CN115878653A - Data access control method and device, electronic equipment and storage medium - Google Patents

Publication number
CN115878653A
Authority
CN
China
Prior art keywords
data
query request
data query
desensitization
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211309940.XA
Other languages
Chinese (zh)
Inventor
徐小平
谢俊
张健
回艳玲
金嘉诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Agricultural Bank of China
Priority to CN202211309940.XA
Publication of CN115878653A

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a data access control method, a data access control device, electronic equipment and a storage medium. Wherein the method is applied to a desensitization adapter, comprising: receiving a first data query request initiated by a target user through an application system, and desensitizing and rewriting the first data query request to obtain a second data query request; forwarding the second data query request to a database for execution; and receiving a desensitization query result fed back by the database, and forwarding the desensitization query result to the application system so as to be conveniently viewed by the target user. The scheme of the invention does not need to modify the database or the application system, but adopts the desensitization adapter to desensitize and rewrite the data query request, thereby realizing the effective protection of sensitive data in the database.

Description

Data access control method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data access control method and apparatus, an electronic device, and a storage medium.
Background
With the development of the information age, the volume of data has grown explosively and data security has become increasingly important. Where sensitive information such as user privacy and company confidential material is involved, the data needs to be desensitized so that sensitive private data is reliably protected. At present, many sensitive data protection systems are developed as a separately deployed set of applications. This approach requires targeted protection and dedicated maintenance, covers a limited range of cases, and requires matching modifications to the application systems. The investment is large, the return is low, and such systems cannot adapt to changing conditions.
Disclosure of Invention
The invention provides a data access control method, a data access control device, electronic equipment and a storage medium.
According to an aspect of the present invention, there is provided a data access control method applied to a desensitization adapter, including:
receiving a first data query request initiated by a target user through an application system, and desensitizing and rewriting the first data query request to obtain a second data query request;
forwarding the second data query request to a database for execution;
and receiving a desensitization query result fed back by the database, and forwarding the desensitization query result to the application system so as to be checked by the target user.
According to another aspect of the present invention, there is provided a data access control device, configured on a desensitization adapter, comprising:
the request rewriting module is used for receiving a first data query request initiated by a target user through an application system, and desensitizing and rewriting the first data query request to obtain a second data query request;
the request forwarding module is used for forwarding the second data query request to a database for execution;
and the query result receiving and forwarding module is used for receiving the desensitization query result fed back by the database and forwarding the desensitization query result to the application system so as to be conveniently viewed by the target user.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the data access control method according to an embodiment of the present invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions for causing a processor to implement a data access control method according to an embodiment of the present invention when the computer instructions are executed.
According to the technical scheme of the embodiment of the invention, the database or the application system is not required to be modified, the desensitization adapter is adopted to desensitize and rewrite the data query request, and the effective protection of sensitive data in the database is realized.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a data access control method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a data access control method according to a second embodiment of the present invention;
Fig. 3 is a logic diagram illustrating a data access control method according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a data access control apparatus according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device implementing the data access control method according to the embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
Fig. 1 is a flowchart of a data access control method according to an embodiment of the present invention. This embodiment is applicable to protecting sensitive data in a database. The method may be implemented by a data access control device, which may be implemented in hardware and/or software and may be configured in a desensitization adapter in an electronic device. That is, the solution of the invention is executed by the desensitization adapter.
As shown in fig. 1, the data access control method includes:
S101, receiving a first data query request initiated by a target user through an application system, and desensitizing and rewriting the first data query request to obtain a second data query request.
The application system may be any software application system, and may include client software deployed on a user terminal and a back-end server. The user performs business operations in the client software, and the back-end server generates the corresponding business request and processes it according to the target user's business operation. In this embodiment, the first data query request is a request for accessing data in a database, generated by the application system in a database operation language according to the target user's business operation in the client software and the business processing logic; for example, the application system may generate the first data query request based on an SQL statement. The first data query request may include data such as the table and field that the user wishes to access.
In this embodiment, the data stored in the database is of two types, sensitive data and non-sensitive data. Sensitive data is data whose leakage may cause serious harm to society or to an individual. It includes personal privacy data such as name, identification number, address, telephone, bank account, mailbox, password, medical information and educational background, and it also includes data that an enterprise or social institution should not publish, such as the business conditions of the enterprise, the network structure of the enterprise and IP address lists. Since the first data query request generated by the application system may involve access to sensitive fields and tables, in order to prevent leakage of sensitive data the present invention proposes to add a desensitization adapter between the application system and the database without modifying the application system or the database. In this way, the first data query request generated by the application system is not sent directly to the database for execution, but is first redirected to the desensitization adapter. After receiving a first data query request initiated by a target user through an application system, the desensitization adapter may perform desensitization rewriting on it. The desensitization rewriting may consist of adding, to the first data query request, a desensitization processing instruction that replaces or covers the sensitive field or table it requests; the desensitization processing instruction may include a keyword or a pattern for replacing sensitive data. In this manner, a second data query request including desensitization processing instructions is obtained, and the second data query request may be a database query request generated based on SQL statements.
It should be noted that if the first data query request does not include a sensitive field or table, the first data query request does not need to be rewritten.
And S102, forwarding the second data query request to a database for execution.
Since the second data query request may be a database query request generated based on SQL statements, and SQL is a database operation language, it can be executed directly in the database. The desensitization adapter may therefore directly forward the second data query request including desensitization processing instructions to the database for execution. The execution process is as follows: the database acquires the corresponding data according to the field or table to be queried in the request, and if the data corresponding to that field or table is sensitive data, the sensitive data is directly replaced or covered according to the desensitization instruction, so that a desensitization query result without the sensitive data is obtained.
S103, receiving a desensitization query result fed back by the database, and forwarding the desensitization query result to an application system so as to be checked by a target user.
After the database query is completed, the desensitization query result is sent to the desensitization adapter, and the desensitization adapter then forwards the desensitization query result to the application system so that the target user can view it.
In the embodiment, under the condition that the application system or the database is not modified, a desensitization adapter is added between the application system and the database, and the desensitization adapter is adopted to desensitize and rewrite the data query request, so that all requested sensitive data are replaced or covered in the process that the database queries data according to the rewritten query request, and desensitization data which can be viewed by a user are obtained, thereby avoiding sensitive data in the database from being leaked, and realizing effective protection of sensitive data in the database.
Further, before desensitizing rewriting of the first data query request, the desensitizing adapter may also perform validity check on the first data query request; if the first data query request is illegal, intercepting the first data query request; and if the first data query request is legal, performing desensitization rewriting operation on the first data query request. Therefore, through the validity check, the illegal data query request can be intercepted, and the sensitive data is prevented from being illegally stolen.
Example two
Fig. 2 is a flowchart of a data access control method according to a second embodiment of the present invention. In this embodiment, a detailed process of desensitizing rewriting the first data query request is added. Referring to fig. 2, the process flow of the method includes the following steps:
S201, receiving a first data query request initiated by a target user through an application system, identifying the first data query request, and determining target data to be queried by the target user.
In this embodiment, after receiving a first data query request initiated by a target user through an application system, a desensitization adapter first identifies the first data query request, for example, identifies a table or a field included in the first data query request, and then determines target data to be queried by the target user according to the identified table, field, and the like. Further, whether the target data is sensitive data or not can be determined according to a sensitive data table constructed in advance, and if the target data is sensitive data, the steps of S202-S205 are executed; if the data is not sensitive data, the first data query request can be directly forwarded to the database for execution, the query result fed back by the database is received, and the query result is forwarded to the application system so as to be viewable by the target user.
S202, under the condition that the target data are sensitive data, determining the sensitivity level of the target data and/or the data access authority level of the target user.
The sensitivity level measures the degree of privacy of the target data; the more private the data, the higher its sensitivity level. Illustratively, the sensitivity level may be represented by the numbers 1, 2 and 3, where a larger number means higher sensitivity. The data access permission level of the target user can be determined according to the user type of the target user in the application system, and different types of users have different data access permissions. For example, if the target user is a normal user, the data access permission level of the target user may be 1; at this level normal data can be accessed and sensitive data cannot. If the target user is a high-level user, the data access permission level of the target user may be 2; at this level sensitive data with a sensitivity level of 1-2 can be accessed in addition to normal data. If the target user is a super user, the data access permission level of the target user may be 3; at this level all sensitive data in the database can be accessed normally.
S203, desensitizing and rewriting the first data query request according to the sensitivity level and/or the data access permission level to obtain a second data query request.
In an optional implementation manner, a target desensitization rule corresponding to the target data is determined according to the sensitivity level and/or the data access permission level, where the target desensitization rule may be semi-desensitization or full desensitization; the first data query request is then desensitized and rewritten according to the target desensitization rule to obtain a second data query request. Desensitizing and rewriting the first data query request according to the target desensitization rule to obtain the second data query request includes: determining a desensitization processing function corresponding to the target desensitization rule, where the desensitization processing function is a processing function that implements full desensitization or semi-desensitization of data; and desensitizing and rewriting the first data query request according to the desensitization processing function to obtain the second data query request.
In a specific implementation, the process of desensitizing and rewriting the first data query request according to the sensitivity level is as follows. If the sensitivity level of the target data is 1-2, the target desensitization rule corresponding to the target data is determined to be semi-desensitization (that is, the sensitive data is partially replaced or covered; for example, if the target data is a mobile phone number, semi-desensitization can cover the middle four digits of the number), and an instruction for partially replacing the target data is added to the first data query request according to a first desensitization processing function corresponding to the semi-desensitization rule, to obtain a second data query request. If the sensitivity level of the target data is 3, the target desensitization rule corresponding to the target data is determined to be full desensitization (that is, all of the sensitive data is replaced or covered), and an instruction for replacing all of the target data is added to the first data query request according to a second desensitization processing function corresponding to the full desensitization rule, to obtain a second data query request.
The process of desensitizing and rewriting the first data query request according to the data access permission level of the target user is as follows. If the target user is a normal user (who does not have access to sensitive data), the target desensitization rule corresponding to the target data is determined to be the full desensitization rule, and an instruction for completely replacing the target data is added to the first data query request according to the second desensitization processing function corresponding to the full desensitization rule, to obtain a second data query request. If the target user is a super user (who can normally access all sensitive data in the database), desensitization rewriting of the first data query request is not needed, and the request is forwarded directly to the database for execution. If the target user is a high-level user (who can access sensitive data with a sensitivity level of 1-2), desensitization rewriting is performed in combination with the sensitivity level of the target data. For example, if the sensitivity level of the requested target data is 1 or 2, desensitization rewriting of the first data query request is not needed, and the first data query request is forwarded directly to the database for execution; if the sensitivity level of the requested target data is 3, it is determined that the target user does not have access to the target data and that the target desensitization rule corresponding to the target data is the full desensitization rule, and an instruction for replacing all of the target data is added to the first data query request according to the second desensitization processing function corresponding to the full desensitization rule, to obtain a second data query request.
And S204, forwarding the second data query request to a database for execution.
Since the second data query request may be a database query request generated based on SQL statements, and SQL is a database operation language, it can be executed directly in the database. The desensitization adapter may therefore directly forward the second data query request including the desensitization processing instruction to the database for execution. The execution process is as follows: the corresponding data is acquired according to the field or table to be queried in the request, and if the data corresponding to that field or table is sensitive data, the sensitive data is directly replaced or covered according to the desensitization instruction to obtain a desensitization query result without the sensitive data.
S205, receiving a desensitization query result fed back by the database, and forwarding the desensitization query result to an application system so as to be conveniently viewed by a target user.
In this embodiment, when the target data is sensitive data, desensitization rewriting is performed according to the sensitivity level to which the target data belongs and/or the data access permission level of the target user, so that not only is the sensitive data not leaked, but also the user with the viewing permission can normally view the sensitive data within the permission range.
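The flow of S201 to S205, together with the validity check of Example one, as an added Python example that is not code from the patent. The `customers` table and its columns, the `SENSITIVE` map, the SQLite masking expressions, and the choice to intercept `SELECT *`, subqueries and stacked statements as the validity check are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed "sensitive data table": (table, column) -> sensitivity level 1-3.
SENSITIVE = {
    ("customers", "phone"): 2,
    ("customers", "id_number"): 3,
}
HALF, FULL, NONE = "half", "full", "none"


class Rejected(Exception):
    """Raised when the adapter intercepts a request instead of forwarding it."""


def target_rule(sensitivity, access_level=None):
    """Choose the target desensitization rule (S202/S203)."""
    if access_level is None:          # sensitivity level only
        return HALF if sensitivity <= 2 else FULL
    if access_level >= 3:             # super user: no rewriting
        return NONE
    if access_level == 2:             # high-level user: levels 1-2 visible
        return NONE if sensitivity <= 2 else FULL
    return FULL                       # normal user: no sensitive data


def mask_expr(column, rule):
    """Desensitization processing function: SQL that replaces the column."""
    if rule == HALF:
        # Cover the middle four digits of an 11-digit phone number.
        return f"substr({column}, 1, 3) || '****' || substr({column}, 8) AS {column}"
    if rule == FULL:
        return f"'******' AS {column}"
    return column


SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>\s.*)?$",
    re.I | re.S,
)
IDENT_RE = re.compile(r"^\w+$")


def rewrite(first_request, access_level=None):
    """Turn the first data query request into the second one (S201-S203)."""
    sql = first_request.strip().rstrip(";").strip()
    m = SELECT_RE.match(sql)
    if not m:
        raise Rejected("not a single-table SELECT")
    rest = m.group("rest") or ""
    # Assumed validity check: a nested or stacked SELECT could read a
    # sensitive column without passing through the select-list rewrite.
    if ";" in rest or re.search(r"\bselect\b", rest, re.I):
        raise Rejected("stacked statement or subquery")
    table_key = m.group("table").lower()
    items = []
    for col in (c.strip() for c in m.group("cols").split(",")):
        # Only plain identifiers are accepted, so '*' and expressions are
        # intercepted and nothing unvalidated is interpolated into SQL.
        if not IDENT_RE.match(col):
            raise Rejected(f"unsupported select item: {col!r}")
        level = SENSITIVE.get((table_key, col.lower()))
        items.append(col if level is None
                     else mask_expr(col, target_rule(level, access_level)))
    return f"SELECT {', '.join(items)} FROM {m.group('table')}{rest}"


def run_through_adapter(conn, first_request, access_level=None):
    """Rewrite, forward to the database, return the result (S204-S205)."""
    return conn.execute(rewrite(first_request, access_level)).fetchall()


def demo_db():
    """In-memory database holding one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, phone TEXT, id_number TEXT)")
    conn.execute(
        "INSERT INTO customers VALUES ('Li Lei', '13812345678', 'ID-CONSTRUCTED-0001')"
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    query = "SELECT name, phone, id_number FROM customers"
    for level in (None, 1, 2, 3):
        print(level, rewrite(query, level))
        print("   ", run_through_adapter(db, query, level))
```

The application sends the same statement in every case; only the select list that reaches the database changes with the sensitivity level and the user's access level.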
Example three
Fig. 3 is a logic flow diagram of a data access control method according to a third embodiment of the present invention. Referring to fig. 3, the logic of the method is as follows:
First, a client (i.e., a target user) initiates a service request operation to an application system. The application system then generates a database query statement (i.e., a first data query request) according to the service logic, and sends the first data query request to the desensitization adapter. The desensitization adapter identifies the first data query request, determines the table, field and the like requested by the target user, and screens for sensitive information according to the requested table and field. If the requested table and field are among those to be managed (namely, sensitive data), the desensitization adapter automatically performs field desensitization rewriting on the first data query request, forms the statement that is finally sent to the database (i.e., a second data query request), and sends that statement to the database for execution. The database executes the statement in the second data query request and returns the query result to the requesting end (i.e., the desensitization adapter). The desensitization adapter forwards the returned result to the application system, and the application system displays the request result to the client.
Therefore, under the condition that an application system and a database are not modified, the sensitive data in the database can be protected only by desensitizing and rewriting the data query request through the adapter.
Example four
Fig. 4 is a schematic structural diagram of a data access control apparatus according to a fourth embodiment of the present invention, where this embodiment is applicable to a case of protecting sensitive data in a database. The device is configured in a desensitization adapter and, as shown in fig. 4, comprises:
a request rewriting module 401, configured to receive a first data query request initiated by a target user through an application system, and perform desensitization rewriting on the first data query request to obtain a second data query request;
a request forwarding module 402, configured to forward the second data query request to the database for execution;
and the query result receiving and forwarding module 403 is configured to receive the desensitization query result fed back by the database, and forward the desensitization query result to the application system for the target user to view.
Optionally, in some embodiments, the request rewriting module further includes:
the identification unit is used for identifying the first data query request and determining target data to be queried by a target user;
the determining unit is used for determining the sensitivity level of the target data and/or the data access authority level of the target user under the condition that the target data is sensitive data;
and the rewriting unit is used for performing desensitization rewriting on the first data query request according to the sensitivity level and/or the data access permission level to obtain a second data query request.
Optionally, in some embodiments, the rewriting unit further includes:
the rule determining subunit is used for determining a target desensitization rule corresponding to the target data according to the sensitivity level and/or the data access permission level;
and the rewriting subunit is used for performing desensitization rewriting on the first data query request according to the target desensitization rule to obtain a second data query request.
Optionally, in some embodiments, the rewrite subunit is further configured to:
determining a desensitization processing function corresponding to the target desensitization rule;
and desensitizing and rewriting the first data query request according to the desensitizing processing function to obtain a second data query request.
Optionally, in some embodiments, the device further includes:
the validity checking module is used for checking the validity of the first data query request;
the intercepting module is used for intercepting the first data query request if the first data query request is illegal;
and the execution indicating module is used for executing desensitization rewriting operation on the first data query request if the first data query request is legal.
Optionally, in some embodiments, the first data query request and the second data query request are database query requests generated based on SQL statements.
The data access control device provided by the embodiment of the invention can execute the data access control method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example five
FIG. 5 illustrates a schematic diagram of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic device 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to the bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
Processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the respective methods and processes described above, for example, performs a data access control method.
In some embodiments, the data access control method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM12 and/or the communication unit 19. When the computer program is loaded into RAM13 and executed by processor 11, one or more steps of the data access control method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the data access control method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, and which receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
Computer programs for implementing the methods of the present invention can be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package, partly on a machine and partly on a remote machine, or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer-readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer-readable storage medium may be a machine-readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system that overcomes the high management difficulty and weak service scalability of traditional physical hosts and VPS services.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A data access control method applied to a desensitization adapter, comprising the following steps:
receiving a first data query request initiated by a target user through an application system, and desensitizing and rewriting the first data query request to obtain a second data query request;
forwarding the second data query request to a database for execution;
and receiving a desensitization query result fed back by the database, and forwarding the desensitization query result to the application system for viewing by the target user.
2. The method of claim 1, wherein desensitizing and rewriting the first data query request to obtain a second data query request comprises:
identifying the first data query request, and determining target data to be queried by the target user;
determining the sensitivity level of the target data and/or the data access permission level of the target user under the condition that the target data is sensitive data;
and performing desensitization rewriting on the first data query request according to the sensitivity level and/or the data access permission level to obtain a second data query request.
3. The method of claim 2, wherein desensitizing and rewriting the first data query request according to the sensitivity level and/or the data access permission level to obtain a second data query request comprises:
determining a target desensitization rule corresponding to the target data according to the sensitivity level and/or the data access permission level;
and desensitizing and rewriting the first data query request according to the target desensitization rule to obtain a second data query request.
4. The method of claim 3, wherein desensitizing and rewriting the first data query request according to the target desensitization rule to obtain a second data query request comprises:
determining a desensitization processing function corresponding to the target desensitization rule;
and desensitizing and rewriting the first data query request according to the desensitization processing function to obtain a second data query request.
5. The method of claim 1, further comprising:
carrying out validity check on the first data query request;
if the first data query request is illegal, intercepting the first data query request;
and if the first data query request is legal, performing desensitization rewriting operation on the first data query request.
6. The method of any one of claims 1-5, wherein the first data query request and the second data query request are database query requests generated based on SQL statements.
7. A data access control device configured for a desensitization adapter, comprising:
the request rewriting module is used for receiving a first data query request initiated by a target user through an application system, and desensitizing and rewriting the first data query request to obtain a second data query request;
the request forwarding module is used for forwarding the second data query request to a database for execution;
and the query result receiving and forwarding module is used for receiving the desensitization query result fed back by the database and forwarding the desensitization query result to the application system for viewing by the target user.
8. The apparatus of claim 7, wherein the request rewrite module further comprises:
the identification unit is used for identifying the first data query request and determining target data to be queried by the target user;
the determining unit is used for determining the sensitivity level of the target data and/or the data access permission level of the target user under the condition that the target data is sensitive data;
and the rewriting unit is used for performing desensitization rewriting on the first data query request according to the sensitivity level and/or the data access permission level to obtain a second data query request.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
10. A computer-readable storage medium storing computer instructions for causing a processor to perform the method of any one of claims 1-6 when executed.
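The flow in claims 1-5 (validity check, identifying the target columns, selecting a desensitization rule from the sensitivity level and the user's access permission level, rewriting, forwarding) can be sketched as follows. This is an added example, not the patent's implementation: the `RULES` table, the numeric levels, the masking expressions, the validity checks and the SQLite backend are all assumptions made for illustration.

```python
import re
import sqlite3

# Constructed policy: column -> (sensitivity level, SQL masking expression).
RULES = {
    "phone":   (1, "substr({c},1,3) || '****' || substr({c},-4)"),
    "id_card": (2, "substr({c},1,6) || '********' || substr({c},-4)"),
}
SELECT_RE = re.compile(r"^\s*select\s+(.+?)\s+from\s+(\w+)\s*(.*)$", re.I | re.S)
# Stacked statements, comments and nested SELECTs could read columns unmasked.
ILLEGAL_TAIL = re.compile(r";|--|/\*|\bselect\b", re.I)

def rewrite(sql, user_level):
    """Validity-check the first query and return the desensitized second query."""
    m = SELECT_RE.match(sql)
    if not m or ILLEGAL_TAIL.search(m.group(3)):
        raise PermissionError("illegal query intercepted")
    cols, table, tail = m.groups()
    # Filtering on a column the user may not read leaks it through the result set.
    for name, (level, _) in RULES.items():
        if level > user_level and re.search(rf"\b{name}\b", tail, re.I):
            raise PermissionError("predicate on masked column intercepted")
    out = []
    for col in (c.strip() for c in cols.split(",")):
        if not re.fullmatch(r"\w+", col):  # rejects '*', expressions, aliases
            raise PermissionError("illegal query intercepted")
        level, mask = RULES.get(col.lower(), (0, None))
        # Mask only when the column's sensitivity exceeds the user's level.
        out.append(f"{mask.format(c=col)} AS {col}" if level > user_level else col)
    return f"SELECT {', '.join(out)} FROM {table} {tail}".strip()

def adapter(db, sql, user_level):
    """Rewrite, forward to the database, and return the desensitized rows."""
    return db.execute(rewrite(sql, user_level)).fetchall()

def demo_db():
    """In-memory database holding one constructed customer record."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, phone TEXT, id_card TEXT)")
    db.execute("INSERT INTO customers VALUES "
               "('Li Wei', '13812345678', '110101199001011234')")
    return db

if __name__ == "__main__":
    q = "SELECT name, phone, id_card FROM customers WHERE name = 'Li Wei'"
    for lvl in (0, 1, 2):
        print(lvl, adapter(demo_db(), q, lvl))
```

Because masking is applied to the select list only, the sketch rejects `SELECT *`, nested queries and predicates on columns the user is not cleared for; a rewriter that lets those through returns or infers unmasked values.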
CN202211309940.XA 2022-10-25 2022-10-25 Data access control method and device, electronic equipment and storage medium Pending CN115878653A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211309940.XA CN115878653A (en) 2022-10-25 2022-10-25 Data access control method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211309940.XA CN115878653A (en) 2022-10-25 2022-10-25 Data access control method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115878653A (en) 2023-03-31

Family

ID=85758942

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211309940.XA Pending CN115878653A (en) 2022-10-25 2022-10-25 Data access control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115878653A (en)

Similar Documents

Publication Publication Date Title
US20210029089A1 (en) Enforcing security policies on client-side generated content in cloud application communications
US9679159B2 (en) Mobile privacy information proxy
US20150254577A1 (en) System and methods for location based management of cloud platform data
US10587652B2 (en) Generating false data for suspicious users
CN112417443A (en) Database protection method and device, firewall and computer readable storage medium
US20220083347A1 (en) Adding cycle noise to enclaved execution environment
CN115587575A (en) Data table creation method, target data query method, device and equipment
JP2019503021A (en) System environment and user behavior analysis based self-defense security device and its operation method
CN116015840B (en) Data operation auditing method, system, equipment and storage medium
CN116644473A (en) Data desensitization method and device
CN116244751A (en) Data desensitization method, device, electronic equipment, storage medium and program product
CN115878653A (en) Data access control method and device, electronic equipment and storage medium
US10929307B2 (en) Memory tagging for sensitive data redaction in memory dump
US10706150B2 (en) Detecting malicious software by inspecting table look-aside buffers
CN115935421B (en) Data product release method, system and storage medium
US11954231B2 (en) Recursively adapting a sensitive content masking technique
US20230153457A1 (en) Privacy data management in distributed computing systems
US11176108B2 (en) Data resolution among disparate data sources
CN114528592A (en) Service processing method, device, equipment, medium and program product
CN115935420A (en) Data processing method, device, server and medium
CN116340965A (en) Resource access method, device, equipment and storage medium
CN115801357A (en) Global exception handling method, device, equipment and storage medium
CN117131088A (en) Menu permission query method and device based on multistage distributed cache
WO2022238948A1 (en) Method and system for transforming personally identifiable information
CN117216783A (en) Access control method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination