CN115130138A - Data security protection method, system, storage medium and equipment - Google Patents

Publication number
CN115130138A
Authority
CN
China
Prior art keywords
information
data
current user
department
employee
Prior art date
Legal status
Granted
Application number
CN202211043735.3A
Other languages
Chinese (zh)
Other versions
CN115130138B (en)
Inventor
曾应龙
李诺
Current Assignee
Jiangxi Isuzu Motors Co Ltd
Original Assignee
Jiangxi Isuzu Motors Co Ltd
Priority date
Filing date
Publication date
Application filed by Jiangxi Isuzu Motors Co Ltd
Priority to CN202211043735.3A
Publication of CN115130138A
Application granted
Publication of CN115130138B
Current status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data security protection method, system, storage medium and device. The method comprises: obtaining a plurality of groups of employee information data and dividing the data to obtain a plurality of information sub-libraries; segmenting the employee information in the information sub-libraries to obtain sub-data; distributing the obtained sub-data to different storage areas for storage, each storage area corresponding to an encryption key; obtaining an information calling instruction and determining the target employee information data; comparing the target employee information data with the current user; and judging from the comparison result whether the current user has data output authority, so as to protect the security of the target employee information data. Because the sub-data obtained from the information sub-libraries is distributed to different storage areas, each corresponding to one encryption key, the risk of employee information being stolen because it is stored in the same storage area is avoided, and the security protection level of each employee's information is improved.

Description

Data security protection method, system, storage medium and equipment
Technical Field
The present invention relates to the field of personal information management technologies, and in particular, to a method, a system, a storage medium, and a device for protecting data security.
Background
As competition between industries intensifies, it increasingly becomes a competition for talent; protecting an enterprise's personnel information has therefore become an important talent-protection measure.
Human resource management is the general term for a series of activities that, guided by economics and humanistic thinking, make effective use of the relevant human resources inside and outside an organization through management forms such as recruitment, screening, training and remuneration, so as to meet the organization's current and future development needs and to ensure that the organization's goals are achieved and member development is maximized. Specifically, it is the whole process of forecasting the organization's human resource demand, planning for that demand, recruiting and selecting personnel, organizing them effectively, evaluating performance, paying remuneration, providing effective incentives, and carrying out effective development in light of the needs of the organization and of individuals, so as to achieve optimal organizational performance.
In actual enterprise management, a large company usually has a human resource management system for managing internal employee information and the company's work-related processes. In the prior art, however, each employee generally corresponds to one system account in such a system, and the employee is authorized to log in with that account to view and obtain related information. Because a large amount of employee information is stored in the human resource management system, managing information through login authority alone is too simple a mode: a reasonable data management method that limits the system use authority of employees at different levels is lacking. This creates a risk of internal information leakage, the company's personnel information cannot be protected, and its talent information is easily stolen by competitors.
Disclosure of Invention
Based on this, the present invention aims to provide a data security protection method, system, storage medium and device that solve the technical problem that the human resource management system in the prior art manages personnel information in only a single mode, which easily leads to leakage of a company's internal information.
One aspect of the present invention provides a data security protection method, where the method includes:
acquiring a plurality of groups of employee information data, wherein each employee information data corresponds to an employee ID, performing data division on the employee information data according to attribute information of employees to obtain a plurality of information sub-libraries, the attribute information comprises department information and level information, and determining system operation authority of each employee in a current department according to the level information, and the operation authority comprises data output authority;
performing data segmentation on each employee information data in the information sub-libraries to obtain a plurality of sections of sub-data, and distributing the obtained sections of sub-data to different storage areas for storage, wherein each storage area corresponds to an encryption key so that each employee information data receives multiple protection and the security protection level of each employee's information is improved, and the data output authority has the decryption keys of all the storage areas storing the same employee information;
acquiring an information calling instruction, determining target employee information data according to the information calling instruction, acquiring target department information corresponding to the target employee information data according to the target employee information data, acquiring a current user ID according to the calling instruction, determining current user department information and current user level information according to the current user ID, and judging whether the current user department information is consistent with the target department information according to the current user department information;
if the information of the current user department is consistent with the information of the target department, determining the system operation authority of the current user in the current department according to the level information of the current user, judging whether the current user has the data output authority of the target employee information data according to the system operation authority of the current user in the current department, and if the current user does not have the data output authority of the target employee information data, failing to call the information and recording the ID of the current user so as to protect the data security of the target employee information data.
In this data security protection method, the employee information data is divided into a plurality of information sub-libraries, each employee information data in the information sub-libraries is segmented into a plurality of sections of sub-data, and the sections of sub-data are distributed to different storage areas for storage. Each storage area corresponds to one encryption key, so that the employee information data receives multiple protection; this avoids the risk that employee information is easily stolen when it is stored in the same storage area and improves the security protection level of each employee's information. The data output authority has the decryption keys of all the storage areas storing the same employee information, so when a given employee's information needs to be obtained, the decryption keys of all those storage areas must be obtained, which improves the degree of security of the employee information. When an information calling instruction is obtained, the user currently calling the information is identified from the current user ID; the current user department information and current user level information are determined from the current user ID; whether the current user department information is consistent with the target department information is judged, so as to determine the system operation authority of the current user in the current department; and whether the current user has the data output authority for the target employee information data is judged. Users calling employee information are thus managed hierarchically, ensuring the security of the employee information.
In addition, the data security protection method according to the present invention may further have the following additional technical features:
Further, after the step of determining whether the current user department information is consistent with the target department information according to the current user department information, the method further includes:
and if the information of the current user department is inconsistent with the information of the target department, the information calling fails and the current user ID is recorded so as to protect the data security of the information data of the target staff.
Further, after the step of judging whether the current user has the data output authority of the target employee information data according to the system operation authority of the current user in the current department, the method further comprises the following steps:
if the current user has the data output authority of the target employee information data, the target employee information data is allowed to be called, and the system operation authority of the current user in the current department is exited.
Further, the step of exiting the system operation authority of the current user in the current department further comprises the following steps:
and automatically cleaning the called target employee information data.
Further, the operation authority further includes a data read-only authority and a data editing authority, the data read-only authority does not have a decryption key of any storage area, and the data editing authority cannot simultaneously have decryption keys of more than two storage areas for storing the same employee information.
Further, the step of performing data segmentation on each employee information data in the information sub-libraries to obtain a plurality of sections of sub-data includes:
acquiring a sub-library ID of each information sub-library, and judging whether the current information sub-library belongs to a confidential information sub-library or not according to the sub-library ID;
if yes, performing data segmentation on each employee information data in the confidential information sub-library to obtain a plurality of sections of sub-data;
if not, data segmentation is not needed to be carried out on each employee information data in the current information sub-library.
Another aspect of the present invention provides a data security protection system, including:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring a plurality of groups of employee information data, each employee information data corresponds to an employee ID, the employee information data is subjected to data division according to attribute information of employees to obtain a plurality of information sub-libraries, the attribute information comprises department information and level information, and the system operation authority of each employee in the current department is determined according to the level information, and the operation authority comprises data output authority;
the storage module is used for performing data segmentation on each employee information data in the information sub-libraries to obtain a plurality of sections of sub-data, and distributing the obtained sections of sub-data to different storage areas for storage, wherein each storage area corresponds to an encryption key so that each employee information data receives multiple protection and the security protection level of each employee's information is improved, and the data output authority has the decryption keys of all the storage areas storing the same employee information;
the judging module is used for acquiring an information calling instruction, determining target employee information data according to the information calling instruction, acquiring target department information corresponding to the target employee information data according to the target employee information data, acquiring a current user ID according to the calling instruction, determining current user department information and current user level information according to the current user ID, and judging whether the current user department information is consistent with the target department information or not according to the current user department information;
and the protection module is used for determining the system operation authority of the current user in the current department according to the current user level information if the current user department information is consistent with the target department information, judging whether the current user has the data output authority of the target employee information data according to the system operation authority of the current user in the current department, and if the current user does not have the data output authority of the target employee information data, failing to call information and recording the ID of the current user so as to protect the data security of the target employee information data.
Another aspect of the present invention provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the data security protection method as described above.
Another aspect of the present invention also provides a data processing apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the computer program to implement the data security protection method as described above.
Drawings
FIG. 1 is a flow chart of a data security protection method according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a data security protection method according to a second embodiment of the present invention;
FIG. 3 is a flowchart illustrating the step S202 in the second embodiment of the present invention;
FIG. 4 is a system block diagram of a data security protection system according to a third embodiment of the present invention;
The following detailed description will further illustrate the invention in conjunction with the above-described figures.
Detailed Description
To facilitate an understanding of the invention, the invention will now be described more fully with reference to the accompanying drawings. Several embodiments of the invention are presented in the drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
Example one
Referring to FIG. 1, a data security protection method according to a first embodiment of the present invention is shown; the method includes steps S101 to S104:
S101, obtaining a plurality of groups of employee information data, wherein each employee information data corresponds to an employee ID, performing data division on the employee information data according to attribute information of employees to obtain a plurality of information sub-libraries, the attribute information comprises department information and level information, and determining system operation authority of each employee in the current department according to the level information, and the operation authority comprises data output authority.
In the above step, each employee information data corresponds to an employee ID, and the employee information data of each employee is divided among a plurality of information sub-libraries, so that one complete set of employee information data is stored across different information sub-libraries. This avoids the situation in which, because the employee information data is stored in a single information sub-library, a user can easily obtain the target employee information data when calling information; it raises the complexity and the threshold of an information call and ensures the information security of the employee information data.
Specifically, the groups of employee information data are gathered by department and by level, and departments and levels each correspond to an information sub-library, namely a department sub-library and a level sub-library; grouping the employee information data in this way yields the department sub-libraries and level sub-libraries corresponding to the groups of employees.
S102, performing data segmentation on each employee information data in the information sub-libraries to obtain multiple sections of sub-data, and distributing the obtained sections of sub-data to different storage areas for storage, wherein each storage area corresponds to an encryption key so that each employee information data receives multiple protection and the security protection level of each employee's information is improved, and the data output authority has the decryption keys of all the storage areas storing the same employee information.
For example, Zhang San is assigned to the research and development sub-library. When the research and development sub-library containing Zhang San is segmented, the upstream and downstream information of Zhang San's department and the current project information of the projects Zhang San is working on are obtained. The upstream and downstream information comprises Zhang San's direct superior information and Zhang San's downstream work contact information. The direct superior information, the downstream work contact information and the current project information together establish Zhang San's role data in the company, and each set of role data corresponds to one specific person, so that a unique individual is identified. Specifically, the direct superior information, downstream work contact information and current project information relating to Zhang San are stored in different storage areas; when Zhang San's employee information data needs to be called, the decryption keys of the storage areas relating to Zhang San must be held at the same time before the data output authority can be obtained.
S103, acquiring an information calling instruction, determining target employee information data according to the information calling instruction, acquiring target department information corresponding to the target employee information data according to the target employee information data, acquiring a current user ID according to the calling instruction, determining current user department information and current user level information according to the current user ID, and judging whether the current user department information is consistent with the target department information according to the current user department information.
In the above step, when the system recognizes an information calling instruction, it parses the instruction to obtain the target employee information data the instruction relates to, and compares that data with the employee information of the current user to judge whether the current user has the authority to call the target employee information data. Specifically, whether the current user and the target employee are in the same department is judged from the current user's department information. Here "same department" covers both a functionally divided department, such as a particular project group, and an administratively divided department, such as the research and development department.
It should further be noted that, in actual use, a company's senior leaders rank above department staff in the company's level relationship, so to a certain extent a senior leader has the authority to manage the company's staff. If a senior leader needs to call the employee information data of a target employee, the level authority is already satisfied, and the data can be called simply by obtaining the decryption key of the storage area. To make it convenient for senior leaders to obtain the decryption key, their system accounts are managed by level so that they have direct "green channel" authority. Specifically, no more than 2 senior-leader system accounts have this green channel authority; taking the research and development department as an example, the senior leader with green channel authority may be the system administrator or the research and development director. This makes it easier to locate, at a later stage, the user who called the data.
It should be further noted that each employee corresponds to a system account, so that the employee can log in the system to perform data acquisition or work operation.
S104, if the information of the department of the current user is consistent with the information of the target department, determining the system operation authority of the current user in the current department according to the level information of the current user, judging whether the current user has the data output authority of the information data of the target employee according to the system operation authority of the current user in the current department, and if the current user does not have the data output authority of the information data of the target employee, failing to call the information and recording the ID of the current user so as to protect the data security of the information data of the target employee.
Recording the current user ID makes it possible to trace access to the target employee information data at a later stage and prevents employee information from being stolen.
In summary, in the data security protection method of the above embodiment of the present invention, the employee information data is divided into a plurality of information sub-libraries, each employee information data in the information sub-libraries is segmented into a plurality of sections of sub-data, and the sections of sub-data are distributed to different storage areas for storage. Each storage area corresponds to one encryption key, so that each employee information data receives multiple protection; this avoids the risk that employee information is easily stolen when it is stored in the same storage area and improves the security protection level of each employee's information. The data output authority has the decryption keys of all the storage areas storing the same employee information, so when a given employee's information needs to be obtained, the decryption keys of all those storage areas must be obtained, which improves the degree of security of the employee information.
When an information calling instruction is obtained, the user currently calling the information is identified from the obtained current user ID; the current user department information and current user level information are determined from the current user ID; whether the current user department information is consistent with the target department information is judged, so as to determine the system operation authority of the current user in the current department; and whether the current user has the data output authority for the target employee information data is judged. Users calling employee information are thus managed hierarchically, ensuring the security of the employee information. If the current user does not have the data output authority for the target employee information data, the information call fails and the current user ID is recorded so as to protect the data security of the target employee information data. This solves the technical problem that the human resource management system in the prior art manages personnel information in only a single mode, which easily leads to leakage of a company's internal information.
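The flow of steps S101 to S104 as a runnable sketch. This is an added example, not code from the patent: the level names, the `EmployeeStore` and `User` classes, the constructed sample record and the audit-log format are assumptions, and the hash-based `seal`/`unseal` pair is only a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical mapping from level information to operation authority (S101).
LEVEL_AUTHORITY = {"manager": "output", "staff": "read_only"}


def _subkeys(key):
    # Separate encryption and MAC keys derived from one storage-area key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key, nonce, data):
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Stand-in for an AEAD so the sketch needs no third-party package."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified segment")
    return _xor_stream(enc_key, body[:16], body[16:])


@dataclass
class User:
    user_id: str
    department: str
    level: str
    keyring: dict = field(default_factory=dict)  # storage area -> decryption key


class EmployeeStore:
    def __init__(self, area_names):
        self.area_keys = {a: os.urandom(32) for a in area_names}  # one key per area
        self.areas = {a: {} for a in area_names}  # area -> {employee_id: sealed segment}
        self.department_of = {}                   # employee_id -> department
        self.audit_log = []                       # (user_id, employee_id, reason)

    def store(self, employee_id, department, segments):
        """S102: each segment goes to its own storage area under that area's key."""
        self.department_of[employee_id] = department
        for area, text in segments.items():
            self.areas[area][employee_id] = seal(self.area_keys[area], text.encode())

    def _deny(self, user, employee_id, reason):
        # A failed call records the current user ID for later tracing.
        self.audit_log.append((user.user_id, employee_id, reason))
        return None

    def call(self, user, employee_id):
        """S103-S104: department check, level-derived authority, then every area key."""
        if user.department != self.department_of.get(employee_id):
            return self._deny(user, employee_id, "department mismatch")
        if LEVEL_AUTHORITY.get(user.level) != "output":
            return self._deny(user, employee_id, "no data output authority")
        record = {}
        for area, rows in self.areas.items():
            if employee_id not in rows:
                continue
            try:
                record[area] = unseal(user.keyring[area], rows[employee_id]).decode()
            except (KeyError, ValueError):
                # Assumption: a missing or wrong area key is logged like any other denial.
                return self._deny(user, employee_id, "missing storage-area key")
        return record


def demo():
    store = EmployeeStore(["superior", "downstream", "project"])
    # Constructed sample record, split the way the Zhang San example describes.
    store.store("E001", "R&D", {"superior": "Li Si", "downstream": "Wang Wu",
                                "project": "Project A"})
    all_keys = dict(store.area_keys)
    one_key = {"project": store.area_keys["project"]}
    users = [User("U10", "R&D", "manager", all_keys),
             User("U20", "Sales", "manager", all_keys),
             User("U30", "R&D", "staff", one_key),
             User("U40", "R&D", "manager", one_key)]
    results = {u.user_id: store.call(u, "E001") for u in users}
    return results, store.audit_log


if __name__ == "__main__":
    print(demo())
```

Only U10 gets the reassembled record; the other three calls return nothing and leave one audit entry each.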
Example two
Referring to FIG. 2, a data security protection method according to a second embodiment of the present invention is shown; the method includes steps S201 to S210:
S201, obtaining multiple groups of employee information data, wherein each employee information data corresponds to an employee ID, performing data division on the employee information data according to attribute information of employees to obtain multiple information sub-libraries, the attribute information comprises department information and level information, and system operation authority of each employee in the current department is determined according to the level information, and the operation authority comprises data output authority.
S202, performing data segmentation on each employee information data in the information sub-libraries to obtain multiple sections of sub-data, and distributing the obtained sections of sub-data to different storage areas for storage, wherein each storage area corresponds to an encryption key so that each employee information data receives multiple protection and the security protection level of each employee's information is improved, and the data output authority has the decryption keys of all the storage areas storing the same employee information.
The operation authority further comprises a data read-only authority and a data editing authority. If the current user holds the decryption key of only one storage area, the current user has only the data read-only authority for the storage area corresponding to that key. If the current user holds the decryption keys of only two storage areas, the current user has the data editing authority and the data read-only authority for the two storage areas corresponding to those keys; that is, the data editing authority is the authority a user has when the user cannot simultaneously hold the decryption keys of more than two storage areas corresponding to the same employee information.
Each storage area is provided with a corresponding decryption key, so the number of decryption keys is determined by the number of area questions answered, which in turn determines the current user's data operation authority. In other words, different operation authorities correspond to different decryption keys, which meets the needs of users at different levels: on the one hand daily work can be carried out, and on the other hand access to employee information data can be traced so that the data is protected from theft.
For example, when a user calls Zhang San's information data, if the user can answer the area question of only one storage area, the user has only the data read-only authority for the corresponding storage area, so that the information security of the storage area is protected.
Specifically, as shown in FIG. 3, the process of performing data segmentation on each employee information data in the information sub-libraries to obtain multiple sections of sub-data includes steps S2021 to S2024:
S2021, acquiring a sub-library ID of each information sub-library;
S2022, judging whether the current information sub-library belongs to the confidential information sub-library according to the sub-library ID.
To save the system's computing resources and improve its running capacity and efficiency, the information sub-libraries in the system need to be classified so that they can be managed in clusters. That is, the information sub-libraries are classified into confidential information sub-libraries, which need to be kept secret, and common information sub-libraries, which only need general management. The information carried by a common information sub-library is routine information that does not reach the confidential level; the employee information carried by a confidential information sub-library is the information of employees who need key protection.
For example, in actual use the department sub-library may be set as a confidential information sub-library, so that the department information of the company's employees is kept confidential and no employee can easily obtain the department information of another employee, thereby keeping that employee's data confidential. Even if a user knows that a certain person is an employee of the company, the user cannot easily learn, or cannot learn at all, that employee's department information, and so cannot obtain the employee's identity and the work the employee does in the company. The employee's information is thus kept secret at the source, further ensuring the employee's information security.
If the current information sub-library belongs to the confidential information sub-library, executing step S2023;
if the current information sub-library does not belong to the secret information sub-library, executing the step S2024;
s2023, performing data segmentation on each employee information data in the confidential information sub-library to obtain a plurality of sections of sub-data.
And S2024, data segmentation is not needed to be carried out on each employee information data in the current information sub-base.
In order to improve the computing efficiency of the system and avoid the waste of computing resources of the computing system, before data segmentation is carried out on employee information, the ID of the sublibrary is judged to determine whether the current information sublibrary belongs to a secret information sublibrary, and if yes, data segmentation is carried out; if not, the data segmentation is not carried out, so that the segmentation times of the system are reasonably used, and the calculation resources are prevented from being occupied during segmentation.
S203, obtaining an information calling instruction, determining target employee information data according to the information calling instruction, obtaining the target department information corresponding to the target employee information data, obtaining the current user ID according to the calling instruction, and determining the current user department information and current user level information according to the current user ID.
To determine the target employee information data required by the current user, the information calling instruction is parsed when it is obtained, and the target employee information data is identified from it. The relevant information of the target employee can then be further determined, for example by comparing the information of the current user with that of the target employee to determine their department relationship and level relationship, and thus whether the current user has the level required to call the target employee information data.
S204, judging whether the current user department information is consistent with the target department information.
If the current user has the level required to call the target employee information data, the department relationship between the current user and the target employee is further judged, so that employees cannot freely call the employee information data of departments other than their own. This reduces the risk of information leakage and prevents leakage at the source.
If the current user department information is consistent with the target department information, executing step S205;
if the current user department information is inconsistent with the target department information, executing step S210;
S205, determining the system operation authority of the current user in the current department according to the current user level information.
S206, judging, according to the system operation authority, whether the current user has the data output authority for the target employee information data.
Judging the data output authority further raises the threshold for a user to output employee information data, prevents malicious persons from entering the system and calling employee information data, and improves the security protection of the employee information data.
If the current user does not have the data output authority for the target employee information data, executing step S207;
if the current user has the data output authority for the target employee information data, executing step S208;
S207, failing the information call and recording the current user ID, so as to protect the data security of the target employee information data.
S208, allowing the target employee information data to be called, and exiting the system operation authority of the current user in the current department.
S209, automatically cleaning the called target employee information data.
S210, failing the information call and recording the current user ID, so as to protect the data security of the target employee information data.
It should be noted that the method provided by the second embodiment of the present invention has the same implementation principle as the first embodiment and produces some of the same technical effects; for brevity, where this embodiment does not mention a point, refer to the corresponding content in the first embodiment.
In summary, in the data security protection method of the above embodiment of the present invention, the employee information data is divided into a plurality of information sub-libraries, each piece of employee information data in an information sub-library is further segmented into multiple segments of sub-data, and the segments are distributed to different storage areas for storage. Each storage area corresponds to one encryption key, so that each piece of employee information data receives multiple layers of protection; this avoids the risk that employee information stored in a single storage area is easily stolen and improves the security protection level of each employee's information. The data output authority holds the decryption keys of all the storage areas that store the same employee's information, so obtaining a given employee's information requires the decryption keys of all those storage areas, which improves the security of the employee information.
When an information calling instruction is obtained, the user making the call is identified from the obtained current user ID, and the current user department information and current user level information are determined from that ID. Whether the current user department information is consistent with the target department information is then judged, so as to determine the system operation authority of the current user in the current department, and whether the current user has the data output authority for the target employee information data is judged. Users calling employee information are thus managed hierarchically to ensure the security of the employee information. If the current user does not have the data output authority for the target employee information data, the information call fails and the current user ID is recorded, protecting the data security of the target employee information data. This solves the technical problem in the prior art that human resource management systems manage employee information in a single mode, which easily leads to leakage of internal company information.
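The call flow of steps S202 to S210 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the level threshold `OUTPUT_MIN_LEVEL`, the confidential sub-library ID `dept`, the sample records, and the use of a key comparison in place of real per-area encryption are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CONFIDENTIAL_SUBLIBRARY_IDS = {"dept"}   # assumption: IDs of confidential sub-libraries
OUTPUT_MIN_LEVEL = 3                     # assumption: level granting data output authority


@dataclass
class StorageArea:
    """One storage area with its own key. The key comparison stands in for
    decryption; a real system would encrypt each area with a vetted AEAD cipher."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    segments: dict = field(default_factory=dict)   # employee_id -> segment

    def read(self, employee_id, presented_key):
        if not hmac.compare_digest(self.key, presented_key):
            raise PermissionError("wrong key for storage area")
        return self.segments[employee_id]


@dataclass
class User:
    user_id: str
    department: str
    level: int
    keys: dict = field(default_factory=dict)       # area name -> key held


class Store:
    def __init__(self, area_names):
        self.areas = {name: StorageArea() for name in area_names}
        self.department_of = {}    # employee_id -> department
        self.whole = {}            # unsegmented records of common sub-libraries
        self.audit_log = []        # (user_id, employee_id, reason) for failed calls

    def put(self, sublibrary_id, employee_id, department, data):
        """S2021-S2024: segment only records held in a confidential sub-library."""
        self.department_of[employee_id] = department
        if sublibrary_id not in CONFIDENTIAL_SUBLIBRARY_IDS:
            self.whole[employee_id] = data          # S2024: stored unsegmented
            return
        size = -(-len(data) // len(self.areas))     # S2023: ceiling division
        for i, area in enumerate(self.areas.values()):
            area.segments[employee_id] = data[i * size:(i + 1) * size]

    def key_authority(self, user):
        """Authority implied by the number of valid area keys the user holds."""
        held = sum(1 for name, area in self.areas.items()
                   if hmac.compare_digest(area.key, user.keys.get(name, b"")))
        if held == len(self.areas):
            return "output"
        # Two keys: edit plus read-only on those areas; one key: read-only.
        # Any other count is not defined on the page and fails closed here.
        return {2: "edit", 1: "read_only"}.get(held, "none")

    def call(self, user, employee_id, consumer):
        """S203-S210. Returns consumer(data) on success, None on a failed call."""
        def deny(reason):
            self.audit_log.append((user.user_id, employee_id, reason))

        if user.department != self.department_of.get(employee_id):      # S204
            return deny("department mismatch")                          # S210
        segmented = employee_id not in self.whole
        if user.level < OUTPUT_MIN_LEVEL or (                           # S205
                segmented and self.key_authority(user) != "output"):    # S206
            return deny("no data output authority")                     # S207
        if segmented:                                                   # S208
            buf = bytearray().join(area.read(employee_id, user.keys[name])
                                   for name, area in self.areas.items())
        else:
            buf = bytearray(self.whole[employee_id])
        try:
            return consumer(buf)
        finally:
            user.keys.clear()          # S208: exit authority (modelled as dropping keys)
            buf[:] = bytes(len(buf))   # S209: wipe the called data


def demo():
    """Constructed sample data: three callers request the same record."""
    store = Store(["area_a", "area_b", "area_c"])
    store.put("dept", "E100", "engineering", b"name=Li;dept=engineering;grade=7")
    all_keys = {name: area.key for name, area in store.areas.items()}
    manager = User("U1", "engineering", 3, dict(all_keys))
    clerk = User("U2", "engineering", 1, {"area_a": all_keys["area_a"]})
    outsider = User("U3", "sales", 3, dict(all_keys))
    results = [store.call(u, "E100", bytes) for u in (manager, clerk, outsider)]
    return results, store.audit_log
```

Only the caller in the target's department who has both the required level and every area key receives the record; the other two calls return nothing and leave an audit entry with the caller's ID.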
EXAMPLE III
Referring to fig. 4, a data security protection system according to a third embodiment of the present invention is shown, where the system includes:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring a plurality of groups of employee information data, each piece of employee information data corresponding to an employee ID, and dividing the employee information data according to attribute information of the employees to obtain a plurality of information sub-libraries, the attribute information comprising department information and level information; the system operation authority of each employee in the current department is determined according to the level information, and the operation authority comprises a data output authority;
the storage module is used for performing data segmentation on each piece of employee information data in the information sub-library to obtain multiple segments of sub-data and distributing the segments to different storage areas for storage, wherein each storage area corresponds to one encryption key so that each piece of employee information data receives multiple layers of protection and the security protection level of each employee's information is improved, and the data output authority holds the decryption keys of all the storage areas that store the same employee's information;
the judging module is used for acquiring an information calling instruction, determining target employee information data according to the information calling instruction, acquiring the target department information corresponding to the target employee information data, acquiring the current user ID according to the calling instruction, determining the current user department information and current user level information according to the current user ID, and judging whether the current user department information is consistent with the target department information;
and the protection module is used for, if the current user department information is consistent with the target department information, determining the system operation authority of the current user in the current department according to the current user level information and judging, according to that system operation authority, whether the current user has the data output authority for the target employee information data; if the current user does not have the data output authority for the target employee information data, the information call fails and the current user ID is recorded, so as to protect the data security of the target employee information data.
In some optional embodiments, the judging module comprises:
a first execution module, used for failing the information call and recording the current user ID, so as to protect the data security of the target employee information data, if the current user department information is inconsistent with the target department information.
In some optional embodiments, the system further comprises, after the protection module:
a second execution module, used for allowing the target employee information data to be called and exiting the system operation authority of the current user in the current department if the current user has the data output authority for the target employee information data.
In some optional embodiments, the system further comprises, after the second execution module:
an automatic cleaning module, used for automatically cleaning the called target employee information data.
In some optional embodiments, the storage module comprises:
a judging unit, used for acquiring the sub-library ID of each information sub-library and judging, according to the sub-library ID, whether the current information sub-library belongs to the confidential information sub-library;
a first execution subunit, used for performing data segmentation on each piece of employee information data in the confidential information sub-library to obtain multiple segments of sub-data when the current information sub-library belongs to the confidential information sub-library;
and a second execution subunit, used for performing no data segmentation on the employee information data in the current information sub-library when the current information sub-library does not belong to the confidential information sub-library.
In summary, in the data security protection system of the above embodiment of the present invention, the employee information data is divided into a plurality of information sub-libraries, each piece of employee information data in an information sub-library is further segmented into multiple segments of sub-data, and the segments are distributed to different storage areas for storage. Each storage area corresponds to one encryption key, so that each piece of employee information data receives multiple layers of protection; this avoids the risk that employee information stored in a single storage area is easily stolen and improves the security protection level of each employee's information. The data output authority holds the decryption keys of all the storage areas that store the same employee's information, so obtaining a given employee's information requires the decryption keys of all those storage areas, which improves the security of the employee information.
When an information calling instruction is obtained, the user making the call is identified from the obtained current user ID, and the current user department information and current user level information are determined from that ID. Whether the current user department information is consistent with the target department information is then judged, so as to determine the system operation authority of the current user in the current department, and whether the current user has the data output authority for the target employee information data is judged. Users calling employee information are thus managed hierarchically to ensure the security of the employee information. If the current user does not have the data output authority for the target employee information data, the information call fails and the current user ID is recorded, protecting the data security of the target employee information data. This solves the technical problem in the prior art that human resource management systems manage employee information in a single mode, which easily leads to leakage of internal company information.
Furthermore, an embodiment of the present invention also proposes a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the method in the above-described embodiment.
Furthermore, an embodiment of the present invention also provides a data processing device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method in the foregoing embodiments are implemented.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Further, the computer readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

Claims (9)

1. A method for securing data, the method comprising:
acquiring a plurality of groups of employee information data, each piece of employee information data corresponding to an employee ID, and dividing the employee information data according to attribute information of the employees to obtain a plurality of information sub-libraries, wherein the attribute information comprises department information and level information, the system operation authority of each employee in the current department is determined according to the level information, and the operation authority comprises a data output authority;
performing data segmentation on each piece of employee information data in the information sub-library to obtain multiple segments of sub-data, and distributing the segments to different storage areas for storage, wherein each storage area corresponds to one encryption key so that each piece of employee information data receives multiple layers of protection and the security protection level of each employee's information is improved, and the data output authority holds the decryption keys of all the storage areas that store the same employee's information;
acquiring an information calling instruction, determining target employee information data according to the information calling instruction, acquiring the target department information corresponding to the target employee information data, acquiring the current user ID according to the calling instruction, determining the current user department information and current user level information according to the current user ID, and judging whether the current user department information is consistent with the target department information;
if the current user department information is consistent with the target department information, determining the system operation authority of the current user in the current department according to the current user level information, and judging, according to that system operation authority, whether the current user has the data output authority for the target employee information data; if the current user does not have the data output authority for the target employee information data, failing the information call and recording the current user ID, so as to protect the data security of the target employee information data.
2. The data security protection method according to claim 1, wherein the step of judging whether the current user department information is consistent with the target department information further comprises:
if the current user department information is inconsistent with the target department information, failing the information call and recording the current user ID, so as to protect the data security of the target employee information data.
3. The data security protection method of claim 1, wherein the step of judging whether the current user has the data output authority for the target employee information data according to the system operation authority of the current user in the current department further comprises:
if the current user has the data output authority for the target employee information data, allowing the target employee information data to be called, and exiting the system operation authority of the current user in the current department.
4. The data security protection method of claim 3, wherein the step of exiting the system operation authority of the current user in the current department is followed by:
automatically cleaning the called target employee information data.
5. The data security protection method according to claim 1, wherein the operation authority further includes a data read-only authority and a data editing authority, and if the current user holds the decryption key of only one storage area, the current user has only the data read-only authority for the storage area corresponding to that decryption key;
if the current user holds the decryption keys of only two storage areas, the current user has the data editing authority and the data read-only authority for the two storage areas corresponding to those decryption keys; that is, the data editing authority is the authority a user has when the user cannot simultaneously hold the decryption keys of more than two storage areas corresponding to the same employee information.
6. The data security protection method of claim 1, wherein the step of performing data segmentation on each piece of employee information data in the information sub-library to obtain multiple segments of sub-data comprises:
acquiring the sub-library ID of each information sub-library, and judging, according to the sub-library ID, whether the current information sub-library belongs to the confidential information sub-library;
if yes, performing data segmentation on each piece of employee information data in the confidential information sub-library to obtain multiple segments of sub-data;
if not, performing no data segmentation on the employee information data in the current information sub-library.
7. A data security protection system, the system comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring a plurality of groups of employee information data, each piece of employee information data corresponding to an employee ID, and dividing the employee information data according to attribute information of the employees to obtain a plurality of information sub-libraries, the attribute information comprising department information and level information; the system operation authority of each employee in the current department is determined according to the level information, and the operation authority comprises a data output authority;
the storage module is used for performing data segmentation on each piece of employee information data in the information sub-library to obtain multiple segments of sub-data and distributing the segments to different storage areas for storage, wherein each storage area corresponds to one encryption key so that each piece of employee information data receives multiple layers of protection and the security protection level of each employee's information is improved, and the data output authority holds the decryption keys of all the storage areas that store the same employee's information;
the judging module is used for acquiring an information calling instruction, determining target employee information data according to the information calling instruction, acquiring the target department information corresponding to the target employee information data, acquiring the current user ID according to the calling instruction, determining the current user department information and current user level information according to the current user ID, and judging whether the current user department information is consistent with the target department information;
and the protection module is used for, if the current user department information is consistent with the target department information, determining the system operation authority of the current user in the current department according to the current user level information and judging, according to that system operation authority, whether the current user has the data output authority for the target employee information data; if the current user does not have the data output authority for the target employee information data, the information call fails and the current user ID is recorded, so as to protect the data security of the target employee information data.
8. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of data security protection according to any one of claims 1 to 6.
9. A data processing apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the data security method of any one of claims 1 to 6 when executing the program.
CN202211043735.3A 2022-08-30 2022-08-30 Data security protection method, system, storage medium and equipment Active CN115130138B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211043735.3A CN115130138B (en) 2022-08-30 2022-08-30 Data security protection method, system, storage medium and equipment

Publications (2)

Publication Number Publication Date
CN115130138A true CN115130138A (en) 2022-09-30
CN115130138B CN115130138B (en) 2022-12-27

Family

ID=83387727

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211043735.3A Active CN115130138B (en) 2022-08-30 2022-08-30 Data security protection method, system, storage medium and equipment

Country Status (1)

Country Link
CN (1) CN115130138B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115688069A (en) * 2022-11-04 2023-02-03 江西五十铃汽车有限公司 System login request response method, device and equipment

Also Published As

Publication number Publication date
CN115130138B (en) 2022-12-27

Similar Documents

Publication Publication Date Title
US20060136327A1 (en) Risk control system
Oh et al. Task-role based access control (T-RBAC): An improved access control model for enterprise environment
Hansen et al. Conformance checking of RBAC policy and its implementation
CN115130138B (en) Data security protection method, system, storage medium and equipment
CN112487458B (en) Implementation method and system using government affair open sensitive data
Collard et al. A definition of Information Security Classification in cybersecurity context
Dreyling et al. Cyber security risk analysis for a virtual assistant G2C digital service using FAIR model
CN110457529B (en) Post data processing method and device, computer equipment and storage medium
CN116595573B (en) Data security reinforcement method and device for traffic management information system
Zuccato et al. Service security requirement profiles for telecom: how software engineers may tackle security
Palko et al. Determining Key Risks for Modern Distributed Information Systems.
Davidson et al. Provenance: Privacy and Security.
Huang et al. A study on information security management with personal data protection
Gardazi et al. Compliance-driven architecture for healthcare industry
Tashi et al. Efficient security measurements and metrics for risk assessment
Goldstein et al. A language for multi-perspective modelling of IT security: objectives and analysis of requirements
Luma et al. Comparision of maturity model frameworks in information security and their implementation
Salman et al. Analysis and Development of Information Security Framework for Distributed E-Procurement System
Jaferian et al. RUPSec: extending business modeling and requirements disciplines of RUP for developing secure systems
Westin Civil liberties issues in public databanks
Othman et al. A Conceptual Framework of Information Security Database Audit and Assessment
McConnell National training standard for information systems security (INFOSEC) professionals
Akkuzu et al. Data-driven Chinese walls
Susan Goodman Aligning privacy and IM within the IG framework
Ogunseye et al. Meta-heuristics based multi-layer access control technique (MBMAC)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant