CN114676399A - Data security access method and device, electronic equipment and server - Google Patents

Data security access method and device, electronic equipment and server Download PDF

Info

Publication number
CN114676399A
CN114676399A CN202210158962.4A CN202210158962A CN114676399A CN 114676399 A CN114676399 A CN 114676399A CN 202210158962 A CN202210158962 A CN 202210158962A CN 114676399 A CN114676399 A CN 114676399A
Authority
CN
China
Prior art keywords
data
user
access
target data
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210158962.4A
Other languages
Chinese (zh)
Inventor
穆建广
刘焕焕
盛国军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haier Digital Technology Qingdao Co Ltd
Haier Caos IoT Ecological Technology Co Ltd
Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Original Assignee
Haier Digital Technology Qingdao Co Ltd
Haier Caos IoT Ecological Technology Co Ltd
Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haier Digital Technology Qingdao Co Ltd, Haier Caos IoT Ecological Technology Co Ltd, Qingdao Haier Industrial Intelligence Research Institute Co Ltd filed Critical Haier Digital Technology Qingdao Co Ltd
Priority to CN202210158962.4A priority Critical patent/CN114676399A/en
Publication of CN114676399A publication Critical patent/CN114676399A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of internet, and particularly relates to a data security access method and device, electronic equipment and a server. The present invention is directed to solving the problems of the prior art. According to the data security access method, a data access request is received, the data access request is used for accessing target data, the data access request carries data access authorization information of a user, when the target data are located in electronic equipment, an operation program corresponding to the target data is called according to the data access authorization information of the user, data access authority of the user is added in the operation program, and then when the data access authority of the user in the operation program belongs to the authority that the target data obtained in advance can be accessed, access processing is carried out on the target data through the operation program. According to the scheme, the problem that hidden danger exists in information safety is avoided by adding the access authority in the program for operating the target data.

Description

Data security access method and device, electronic equipment and server
Technical Field
The invention belongs to the technical field of internet, and particularly relates to a data security access method and device, electronic equipment and a server.
Background
In distributed/stand-alone ethernet systems, access to information resources is made through an operating program or process, such as accessing data, files through read and write commands or viewing files through a text viewer, users viewing static files with programs/tools, and so forth. At present, information resources such as files, directories, databases and even programs exist in a server, users in a system all have authority to access the information resources, the access mode is unsafe, access to the information resources is not authority/set for accessing the information resources by taking the users as centers, and a fine management strategy cannot be realized.
In the prior art, a user capable of operating an information resource is identified through self-service access control in an operating system, and the information resource on the existing access system distinguishes the user and the information resource to be operated through an Identity Document (ID) system.
However, in a distributed ethernet system, each operating system/server has at least one user, and in a plurality of operating systems, unique ID differentiation cannot be implemented, and a source user without permission may invoke an intermediate program to replace the user (a user with permission) to operate information resources, which may lead to hidden information security risks.
Disclosure of Invention
In order to solve the above problem in the prior art, that is, to solve the problem of information access security in the prior art, an embodiment of the present invention provides a data security access method, which is applied to an electronic device, where the method includes:
receiving a data access request, wherein the data access request is used for accessing target data and carries data access authorization information of a user;
when the target data is located in the electronic equipment, calling an operation program corresponding to the target data according to the data access authorization information of the user, and adding the data access authority of the user in the operation program;
and when the data access authority of the user in the operating program belongs to the authority which is obtained in advance and can be accessed by the target data, performing access processing on the target data through the operating program.
In a preferred embodiment of the above method for secure access to data, the method further includes:
when the target data is located in a server, adding the data access authority of the user in a data transmission protocol between the electronic equipment and the server according to the data access authorization information of the user;
And sending the identification and the operation requirement of the target data in the data access request to the server.
In a preferred embodiment of the above method for secure access to data, the method further includes:
and when the data access authority of the user in the operating program does not belong to the authority that the target data can be accessed, returning an error prompt.
The embodiment of the invention provides a data security access method, which is applied to a server and comprises the following steps:
acquiring an identifier and an operation requirement of target data sent by electronic equipment based on a data transmission protocol, wherein the data transmission protocol carries a data access right of a user;
calling an operation program corresponding to the target data according to the identification of the target data and the operation requirement, and adding the data access authority of the user in the operation program;
and when the data access authority of the user in the operating program belongs to the authority which is obtained in advance and can be accessed by the target data, performing access processing on the target data through the operating program.
In a preferred embodiment of the above method for secure access to data, the method further includes:
And when the data access authority of the user in the operating program does not belong to the authority that the target data can be accessed, sending an error prompt to the electronic equipment.
An embodiment of the present invention further provides a data security access apparatus, which is applied to an electronic device, and the apparatus includes:
the receiving module is used for receiving a data access request, wherein the data access request is used for accessing target data, and the data access request carries data access authorization information of a user;
the determining module is used for calling an operation program corresponding to the target data according to the data access authorization information of the user when the target data is located in the electronic equipment, and adding the data access authority of the user in the operation program;
and the processing module is used for performing access processing on the target data through the operating program when the data access authority of the user in the operating program belongs to the authority which is acquired in advance and can be accessed by the target data.
In a preferred technical solution of the foregoing data security access apparatus, the determining module is further configured to:
when the target data is located in a server, adding the data access authority of the user in a data transmission protocol between the electronic equipment and the server according to the data access authorization information of the user;
And sending the identification and the operation requirement of the target data in the data access request to the server.
In a preferred technical solution of the above data security access apparatus, the sending module is configured to return an error prompt when the data access right of the user in the operation program does not belong to the right that the target data can be accessed.
The embodiment of the invention also provides a data security access device, which is applied to a server and comprises:
the receiving module is used for acquiring the identification and the operation requirement of target data sent by the electronic equipment based on a data transmission protocol, and the data transmission protocol carries the data access authority of a user;
the determining module is used for calling an operation program corresponding to the target data according to the identification of the target data and the operation requirement and adding the data access authority of the user in the operation program;
and the processing module is used for performing access processing on the target data through the operating program when the data access authority of the user in the operating program belongs to the pre-acquired authority that the target data can be accessed.
In a preferred technical solution of the above data security access apparatus, the sending module is configured to send an error prompt to the electronic device when the data access right of the user in the operating program does not belong to the right that the pre-acquired target data can be accessed.
An embodiment of the present invention further provides an electronic device, including: a processor, a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions to cause the electronic device to execute the data security access method as described above.
An embodiment of the present invention further provides a server, including: a processor, a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions to cause the server to perform the data security access method as described above.
The embodiment of the invention also provides a computer-readable storage medium, wherein computer-executable instructions are stored in the computer-readable storage medium, and when the computer-executable instructions are executed by a processor, the computer-executable instructions are used for realizing the data security access method.
An embodiment of the present invention further provides a computer program product, which includes a computer program, and the computer program is used for implementing the data security access method as described above when being executed by a processor.
As can be understood by those skilled in the art, in the electronic device, by receiving a data access request, the data access request is used to access target data, the data access request carries data access authorization information of a user, and when the target data is located in the electronic device, according to the data access authorization information of the user, an operation program corresponding to the target data is invoked, and a data access right of the user is added to the operation program, and then when the data access right of the user in the operation program belongs to a right that the target data acquired in advance can be accessed, access processing is performed on the target data through the operation program. According to the scheme, the problem that hidden danger exists in information safety is avoided by adding the access authority in the program for operating the target data.
Drawings
Preferred embodiments of a data security access method, apparatus, server, and storage medium of the present invention are described below with reference to the accompanying drawings. The attached drawings are as follows:
fig. 1 is a schematic view of an application scenario of a data security access method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a first embodiment of a data security access method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a second embodiment of a data security access method according to an embodiment of the present invention;
fig. 4 is a first schematic structural diagram of a data security access device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a data security access device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a server according to an embodiment of the present invention.
With the foregoing drawings in mind, certain embodiments of the disclosure have been shown and described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and are not intended to limit the scope of the present invention. And can be adjusted as needed by those skilled in the art to suit particular applications.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
Before describing the embodiments of the present invention, the technical background of the embodiments of the present invention is explained first:
in the distributed/single machine Ethernet system, information resources are accessed through an operating program or process, for example, data are accessed through read and write instructions; accessing files by reading, writing, executing instructions or viewing files through a text viewer, users viewing static files with programs/tools, and the like.
At present, information resources such as files, directories, databases and even programs exist in a server, users in a system all have authority to access the information resources, the access mode is unsafe, access to the information resources is not authority/set for accessing the information resources by taking the users as centers, and a fine management strategy cannot be realized.
Therefore, in the operating system, a user capable of operating the information resource is identified through self-service access control, the information resource on the existing access system distinguishes the user and the information resource to be operated through an ID system, and the existing ID system comprises three IDs: actual user ID (RUID), valid user ID (EUID), Set User ID (SUID)
The RUID is used for identifying a user in the system, and when the user successfully logs in an operating system by using a user name and a password, the RUID of the user is uniquely determined; the EUID is used for a system to determine the access right of a user to a system resource, and is generally equal to the RUID; the SUID is used for opening external rights, and is different from the RUID and the EUID by using one user binding, and the SUID is bound with the file.
In a distributed Ethernet system, each operating system/server has users with numbers 0, 1, … … to N, in a plurality of operating systems, the unique distinction of ID can not be realized, global ID is not available, the operation (such as reading, writing and execution) of information resources in the operating systems depends on the authority of a directly connected calling program of the upper layer, source users without authority can replace the users (authorized users) to operate the information resources by calling an intermediate program, whether the source users have authority to operate the information resources of the operating systems can not be determined, the identification of the source users is lacked, and the most original initiator can not be traced.
For example: a user initiates a request through a client, and the request is displayed to the client after the file is completely read by a program, wherein different user permissions are different, such as large administrator permission and small permission of other personnel, and if the program calls the administrator program, the program can open the resource which is not authorized to access and can access the resource. In existing systems, the procedure cannot be guaranteed. The first reason is as follows: program bug, not designed; the second reason is that: the design permission is abandoned due to low efficiency after permission design is added; the third reason is that: the authority is not uniform, and each authentication logic is provided, so that the concatenation is too complex;
therefore, how to uniquely identify and confirm the identity of the initiator of the calling program to determine whether the initiator (the source user of the calling program) has the right to access the relevant information resources to be accessed, i.e., information access security, is a technical problem to be solved urgently.
In order to solve the above technical problem, fig. 1 is a schematic view of an application scenario of a data security access method provided in an embodiment of the present invention, and as shown in fig. 1, the application scenario includes: electronic equipment 11, server 12.
Wherein, the electronic device 11 may be a terminal device of a user, and includes: cell-phone, computer, panel, computer etc..
In a possible implementation, a user accesses the data a through the electronic device 11, but the data a is located in the server 12, at this time, the server 12 receives data access authorization information of the user carried in a data access request of the electronic device 11, and when the server 12 specifically performs an operation on the data a, the data access authorization information is inherited by the program in the server 12, and the program determines whether the access is legal or not by comparing information of access rights corresponding to the data a with the data access authorization information.
In view of the above problems, the inventive concept of the present invention is as follows: the method comprises the steps that the permission of an initiator who has permission to access related information resources to be accessed cannot be determined in the prior art, but the inventor thinks that for the access of data, the problem can be solved from the beginning of execution to the obtaining of an execution result, if the permission information corresponding to the initiator can be added in each link, and the data can be processed by a user with the permission in the last link of processing the data, so that the safety problem of data access can be solved.
The following describes the technical solution of the present invention and how to solve the above technical problems with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
Fig. 2 is a schematic flowchart of a first embodiment of a data security access method according to an embodiment of the present invention. As shown in fig. 2, the data security access method may include the following steps:
the embodiment is applied to a stand-alone system, and the execution main body is electronic equipment.
It should be understood that the electronic device may be a computer, tablet, or stand-alone server, etc.
Step 21, receiving a data access request.
The data access request is used for accessing target data, and carries data access authorization information of a user.
In this step, the user accesses or manipulates the desired data, i.e., the target data, by operating the electronic device.
At this time, the user clicks the identifier of the data to be accessed or operated by logging in the application program, and the electronic device receives a data access request corresponding to the click.
In a possible implementation, in a standalone scenario, a user needs to open a target file under a windows system, that is, the user calls a text editor to open a target file (target data) through a login program. In this process, the global ID of the login program is (data access authorization information of the user).
In another possible implementation, in a single-computer scenario, a user logs in a computer, opens "my computer", pops up a resource window (program), calls a resource manager, finds a D-disk PPTexe program through the resource manager, clicks on the PPTexe program (the resource manager calls the PPTexe program), and finds a target PPT file (target data) in the PPT. In the process, the operation of the PPTexe program is started, that is, the operation carries the global ID (data access authorization information of the user).
And step 22, when the target data is positioned in the electronic equipment, calling an operation program corresponding to the target data according to the data access authorization information of the user, and adding the data access authority of the user in the operation program.
In this step, because the target data is located in the local storage in the electronic device in the standalone scenario, at this time, according to the operation program corresponding to the target data that needs to be called, the operation program is used to access the target data, and specifically, when performing operations such as reading and writing, data access permission of a user needs to be given to the operation program, so as to determine whether the operation program has permission to access the target data.
In a possible implementation following the above embodiment, in a standalone scenario, the text editor program (operating program) inherits the data access rights of the user.
In another possible implementation, in a standalone scenario, when a pptexte program (operating program) opens a target PPT file, a program is called, and during the program call, the global ID (data access authority of a user) of the explorer program is inherited by the pptexte program.
And 23, when the data access authority of the user in the operation program belongs to the authority that the pre-acquired target data can be accessed, performing access processing on the target data through the operation program.
In this step, based on the inherited data access permission of the user in the operating program, the data access permission of the user is compared with the access permission which is obtained in advance in the target data, whether the data access permission of the user can perform access processing on the target data is judged, and when the data access permission of the user can perform access processing on the target data, the target data is accessed through the operating program.
In a possible implementation, in a standalone scenario, the kernel of the operating system of the electronic device determines whether the global ID inherited by the text editor program matches the target data (i.e., whether the global ID has permission), and opens the electronic device if the global ID matches the target data. The method realizes that the program is called locally, only the global ID is inherited when the program is called on the local machine, the total chain is continuous until the last program accesses the target resource, the judgment logic is in the kernel of the operating system, the kernel needs the identity global ID to make a decision, and the program does not need to make a decision and change.
In another possible implementation, in a standalone scenario, when the PPTexe program opens a target PPT file, it is determined whether a global ID inherited by the PPTexe program matches the target PPT file, and it is further determined whether a resource manager of an original source program has a right to open the target PPT file, and if so, the resource manager can open the target PPT file by calling the PPTexe program.
In addition, when the data access authority of the user in the operating program does not belong to the authority that the target data can be accessed, an error prompt is returned.
Further, the user is reminded that the current access authority cannot access the target data.
Furthermore, by adding fields in a structure/process for identifying the identity of a user, the original logic is unchanged, only new fields are added in three IDs of the original system, the inheritance and the identification of the original ID of the identity are realized under a protocol, and finally, the data node is accessed with the original ID, so that whether a source program has the authority to access the information resource can be determined based on the original ID, and the original identity can be kept compatible with the original embodiment.
In the data security access method provided by the embodiment of the invention, in the electronic device, a data access request is received, the data access request is used for accessing target data, the data access request carries data access authorization information of a user, when the target data is located in the electronic device, an operation program corresponding to the target data is called according to the data access authorization information of the user, data access permission of the user is added in the operation program, and then when the data access permission of the user in the operation program belongs to the permission that the pre-acquired target data can be accessed, access processing is performed on the target data through the operation program. According to the scheme, the problem that hidden danger exists in information safety is avoided by adding the access authority in the program for operating the target data.
Based on fig. 2, fig. 3 is a schematic flowchart of a second embodiment of a data security access method provided in the embodiment of the present invention. As shown in fig. 3, the step 21 can be implemented by the following steps:
the embodiment is applied to a distributed system, and the execution subject is the electronic device and the server, namely, the electronic device and the server interact with each other, namely, a user accesses target data in the server through the electronic device.
Step 31, the electronic device receives a data access request.
The data access request is used for accessing target data, and carries data access authorization information of a user.
In this step, the electronic device is provided with a client, and the user accesses the target data in the server through the client, that is, the electronic device obtains the data access request of the user.
In a possible implementation, the electronic device is provided with a mysecoco client, the server is a mysecoco server, and is provided with an Internet Protocol (IP) and a MysecoD service program, and the information resource of the mysecoco server is written by calling the MysecoD service program.
In another possible implementation, an Office Automation (OA) system is accessed and operated in association with a browser. When a user inputs an OA website link on a browser of the electronic equipment, the browser requests to access an OA program and displays a login page or a homepage, or the login page or the homepage cannot be displayed (when the authority is not available), and when the user logs in, the user ID accesses the browser, and at the moment, the user ID carries data access authorization information of the user.
And step 32, when the target data is located in the server, the electronic device adds the data access authority of the user in a data transmission protocol between the electronic device and the server according to the data access authorization information of the user.
In this step, the data access authority of the user is added to the data transmission protocol between the electronic device and the server, and the global layout of the data access authority of the user can be still ensured when the server receives the operation request sent by the electronic device.
In one possible implementation, the network connection between the electronic device and the server performs data transmission through an IP network protocol (i.e., a data transmission protocol), and a CIPSO protocol (which is a self-defined extension protocol) in the IP network protocol is the IP network protocol.
Specifically, the global ID across the servers is set in a Common Internet Protocol Security Option (CIPSO) Protocol, when a program across the electronic device/server is called, the global ID in the CIPSO Protocol is decoded when the program is executed, and is continuously inherited to a next program, and if the next program calls a file (target data), the inherited global ID (i.e., the global ID of the source program, that is, the data access authority of the user) can be known.
In another possible implementation, the browser carries an IP protocol when requesting the OA through the network, and a global ID is set in an extension protocol CIPSO protocol carried in the IP protocol. (the ID mechanism is set in the operating kernel, the application program does not need to be changed), the browser sends the access request to the kernel of the server operating system of the browser, and the kernel of the server operating system of the browser sends the access request to the kernel of the server operating system of the OA.
And step 33, the electronic equipment sends the identification of the target data and the operation requirement in the data access request to the server.
In this step, when the electronic device receives a data access request from a user, the data access request is parsed to obtain an identifier of target data (i.e., which data needs to be accessed) and an operation requirement (i.e., a specific operation performed on the target data).
Further, the electronic device sends the identification of the target data and the operation requirement to the server based on the data transmission protocol added with the data access right of the user.
And step 34, the server calls an operation program corresponding to the target data according to the identification and the operation requirement of the target data, and adds the data access authority of the user in the operation program.
In this step, after receiving the identifier and the operation requirement of the target data, the server calls a corresponding operation program based on the identifier and the operation requirement of the target data, and at this time, adds the data access authority of the user to the operation program, so that the access authority is determined when the target data is accessed subsequently.
And step 35, when the data access authority of the user in the operation program belongs to the authority that the pre-acquired target data can be accessed, performing access processing on the target data through the operation program.
In this step, based on the inherited data access permission of the user in the operation program, comparing with the access permission which can be acquired in advance in the target data, judging whether the data access permission of the user can perform access processing on the target data, and when the data access permission of the user can perform access processing on the target data, performing access processing on the target data through the operation program.
In one possible implementation, the operating program can operate on the target data if the global ID (the user's data access rights) matches the attributes of the information resource (i.e., the rights to which the target data can be accessed).
Further, if the operating program does not directly call the file, but calls the file through the intermediate program, the global ID of the operating program is inherited into the intermediate program, the called program decodes the global ID in the CIPSO protocol of the intermediate program, and if the global ID matches with the attribute of the information resource, the intermediate program can operate the information resource.
In another possible implementation, the kernel of the server operating system judges whether the global ID carried by the browser inherited by the OA program matches the target data, if so, the kernel of the OA server operating system transmits the data to the kernel of the browser server operating system, and the data is analyzed by the kernel of the browser operating system after being acquired and transmitted to the browser display program to be displayed by the browser.
In addition, when the data access authority of the user in the operation program does not belong to the authority that the pre-acquired target data can be accessed, an error prompt is sent to the electronic equipment.
Optionally, that is, when the data access authority of the user cannot access the target data, an error prompt is sent to the electronic device to prompt the user that the current access authority is low and the target data cannot be accessed.
In addition, when the electronic device corresponding to the user is an initiator, no matter how many layers of programs are called to operate information resources, the identity of the source user, namely the global ID (data access authority of the user), is inherited, transferred and identified. Under the condition of a plurality of servers, one program on one server and a program on another server are linked, one program calls the other program through a network, the other program helps the program to operate, for example, target data is captured in a database, and the target data is returned and displayed after the operation is completed.
The data security access method provided by the embodiment of the invention receives a data access request through the electronic equipment, the data access request is used for accessing target data, the data access request carries data access authorization information of a user, and when the electronic device is in the server, according to the data access authorization information of the user, adding the data access authority of a user in a data transmission protocol between the electronic equipment and the server, then sending the identification and the operation requirement of target data in a data access request to the server by the electronic equipment, then calling the corresponding operation program of the target data by the server according to the identification and the operation requirement of the target data, and finally, when the data access authority of the user in the operation program belongs to the access authority of the pre-acquired target data, performing access processing on the target data through the operation program. According to the technical scheme, the data access authorization information of the user is carried in the transmission protocol, so that the access safety is realized when the data is operated in a distributed system.
The following is an embodiment of the apparatus of the present invention, which can be used to execute an embodiment of the data security access method of the present invention. For details that are not disclosed in the embodiments of the apparatus of the present invention, refer to the embodiments of the data security access method of the present invention.
Fig. 4 is a schematic structural diagram of a first data security access apparatus according to an embodiment of the present invention, as shown in fig. 4, the first data security access apparatus is applied to an electronic device, and includes:
a receiving module 41, configured to receive a data access request, where the data access request is used to access target data, and the data access request carries data access authorization information of a user;
the determining module 42 is configured to, when the target data is located in the electronic device, invoke an operation program corresponding to the target data according to the data access authorization information of the user, and add the data access permission of the user in the operation program;
and the processing module 43 is configured to perform access processing on the target data through the operation program when the data access right of the user in the operation program belongs to a right that the pre-acquired target data can be accessed.
In one possible implementation of the embodiment of the present application, the determining module 42 is further configured to:
when the target data is positioned in the server, adding the data access authority of the user in a data transmission protocol between the electronic equipment and the server according to the data access authorization information of the user;
and sending the identification and the operation requirement of the target data in the data access request to the server.
In another possible implementation of the embodiment of the present application, the sending module 44 is configured to return an error prompt to the terminal device when the data access right of the user in the operation program does not belong to the right that the target data can be accessed.
The data security access device provided in the embodiment of the present invention may be used to implement the technical solution of the data security access method applied to the electronic device in the foregoing embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
In addition, fig. 5 is a schematic structural diagram of a data security access apparatus according to an embodiment of the present invention, and as shown in fig. 5, the data security access apparatus applied to a server includes:
the receiving module 51 is configured to obtain an identifier and an operation requirement of target data sent by an electronic device based on a data transmission protocol, where the data transmission protocol carries a data access permission of a user;
the determining module 52 is configured to invoke an operation program corresponding to the target data according to the identifier and the operation requirement of the target data, and add the data access right of the user to the operation program;
and a processing module 53, configured to perform access processing on the target data through the operating program when the data access right of the user in the operating program belongs to a right to access the pre-acquired target data.
In a possible implementation of the embodiment of the present application, the sending module 54 is configured to send an error prompt to the electronic device when the data access right of the user in the operation program does not belong to the right that the pre-acquired target data can be accessed.
The data security access device provided in the embodiment of the present invention may be used to implement the technical solution of the data security access method applied to the server in the foregoing embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
It should be noted that the division of the modules of the above apparatus is only a logical division, and the actual implementation may be wholly or partially integrated into one physical entity, or may be physically separated. And these modules can be realized in the form of software called by processing element; or may be implemented entirely in hardware; and part of the modules can be realized in the form of calling software by the processing element, and part of the modules can be realized in the form of hardware. For example, the processing module 53 may be a separate processing element, or may be integrated into a chip of the apparatus, or may be stored in a memory of the apparatus in the form of program code, and a processing element of the apparatus calls and executes the functions of the above determining module. The other modules are implemented similarly. In addition, all or part of the modules can be integrated together or can be independently realized. The processing element here may be an integrated circuit with signal processing capabilities. In the implementation process, each step or each module of the above data security access method may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in the form of software.
On the basis of the above embodiments, fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 6, the electronic device is configured to execute the data security access method in the foregoing embodiment, and may include: a processor 61, a memory 62.
The processor 61 executes the computer execution instructions stored in the memory, so that the processor 61 executes the technical solution of the data security access method in the above embodiment.
Processor 61 may be a general-purpose processor including a Central Processing Unit (CPU), a Network Processor (NP), etc.; but also a digital signal processor DSP, an application specific integrated circuit ASIC, a field programmable gate array FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components.
The memory 62 is connected to the processor 61 via a system bus and communicates with each other, and the memory 62 is used for storing computer program instructions.
The system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus. The transceiver is used to enable communication between the database access device and other computers (e.g., clients, read-write libraries, and read-only libraries). The memory may comprise Random Access Memory (RAM) and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The electronic device provided by the embodiment of the present invention may be used to implement the technical solution of the data security access method in the above embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
On the basis of the foregoing embodiment, fig. 7 is a schematic structural diagram of a server according to an embodiment of the present invention. As shown in fig. 7, the server is configured to execute the data security access method in the foregoing embodiment, and may include: a processor 71, a memory 72.
The processor 71 executes the computer execution instructions stored in the memory, so that the processor 71 executes the technical solution of the data security access method in the above embodiment.
The processor 71 may be a general-purpose processor including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also a digital signal processor DSP, an application specific integrated circuit ASIC, a field programmable gate array FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components.
A memory 72 is coupled to the processor 71 via the system bus and communicates with each other, the memory 72 storing computer program instructions.
The system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The transceiver is used to enable communication between the database access device and other computers (e.g., clients, read-write libraries, and read-only libraries). The memory may comprise Random Access Memory (RAM) and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The server provided by the embodiment of the present invention may be used to implement the technical solution of the data security access method in the foregoing embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the invention also provides a chip for operating the instruction, and the chip is used for executing the technical scheme of the data security access method in the embodiment.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer instruction is stored in the computer-readable storage medium, and when the computer instruction runs on a computer, the computer is enabled to execute the technical solution of the data security access method in the foregoing embodiment.
The embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, which is stored in a computer-readable storage medium, and a processor can read the computer program from the computer-readable storage medium, and when the processor executes the computer program, the processor can implement the technical solution of the data security access method in the foregoing embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A data security access method is applied to an electronic device, and the method comprises the following steps:
receiving a data access request, wherein the data access request is used for accessing target data, and the data access request carries data access authorization information of a user;
when the target data is located in the electronic equipment, calling an operation program corresponding to the target data according to the data access authorization information of the user, and adding the data access authority of the user in the operation program;
and when the data access authority of the user in the operating program belongs to the authority which is obtained in advance and can be accessed by the target data, performing access processing on the target data through the operating program.
2. The method of claim 1, further comprising:
when the target data is located in a server, adding the data access authority of the user in a data transmission protocol between the electronic equipment and the server according to the data access authorization information of the user;
and sending the identification and the operation requirement of the target data in the data access request to the server.
3. The method of claim 1, further comprising:
and when the data access authority of the user in the operating program does not belong to the authority that the target data can be accessed, returning an error prompt.
4. A data security access method is applied to a server, and the method comprises the following steps:
acquiring an identifier and an operation requirement of target data sent by electronic equipment based on a data transmission protocol, wherein the data transmission protocol carries a data access right of a user;
calling an operation program corresponding to the target data according to the identification of the target data and the operation requirement, and adding the data access authority of the user in the operation program;
and when the data access authority of the user in the operating program belongs to the authority which is obtained in advance and can be accessed by the target data, performing access processing on the target data through the operating program.
5. The method of claim 4, further comprising:
and when the data access authority of the user in the operation program does not belong to the authority that the target data can be accessed, sending an error prompt to the electronic equipment.
6. A data security access apparatus, applied to an electronic device, the apparatus comprising:
the receiving module is used for receiving a data access request, wherein the data access request is used for accessing target data, and the data access request carries data access authorization information of a user;
the determining module is used for calling an operation program corresponding to the target data according to the data access authorization information of the user when the target data is located in the electronic equipment, and adding the data access authority of the user in the operation program;
and the processing module is used for performing access processing on the target data through the operating program when the data access authority of the user in the operating program belongs to the pre-acquired authority that the target data can be accessed.
7. A data security access device, applied to a server, the device comprising:
The receiving module is used for acquiring the identification and the operation requirement of target data sent by the electronic equipment based on a data transmission protocol, and the data transmission protocol carries the data access authority of a user;
the determining module is used for calling an operation program corresponding to the target data according to the identification of the target data and the operation requirement and adding the data access authority of the user in the operation program;
and the processing module is used for performing access processing on the target data through the operating program when the data access authority of the user in the operating program belongs to the pre-acquired authority that the target data can be accessed.
8. An electronic device, comprising: a processor, a memory and computer program instructions stored on the memory and executable on the processor, the processor implementing the method of secure access to data as claimed in any one of claims 1 to 3 when executing the computer program instructions.
9. A server, comprising: a processor, a memory and computer program instructions stored on the memory and executable on the processor, the processor when executing the computer program instructions implementing the method of secure access to data as claimed in claim 4 or 5 above.
10. A computer-readable storage medium having computer-executable instructions stored thereon, which when executed by a processor, are configured to implement a method of secure access to data as claimed in any one of claims 1 to 5.
CN202210158962.4A 2022-02-21 2022-02-21 Data security access method and device, electronic equipment and server Pending CN114676399A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210158962.4A CN114676399A (en) 2022-02-21 2022-02-21 Data security access method and device, electronic equipment and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210158962.4A CN114676399A (en) 2022-02-21 2022-02-21 Data security access method and device, electronic equipment and server

Publications (1)

Publication Number Publication Date
CN114676399A true CN114676399A (en) 2022-06-28

Family

ID=82072221

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210158962.4A Pending CN114676399A (en) 2022-02-21 2022-02-21 Data security access method and device, electronic equipment and server

Country Status (1)

Country Link
CN (1) CN114676399A (en)

Similar Documents

Publication Publication Date Title
US10581919B2 (en) Access control monitoring through policy management
US10250612B1 (en) Cross-account role management
US10454975B1 (en) Conditional comptuing resource policies
US10951661B1 (en) Secure programming interface hierarchies
CN111416811B (en) Unauthorized vulnerability detection method, system, equipment and storage medium
CN111695156A (en) Service platform access method, device, equipment and storage medium
CN111641627A (en) User role authority management method and device, computer equipment and storage medium
US10771468B1 (en) Request filtering and data redaction for access control
US10691822B1 (en) Policy validation management
CN108289098B (en) Authority management method and device of distributed file system, server and medium
US20160028774A1 (en) Data Access Policies
EP2605177B1 (en) Extensible and/or distributed authorization system and/or methods of providing the same
CN109062965B (en) Big data analysis system, server, data processing method and storage medium
US20150373011A1 (en) Credential collection in an authentication server employing diverse authentication schemes
US10891357B2 (en) Managing the display of hidden proprietary software code to authorized licensed users
US10650153B2 (en) Electronic document access validation
CN110839014A (en) Authentication method, device, computer system and readable storage medium
CN112464176B (en) Authority management method and device, electronic equipment and storage medium
US20230315890A1 (en) Call location based access control of query to database
US8806589B2 (en) Credential collection in an authentication server employing diverse authentication schemes
CN114745185B (en) Cluster access method and device
CN114676399A (en) Data security access method and device, electronic equipment and server
CN114861160A (en) Method, device, equipment and storage medium for improving non-administrator account authority
CN112311716A (en) Data access control method and device based on openstack and server
CN111639020B (en) Program bug reproduction method, system, device, electronic equipment and storage medium thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination