CN115344888A - Data access method and device, electronic equipment and storage medium - Google Patents


Publication number
CN115344888A
Authority
CN
China
Prior art keywords
data
target
access
user
level
Legal status
Pending
Application number
CN202210951389.2A
Other languages
Chinese (zh)
Inventor
王伟明
欧阳佳维
Current Assignee
Ping An Bank Co Ltd
Original Assignee
Ping An Bank Co Ltd
Priority to CN202210951389.2A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The method first receives a data access request from a target user for target data. It then determines the access authority level of the target user according to the data access request and, according to the data access request and a preset mapping relation between users and data security classification rules, determines from a plurality of different data security classification rules the target data security classification rules to which the target user has access authority. It then obtains the target security level of the target data under each target data security classification rule, matches the access authority level of the target user against each target security level of the target data, judges from the matching result whether the target user has access authority to the target data, and if so returns the target data to the target user. In this way, users with the same authority level can obtain data in a differentiated manner, the requirements of complex scenarios are met, and efficiency is significantly improved.

Description

Data access method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a data access method and apparatus, an electronic device, and a storage medium.
Background
As the state places increasing emphasis on data security, laws and regulations continue to be issued, and financial institutions pay more and more attention to the compliance and security of data use when promoting their businesses. Data must be marked with a security level before it is used, and users are assigned access authority levels; a user with a given authority level can only access data whose security level is not higher than that level, and access to higher-level data requires an application that must be submitted and audited.
When business departments currently process data access, security level marking, access authority application, access authority review and similar steps are all completed manually, so the workload is large, efficiency and accuracy are low, and systematic management is lacking. In addition, when data is labelled with a security level, it is classified according to a single security classification rule, and the access authority levels of all users who need the data are matched against that security level. In actual scenarios, however, work requirements are complex and users with the same authority level have different data needs: some users only need data with a low security level, while others may additionally need part of the data with a high security level. If the authority level of the latter users is simply raised, part of the high-security-level data is still unavailable to them, and raising authority levels at will brings a risk of leakage. If the user's level is not raised, the user must submit an authority application each time high-security-level data is needed, obtain the data after manual review, and have the authority revoked after the query, so the review and revocation process is carried out once per query. In an actual scenario there may be many users who need certain high-security-level data, the high-security-level data needed by different users differs, and the high-security-level data needed by the same user may differ each time; review and revocation must be carried out separately each time, which increases the workload of reviewers and reduces efficiency.
Therefore, the current data access method has the technical problems that the requirements of complex scenes cannot be met and the efficiency is low, and needs to be improved.
Disclosure of Invention
Embodiments of the present application provide a data access method, an apparatus, an electronic device, and a storage medium, so as to alleviate the technical problems that the current data access method cannot meet the requirements of complex scenes and is low in efficiency.
In order to solve the above technical problem, an embodiment of the present application provides the following technical solutions:
The application provides a data access method, which comprises the following steps:
receiving a data access request of a target user for target data;
determining the access authority level of the target user according to the data access request, and determining a target data security classification rule with access authority of the target user from a plurality of different data security classification rules according to a preset mapping relation between the user and the data security classification rule and the data access request;
acquiring target security levels of the target data under each target data security classification rule;
matching the access authority level of the target user with each target security level of the target data, and judging whether the target user has the access authority to the target data according to a matching result;
and if so, returning the target data to the target user.
Meanwhile, an embodiment of the present application further provides a data access apparatus, including:
the receiving module is used for receiving a data access request of a target user for target data;
the determining module is used for determining the access authority level of the target user according to the data access request, and determining a target data security classification rule with access authority of the target user from a plurality of different data security classification rules according to a preset mapping relation between users and data security classification rules and the data access request;
the acquisition module is used for acquiring the target security level of the target data under each target data security classification rule;
the matching module is used for matching the access authority level of the target user with each target security level of the target data and judging whether the target user has the access authority to the target data or not according to a matching result;
and if so, returning the target data to the target user.
The application also provides an electronic device comprising a memory and a processor; the memory stores an application program, and the processor is configured to run the application program in the memory to perform the steps of the data access method.
An embodiment of the present application provides a computer-readable storage medium, where a plurality of instructions are stored in the computer-readable storage medium, and the instructions are suitable for being loaded by a processor to perform the steps in the data access method.
Beneficial effects: the method first receives a data access request of a target user for target data, then determines the access authority level of the target user according to the data access request, and determines the target data security classification rules to which the target user has access authority according to the data access request and a preset mapping relation between users and data security classification rules. It then obtains the target security level of the target data under each target data security classification rule, matches the access authority level of the target user with each target security level of the target data, judges whether the target user has access authority to the target data according to the matching result, and if so returns the target data to the target user. Because a plurality of different data security classification rules are set, the security levels of the same data under different rules are not completely the same; and because a preset mapping relation is established, different users with the same access authority level have access authority to different data security classification rules. The same target data is therefore accessible to some users and not to others, that is, the same target data has different security levels for different users. Users with the same access authority level can thus obtain data in a differentiated manner, the requirements of complex scenarios are met, users who want to access high-security-level data do not need authority review and authority revocation each time, and efficiency is significantly improved.
Drawings
The technical solution and other advantages of the present application will become apparent from the detailed description of the embodiments of the present application with reference to the accompanying drawings.
Fig. 1 is a schematic view of an application scenario of a data access method provided in an embodiment of the present application.
Fig. 2 is a schematic flowchart of a first data access method according to an embodiment of the present application.
Fig. 3 is an interface schematic diagram of a configuration interface in an embodiment of the present application.
Fig. 4 is an interface schematic diagram of a query interface in an embodiment of the present application.
Fig. 5 is a second flowchart of a data access method according to an embodiment of the present application.
Fig. 6 is a schematic structural diagram of a data access device according to an embodiment of the present application.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It should be apparent that the described embodiments are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a data access method, a data access device, an electronic device and a computer-readable storage medium, wherein the data access device can be integrated in the electronic device, and the electronic device can be a server or a terminal.
Referring to fig. 1, fig. 1 is a schematic view of an application scenario of the data access method provided in an embodiment of the present application. The scenario may include terminals and servers; terminals, servers, and terminals and servers with each other are connected and communicate through an internet formed by various gateways. The application scenario includes a user terminal 11 and a server 12; the user terminal 11 may be a device with a human-computer interaction function, and the server 12 includes a local server and/or a remote server, etc.
The user terminal 11 and the server 12 are located in a wireless network or a wired network to realize data interaction between the two, wherein:
the server 12 receives a data access request, which is sent by a target user on the user terminal 11 and is directed to target data, determines an access authority level of the target user according to the data access request, determines a target data security classification rule of which the target user has access authority from a plurality of different data security classification rules according to a preset mapping relation between the user and the data security classification rule and the data access request, acquires the target security level of the target data under each target data security classification rule, matches the access authority level of the target user with each target security level of the target data, judges whether the target user has the access authority to the target data according to a matching result, and returns the target data to the user terminal 11 where the target user is located if the target data has the access authority.
It should be noted that the system scenario schematic diagram shown in fig. 1 is only an example, and the server and the scenario described in the embodiment of the present application are used to illustrate the technical solution of the embodiment of the present application more clearly, and do not form a limitation on the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows, with the evolution of the system and the occurrence of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems. The following are detailed below. It should be noted that the following description of the embodiments is not intended to limit the preferred order of the embodiments.
Referring to fig. 2, fig. 2 is a first schematic flowchart of a data access method according to an embodiment of the present application, where the method specifically includes:
S1: Receive a data access request of a target user for target data.
The data in the present application refers to data contained in the financial system, such as customer information, transaction information, organization information, and the like; the various kinds of data may be stored in corresponding databases. A user refers to a person who has access to some or all of the data, and in particular to a financial institution staff member. When a target user needs to access target data among this data, a data access request for the target data is sent to the server, and the server receives the request and responds.
In one embodiment, before S1, the method further comprises: receiving a configuration operation for a plurality of different data security classification rules; generating a plurality of data security classification rules in response to the configuration operation; auditing the plurality of data security classification rules based on preset audit conditions; and when the audit is passed, performing different security classifications on the data based on the plurality of data security classification rules to obtain the security levels of the data under the different data security classification rules.
For all the data mentioned above, in order to ensure the security of the data, it is necessary to perform security classification on the data first and perform access permission classification on the client at the same time, the data with higher security level can only be accessed by the user with higher access permission level, and the data with lower security level can be accessed by the users with higher and lower access permission levels at the same time. For example, the security level of data such as transaction institutions and transaction dates of multiple transactions is low, and the data can be accessed by users with low access right levels and high access right levels inside banks, and only the user with the high access right level can access the information of clients, transaction amount information and the like related to each transaction, and the user with the low access right level cannot access the information. Through the data grading and access authority grading modes, the safety of the data can be improved, and information leakage is prevented.
Before a user initiates an access request, data is security-classified according to preset data security classification rules. A data security classification rule is a classification rule formulated within a financial institution in combination with relevant laws and regulations, and specifies a classification target, a classification range, a classification basis and the like. In the embodiment of the application, there are a plurality of different data security classification rules for the data; the classification targets, classification ranges and classification bases of these rules are not completely identical, and the resulting security levels of the same data differ under different data security classification rules. For example, the classification target of data security classification rule S is all data of databases 2 to 4, its classification range is S1 to S5 with data security levels decreasing in sequence from S1 to S5, and its classification basis is the sensitivity of the data field; the classification target of data security classification rule Q is all data in databases 1 to 5, its classification range is Q1 to Q5 with data security levels decreasing in sequence from Q1 to Q5, and its classification basis is the sensitivity of the business category to which the data belongs. For data a in database 3, the security level may be S3 under data security classification rule S and Q2 under data security classification rule Q.
In the embodiment of the application, the data can be subjected to attribute analysis from a plurality of different dimensions, so that a data security classification rule of the plurality of dimensions is constructed. For example, the data with field 1 is ranked one level and the data with field 2 is ranked another level, ranked by field sensitivity; for another example, the classification is performed according to the service sensitivity dimension, data belonging to service 1 is of one class, data belonging to service 2 is of another class, and the like.
In this embodiment of the present application, a user performs configuration operations for a plurality of different data security classification rules on a configuration interface. As shown in fig. 3, a data security classification rule table may first be constructed during configuration; the table includes elements such as the rule classification (the first-level, second-level, third-level classification and so on of each data security classification rule), the rule name (the name of the current rule in the system), the rule grade (the classification of data under the current rule), and the matching mode or matching condition (full matching mode, incremental matching mode and so on when data is matched against a rule), and each element is then configured in turn on the interface based on the table. The server generates a plurality of data security classification rules in response to the configuration operation. To ensure the accuracy of the final data classification, the generated data security classification rules are audited based on preset audit conditions; when the audit is passed, the rules are published in the corresponding system, and different security classifications are then performed on the data based on the plurality of data security classification rules to obtain the security levels of the data under the different rules. As shown in fig. 4, some or all of the data security classification rules may be selected first; then either all data in the current system is selected for querying (full mode) or only data whose security level is empty is selected (incremental mode); the selected data is then automatically matched one by one against the data security classification rules, and each data item is marked with its security level under the current data security classification rule.
S2: Determine the access authority level of the target user according to the data access request, and determine, from a plurality of different data security classification rules, the target data security classification rules to which the target user has access authority according to the data access request and the preset mapping relation between users and data security classification rules.
Before any user initiates an access request, each user is assigned a corresponding access authority level. The access authority level limits the user's access to data of different security levels: when the access authority level of a user is level 2, the user can access all data in the system whose security level is level 2 and below. Each user has a corresponding access authority level; when a target user initiates a data access request, the access authority level of the target user can be determined according to the user identification corresponding to the data access request, and the preset mapping relation between all users and the data security classification rules is obtained.
The preset mapping relation indicates, for each user, under which data security classification rules the user can access data (data that has been labelled with a security level by those rules) and which data the user cannot access (data that has not been labelled with a security level by those rules). For example, the system has three data security classification rules S, Q and P, and a user has a mapping relation with rules S and Q; this indicates that the user can only access data labelled with a security level by rules S and Q, and if data has only been labelled with a security level by rule P, the user cannot access it. After the preset mapping relation is obtained, the identity of the target user can be determined according to the data access request, and the target data security classification rules that have a mapping relation with the target user can then be determined from the preset mapping relation covering all users and all data security classification rules; the target user has access authority to these target data security classification rules.
In one embodiment, before S2, the method further comprises: acquiring role information and business information of a plurality of users; and establishing a preset mapping relation between each user and each data security classification rule according to the role information and the business information of each user. When the preset mapping relation is established, the role information and the business information of each user can both be taken into account. The role information represents the work role of each user in the organization, such as sales, manager, operations and the like; the business information represents the business categories each user is responsible for, such as report summarization, information release, transaction accounting and the like. In theory, two users with the same role are responsible for the same business, but in actual scenarios one person is often used for several jobs, and it also happens that one role is responsible for only a single business while another is responsible for several. The role information and business information of each user can therefore be considered together to determine, from the plurality of data security classification rules, the rules closely related to each user.
If, for a certain user, the conditions limiting the data that must be accessed for work, as indicated by the user's role and business, relate only to the business, a preset mapping relation only needs to be established with the data security classification rule based on business sensitivity; if those conditions relate both to the business and to the fields of the data involved, preset mapping relations need to be established with both the business data security classification rule and the field data security classification rule.
S3: Acquire the target security level of the target data under each target data security classification rule.
Data security classification rules established on different bases apply different standards to the sensitivity of data, and the same data has an independent security level under each data security classification rule. These independent security levels may be the same level (for example, the security levels of S2 and Q2 are both level 2) or different levels (for example, S2 is level 2, Q3 is level 3, and the security level of S2 is higher than that of Q3). After the target data security classification rules to which the target user has access authority are determined in the above steps, the target security level of the target data under each target data security classification rule is obtained. For example, if the security level of the target data is 2 under the target data security classification rule based on business sensitivity and 3 under the target data security classification rule based on field sensitivity, the target security levels of the target data are represented by S2 and Q3 respectively.
It should be noted that the target user has at least one target data security classification rule. There may be only one, in which case the target data can only have been labelled under that rule; or there may be two or more, in which case, if the target data has been labelled under all of them, multiple security levels are obtained, but the target data may also have been labelled under only some of them, in which case only some security levels are obtained.
S4: Match the access authority level of the target user with each target security level of the target data, and judge whether the target user has access authority to the target data according to the matching result.
When the security levels of all data in the system range from level 1 to level 5, the access authority level of each user can also range from level 1 to level 5, and the security level of the data accessible to each user is not higher than the access authority level of that user. The access authority level of the target user is matched with each target security level of the target data, and if the matching result shows that some target security level is not higher than the access authority level of the target user, the target user is judged to have access authority to the target data. For example, the access authority level of the target user is level 3, denoted K3; under the target data security classification rule based on business sensitivity the target security level of the target data is level 2, denoted S2, and under the target data security classification rule based on field sensitivity it is level 3, denoted Q3. After matching, since K3 is less than S2 but not less than Q3, the target user has access authority to the target data.
In one embodiment, S4 specifically includes: determining a lowest target security level from the target security levels of the target data; matching the access authority level and the lowest target security level of the target user; and if the matching result represents that the access authority level is not less than the lowest target security level, judging that the target user has the access authority to the target data.
When the target security level of the target data includes a plurality of levels, as long as one target security level is not less than the access authority level, it indicates that the target user has the access authority for the target data. Therefore, the lowest target security level can be determined from the multiple target security levels, only the lowest target security level is matched with the access authority level, if the lowest target security level is not higher than the access authority level, the access authority is judged to be possessed, if the lowest target security level is higher than the access authority level, then the lower target security level which is positioned at the second place when the security levels are arranged from low to high is matched with the access authority level, and the like is carried out until the target security level which is higher than the access authority is found, or the matching of the highest target security level and the access authority is completed.
Specifically, assuming that there are a service m and a service n, according to a data security classification rule formulated according to a service sensitivity, a security level of data related to the service m is 3, a security level of data related to the service n is 2, and according to a data security classification rule formulated according to a field sensitivity, a certain account number related to all services has a level of only a part of numbers as 3, and a level of the other part of numbers as 2, it is assumed that access authority levels of a target user 1 and a target user 2 are both K3, and only access authority to the field data security classification rule is provided for the target user 1, and access authority to the two data security classification rules is provided for the target user 2. When the requested target data is a certain account number in the service m, only part of the numbers in the account number can be acquired by the target user 1 and the target user 2 under the field data security classification rule, but the target user 2 has a preset mapping relation with the service data security classification rule at the same time, and under the rule, the security level of the data involved in the service m is not lower than the access authority level, so that the target user 2 can acquire the rest of the numbers of the account number to obtain a complete account number. By the method, the data contents which can be accessed by two users with the same access right level are different.
In the prior art, data is security-classified according to a single standard. If the data is classified by field, for example, each piece of data has a unique security level, and users with the same access authority level can only access data of the same security levels. When a user takes on additional work and needs data with a higher security level, a manual audit has to be performed, and that audit opens access only to the data requested; the next time new data is requested, access has to be opened again. This is inefficient and suits only a narrow range of scenarios.
In the present application, data is classified in advance according to several different data security classification rules. Once a user is mapped to a data security classification rule, all data labelled under that rule whose security level is not higher than the user's access authority level can be accessed directly after the pre-audit, with no repeated manual audit, so efficiency is high. Because several different data security classification rules are set, the security levels of the same data under different rules are not necessarily the same. By constructing the preset mapping relation, different users with the same access authority level are given access to different data security classification rules, so the same target data may be accessible to one group of users and inaccessible to another. In other words, the same target data has different security levels for different users, which allows users of the same authority level to obtain data differentially and meets the requirements of complex scenarios.
S5: If so, return the target data to the target user.
After matching, if the target user has access rights to the target data, the target data may be returned to the target user, and the target user may perform subsequent other work based on the target data.
In one embodiment, after S4, the method further includes: if not, generating an access authority audit request for the target data and sending it to an audit user; and updating the access authority of the target user for the target data according to the access authority audit response returned by the audit user. If matching shows that the target user does not have access authority for the target data, the manual audit mode is started: an access authority audit request for the target data is generated and sent to the audit user. After receiving the request, the audit user decides, according to the user's work situation and a preset audit standard, whether to relax the target user's access authority for the target data. If it can be relaxed, an access authority audit response is returned, and the server relaxes the target user's access authority for the target data according to the response, so that the target user is authorized to access the target data and obtains it successfully. In the present application, manual audit is needed only when the requested data cannot be obtained by the user under any of the security classification rules. Compared with the prior art, where manual audit is needed every time, the flow is simplified and efficiency is improved.
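The check in S1 to S5 and the hand-off to manual audit can be sketched as follows. This is an added example, not code from the patent; the rule names, user names, account digits and numeric levels are constructed so that two users with the same access level receive different results.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy data; every name and numeric level here is an assumption.
# LABELS[rule][data_id] = security level of that item under that classification rule.
LABELS = {
    "field":   {"acct.prefix": 2, "acct.suffix": 4},   # graded per field
    "service": {"acct.prefix": 3, "acct.suffix": 3},   # all data of service m is level 3
}
USER_LEVEL = {"user1": 3, "user2": 3}                  # same access permission level
USER_RULES = {"user1": {"field"}, "user2": {"field", "service"}}  # preset mapping
STORE = {"acct.prefix": "622200", "acct.suffix": "1234567890"}    # constructed digits

ACCESS_LOG = []    # every decision is recorded
AUDIT_QUEUE = []   # denied requests handed to manual audit


@dataclass(frozen=True)
class Decision:
    granted: bool
    rule: Optional[str]    # rule that supplied the lowest target security level
    level: Optional[int]   # that lowest level


def decide(user: str, data_id: str) -> Decision:
    """Steps S2-S4: look up level and mapped rules, then match the lowest label."""
    level = USER_LEVEL.get(user)
    rules = USER_RULES.get(user, set())
    # Target security levels: labels under the rules mapped to this user only.
    targets = {r: LABELS[r][data_id] for r in rules if data_id in LABELS.get(r, {})}
    if level is None or not targets:
        # Unknown user or unlabelled data: deny (assumption; the page does not
        # describe this case).
        decision = Decision(False, None, None)
    else:
        # Lowest target level; ties broken by rule name so the result is stable.
        rule = min(targets, key=lambda r: (targets[r], r))
        decision = Decision(targets[rule] <= level, rule, targets[rule])
    ACCESS_LOG.append((user, data_id, decision))
    if not decision.granted:
        AUDIT_QUEUE.append((user, data_id))   # manual audit takes over from here
    return decision


def read_account(user: str) -> str:
    """Step S5: return the parts the user may see, masking the rest."""
    parts = []
    for data_id in ("acct.prefix", "acct.suffix"):
        value = STORE[data_id]
        parts.append(value if decide(user, data_id).granted else "*" * len(value))
    return "".join(parts)


if __name__ == "__main__":
    for name in ("user1", "user2"):
        print(name, read_account(name))
    print("pending manual audit:", AUDIT_QUEUE)
```

Because the decision uses the lowest label across the mapped rules, mapping a user to one more rule can only widen what that user can read.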
In one embodiment, after the step of updating the access right of the target user to the target data according to the access right audit response returned by the audit user, the method further includes: acquiring first access authority audit data of a plurality of users with the same access authority level in a first historical time period; according to the first access authority auditing data, determining override data corresponding to access authority auditing requests of a plurality of users, and determining the first override data with the request proportion larger than a first threshold; and determining a first data security classification rule corresponding to the first override data from a plurality of different data security classification rules, and reducing the security level of the first override data under the first data security classification rule.
The first historical time period can be one month or several months counted back from the current day, tens of days counted back from the current day, or another period that has already passed; its duration and period can be selected as required. The first access authority audit data refers to the audit data generated in the manual audit stage after multiple users of the same access authority level initiated access requests in the first historical time period and the pre-audit found that the access authority level did not match the security level of the data. It includes information such as the type of the requested data, the security level of the data under each data security classification rule, and the target data security classification rules mapped to the requesting user. Data that goes through manual audit is called override data, which indicates that the user does not currently have access authority for that data.
All override data of each batch of users belonging to the same level in the first historical time period is counted, and the first override data, whose request proportion is greater than a first threshold, is determined. The first override data is the override data most requested by the users of the same access authority level. The data security classification rules under which the first override data is labelled are determined and taken as the first data security classification rules, and the security level of the first override data under the first data security classification rules is then reduced. The existence of first override data indicates that the current data security classification rules are somewhat inaccurate: the current security level of the first override data is too high, so many requests and manual audits are needed for it, which wastes resources. The security level can therefore be adjusted downwards so that subsequent requests for the data do not enter the manual audit stage, which improves efficiency.
In one embodiment, after the step of updating the access right of the target user to the target data according to the access right audit response returned by the audit user, the method further includes: acquiring second access authority auditing data of the same target user in a second historical time period; according to the second access authority auditing data, determining override data corresponding to the access authority auditing request of the target user, and determining second override data with the request proportion larger than a second threshold; determining the lowest non-target security level from the non-target security levels of the second override data, and determining a second data security classification rule corresponding to the lowest non-target security level; and updating the second data security classification rule to the target security level of the target user.
The second historical time period may be one month or several months, tens of days, or another period that has already passed; its duration and period may be selected as desired. The second access authority audit data refers to the audit data generated in the manual audit stage after a given target user initiated access requests in the second historical time period and the pre-audit found that the access authority level did not match the security level of the data, so that the request was transferred to manual audit.
All override data of the same target user in the second historical time period is counted, and the second override data, whose request proportion is greater than a second threshold, is determined. The second override data is the override data most requested by the target user. The data security classification rules under which the second override data is labelled and the target data security classification rules corresponding to the target user are then determined. Rules under which the second override data is labelled but which are not among the target data security classification rules are the non-target data security classification rules, and the security levels of the second override data under those rules are the non-target security levels. The non-target security levels are sorted; the lowest of them is the lowest non-target security level, and the non-target data security classification rule corresponding to it is the second data security classification rule. The second data security classification rule is then updated to the target security level of the target user.
The existence of second override data indicates that the current data security classification rules are somewhat inaccurate: the security level of the second override data is too high under all current target data security classification rules, so a manual audit is performed each time a request for the second override data is initiated, which wastes resources.
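The two feedback embodiments above can be sketched as functions that turn manual-audit records into proposed policy changes. This is an added example, not code from the patent. It assumes that "request proportion" means an item's share of the override requests in the period, that a label is lowered just far enough to match the group's access level, and that all sample data is constructed.

```python
from collections import Counter

# All data below is constructed for illustration.
LABELS = {   # LABELS[rule][data_id] = security level under that rule
    "field":   {"acct.suffix": 4, "loan.limit": 5},
    "service": {"acct.suffix": 3, "loan.limit": 4},
    "region":  {"acct.suffix": 5},
}
USER_RULES = {"u1": {"field"}, "u2": {"field"}, "u3": {"field", "region"}}
# Override requests that reached manual audit: (user, access level, data id).
AUDIT_RECORDS = [
    ("u1", 3, "acct.suffix"), ("u1", 3, "acct.suffix"), ("u1", 3, "loan.limit"),
    ("u2", 3, "acct.suffix"), ("u3", 3, "acct.suffix"), ("u3", 3, "loan.limit"),
    ("u9", 2, "loan.limit"),
]


def frequent_overrides(records, threshold):
    """Data ids whose share of the given override requests exceeds threshold."""
    counts = Counter(data_id for _, _, data_id in records)
    total = sum(counts.values())
    return sorted(d for d, n in counts.items() if total and n / total > threshold)


def propose_level_reductions(records, level, threshold):
    """First embodiment: users of one access level keep requesting the same item.

    Returns (rule, data_id, old_level, new_level) tuples. Only the rule under
    which the item is already closest to passing is touched (assumption).
    """
    group = [r for r in records if r[1] == level]
    proposals = []
    for data_id in frequent_overrides(group, threshold):
        users = {u for u, _, d in group if d == data_id}
        rules = set().union(*(USER_RULES.get(u, set()) for u in users))
        labelled = {r: LABELS[r][data_id] for r in rules if data_id in LABELS[r]}
        if not labelled:
            continue   # requesting users have no mapped rule that labels the item
        rule = min(labelled, key=lambda r: (labelled[r], r))
        if labelled[rule] > level:
            proposals.append((rule, data_id, labelled[rule], level))
    return proposals


def propose_rule_grants(records, user, threshold):
    """Second embodiment: one user keeps requesting the same item.

    Returns (user, rule, data_id, level_under_rule) tuples naming the
    non-target rule with the lowest level for that item.
    """
    own = [r for r in records if r[0] == user]
    if not own:
        return []
    level = own[0][1]
    mapped = USER_RULES.get(user, set())
    proposals = []
    for data_id in frequent_overrides(own, threshold):
        non_target = {r: lv[data_id] for r, lv in LABELS.items()
                      if r not in mapped and data_id in lv}
        if not non_target:
            continue
        rule = min(non_target, key=lambda r: (non_target[r], r))
        # Added guard (assumption): skip a rule that would still deny the item.
        if non_target[rule] <= level:
            proposals.append((user, rule, data_id, non_target[rule]))
    return proposals


if __name__ == "__main__":
    print(propose_level_reductions(AUDIT_RECORDS, 3, 0.5))
    print(propose_rule_grants(AUDIT_RECORDS, "u1", 0.5))
```

The functions return proposals instead of editing the policy so that each change can be logged. Mapping a user to an additional rule exposes every item labelled under that rule at or below the user's level, not only the item that triggered the proposal.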
Fig. 5 is a second schematic flowchart of the data access method provided in the embodiment of the present application. The flow mainly includes:
101: The target user logs in to the platform.
102: The server receives a data access request for target data sent by the target user.
103: The server checks whether the target user has the right to access the target data in the system; for the checking process, refer to the specific steps in the above embodiment.
If so, execute 104: the target user accesses the target data. 107: End.
If not, execute 105: the server automatically reminds the data administrator that an override application exists.
106: Manual audit determines whether the override application can pass.
If the audit is passed, execute 104; if the audit is not passed, execute 107.
In the embodiment of the application, this process provides the relevant staff with a systematic, automated data security level management platform. Users apply for audits, query data security levels and apply rules through the system, which saves the workload of the original manual data processing, improves the security compliance and efficiency of data checking, automates rule application, labels data efficiently, speeds up the handling of data checking requests from customer managers and other departments, and improves the efficiency of data enablement. In addition, by connecting online application, system pre-approval and online manual approval, the system detects whether a user's application is an override application and automatically reminds the data administrator of pending items. Log records are retained for all operations, which ensures security compliance and traceable checking for data checking and data capacity multiplexing.
As the above embodiment shows, in this data access method multiple different data security classification rules are set, so the security levels of the same data under different rules are not necessarily the same. By establishing the preset mapping relation, different users with the same access authority level are given access to different data security classification rules, so the same target data may be accessible to one group of users and inaccessible to another. In other words, the same target data has different security levels for different users, so users with the same access authority level can obtain data differentially and complex scenario requirements are met. Authority audit and authority recovery are no longer needed each time a user wants to access data with a high security level, which improves efficiency significantly.
Based on the method described in the above embodiment, this embodiment is further described from the perspective of a data access device. Referring to fig. 6, the data access device may include:
a receiving module 110, configured to receive a data access request of a target user for target data;
a determining module 120, configured to determine, according to the data access request, an access permission level of the target user, and determine, according to a preset mapping relationship between a user and a data security classification rule and the data access request, a target data security classification rule that the target user has an access permission from among multiple different data security classification rules;
an obtaining module 130, configured to obtain a target security level of the target data under each target data security classification rule;
the matching module 140 is configured to match the access permission level of the target user with each target security level of the target data, and determine whether the target user has an access permission to the target data according to a matching result;
and a returning module 150, configured to return the target data to the target user if yes.
In one embodiment, the data access device further comprises:
a first receiving module, configured to receive configuration operations for a plurality of different data security classification rules;
a first generation module for generating a plurality of data security classification rules in response to the configuration operation;
the auditing module is used for auditing the plurality of data security classification rules based on preset auditing conditions;
and the obtaining module is used for grading the data under each of the plurality of data security classification rules when the audit is passed, so as to obtain the security levels of the data under the different data security classification rules.
In one embodiment, the data access device further comprises:
the first acquisition module is used for acquiring role information and service information of a plurality of users;
and the establishing module is used for establishing a preset mapping relation between each user and each data security classification rule according to the role information and the service information of each user.
In one embodiment, the matching module 140 includes:
the determining submodule is used for determining the lowest target safety level from all target safety levels of the target data;
the matching submodule is used for matching the access authority level of the target user with the lowest target security level;
and the judging submodule is used for judging that the target user has the access right to the target data if the matching result represents that the access right level is not less than the lowest target security level.
In one embodiment, the data access device further comprises:
the second generation module is used for generating an access authority audit request for the target data and sending it to an audit user if not;
and the first updating module is used for updating the access authority of the target user to the target data according to the access authority auditing response returned by the auditing user.
In one embodiment, the data access device further comprises:
the second acquisition module is used for acquiring first access authority audit data of a plurality of users with the same access authority level in a first historical time period;
the first determining module is used for determining override data corresponding to access authority checking requests of the users according to the first access authority checking data and determining first override data with a request proportion larger than a first threshold;
the second determining module is used for determining a first data security classification rule corresponding to the first override data from a plurality of different data security classification rules and reducing the data security classification of the first override data under the first data security classification rule.
In one embodiment, the data access device further comprises:
the third acquisition module is used for acquiring second access right audit data of the same target user in a second historical time period;
the third determining module is used for determining the override data corresponding to the access authority checking request of the target user according to the second access authority checking data and determining the second override data with the request proportion larger than a second threshold value;
a fourth determining module, configured to determine a lowest non-target security level from among the non-target security levels of the second override data, and determine a second data security classification rule corresponding to the lowest non-target security level;
and the second updating module is used for updating the second data security classification rule to the target security level of the target user.
Different from the prior art, the data access device provided by the application has the advantages that the multiple different data security classification rules are set, so that the security levels of the same data under the different data security classification rules are not completely the same, different users with the same access right level have access rights to the different data security classification rules by constructing the preset mapping relation, the same target data can only have access rights to one part of users, and the other part of users does not have access rights, namely the same target data has different security levels to the different users, so that the data differentiated acquisition of the users with the same access right level is realized, the complex scene requirements are met, the rights audit and the rights recovery of the users who want to access the high-security level data are not needed at each time, and the efficiency is remarkably improved.
Accordingly, an electronic device may include, as shown in fig. 7, a Radio Frequency (RF) circuit 701, a memory 702 including one or more computer-readable storage media, an input unit 703, a display unit 704, a sensor 705, an audio circuit 706, a WiFi module 707, a processor 708 including one or more processing cores, and a power supply 709. Those skilled in the art will appreciate that the electronic device configuration shown in fig. 7 does not constitute a limitation of the electronic device and may include more or fewer components than shown, or some components may be combined, or a different arrangement of components. Wherein:
The RF circuit 701 may be used for receiving and transmitting signals during information transmission and reception or during a call; in particular, it receives downlink information from a base station and passes it to the one or more processors 708 for processing, and it transmits uplink data to the base station. The memory 702 may be used to store software programs and modules, and the processor 708 performs various functional applications and data access by running the software programs and modules stored in the memory 702. The input unit 703 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to client settings and function control.
The display unit 704 may be used to display information entered by or provided to the client and various graphical client interfaces of the server, which may be made up of graphics, text, icons, video, and any combination thereof.
The electronic device may also include at least one sensor 705, such as a light sensor, motion sensor, and other sensors. The audio circuitry 706 includes speakers that can provide an audio interface between the customer and the electronic device.
WiFi is a short-distance wireless transmission technology. Through the WiFi module 707, the electronic device can help the client send and receive e-mail, browse web pages, access streaming media and so on, and it provides the client with wireless broadband internet access. Although fig. 7 shows the WiFi module 707, it is not an essential part of the electronic device and may be omitted as needed without changing the essence of the application.
The processor 708 is a control center of the electronic device, connects various parts of the entire mobile phone using various interfaces and lines, and performs various functions of the electronic device and processes data by running or executing software programs and/or modules stored in the memory 702 and calling data stored in the memory 702, thereby performing overall monitoring of the mobile phone.
The electronic device further includes a power source 709 (e.g., a battery) for supplying power to various components, which may be preferably logically connected to the processor 708 via a power management system, such that functions of managing charging, discharging, and power consumption are performed via the power management system.
Although not shown, the electronic device may further include a camera, a bluetooth module, and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 708 in the server loads the executable file corresponding to the process of one or more application programs into the memory 702 according to the following instructions, and the processor 708 runs the application programs stored in the memory 702, thereby implementing the following functions:
receiving a data access request of a target user for target data;
determining the access authority level of the target user according to the data access request, and determining a target data security classification rule with access authority of the target user from a plurality of different data security classification rules according to a preset mapping relation between the user and the data security classification rule and the data access request;
acquiring a target security level of the target data under each target data security classification rule;
matching the access authority level of the target user with each target security level of the target data, and judging whether the target user has the access authority to the target data according to a matching result;
and if so, returning the target data to the target user.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and parts that are not described in detail in a certain embodiment may refer to the above detailed description, and are not described herein again.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present application provides a computer-readable storage medium, in which a plurality of instructions are stored, and the instructions can be loaded by a processor to implement the following functions:
receiving a data access request of a target user for target data;
determining the access authority level of the target user according to the data access request, and determining a target data security classification rule with access authority of the target user from a plurality of different data security classification rules according to a preset mapping relation between a user and a data security classification rule and the data access request;
acquiring target security levels of the target data under each target data security classification rule;
matching the access authority level of the target user with each target security level of the target data, and judging whether the target user has the access authority to the target data according to a matching result;
and if so, returning the target data to the target user.
The data access method, the data access device, the electronic device, and the computer-readable storage medium provided in the embodiments of the present application are described in detail above, and a specific example is applied in the present application to explain the principles and implementations of the present application, and the description of the above embodiments is only used to help understand the technical solutions and core ideas of the present application; those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications or substitutions do not depart from the spirit and scope of the present disclosure as defined by the appended claims.

Claims (10)

1. A method of data access, comprising:
receiving a data access request of a target user for target data;
determining the access authority level of the target user according to the data access request, and determining a target data security classification rule with access authority of the target user from a plurality of different data security classification rules according to a preset mapping relation between the user and the data security classification rule and the data access request;
acquiring a target security level of the target data under each target data security classification rule;
matching the access authority level of the target user with each target security level of the target data, and judging whether the target user has the access authority to the target data according to a matching result;
and if so, returning the target data to the target user.
2. The data access method of claim 1, further comprising, prior to the step of receiving a data access request for the target data from the target user:
receiving a configuration operation for a plurality of different data security classification rules;
generating a plurality of data security classification rules in response to the configuration operation;
auditing the plurality of data security classification rules based on preset auditing conditions;
and when the audit is passed, grading the data under each of the plurality of data security classification rules to obtain the security levels of the data under the different data security classification rules.
3. The data access method of claim 1, further comprising, prior to the step of determining the access privilege level of the target user based on the data access request:
acquiring role information and service information of a plurality of users;
and establishing a preset mapping relation between each user and each data security classification rule according to the role information and the service information of each user.
4. The data access method according to claim 1, wherein the step of matching the access right level of the target user with each target security level of the target data and determining whether the target user has an access right to the target data according to the matching result comprises:
determining a lowest target security level from the target security levels of the target data;
matching the access permission level of the target user with the lowest target security level;
and if the matching result represents that the access authority level is not less than the lowest target security level, judging that the target user has the access authority to the target data.
5. The data access method of claim 1, after the step of determining whether the target user has access rights to the target data according to the matching result, further comprising:
if not, generating an access authority audit request for the target data and sending it to an audit user;
and updating the access authority of the target user to the target data according to the access authority auditing response returned by the auditing user.
6. The data access method according to claim 5, further comprising, after the step of updating the access right of the target user to the target data according to the access right audit response returned by the audit user:
acquiring first access authority audit data of a plurality of users with the same access authority level in a first historical time period;
according to the first access authority checking data, determining override data corresponding to access authority checking requests of the multiple users, and determining first override data with a request proportion larger than a first threshold;
and determining a first data security classification rule corresponding to the first override data from a plurality of different data security classification rules, and reducing the security level of the first override data under the first data security classification rule.
7. The data access method according to claim 5, further comprising, after the step of updating the access right of the target user to the target data according to the access right audit response returned by the audit user:
acquiring second access authority auditing data of the same target user in a second historical time period;
according to the second access authority auditing data, determining override data corresponding to the access authority auditing request of the target user, and determining second override data with the request proportion larger than a second threshold;
determining the lowest non-target security level from the non-target security levels of the second override data, and determining a second data security classification rule corresponding to the lowest non-target security level;
and updating the second data security classification rule to the target security level of the target user.
8. A data access device, comprising:
the receiving module is used for receiving a data access request of a target user for target data;
the determining module is used for determining the access authority level of the target user according to the data access request, and determining a target data security classification rule which the target user has access authority from a plurality of different data security classification rules according to a preset mapping relation between a user and the data security classification rule and the data access request;
the acquisition module is used for acquiring the target security level of the target data under each target data security classification rule;
the matching module is used for matching the access authority level of the target user with each target security level of the target data and judging whether the target user has the access authority to the target data or not according to a matching result;
and if so, returning the target data to the target user.
9. An electronic device comprising a memory and a processor; the memory stores an application program, and the processor is configured to execute the application program in the memory to perform the steps of the data access method according to any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a computer program for execution by a processor to perform the steps of the data access method of any one of claims 1 to 7.
CN202210951389.2A 2022-08-09 2022-08-09 Data access method and device, electronic equipment and storage medium Pending CN115344888A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210951389.2A CN115344888A (en) 2022-08-09 2022-08-09 Data access method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210951389.2A CN115344888A (en) 2022-08-09 2022-08-09 Data access method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115344888A true CN115344888A (en) 2022-11-15

Family

ID=83951529

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210951389.2A Pending CN115344888A (en) 2022-08-09 2022-08-09 Data access method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115344888A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116723042A (en) * 2023-07-12 2023-09-08 北汽蓝谷信息技术有限公司 Data packet security protection method and system
CN116781329A (en) * 2023-05-26 2023-09-19 内蒙古达闻电子科技有限责任公司 Internet-based data security access system and method
CN117521043A (en) * 2024-01-05 2024-02-06 邯郸鉴晨网络科技有限公司 Data security system based on access rights

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116781329A (en) * 2023-05-26 2023-09-19 内蒙古达闻电子科技有限责任公司 Internet-based data security access system and method
CN116723042A (en) * 2023-07-12 2023-09-08 北汽蓝谷信息技术有限公司 Data packet security protection method and system
CN116723042B (en) * 2023-07-12 2024-01-26 北汽蓝谷信息技术有限公司 Data packet security protection method and system
CN117521043A (en) * 2024-01-05 2024-02-06 邯郸鉴晨网络科技有限公司 Data security system based on access rights

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination