CN114722250A - Method for filtering horizontal and vertical permissions of data based on configuration - Google Patents

Publication number
CN114722250A
Authority
CN
China
Prior art keywords
data
authority
filtering
vertical
horizontal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210531674.9A
Other languages
Chinese (zh)
Other versions
CN114722250B (en)
Inventor
王利强
陈亚祥
张丽玲
侯斌峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qiqin Technology Beijing Co ltd
Original Assignee
Qiqin Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/9035 Filtering based on additional data, e.g. user or group profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention discloses a configuration-based method for filtering horizontal and vertical data authorities, comprising: collecting document data to obtain a document type; performing data horizontal (level) authority filtering on the document type to obtain first target data; and performing data vertical authority filtering on the first target data to obtain second target data. By configuring an interpretation execution engine and a data filter, only page configuration is needed: the interpretation execution engine automatically constructs the query conditions from the configuration, executes the query and returns the data the user is authorized to access, and the data filter then performs processing such as data filtering, desensitization and encryption. This greatly reduces the development time an application system spends on data authority control, lowers internal enterprise management cost, and improves the security of business data.

Description

Method for filtering horizontal and vertical permissions of data based on configuration
Technical Field
The invention belongs to the field of data authority filtering, and particularly relates to a method for realizing data horizontal and vertical authority filtering based on configuration.
Background
With the continuous improvement of the informatization and digitization degree of enterprises, the continuous increase of internal systems and the continuous increase of the volume of service data, the original extensive data authority management mode cannot meet the fine management requirements of enterprise internal service field subdivision, management responsibility subdivision, personalized management and the like, and cannot ensure the safety of sensitive data such as customer information, price information and the like.
The currently widely used mode in the industry is to write control logic of data authority through codes. When a user accesses a kind of service data, writing a code to control the access authority of the kind of service data; when the user accesses another service data, another set of codes is written to control the access authority of another type of service data. The method has the defects of poor flexibility, incapability of adapting to business logic change, high time cost for coding, and the like.
Therefore, a method for controlling access rights of users of the system to different business data in an enterprise more flexibly, more accurately and more conveniently is needed.
Disclosure of Invention
In order to solve the problems, a set of data authority control framework which meets the principles of configurability, expandability and low code is designed and developed, so that an application system developed by the framework can realize the access control of data on the basis of no code or only a small amount of code.
In order to achieve the above object, the present invention provides a configuration-based method for filtering horizontal and vertical data authorities, comprising:
collecting document data to obtain a document type;
performing data horizontal (level) authority filtering on the document type to obtain first target data;
and performing data vertical authority filtering on the first target data to obtain second target data, so as to realize data filtering.
Preferably, the document types comprise basic data authority, administrative organization architecture data authority and special data authority;
the special data authority comprises data created by the user, data the user is responsible for, and data awaiting approval by the user or already approved by the user.
Preferably, the horizontal authority filtering of the document type is based on a horizontal authority filtering rule, and the rule configuration process comprises obtaining the data authority fields of the document type and configuring a data horizontal authority filtering rule based on the data authority fields.
Preferably, the process of performing data horizontal authority filtering on the document type includes configuring a data horizontal authority filtering rule for the document type, executing a query operation on the document type to which the rule belongs, parsing the rule and constructing a query condition from it with the interpretation execution engine, and obtaining the first target data through the query condition.
Preferably, the vertical authority filtering of the first target data is based on a vertical authority filtering rule, and the rule configuration process includes dynamically acquiring the field information of the document type based on a persistence layer framework and reflection, and configuring a data vertical authority filtering rule based on the field information.
Preferably, the data vertical authority filtering on the first target data is based on configurable attributes of the document type, and the attributes include: field name, field description, whether viewing is allowed, whether modification is allowed, whether to desensitize, and whether to encrypt.
Preferably, the process of performing data vertical authority filtering on the first target data includes assigning data vertical authority filtering rules to specified users; filtering out, with a data filter, field data that is not allowed to be viewed and data that is not allowed to be modified, to obtain the remaining data; saving the remaining data to a database through a persistence layer framework; and desensitizing and encrypting the remaining data with the data filter to obtain second target data and realize data filtering.
The invention has the technical effects that:
By configuring the interpretation execution engine and the data filter, only page configuration is needed: the interpretation execution engine automatically constructs the query conditions from the configuration, executes the query and returns the data the user is authorized to access, and the data filter then performs processing such as data filtering, desensitization and encryption. This greatly reduces the development time an application system spends on data authority control, lowers management cost within the enterprise, and improves the security of business data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
FIG. 1 is a flow chart of a method of an embodiment of the present invention;
FIG. 2 is the data horizontal (level) authority filtering process of an embodiment of the present invention;
FIG. 3 is a block diagram of a data vertical rights filtering process according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
As shown in fig. 1, a method for filtering horizontal and vertical permissions of data based on configuration implementation includes:
1. Data horizontal (level) authority filtering (as shown in FIG. 2)
(1) Define the data authority fields, including information such as field name, field description and data source, where the data source provides the value range of the field, such as a data dictionary or master data.
(2) Define the document type, including information such as document type code, document type name, and enabled/disabled state.
(3) Configure a data horizontal authority filtering rule for each document type. Each document type supports one default rule; the same document type can have several different rules configured at the same time, and different rules can be assigned to different users. If no specific rule is assigned to a user, the default rule is used. The data horizontal authority filtering rule comprises the following three types of configuration:
① Basic data authority
Once enabled, data authority can be filtered through the data authority fields. The basic data authority rule comprises three configuration items: the enabled data authority fields, whether detail (sub-table) data authority is enabled, and whether records whose data authority field is empty are allowed to be viewed.
The enabled data authority fields are the fields of the document type that are used for filtering data; they are selected from all usable data authority fields configured in the system, and multiple selection is supported. Whether detail data authority is enabled determines, when the document type has a master/sub-table structure, whether the data of the sub-table must also be filtered by this rule. Whether records whose data authority field is empty are allowed to be viewed determines whether a record can be seen by everyone when its data authority field is empty.
Besides the above three configuration items, basic data authority must also be granted to the user through the "data authorization" function in user management. The authorization information to configure includes: the field name, selected from the defined data authority fields; the condition type, including all, equal, unequal, containing, not containing, left fuzzy, right fuzzy, full fuzzy, etc., i.e. the condition type used when filtering data horizontal authority; and the authority value, i.e. the user's scope of authority for the data authority field.
For example, when a user is granted the authority values class A and class B with the condition type "not containing", the user can access student information of all classes except class A and class B. The same user can be granted authority on different data authority fields, but only one authorization configuration is allowed per data authority field.
② Administrative organization architecture data authority
Once enabled, data authority can be filtered through the department/employee relationship. The administrative organization architecture data authority configuration comprises two configuration items: whether lower-level department data may be viewed level by level (cascading), and the department associated with the document field.
Allowing lower-level department data to be viewed level by level means that, once enabled, a user who has the data authority of a department can view the data of all departments below it. The department associated with the document field can be determined in three ways: by the department of the system user, i.e. the department of the document's creator has the data authority of the document; by the department of a user field, i.e. a user is obtained from the document according to the configured user field, and the department of that user has the data authority of the document; or by a department field, i.e. a department is obtained from the document according to the configured department field, and that department has the data authority of the document.
③ Special data authority
This includes data created by the user, data the user is responsible for, and data requiring approval by the user.
Data created by the user: once enabled, the creator has the data authority of the data they created.
Data the user is responsible for: once enabled, the field name of the responsible user can be configured; when the user obtained from that field of the document is the current user, the current user has the data authority.
Data requiring approval by the user: once enabled, the user has the data authority of documents awaiting their approval and of documents they have already approved.
(4) After the data horizontal authority filtering rule is configured, it is assigned to one or more users through the assignment function and stored in the corresponding distributed cache (Redis).
(5) When an assigned user accesses data of the specified document type, the interpretation execution engine retrieves the data horizontal authority filtering rule for that document type from the distributed cache (Redis) and constructs the query conditions for basic data authority, administrative organization architecture data authority and special data authority.
(6) The basic data authority query condition is constructed as follows: read the field name, condition type and authority value of each data authority field granted to the user by the data authorization function, combine them with the three configuration items of the basic data authority, and dynamically construct the query condition using the Groovy script engine. For example, if the data authority field name is "class", the condition type is "not containing" and the authority value is "A, B", the constructed SQL query condition is "WHERE class NOT IN ('A', 'B')". If the user has authorizations on multiple data authority fields, the query conditions are merged with an AND (&&) relationship.
(7) The administrative organization architecture data authority query condition is constructed by matching the user's department against the department in the business data of the document type, the department of the document creator, or the department of a user named in the business data. For example, three users are in department A, and the data horizontal authority filtering rule is configured to filter by the department of the document creator, with "allow lower-level department data to be viewed level by level" enabled; when the document creator's department is department A or a department below department A, the three users can access the business documents created by all users of department A and by all users of the sub-departments below department A.
(8) The special data authority query condition is constructed as follows: in the business data of the document type, if the document creator is the current user, or a responsible-user field is the current user, or the document requires approval by the current user or has been approved by the current user, then the current user can access the data. The list of documents awaiting the user's approval is provided by an interface of the workflow; the list of approved documents is provided by the underlying common audit record table.
(9) After the above three conditions are constructed, they are combined through an OR (||) relationship, that is, when a record satisfies any one of the conditions, the current user has access to it. The combined condition is passed to the interpretation execution engine, which converts it, through a built-in JPA converter or SQL converter, into a Predicate query condition object of the JPA Criteria API or into an SQL statement, queries the database, and returns the data to the front-end page for display to the user.
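Steps (5) to (9) as an added example, not code from the patent: it builds the three conditions from a rule, ANDs the basic grants, ORs the three groups, and binds every authority value as a parameter rather than concatenating it into the SQL text as the quoted `NOT IN ('A', 'B')` string would suggest. The table `student_doc`, its columns, the rule/user dict layout and the fail-closed `0 = 1` default are assumptions; only four of the condition types are covered.

```python
import sqlite3

# Assumed names for illustration; the patent defines no schema or rule format.
PERMISSION_FIELDS = {"class_name"}      # configured data authority fields (allowlist)
TEMPLATES = {                           # condition type -> predicate with bound values
    "equal": "{f} = ?",
    "unequal": "{f} <> ?",
    "containing": "{f} IN ({ph})",
    "not_containing": "{f} NOT IN ({ph})",
}


def basic_condition(grants, allow_empty):
    """Step (6): one predicate per granted field, merged with AND."""
    if not grants:
        return None, []                 # no grant contributes no access
    parts, params = [], []
    for grant in grants:
        field, ctype, values = grant["field"], grant["type"], list(grant["values"])
        if field not in PERMISSION_FIELDS:   # identifiers cannot be bound: allowlist them
            raise ValueError("unknown data authority field: %r" % (field,))
        if ctype == "all":
            continue
        if ctype not in TEMPLATES or not values:
            raise ValueError("unsupported grant: %r" % (grant,))
        if ctype in ("equal", "unequal"):
            values = values[:1]
        pred = TEMPLATES[ctype].format(f=field, ph=", ".join("?" * len(values)))
        if allow_empty:                 # records with an empty field may be viewed
            pred = "(%s OR %s IS NULL)" % (pred, field)
        parts.append(pred)
        params += values
    return " AND ".join(parts) or "1 = 1", params


def department_scope(dept, children, cascade):
    """Step (7): the user's department, plus all lower departments if cascading."""
    scope, stack = [dept], [dept]
    while cascade and stack:
        for child in children.get(stack.pop(), []):
            if child not in scope:
                scope.append(child)
                stack.append(child)
    return scope


def build_where(rule, user, children):
    """Step (9): OR the three conditions; no applicable condition means no rows."""
    clauses, params = [], []
    cond, bound = basic_condition(user["grants"], rule["allow_empty"])
    if cond:
        clauses.append(cond)
        params += bound
    if rule["org_enabled"]:
        scope = department_scope(user["dept"], children, rule["cascade"])
        clauses.append("creator_dept IN (%s)" % ", ".join("?" * len(scope)))
        params += scope
    if rule["created_by_me"]:           # step (8), creator case only
        clauses.append("creator = ?")
        params.append(user["name"])
    if not clauses:
        return "0 = 1", []
    return " OR ".join("(%s)" % c for c in clauses), params


def visible_ids(conn, rule, user, children):
    where, params = build_where(rule, user, children)
    sql = "SELECT id FROM student_doc WHERE %s ORDER BY id" % where
    return [row[0] for row in conn.execute(sql, params)]


def make_db():
    """Constructed sample rows: (id, class_name, creator, creator_dept)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student_doc (id INTEGER PRIMARY KEY, "
                 "class_name TEXT, creator TEXT, creator_dept TEXT)")
    conn.executemany("INSERT INTO student_doc VALUES (?, ?, ?, ?)", [
        (1, "A", "zhang", "D1"), (2, "B", "li", "D2"), (3, "C", "li", "D2"),
        (4, None, "wang", "D3"), (5, "A", "chen", "D1a"), (6, "D", "zhao", "D3"),
    ])
    return conn


if __name__ == "__main__":
    tree = {"D1": ["D1a"]}              # D1a is a lower department of D1
    rule = {"allow_empty": False, "org_enabled": True, "cascade": True,
            "created_by_me": True}
    user = {"name": "zhang", "dept": "D1", "grants": [
        {"field": "class_name", "type": "not_containing", "values": ["A", "B"]}]}
    print(build_where(rule, user, tree))
    print(visible_ids(make_db(), rule, user, tree))
```

Row 4 shows why the "empty field" switch matters: `NULL NOT IN (...)` is not true in SQL, so a record with an empty authority field stays hidden unless that switch adds the `IS NULL` branch.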
2. Data vertical authority filtering (as shown in FIG. 3)
(1) Define a document type and define data vertical authority filtering rules under it. Each rule comprises field name, field description, whether viewing is allowed, whether modification is allowed, whether to desensitize, whether to encrypt in transmission, desensitization rule, encryption rule, etc.; the same document type may have multiple rules configured, corresponding to multiple fields.
(2) Assign the configured data vertical authority filtering rules to specified users.
(3) When a user logs in, the data vertical authority filtering rules assigned to the user are read and placed in the distributed cache (Redis).
(4) When the user accesses data of the document type, the interpretation execution engine first performs data horizontal authority filtering. After the data is queried, the data filter reads the current user's data vertical authority filtering rules from the distributed cache (Redis), parses them through the Groovy script engine, and then performs data vertical authority filtering.
(5) Fields that are not allowed to be viewed are removed directly by the data filter and are not returned to the front-end page for display to the user.
(6) Desensitized fields: the data filter replaces the middle part of the data with "*" characters, or desensitizes through the Groovy script engine according to the configured desensitization rule, and then returns the data to the front-end page for display to the user.
(7) Encrypted fields are encrypted by the data filter using the AES + RSA algorithm, or by the Groovy script engine according to the configured encryption rule, and then returned to the front-end page for display to the user.
(8) Fields that are not allowed to be modified: when the user modifies data and submits it to the back end, the data filter removes these fields before the data is saved to the database.
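The read path of steps (5) and (6) and the write path of step (8), as an added example that is not code from the patent. The rule layout, the masking width, dropping fields that have no rule, and ignoring a masked value echoed back by the client are assumptions; the encryption of step (7) is not shown.

```python
# Constructed rules for one document type and one user. The attributes follow
# the patent's list (view / modify / desensitize); the dict layout is assumed.
RULES = {
    "id":    {"view": True,  "modify": False, "mask": False},
    "name":  {"view": True,  "modify": True,  "mask": False},
    "phone": {"view": True,  "modify": True,  "mask": True},
    "price": {"view": False, "modify": False, "mask": False},
}


def mask_middle(value):
    """Replace the middle of the value with '*', keeping about a quarter at each end."""
    text = str(value)
    keep = len(text) // 4
    if keep == 0:                       # too short to keep anything readable
        return "*" * len(text)
    return text[:keep] + "*" * (len(text) - 2 * keep) + text[-keep:]


def filter_for_read(record, rules):
    """Steps (5)-(6): drop non-viewable fields, desensitize flagged ones."""
    out = {}
    for field, value in record.items():
        rule = rules.get(field)
        if rule is None or not rule["view"]:
            continue                    # assumption: a field without a rule is hidden
        if rule["mask"] and value is not None:
            value = mask_middle(value)
        out[field] = value
    return out


def filter_for_write(submitted, stored, rules):
    """Step (8): remove non-modifiable fields from a submission before saving."""
    merged = dict(stored)
    for field, value in submitted.items():
        rule = rules.get(field)
        if rule is None or not rule["modify"]:
            continue                    # the client cannot overwrite this column
        if rule["mask"] and field in stored and value == mask_middle(stored[field]):
            continue                    # masked value echoed back: keep the real one
        merged[field] = value
    return merged


if __name__ == "__main__":
    # Constructed record; "note" has no rule on purpose.
    stored = {"id": 7, "name": "Li Lei", "phone": "13812345678",
              "price": 99.5, "note": "internal"}
    print(filter_for_read(stored, RULES))
    edit = {"id": 8, "name": "Han Mei", "phone": "13*******78", "price": 1.0}
    print(filter_for_write(edit, stored, RULES))
```

The write path is the half that enforces anything: hiding or masking a column on read does not stop a client from submitting a value for it, so the server-side strip before persistence is what keeps `id` and `price` unchanged here.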
Explanation of terms
Document type: the type of business data in the system.
Data horizontal (level) authority: i.e. row permissions for data; defines the user's access rights to each row of data of each document type.
Data vertical authority: i.e. column permissions for data; defines the user's access rights to each column of data of each document type.
Field: each column of a record is a field.
Data authority field: a business data field used for data horizontal authority filtering.
Administrative organization architecture: the department/employee relationship of system users; defines the employee information of a user, the department the employee belongs to, the superior/subordinate relationships between departments, etc.
Data horizontal authority filtering rule: defines the data horizontal authority a specific user has for a specific document type, and other restrictions on accessing and modifying data of that document type.
Data vertical authority filtering rule: defines the data vertical authority a specific user has for a specific document type, and other restrictions on accessing and modifying data of that document type.
Redis: a high-performance key-value in-memory database, typically used to implement distributed caching.
Groovy: a JVM-based dynamic language capable of executing dynamic scripts at runtime.
JPA: short for Java Persistence API; it describes object-to-relational-table mappings through JDK 5.0 annotations or XML and persists runtime entity objects to the database.
Interpretation execution engine: a tool, built on distributed cache (Redis), the Groovy script engine and the JPA framework, that automatically constructs query conditions and executes data queries according to configuration.
Fastjson: a high-performance JSON data conversion framework developed by Alibaba.
AES: short for Advanced Encryption Standard, an encryption algorithm.
RSA: an asymmetric encryption algorithm that uses public-key encryption and private-key decryption.
Data filter: a data conversion filter built on distributed cache (Redis), Fastjson, the Groovy script engine and the AES + RSA encryption algorithm, used for filtering, desensitizing and encrypting data.
The above description is only for the preferred embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (7)

1. A configuration-based method for filtering horizontal and vertical data authorities, characterized by comprising the following steps:
collecting document data to obtain a document type;
performing data horizontal (level) authority filtering on the document type to obtain first target data;
and performing data vertical authority filtering on the first target data to obtain second target data, so as to realize data filtering.
2. The configuration-based method for filtering horizontal and vertical data authorities of claim 1, comprising:
the document types comprise basic data authority, administrative organization architecture data authority and special data authority;
the special data authority comprises data created by the user, data the user is responsible for, and data awaiting approval by the user or already approved by the user.
3. The configuration-based method for filtering horizontal and vertical data authorities of claim 1, comprising:
performing horizontal authority filtering on the document type based on a horizontal authority filtering rule, wherein the rule configuration process comprises obtaining the data authority fields of the document type, and configuring a data horizontal authority filtering rule based on the data authority fields.
4. The configuration-based method for filtering horizontal and vertical data authorities of claim 1, comprising:
the process of performing data horizontal authority filtering on the document type comprises configuring a data horizontal authority filtering rule for the document type, executing a query operation on the document type to which the rule belongs, parsing the rule and constructing a query condition from it with an interpretation execution engine, and obtaining the first target data through the query condition.
5. The configuration-based method for filtering horizontal and vertical data authorities of claim 1, comprising:
performing vertical authority filtering on the first target data based on a vertical authority filtering rule, wherein the rule configuration process comprises dynamically acquiring the field information of the document type based on a persistence layer framework and reflection, and configuring a data vertical authority filtering rule based on the field information.
6. The configuration-based method for filtering horizontal and vertical data authorities of claim 1, comprising:
performing data vertical authority filtering on the first target data based on configurable attributes of the document type, the attributes comprising: field name, field description, whether viewing is allowed, whether modification is allowed, whether to desensitize, and whether to encrypt.
7. The configuration-based method for filtering horizontal and vertical data authorities of claim 1, comprising:
the process of performing data vertical authority filtering on the first target data comprises assigning a data vertical authority filtering rule to a specified user; filtering out, with a data filter, field data that is not allowed to be viewed and data that is not allowed to be modified, to obtain the remaining data; saving the remaining data to a database through a persistence layer framework; and desensitizing and encrypting the remaining data with the data filter to obtain second target data and realize data filtering.
CN202210531674.9A 2022-05-17 2022-05-17 Method for filtering horizontal and vertical permissions of data based on configuration Active CN114722250B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210531674.9A CN114722250B (en) 2022-05-17 2022-05-17 Method for filtering horizontal and vertical permissions of data based on configuration

Publications (2)

Publication Number Publication Date
CN114722250A (en) 2022-07-08
CN114722250B (en) 2022-08-26

Family

ID=82231027

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant