed based on the indicator library. The multi-dimensional data indicators fall into two categories, statistical indicators and label indicators, as follows:
The statistical indicators of data access may include one or a combination of the following: access volume, interception rate, number of users, general query volume, export volume, number of illegal users, etc.
The label indicators of data access may include one or a combination of the following: whether sensitive, whether authorized, whether desensitized, whether a sensitivity level has been determined, etc.
4. Building the log feature library:
According to the data access features, the data access log is converted into features to build a data feature library. Fig. 4 is a schematic diagram of the data structure of the data feature library; the information contained in the constructed data feature library may be as shown in the figure, and is described by way of example as follows:
Data 1 may be a table of a database or a column of a table.
The access features may be the access volume of data 1, the number of violations on data 1, the number of users of data 1, and the like.
The label features may be whether data 1 contains sensitive data, the sensitivity level of data 1, whether data 1 is desensitized, etc.
Fig. 5 is a schematic structural diagram of data 1 in the data feature library; the specific content of data 1 is shown in the figure.
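The four feature calculation steps above, as an added example that is not part of the patent text: a constructed audit log is preprocessed and aggregated into a per-data feature library. The pipe-delimited layout, the `op` field, and the definitions of interception rate (share of operations that did not succeed) and illegal users (distinct users with an unauthorized operation) are assumptions; the patent does not define them.

```python
from collections import defaultdict

# Constructed sample audit log. Layout (an assumption):
# time|data|user|op|authorized|desensitized|sensitive|success
SAMPLE_LOG = """\
2020-12-01T09:00:01|db_a.test_ori.visit|alice|query|1|1|1|1
2020-12-01T09:00:07|db_a.test_ori.visit|bob|export|0|1|1|0
heartbeat
2020-12-01T09:01:30|db_a.tmp_visit_bak|mallory|export|0|0|1|1
2020-12-01T09:02:10|db_a.tmp_visit_bak|etl|query|1|0|1|1
2020-12-01T09:02:11|db_a.test_ori.visit|alice|query|1|1|1|1|trace=abc
2020-12-01T09:03:00|db_a.test_ori.visit|bob|query|0|1|1|0
"""
FIELDS = ("time", "data", "user", "op",
          "authorized", "desensitized", "sensitive", "success")
FLAG_FIELDS = FIELDS[4:]


def preprocess(raw):
    """Step 2: filter meaningless lines, drop redundant fields, format flags."""
    records = []
    for line in raw.splitlines():
        parts = line.strip().split("|")
        if len(parts) < len(FIELDS):
            continue  # meaningless line such as a heartbeat
        if any(flag not in ("0", "1") for flag in parts[4:8]):
            continue  # malformed flag values
        record = dict(zip(FIELDS, parts))  # zip drops redundant trailing fields
        for name in FLAG_FIELDS:
            record[name] = record[name] == "1"
        records.append(record)
    return records


def build_feature_library(records):
    """Steps 3 and 4: compute statistical and label indicators per data item."""
    by_data = defaultdict(list)
    for record in records:
        by_data[record["data"]].append(record)
    library = {}
    for data, recs in by_data.items():
        total = len(recs)
        library[data] = {
            # statistical indicators
            "access_volume": total,
            "interception_rate": sum(not r["success"] for r in recs) / total,
            "user_count": len({r["user"] for r in recs}),
            "query_volume": sum(r["op"] == "query" for r in recs),
            "export_volume": sum(r["op"] == "export" for r in recs),
            "illegal_user_count": len({r["user"] for r in recs
                                       if not r["authorized"]}),
            # label indicators
            "sensitive": any(r["sensitive"] for r in recs),
            "desensitized": all(r["desensitized"] for r in recs),
        }
    return library


if __name__ == "__main__":
    for data, features in build_feature_library(preprocess(SAMPLE_LOG)).items():
        print(data, features)
```

In the constructed sample, the backup table shows an unauthorized export that succeeded and an interception rate of zero, while the source table intercepts half of its operations; that gap between copies is the kind of difference the policy optimization step looks for.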
The following describes the implementation of establishing a data blood relationship library.
In implementation, adjusting the authorization policy according to the data blood relationship means adjusting it according to the backup and/or redundant data of the data determined by the data blood relationship.
Fig. 6 is a schematic diagram of data blood relationship. As shown in the figure, the data blood relationship (data lineage) is a diagram of how data flows and is transformed inside a data platform; it identifies the whole path of the data from the source table through the intermediate tables to the final target table.
Through data lineage relationships, multiple copies or redundant data of the same data in a data platform can be found. Such data may have been created to serve as an intermediate table or temporary table and not deleted in time, and it is easily overlooked because it is not frequently used. Finding the redundant backups of the data along the blood relationship therefore helps administrators better find gaps in the data policy configuration and prevents important data from being left without policy configuration.
The data blood relationship map can be established by means of the related SQL commands of the database, by analyzing audit logs, and the like.
The data blood relationship library is a graph database that stores the nodes and connecting lines of the relationship, which may include the following:
Source node: the table from which a given piece of data flows, e.g. the visit column of the test_ori table in library A.
Destination node: the tables within the platform into which a given piece of data flows.
Node connecting line: indicates the flow direction of a given piece of data, and can record information such as the flow operation and the time at which it was executed.
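An added example, not part of the patent text: a breadth-first walk over lineage edges (source node, destination node, operation, time) that lists every downstream copy of a source column and reports the copies with no entry in the policy configuration library. The table names, edge list and policy entries are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed lineage edges: (source node, destination node, operation, time).
EDGES = [
    ("A.test_ori.visit", "A.mid_visit.visit", "insert-select", "2020-11-01"),
    ("A.mid_visit.visit", "B.report.visit", "insert-select", "2020-11-02"),
    ("A.test_ori.visit", "B.tmp_visit.visit", "create-table-as", "2020-11-03"),
    # A flow back into an earlier table; the walk must not loop on it.
    ("B.report.visit", "A.mid_visit.visit", "insert-select", "2020-11-04"),
    # Unrelated data, must not be reported as a copy of test_ori.visit.
    ("A.other.col", "B.other_copy.col", "insert-select", "2020-11-05"),
]

# Constructed policy configuration library: data node -> configured policy.
POLICY_LIBRARY = {
    "A.test_ori.visit": {"grants": {"amy": {"select", "insert"}}, "level": 4},
    "A.mid_visit.visit": {"grants": {"amy": {"select"}}, "level": 4},
    "B.report.visit": {"grants": {"amy": {"select"}}, "level": 4},
}


def build_graph(edges):
    """Adjacency list keyed by source node."""
    graph = defaultdict(list)
    for src, dst, op, when in edges:
        graph[src].append((dst, op, when))
    return graph


def lineage_copies(source, edges):
    """Return {copy node: list of (from node, operation, time) hops from source}."""
    graph = build_graph(edges)
    paths = {source: []}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for dst, op, when in graph.get(node, []):
            if dst not in paths:  # visited check also breaks cycles
                paths[dst] = paths[node] + [(node, op, when)]
                queue.append(dst)
    del paths[source]
    return paths


def unprotected_copies(source, edges, policy_library):
    """Copies of `source` that have no policy configuration at all."""
    return sorted(n for n in lineage_copies(source, edges) if n not in policy_library)


if __name__ == "__main__":
    for node, hops in lineage_copies("A.test_ori.visit", EDGES).items():
        print(node, "via", hops)
    print("no policy:", unprotected_copies("A.test_ori.visit", EDGES, POLICY_LIBRARY))
```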
The implementation of establishing a policy configuration database is described below.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
Specifically, in the policy configuration database, the security policy configuration related to the target data is recorded, and may include three major elements, data, user, and policy. The policy may be an authorization policy, a desensitization policy, a sensitive rating policy, etc.
For example:
Authorization policy: the permissions that user Amy has on data 1: select, insert.
Desensitization policy: when user Amy accesses data 1, digits 2 to 7 are hidden.
Sensitivity grading policy: data 1 has sensitivity level 4.
The implementation of the policy optimization module is described below.
In implementation, adjusting the authorization policy according to one or a combination of data characteristics, data blood relationship, and the authorization policy includes:
determining, according to the data blood relationship, data belonging to the same data;
determining whether data belonging to the same data is data with differences, according to the degree of sameness of its data characteristics and/or authorization policy;
adjusting the authorization policy of the data with differences according to the data characteristics and/or the authorization policy of that data.
Fig. 7 is a schematic diagram of the policy optimization process. As shown in the figure, the policy optimization module may make its adjustment based on the data feature library, the data blood relationship library, and the existing policy configuration library. The specific process may be as follows:
1. Construct a difference feature matrix on the blood relationship link.
In a specific implementation, when the data characteristics are determined from statistical indexes, data whose degree of sameness falls outside a preset range is data with differences;
when the data characteristics are determined from label indexes, data judged not to be the same is data with differences.
Specifically, based on the data blood relationship library and the data feature library, a data feature matrix of the blood relationship link is established in a blood relationship feature matching module, the feature values of the same data at different nodes of the link are compared, and a difference feature matrix is determined. For statistical features, a tolerance is set for the difference between feature values, and differences within the tolerance are not counted; for label features, any inconsistency is a difference feature.
For example: data 1 in the table at node 1 has an interception rate of 90%, which indicates that the authorization policy is set strictly. At node 2, however, the interception rate is 10% and a large number of users can access data 1, so the interception rates differ greatly. Fig. 8 is a schematic structural diagram of difference feature matrix 1; as shown in the figure, the stored content of the difference feature matrix of the data is:
[Figures BDA0002813201700000131 and BDA0002813201700000141: table images of the difference feature matrix, not reproduced in the text.]
2. Construct a difference policy matrix on the blood relationship link.
In a specific implementation, data whose authorization policies are judged not to be the same is data with differences.
Specifically, based on the data blood relationship library and the policy configuration library, a policy matrix of the blood relationship link is constructed in a blood relationship policy matching module, the policy configurations of the same data at different nodes of the link are compared, and a difference policy matrix is determined.
For example: Fig. 9 is a schematic structural diagram of difference feature matrix 2, and the authorization list and sensitivity level of data 1 at node 1 and node 2 are shown in Fig. 9. User 1, user 2 and user 3 all have select rights at node 2, while only user 1 has select rights at node 1. At node 2 the data is non-sensitive, while at node 1 it has sensitivity level 4.
As shown in the figure, the storage content of the differential policy matrix of the data is as follows:
[Figure BDA0002813201700000142: table image of the difference policy matrix, not reproduced in the text.]
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: authorization policy, desensitization policy, and sensitivity grading policy, the adjustment is made in one or a combination of the following ways:
the authorization policy is adjusted to the de-duplicated union of the authorization policy configurations of all the data;
the desensitization policy is adjusted to the de-duplicated union of the desensitization policy configurations of all the data;
the sensitivity grading policy is adjusted to the highest sensitivity level among the data.
Fig. 10 is a schematic diagram of the policy optimization process based on blood relationship nodes. As shown in the figure, node policies are optimized in the policy optimization module based on the difference feature matrix and the difference policy matrix of the blood relationship nodes, specifically as follows:
1: Based on the difference policy matrix, the following criteria may be applied to optimize each type of policy:
Authorization policy: compute the union of the authorization policy configurations of the blood relationship nodes, de-duplicate it to form the standard policy, and adjust the authorization policies of all nodes on the blood relationship accordingly;
Desensitization policy: compute the union of the desensitization policies of the blood relationship nodes, de-duplicate it to form the standard policy, and adjust the desensitization policies of all nodes on the blood relationship accordingly;
Sensitivity grading policy: take the highest sensitivity level among the blood relationship nodes as the standard policy, and adjust the sensitivity grading policy of all nodes on the blood relationship accordingly.
For example: Fig. 11 is a schematic diagram of an example of policy optimization based on blood relationship nodes. Assuming that, across the whole blood relationship of data 1, the configurations on the other nodes are all subsets of those on node 1 and node 2, the result of adjusting each node's configuration according to the above criteria is shown in Fig. 11.
2: The policy optimization module selects a standard node (that is, a representative node) for the data on the blood relationship link according to the difference feature matrix and the characteristics of the actual scenario. For example, the mean access volume of the nodes may be calculated and the node closest to the mean selected as the standard node (for example, by choosing the centroid with a K-means algorithm). The original policy configuration and the optimized policy configuration of the standard node are passed to the policy verification module as the basis for verification.
For example: for data 1, the node with the largest access volume is the node administrators pay most attention to, that is, the node with the most reasonable configuration; according to the difference feature matrix, node 4 (total access volume of 10000) is selected as the standard node of data 1 on the blood relationship link.
[Figures BDA0002813201700000151 and BDA0002813201700000161: table images, not reproduced in the text.]
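An added example, not part of the patent text: the two difference matrices and the optimization criteria described above, applied to the page's data 1 case (interception rate 90% at node 1 and 10% at node 2, select grants and sensitivity levels as in the Fig. 9 description). Node 3, the access volumes, the tolerances, level 0 for non-sensitive data and the rule string are assumptions added for illustration.

```python
from statistics import mean

# Constructed inputs for data 1 on one blood relationship (lineage) link.
FEATURES = {
    "node1": {"interception_rate": 0.90, "access_volume": 2000, "sensitive": True},
    "node2": {"interception_rate": 0.10, "access_volume": 9000, "sensitive": False},
    "node3": {"interception_rate": 0.85, "access_volume": 5000, "sensitive": True},
}
POLICIES = {
    "node1": {"grants": {"user1": {"select"}},
              "desensitize": {"mask digits 2-7"}, "level": 4},
    "node2": {"grants": {"user1": {"select"}, "user2": {"select"}, "user3": {"select"}},
              "desensitize": set(), "level": 0},  # assumption: 0 = non-sensitive
    "node3": {"grants": {"user1": {"select"}},
              "desensitize": {"mask digits 2-7"}, "level": 4},
}
STAT_TOLERANCE = {"interception_rate": 0.20, "access_volume": 10000}  # assumed
TAG_FEATURES = ("sensitive",)


def diff_feature_matrix(features, tolerance=STAT_TOLERANCE, tags=TAG_FEATURES):
    """Statistical features differ only beyond tolerance; tags on any mismatch."""
    diff = {}
    for name, tol in tolerance.items():
        values = {node: f[name] for node, f in features.items()}
        if max(values.values()) - min(values.values()) > tol:
            diff[name] = values
    for name in tags:
        values = {node: f[name] for node, f in features.items()}
        if len(set(values.values())) > 1:
            diff[name] = values
    return diff


def diff_policy_matrix(policies):
    """Policy elements whose configuration is not identical on every node."""
    diff = {}
    for key in ("grants", "desensitize", "level"):
        values = {node: p[key] for node, p in policies.items()}
        first = next(iter(values.values()))
        if any(v != first for v in values.values()):
            diff[key] = values
    return diff


def optimize(policies):
    """Standard policy: union of grants, union of rules, highest level."""
    grants, rules = {}, set()
    for p in policies.values():
        for user, perms in p["grants"].items():
            grants.setdefault(user, set()).update(perms)  # sets de-duplicate
        rules |= p["desensitize"]
    return {"grants": grants, "desensitize": rules,
            "level": max(p["level"] for p in policies.values())}


def standard_node(features):
    """Node whose access volume is closest to the mean over the link."""
    avg = mean(f["access_volume"] for f in features.values())
    return min(sorted(features), key=lambda n: abs(features[n]["access_volume"] - avg))


def review_items(policies, standard):
    """Per-node changes the standard policy would make, for manual verification."""
    items = []
    for node in sorted(policies):
        current = policies[node]
        for user in sorted(standard["grants"]):
            added = standard["grants"][user] - current["grants"].get(user, set())
            for perm in sorted(added):
                items.append((node, "grant-widened", f"{user}:{perm}"))
        if standard["level"] > current["level"]:
            items.append((node, "level-raised", f"{current['level']}->{standard['level']}"))
        for rule in sorted(standard["desensitize"] - current["desensitize"]):
            items.append((node, "desensitize-added", rule))
    return items


if __name__ == "__main__":
    std = optimize(POLICIES)
    print(diff_feature_matrix(FEATURES), diff_policy_matrix(POLICIES), sep="\n")
    print(std, standard_node(FEATURES), review_items(POLICIES, std), sep="\n")
```

Under the union criterion, user 2 and user 3 gain select on node 1 and node 3, which hold the data at sensitivity level 4. `review_items` lists these widened grants so that they reach the administrator in the policy verification step instead of being applied unseen.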
The implementation of the policy validation module is described below.
Because policy configuration is an important step for data security, the policy verification module requires an administrator to manually adjust and verify the optimized policy set, so as to ensure that an appropriate policy is configured on each data node.
In this module, the administrator needs to adjust the policy optimization result according to the difference configuration output by the policy optimization module, and needs to feed back how accurately the policy optimization module selected the standard node, so that the results of the policy optimization module improve.
Based on the same inventive concept, the embodiment of the present invention further provides an authorization policy processing system and a computer readable storage medium, and because the principle of solving the problem of these devices is similar to that of the authorization policy processing method, the implementation of these devices may refer to the implementation of the method, and the repeated parts are not described again.
When the technical scheme provided by the embodiment of the invention is implemented, the implementation can be carried out as follows.
Fig. 12 is a schematic diagram of an authorization policy processing system structure 1, as shown in the figure, the system includes:
a processor 1200 for reading the program in the memory 1220 and executing the following processes:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization policy;
adjusting the authorization policy according to one or a combination of data characteristics, data consanguinity relationships, and the authorization policy;
a transceiver 1210 for receiving and transmitting data under the control of the processor 1200.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized or not, whether the data is desensitized or not, whether the data is sensitive or not and whether the data operation is successful or not.
In implementation, the data characteristics are determined after characteristic extraction is carried out on the following data:
data of statistical indexes comprising one or a combination of the following information: data access volume, data interception rate, data user volume, data general query volume, data export volume and data illegal user volume; and/or
data of label indexes comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In implementation, adjusting the authorization policy according to the data blood relationship means adjusting the authorization policy according to the backup and/or redundant data of the data determined by the data blood relationship.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
In implementation, adjusting the authorization policy according to one or a combination of data characteristics, data blood relationship, and the authorization policy includes:
determining, according to the data blood relationship, data belonging to the same data;
determining whether data belonging to the same data is data with differences, according to the degree of sameness of its data characteristics and/or authorization policy;
adjusting the authorization policy of the data with differences according to the data characteristics and/or the authorization policy of that data.
In implementation, determining whether data belonging to the same data is data with differences, according to the degree of sameness of its data characteristics and/or authorization policy, includes:
when the data characteristics are determined from statistical indexes, data whose degree of sameness falls outside a preset range is data with differences;
when the data characteristics are determined from label indexes, data judged not to be the same is data with differences;
data whose authorization policies are judged not to be the same is data with differences.
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: authorization policy, desensitization policy, and sensitivity grading policy, the adjustment is made in one or a combination of the following ways:
the authorization policy is adjusted to the de-duplicated union of the authorization policy configurations of all the data;
the desensitization policy is adjusted to the de-duplicated union of the desensitization policy configurations of all the data;
the sensitivity grading policy is adjusted to the highest sensitivity level among the data.
In implementation, after the authorization policy is adjusted, the method further includes:
verifying the adjusted authorization policy and feeding back a verification result.
In Fig. 12, the bus architecture may include any number of interconnected buses and bridges, with various circuits of one or more processors represented by processor 1200 and memory represented by memory 1220 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore will not be described any further herein. The bus interface provides an interface. The transceiver 1210 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium. The processor 1200 is responsible for managing the bus architecture and general processing, and the memory 1220 may store data used by the processor 1200 in performing operations.
Fig. 13 is a schematic diagram of an authorization policy processing system structure 2, as shown, the system includes:
a feature calculation module 1301, configured to determine data features according to the data access log;
a data blood relationship module 1302 for determining a data blood relationship;
a policy configuration library 1303, configured to obtain an authorization policy;
a policy optimization module 1304 for adjusting the authorization policy according to one or a combination of data characteristics, data consanguinity relationships, and the authorization policy.
In an implementation, the feature calculation module is further configured to determine the data feature from a data access log including one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized or not, whether the data is desensitized or not, whether the data is sensitive or not and whether the data operation is successful or not.
In an implementation, the feature calculation module is further configured to determine data features after performing feature extraction on the following data:
data of statistical indexes comprising one or a combination of the following information: data access volume, data interception rate, data user volume, data general query volume, data export volume and data illegal user volume; and/or
data of label indexes comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In an implementation, the policy optimization module is further configured to adjust the authorization policy based on backup and/or redundant data of the data determined by the data consanguinity relationship.
In an implementation, the policy configuration repository is further configured to obtain the authorization policy comprising one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
In an implementation, the policy optimization module, when adjusting the authorization policy according to one or a combination of data characteristics, data consanguinity, and the authorization policy, is further configured to:
determine, according to the data blood relationship, data belonging to the same data;
determine whether data belonging to the same data is data with differences, according to the degree of sameness of its data characteristics and/or authorization policy;
adjust the authorization policy of the data with differences according to the data characteristics and/or the authorization policy of that data.
In an implementation, the policy optimization module is further configured such that determining whether data belonging to the same data is data with differences, according to the degree of sameness of its data characteristics and/or authorization policy, includes:
when the data characteristics are determined from statistical indexes, data whose degree of sameness falls outside a preset range is data with differences;
when the data characteristics are determined from label indexes, data judged not to be the same is data with differences;
data whose authorization policies are judged not to be the same is data with differences.
In an implementation, the policy optimization module is further configured to, when the authorization policy includes one or a combination of the following policies configured for data and/or users: authorization policy, desensitization policy, and sensitivity grading policy, make the adjustment in one or a combination of the following ways:
the authorization policy is adjusted to the de-duplicated union of the authorization policy configurations of all the data;
the desensitization policy is adjusted to the de-duplicated union of the desensitization policy configurations of all the data;
the sensitivity grading policy is adjusted to the highest sensitivity level among the data.
In an implementation, the system further comprises:
a policy verification module, configured to verify the adjusted authorization policy and feed back a verification result after the authorization policy is adjusted.
For convenience of description, each part of the above-described apparatus is separately described as being functionally divided into various modules or units. Of course, the functionality of the various modules or units may be implemented in the same one or more pieces of software or hardware in practicing the invention.
A computer-readable storage medium storing a computer program for executing the above authorization policy processing method.
The specific implementation may refer to implementation of the authorization policy processing method.
In summary, in the technical scheme provided by the embodiment of the present invention, based on the data blood relationship, a policy vulnerability of data in the platform flow process can be discovered, so as to better optimize the security policy.
The scheme is combined with the data actual access log, and the strategy can be optimized from the data actual use perspective.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. An authorization policy processing method, comprising:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization strategy;
adjusting the authorization policy according to one or a combination of data characteristics, data blood relationship, and the authorization policy.
2. The method of claim 1, wherein adjusting the authorization policy according to the data blood relationship is adjusting the authorization policy according to backup and/or redundant data of the data determined by the data blood relationship.
3. The method of claim 1, wherein the authorization policy comprises one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
4. The method of any one of claims 1 to 3, wherein adjusting the authorization policy based on one or a combination of data characteristics, data consanguinity relationships, and the authorization policy comprises:
determining data belonging to the same data according to the data blood relationship;
determining whether data belonging to the same data is data with differences, according to the degree of sameness of its data characteristics and/or authorization policy;
adjusting the authorization policy of the data with differences according to the data characteristics and/or the authorization policy of that data.
5. The method of claim 4, wherein determining whether data belonging to the same data is data with differences, according to the degree of sameness of its data characteristics and/or authorization policy, comprises:
when the data characteristics are determined from statistical indexes, data whose degree of sameness falls outside a preset range is data with differences;
when the data characteristics are determined from label indexes, data judged not to be the same is data with differences;
data whose authorization policies are judged not to be the same is data with differences.
6. The method of claim 4, wherein, when the authorization policy comprises one or a combination of the following policies configured for data and/or users: authorization policy, desensitization policy, and sensitivity grading policy, the adjustment is made in one or a combination of the following ways:
the authorization policy is adjusted to the de-duplicated union of the authorization policy configurations of all the data;
the desensitization policy is adjusted to the de-duplicated union of the desensitization policy configurations of all the data;
the sensitivity grading policy is adjusted to the highest sensitivity level among the data.
7. The method of claim 1, wherein, after adjusting the authorization policy, the method further comprises:
verifying the adjusted authorization policy and feeding back a verification result.
8. An authorization policy processing system, comprising:
a processor for reading the program in the memory and executing the following processes:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization policy;
adjusting the authorization policy according to one or a combination of data characteristics, data consanguinity relationships, and the authorization policy;
a transceiver for receiving and transmitting data under the control of the processor.
9. An authorization policy processing system, comprising:
a feature calculation module, configured to determine data characteristics according to the data access log;
a data blood relationship module, configured to determine the data blood relationship;
a policy configuration library, configured to obtain an authorization policy;
a policy optimization module, configured to adjust the authorization policy according to one or a combination of the data characteristics, the data blood relationship, and the authorization policy.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 7.
CN202011403594.2A 2020-12-02 2020-12-02 Authorization policy processing method, system and storage medium Pending CN114650149A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011403594.2A CN114650149A (en) 2020-12-02 2020-12-02 Authorization policy processing method, system and storage medium

Publications (1)

Publication Number Publication Date
CN114650149A true CN114650149A (en) 2022-06-21

Family

ID=81990167

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011403594.2A Pending CN114650149A (en) 2020-12-02 2020-12-02 Authorization policy processing method, system and storage medium

Country Status (1)

Country Link
CN (1) CN114650149A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106407832A (en) * 2015-08-03 2017-02-15 阿里巴巴集团控股有限公司 A method and an apparatus for data access control
CN106599713A (en) * 2016-11-11 2017-04-26 中国电子科技网络信息安全有限公司 Database masking system and method based on big data
CN106778303A (en) * 2016-12-07 2017-05-31 腾讯科技(深圳)有限公司 Delegated strategy optimization method and delegated strategy optimization device
CN107392051A (en) * 2017-07-28 2017-11-24 北京明朝万达科技股份有限公司 A kind of big data processing method and system
CN108418676A (en) * 2018-01-26 2018-08-17 山东超越数控电子股份有限公司 A kind of data desensitization method based on permission
CN110232290A (en) * 2018-03-05 2019-09-13 中兴通讯股份有限公司 Log desensitization method, server and storage medium
CN110457405A (en) * 2019-08-20 2019-11-15 上海观安信息技术股份有限公司 A kind of database audit method based on genetic connection
CN110532797A (en) * 2019-07-24 2019-12-03 方盈金泰科技(北京)有限公司 The desensitization method and system of big data
US20200204558A1 (en) * 2018-12-19 2020-06-25 Uber Technologies, Inc. Dynamically adjusting access policies
CN111666186A (en) * 2020-04-26 2020-09-15 杭州数梦工场科技有限公司 Data access abnormity detection method and device, storage medium and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination