CN116094832A - Data access method, device, equipment and medium based on business scene - Google Patents


Info

Publication number
CN116094832A
Authority
CN
China
Prior art keywords
service
scene
information
authority
data
Prior art date
Legal status
Pending
Application number
CN202310130186.1A
Other languages
Chinese (zh)
Inventor
杨帅
陈静国
廖过房
郝艳茹
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202310130186.1A
Publication of CN116094832A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The disclosure provides a data access method based on a business scene and relates to the field of information security. The method comprises the following steps: receiving a data access request of a service calling party, wherein the data access request comprises the service scene information for the current call of the service calling party; determining corresponding scene authority information according to the service scene information, wherein the service calling party is configured with N scene authorities in one-to-one correspondence with its N service scenes, and N is greater than or equal to 1; filtering the access data to the authority range according to the scene authority information, wherein each of the N scene authorities has an authority range different from that of at least one other authority; and sending the access data to the service calling party. The present disclosure also provides a data access apparatus, a device, a storage medium and a program product based on the business scenario.

Description

Data access method, device, equipment and medium based on business scene
Technical Field
The present disclosure relates to the field of information security, and more particularly, to a business scenario-based data access method, apparatus, device, medium, and program product.
Background
Enterprise customer information is used as basic data information, and integration and sharing services of the customer information are required to be provided for various business systems of the whole enterprise. Enterprise customer information data is increasingly large, and the amount of customer information query is also increasing.
When customer information queries are processed, all of the customer information is generally returned. This does not meet personal information protection specifications and does not take into account the security risk in the transfer or exchange of the information.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a data access method, apparatus, device, medium, and program product based on business scenarios.
In one aspect of the embodiments of the present disclosure, a data access method based on a service scenario is provided, including: receiving a data access request of a service calling party, wherein the data access request comprises the service scene information for the current call of the service calling party; determining corresponding scene authority information according to the service scene information, wherein the service calling party is configured with N scene authorities in one-to-one correspondence with its N service scenes, and N is greater than or equal to 1; filtering the access data to the authority range according to the scene authority information, wherein each of the N scene authorities has an authority range different from that of at least one other authority; and sending the access data to the service calling party.
According to an embodiment of the present disclosure, before determining corresponding scene authority information according to the service scene information, the method further includes identifying the N service scenes of the service caller, which specifically includes: receiving registration call information of the service calling party, wherein the registration call information comprises M service attributes of the service calling party, and M is greater than or equal to 1; and identifying each business scenario based on at least one of the M business attributes.
According to an embodiment of the present disclosure, the M service attributes include at least one of: a user attribute, which comprises at least a user category and a channel category of the service calling party; an environment attribute, which comprises at least the data access time and the data access place of the service calling party; an operation attribute, which comprises at least the data access requirement and the data flow of the service calling party; and a resource attribute, which comprises at least the data table information and field information accessed by the service calling party.
According to an embodiment of the present disclosure, the authority range of the scene authority information includes S fields, and after identifying the N service scenes of the service caller, the method further includes configuring the N scene authorities of the service caller, and specifically includes: determining S fields of each service scene as scene authorities of the scene, wherein any one scene of the N service scenes and at least one other scene have S fields which are not completely identical, and S is greater than or equal to 1; and/or generating a first channel service table according to the S fields of each business scene, wherein the first channel service table comprises the corresponding relation between the N business scenes and the N scene authorities.
According to an embodiment of the present disclosure, after identifying the N service scenarios of the service caller, the method further includes configuring N access rights of the service caller, specifically including: determining a calling service name and a calling method name of each service scene in the N service scenes, wherein the calling service name and the calling method name of each service scene are used for accessing the S fields of the service scene; and writing the calling service name and the calling method name of each business scene into a second channel service table as access rights of the scene, wherein the second channel service table is the same as or different from the first channel service table.
According to an embodiment of the present disclosure, the data access request includes a call service name and a call method name of the call, and determining the corresponding scene authority information according to the service scene information includes: checking the access right of the service calling party based on the second channel service table according to the service scene information, the calling service name and the calling method name of the call; after the check passes, the scene authority information is determined from the first channel service table.
According to an embodiment of the present disclosure, the sending the access data to the service caller includes: determining the access amount of the service calling party to the service scene information in a preset time period; and sending the access data to the service calling party under the condition that the access quantity is smaller than or equal to a preset threshold value.
According to an embodiment of the present disclosure, the sending the access data to the service caller includes: determining corresponding encryption information according to the service scene information under the condition that the access data comprises a specific field, wherein any one scene of the N service scenes and at least one scene of the N service scenes have different encryption information; and sending the access data encrypted by the encryption information to the service calling party.
According to an embodiment of the present disclosure, after receiving a data access request of a service caller, the method further comprises: in response to the data access request, generating a data access log of the service calling party, wherein the data access log comprises the business scene information and the access data.
Another aspect of the embodiments of the present disclosure provides a data access device based on a service scenario, including: a request receiving module for receiving a data access request of a service calling party, wherein the data access request comprises the service scene information for the current call of the service calling party; a permission determining module for determining corresponding scene permission information according to the service scene information, wherein the service calling party is configured with N scene permissions in one-to-one correspondence with its N service scenes, and N is greater than or equal to 1; a minimum authority filtering module for filtering the access data to the authority range according to the scene authority information, wherein each of the N scene authorities has an authority range different from that of at least one other authority; and a data return module for sending the access data to the service calling party.
The apparatus comprises means for performing the steps of the method as claimed in any one of the preceding claims, respectively.
Another aspect of an embodiment of the present disclosure provides an electronic device, including: one or more processors; and a storage means for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method as described above.
Another aspect of the disclosed embodiments also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the method as described above.
Another aspect of the disclosed embodiments also provides a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
The one or more embodiments described above have at least the following advantages: N business scenes can be divided according to the actual business needs of a service calling party, and scene authorities are configured for them one by one. For a data access request of the service calling party, the corresponding scene authority information can be determined from the business scene information in the request, so that data access authority control is performed within the authority range at the fine granularity of the actual business scene, and the access data subjected to authority control is returned to the service calling party. This realizes fine-grained access control and whole-process audit of personal information according to the principles of business need and minimum authority.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture diagram of a business scenario-based data access method according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a business scenario-based data access method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart identifying each business scenario according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of configuring scene rights in accordance with an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of configuring scene rights in accordance with another embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow chart of configuring access rights in accordance with an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flow chart of determining scene entitlement information for the access in accordance with an embodiment of the present disclosure;
FIG. 8 schematically illustrates a flow chart of flow monitoring according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a flow diagram of encrypted transmissions according to an embodiment of the disclosure;
FIG. 10 schematically illustrates a flow chart of a business scenario-based data access method according to another embodiment of the present disclosure;
FIG. 11 schematically illustrates a block diagram of a business scenario-based data access apparatus according to an embodiment of the present disclosure; and
FIG. 12 schematically illustrates a block diagram of an electronic device adapted to implement a business scenario-based data access method, according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression like "at least one of A, B and C, etc." is used, it should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Taking a customer information management system based on a distributed technology system as an example, the distributed architecture of the system encapsulates different types of customer data information into individual micro services for each business system of the whole enterprise to call. For example, customer base information is packaged into a micro-service, certificate information is packaged into a micro-service, financial information is packaged into a micro-service, etc.
In general, in order to reduce changes to the micro services, each micro service essentially returns all information, which makes it difficult to ensure that the micro service returns customer information according to the minimum authority. In some embodiments, to improve service efficiency, the customer information management system provides methods that return different field dimensions, for example by building a new micro service for each field combination (including at least one field) or by modifying an original micro service. For a service caller, the field combinations actually used vary widely, so there are too many such similar methods, which causes code redundancy (such as micro service redundancy) and gives each modification a wide influence range.
According to the data access method, device, equipment, medium and program product based on service scenes of the present disclosure, N service scenes can be divided according to the actual service needs of a service calling party, and scene authorities are configured for them one by one. For a data access request of the service calling party, the corresponding scene authority information can be determined from the service scene information in the request, so that data access authority control is performed within the authority range at the fine granularity of the actual service scene, and the access data subjected to authority control is returned to the service calling party. This realizes fine-grained access control and whole-process audit of personal information according to the principles of business need and minimum authority.
In addition, according to the scene authority corresponding to each service scene, an access control layer is arranged in the distributed architecture to uniformly perform data access authority control within the authority range at the fine granularity of the actual service scene. No individual micro service needs to be modified, and adding or removing service scenes has no influence on the existing logic: by modifying the relevant parameter configuration of the service calling party, fine-grained access control and whole-process audit of personal information can be performed according to the principles of service need and minimum authority, and the influence range is controllable.
Fig. 1 schematically illustrates a system architecture diagram of a business scenario-based data access method according to an embodiment of the present disclosure. The present disclosure is not limited to the architecture shown in fig. 1.
As shown in fig. 1, the service caller has N service scenarios from scenario 1 to scenario N, and the service provider (such as the above-mentioned customer information management system) includes an access control layer, a plurality of micro services, and a database. The access control layer may implement at least one of the following functions: channel element inspection, access right inspection, traffic monitoring, service call, minimum right filtering, encrypted data transmission, and asynchronous log registration. The plurality of micro services are used to access and manage, by category, the customer data information in the database.
In some embodiments, the service caller may be any business system within the enterprise. In other embodiments, taking a bank as an example, the service invoker may include various channel ends of the bank (each channel end may integrate multiple business systems), such as a mobile phone bank, an online bank, or a third party channel.
The data access method based on the service scenario according to the embodiments of the present disclosure will be described in detail below with reference to fig. 2 to 10 based on the architecture described in fig. 1.
Fig. 2 schematically illustrates a flowchart of a business scenario-based data access method according to an embodiment of the present disclosure.
As shown in fig. 2, the data access method based on the service scenario of the embodiment includes operations S210 to S240. The data access method of this embodiment may be performed by the access control layer shown in fig. 1, which may be implemented by a micro service.
In operation S210, a data access request of a service caller is received, the data access request including service scenario information that the service caller calls for the time.
Illustratively, the service scenario information includes information indicating which service scenario the current call is based on. When handling the business a user is transacting, the service caller can itself determine which service scenario the call belongs to and carry that information in the request. The service caller may be one of a plurality of callers that the service provider interfaces with.
In operation S220, corresponding scene authority information is determined according to the service scene information, wherein the service caller is configured with N scene authorities in one-to-one correspondence based on N service scenes thereof, N being greater than or equal to 1.
Illustratively, the scene authority information indicates which of the N scene authorities applies. The N scene authorities may be configured in advance or may be configured in real time in response to the data access request. If they are preconfigured, the scene authority information for the current access can be determined from the one-to-one correspondence between service scenes and scene authorities.
In operation S230, the access data is filtered to the authority range according to the scene authority information, wherein each of the N scene authorities has an authority range different from that of at least one of the remaining authorities.
Illustratively, corresponding micro services are invoked to acquire data in response to a data access request, and the acquired data is filtered according to the scope of authority. The access data includes one or more field values within the scope of the rights. The field refers to the information field of the client data, such as an identity card field, a balance field, an age field and the like, and the field value is the specific data value of each client.
In operation S240, the access data is transmitted to the service caller.
According to the embodiment of the disclosure, the corresponding scene authority information can be determined based on the service scene information, data access authority control is performed within the authority range at the fine granularity of the actual service scene, and the access data subjected to authority control is returned to the service calling party. This realizes fine-grained access control and whole-process audit of personal information according to the principles of service need and minimum authority.
For the distributed architecture system shown in fig. 1, the access control layer uniformly performs data access authority control within the authority range at the fine granularity of the actual service scene. No individual micro service needs to be modified, and adding or removing service scenes has no influence on the existing logic: by modifying the relevant parameter configuration of the service caller, fine-grained access control and whole-process audit of personal information can be performed according to the principles of business need and minimum authority, and the influence range is controllable.
Fig. 3 schematically illustrates a flowchart for identifying each business scenario according to an embodiment of the present disclosure.
Before determining the corresponding scene authority information according to the service scene information, as shown in fig. 3, the embodiment further includes identifying N service scenes of the service caller, and specifically includes operations S310 to S320.
In operation S310, registration call information of a service caller is received, the registration call information including M service attributes of the service caller, M being greater than or equal to 1.
Illustratively, the registration invocation information includes information required for access, such as access target data information, estimated traffic, traffic attributes, channel information, user information, or service information provided to the user, registered in advance with the service provider by the service invoker. The business attributes include characteristic information of one or more dimensions of the transacted business offered by the service provider to the user.
In operation S320, each business scenario is identified based on at least one of the M business attributes.
By way of example, a business scenario may be identified based solely on business attributes, and may also be identified in combination with business attributes and other information, including, for example, one or more of channel information, user information, service information provided to the user, access policies, regulations, overall rights information for the service invoker, and the like.
According to the embodiment of the disclosure, the real requirements of the service calling party for data access are determined through different service attributes, so that the actual service scene is determined, the access requirements of the service calling party can be met, the 'minimum authority' principle can be realized, and the client data can be effectively protected.
In some embodiments, the M business attributes include at least one of:
The user attribute comprises at least a user category and a channel category of the service caller. It includes characteristic information of the users the service caller connects to, such as gender distribution, age distribution, category information, and the channel a user comes from.
The environment attribute comprises at least the data access time and the data access place of the service calling party. It includes information about the environment the service caller is in when the data access request is received; for example, the data access time is the time at which each data access request is sent, and the data access place is where the user is when sending the data access request through the service caller.
The operation attribute comprises at least the data access requirement and the data flow of the service calling party. It includes information on how the service caller processes the data when the data access request is received. The data access requirement includes the data size, the time range, the time limit for returning the access data, and the like. The data flow indicates where the access data will be sent after reaching the service caller.
The resource attribute comprises at least the data table information and field information accessed by the service calling party. It includes information on how the data accessed by the service caller is stored in the database.
Illustratively, following the principle that data access control is developing toward multi-dimensional and dynamic management and control, specific business scenes are divided one by one according to the access policy, the regulations and the actual business needs of the calling party, based on the user attribute (user category, channel category and the like), the environment attribute (current time and place), the operation attribute (data access requirement, data flow and the like) and the resource attribute (data table, field and the like), and data access authority control is performed at fine granularity.
For example, the operation of accessing personal client information can be subdivided into the following different business scenes according to one or more of the user attributes, environment attributes, operation attributes, resource attributes and the like of each calling party.
A. The user queries personal client information through a bank counter transaction and obtains fields 1 to N.
B. The user queries personal client information through a bank self-service terminal transaction and obtains fields 1 to N-1.
C. The user queries personal client information through a bank marketing terminal and obtains fields 1 to N-2.
D. The user queries personal client information through personal mobile banking and obtains fields 1 to N-3.
E. The user queries personal client information through external partners such as Alipay and WeChat and obtains fields 1 to N-4.
According to access policies, regulations and the like, the information which can be displayed in different business scenes is different, and the access authority and the access field are also different.
According to the embodiment of the disclosure, the identification of the service scene is realized from multiple dimensions such as the user attribute, the environment attribute, the operation attribute, the resource attribute and the like, so that the subdivision accuracy of the service scene can be improved, and the accurate configuration of the follow-up scene authority is facilitated.
Fig. 4 schematically illustrates a flow chart of configuring scene rights according to an embodiment of the disclosure.
In some embodiments, the authority range of the scene authority information includes S fields, and after identifying N service scenes of the service caller, as shown in fig. 4, the embodiment further includes configuring N scene authorities of the service caller, specifically including operation S410 and/or operation S420.
In operation S410, S fields of each service scene are determined as scene permissions of the scene, wherein any one of the N service scenes has S fields that are not exactly the same as at least one of the remaining scenes, and S is greater than or equal to 1.
Illustratively, "not exactly the same" covers both partially identical and completely different field sets. The range of the S fields is the authority range of each scene authority under the "minimum authority" principle. By controlling which fields each business scene can access, any one scene authority is given an authority range different from that of at least one other scene authority. It can be appreciated that the business scenes may include the same number or different numbers of fields within the scope of their respective scene authorities.
In operation S420, a first channel service table is generated according to S fields of each service scenario, where the first channel service table includes correspondence between N service scenarios and N scenario authorities.
It will be appreciated that when only operation S410 is included, the S fields may be determined and configured in a form other than a channel service table; for example, a separate rights file containing the field information of the service scenario is configured for each service scenario. When only operation S420 is included, the S fields of each business scenario may be filled into the first channel service table manually. When both operations S410 and S420 are included, the S fields of each business scenario may be determined automatically, and the first channel service table may be generated with those fields registered in it.
According to the embodiments of the present disclosure, data access authority control parameters are refined into specific service scenes according to the caller's actual service requirements, and are determined at field granularity (namely the S fields) through the fields configured for each service scene in the channel service table.
In addition, adding or removing business scenes, or changing the scene authority of a business scene, can be done by modifying the channel service table, unlike the approach of creating a new microservice for each field combination (comprising at least one field) or modifying the original microservice. In other words, a change to a service scene or scene authority has no influence on the existing logic; modifying the parameter configuration in the channel service table makes control more flexible and keeps the scope of impact controllable.
Fig. 5 schematically illustrates a flow chart of configuring scene rights according to another embodiment of the present disclosure.
As shown in fig. 5, the configuration scene authority of this embodiment includes operations S510 to S540.
In operation S510, registration call information is received; refer to operation S310 described above, which is not repeated here.
In operation S520, it is verified whether the registration call information is authentic, so as to prevent fraud by the service caller.
In operation S530, scene authority information is generated according to the actual service scene. For example, one or more actual service scenes are identified according to operations S310 to S320, and the scene authority information is then generated automatically. The generation can be implemented with a trained machine learning model: access fields are extracted from the registration call information and screened against access policies and legal requirements, so that the S fields of each business scene are finally determined as its scene authority.
In operation S540, the scene authority is configured. For example, a channel service table is generated, and the correspondence between service scenes and scene authorities is configured and maintained in it.
According to the embodiments of the present disclosure, the access control layer performs unified control and no individual service needs to be modified; adding or removing a service scene has no influence on the existing logic. Fine-grained access control and whole-process auditing of personal financial information can be carried out under the business-need and minimum-authority principles merely by modifying the parameter configuration, and the scope of impact is controllable. For an information leakage scene identified by monitoring alarms, the corresponding service scene can be closed in real time as an emergency measure without affecting other normal service scenes.
Fig. 6 schematically illustrates a flow chart of configuring access rights according to an embodiment of the disclosure.
After identifying N service scenarios of the service caller, as shown in fig. 6, the embodiment further includes configuring N access rights of the service caller, specifically including operations S610 to S620.
In operation S610, a call service name and a call method name of each of the N service scenarios are determined, wherein the call service name and the call method name of each service scenario are used to access S fields of the service scenario.
Illustratively, the call service name is the name of the microservice called when the data is within the access authority range of the business scenario, and the call method name is the name of the method that the called microservice executes to acquire the data from the database. A method is a programming term for a unit that enables code reuse. For example, in Java a method is defined in a class body, its body consists of Java statements, and once defined it must be called in order to execute.
In operation S620, the call service name and the call method name of each business scenario are written into a second channel service table as access rights of the scenario, wherein the second channel service table is the same as or different from the first channel service table. If the two tables are identical, only one table exists, and if the two tables are different, the two tables exist.
This realizes access control at the level of microservices and methods: if the service scene information, call service name and call method name that a service caller uses in a data access request do not match the configured access rights, the caller's access can be refused.
In particular, the present disclosure does not limit the order in which access rights and scene rights are configured, for example, access rights may be configured first, scene rights may be configured second, or both may be configured simultaneously.
Fig. 7 schematically illustrates a flowchart of determining scene entitlement information for the access in accordance with an embodiment of the present disclosure.
As shown in fig. 7, determining corresponding scene authority information according to the service scene information in operation S220 includes operations S710 to S720. The data access request includes the call service name and the call method name of the call.
In operation S710, the access right of the service caller is checked based on the second channel service table according to the service scenario information, the call service name and the call method name of the call.
Illustratively, the access authority check is performed first: the channel service table is queried by call service name, service caller application, call method name and service scenario to check the data access control authority of each service scenario.
In operation S720, after the check is passed, the scene authority information is determined from the first channel service table.
In the related art, access authority control is performed according to a channel (calling party), the control granularity is not accurate enough, and the switching is not flexible enough. According to the embodiment of the disclosure, through two-stage control of the access authority and the scene authority, the control granularity can be effectively refined, and the data access flexibility and the data security are improved.
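The two-stage check of operations S710 to S720, followed by field-level filtering under the scene authority, as an added Python example that is not part of the patent. The table layout, caller and scenario identifiers, service and method names, and the sample record are all hypothetical, and a single table plays the role of both the first and the second channel service table.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SceneEntry:
    """One row of the channel service table (all names are hypothetical)."""
    caller: str            # service caller (channel) application
    scene: str             # business scenario identifier
    service: str           # call service name (microservice)
    method: str            # call method name
    fields: frozenset      # the S fields this scenario may read
    enabled: bool = True   # lets an operator close one scenario in an emergency


class AccessDenied(Exception):
    """Raised when the access rights check fails."""


# Constructed sample record standing in for the customer database.
CUSTOMER = {
    "name": "Zhang San", "id_number": "ID-0001", "gender": "F",
    "occupation": "engineer", "phone": "555-0100", "address": "1 Example Rd",
}

# Constructed table: the same operation exposes different fields per scenario.
CHANNEL_SERVICE_TABLE = [
    SceneEntry("counter", "counter_query", "customer-info", "queryCustomer",
               frozenset(CUSTOMER)),
    SceneEntry("mobile_bank", "mobile_query", "customer-info", "queryCustomer",
               frozenset({"name", "gender", "phone"})),
    SceneEntry("partner", "partner_query", "customer-info", "queryBasic",
               frozenset({"name"})),
]


class AccessControlLayer:
    def __init__(self, table):
        # Key on (caller, scene) so a caller cannot borrow another caller's scenario.
        self._table = {(e.caller, e.scene): e for e in table}

    def check_access(self, caller, scene, service, method):
        """Stage 1 (S710): the scenario must be registered for this caller and
        the requested service/method must match what was configured."""
        entry = self._table.get((caller, scene))
        if entry is None or not entry.enabled:
            raise AccessDenied("scenario not registered or closed")
        if (entry.service, entry.method) != (service, method):
            raise AccessDenied("service/method not permitted for scenario")
        return entry

    def handle(self, caller, scene, service, method, record):
        entry = self.check_access(caller, scene, service, method)
        # Stage 2 (S720 and the minimum-authority filter): allow-list, so a
        # field added to the record later stays hidden until it is granted.
        return {k: v for k, v in record.items() if k in entry.fields}

    def close_scene(self, caller, scene):
        """Emergency switch: disable one scenario, leave the others untouched."""
        key = (caller, scene)
        self._table[key] = replace(self._table[key], enabled=False)
```

Filtering by allow-list rather than by removing known sensitive fields means a schema change cannot silently widen what a scenario returns.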
Fig. 8 schematically illustrates a flow chart of flow monitoring according to an embodiment of the present disclosure.
As shown in fig. 8, transmitting the access data to the service caller in operation S240 includes operations S810 to S820.
In operation S810, an access amount of the service caller to the service scenario information for a predetermined period of time is determined.
The predetermined period of time is illustratively the 24 hours of a day. The access amount includes the total number of data access requests the service caller sent within those 24 hours.
In operation S820, in case the access amount is less than or equal to a preset threshold, the access data is transmitted to the service caller.
For example, when monitoring detects that the access amount K of a service scenario exceeds the preset threshold configured for that scenario (for example, 1000 requests, an example only), or exceeds the threshold by a certain proportion X (for example, 0-5%, an example only), that is, when access amount K[scenario i] > threshold L[scenario i] × (1 + alarm proportion X[scenario i]), alarm information is sent, preventing data leakage caused by bulk database-dump queries.
In some embodiments, data access may be monitored from the user dimension across the multiple service callers of one or more users. For example, a bank self-service terminal, a bank marketing terminal and personal mobile banking act as different service callers; if several service callers access different data of the same customer within a short time, all of that customer's information may be leaked, and an alarm is raised when this situation is detected.
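An added example (not from the patent) of the monitoring in operations S810 to S820 and of the cross-channel case above: a per-scenario counter that sends data only while K ≤ L and records an alarm once K > L × (1 + X), plus a per-customer monitor that flags one customer being read by many callers. The class names, in-memory counters, and the caller limit and window of the per-customer monitor are assumptions; the text gives no value for "a short time".

```python
import time
from collections import defaultdict, deque

DAY = 24 * 3600  # predetermined period from the text: 24 hours


class ScenarioFlowMonitor:
    """Per-scenario request counter over a sliding window (S810 to S820)."""

    def __init__(self, thresholds, alarm_ratios, window=DAY):
        self.thresholds = thresholds      # scenario -> threshold L
        self.alarm_ratios = alarm_ratios  # scenario -> alarm proportion X
        self.window = window
        self._hits = defaultdict(deque)   # scenario -> request timestamps
        self.alarms = []                  # (scenario, K, timestamp)

    def record(self, scenario, now=None):
        """Count one request; return True if the data may be sent (K <= L)."""
        limit = self.thresholds.get(scenario)
        if limit is None:
            return False                  # unconfigured scenario: fail closed
        now = time.time() if now is None else now
        hits = self._hits[scenario]
        while hits and hits[0] <= now - self.window:
            hits.popleft()                # drop requests older than the window
        hits.append(now)
        k = len(hits)
        # Alarm condition from the text: K > L * (1 + X)
        if k > limit * (1 + self.alarm_ratios.get(scenario, 0.0)):
            self.alarms.append((scenario, k, now))
        return k <= limit


class CustomerFanInMonitor:
    """Flags one customer being read by many distinct service callers."""

    def __init__(self, max_callers, window):
        self.max_callers = max_callers    # assumed limit; not given in the text
        self.window = window              # assumed length of "a short time"
        self._seen = defaultdict(deque)   # customer -> (timestamp, caller)

    def record(self, customer_id, caller, now=None):
        """Return True when too many distinct callers read one customer."""
        now = time.time() if now is None else now
        seen = self._seen[customer_id]
        while seen and seen[0][0] <= now - self.window:
            seen.popleft()
        seen.append((now, caller))
        return len({c for _, c in seen}) > self.max_callers
```

Between L and L × (1 + X) requests are already withheld but no alarm fires, which is the band the alarm proportion is meant to tolerate.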
Fig. 9 schematically illustrates a flow chart of encrypted transmissions according to an embodiment of the disclosure.
As shown in fig. 9, transmitting the access data to the service caller in operation S240 includes operations S910 to S920.
In operation S910, in case that the access data includes a specific field, corresponding encryption information is determined according to the service scenario information, wherein any one of the N service scenarios has different encryption information from the rest of at least one scenario.
Illustratively, the encryption information may include an encryption algorithm and a key generated based on that algorithm. If a symmetric encryption algorithm is adopted, the service caller and the service provider hold the same secret key. If an asymmetric encryption algorithm is adopted, one of the service caller and the service provider holds the public key and the other holds the private key. The specific fields may include one or more sensitive fields in a database and may also include one or more fields customized according to privacy requirements.
It can be appreciated that different service scenarios may have different encryption algorithms, or different keys under the same encryption algorithm, so as to further improve confidentiality of data.
The access data encrypted with the encryption information is transmitted to the service caller in operation S920.
According to the embodiment of the disclosure, the returned important data is encrypted according to the service scene, so that confidentiality of the important data of the system in the transmission process is improved.
In some embodiments, after the data access request of the service caller is received, the method further includes: in response to the data access request, generating a data access log of the service caller, where the data access log includes the service scene information and the access data.
For example, each time a data access request is received, a data access log entry may be registered synchronously or asynchronously; "generating" here means writing the information of the request into the log. For example, the details of every call are registered, so that the sharing and transfer of personal financial information can be accurately recorded, stored and traced, and transaction volume statistics can be produced.
Specifically, the data access authority control parameters refined by service scene are recorded, including the fields used by the service scene, the service scene description, the caller, the authority validity period and the like. The details of every call are registered, so that the sharing and transfer of personal financial information can be accurately recorded, stored and traced, and transaction volume statistics can be produced. Because the sharing and transfer of personal information (such as financial information) is accurately recorded and stored, the shared and transferred information and the process of sharing it can be traced.
Fig. 10 schematically illustrates a flow chart of a business scenario-based data access method according to another embodiment of the present disclosure.
As shown in fig. 10, the data access method based on the service scenario of the embodiment includes operations S1001 to S1011.
In operation S1001, the caller accesses data and a data access request is received; refer to operation S110.
In operation S1002, channel element inspection: check whether the information is legal, for example whether the channel elements are complete and correct. The service caller is the channel, and the channel elements are used, for example, to identify the channel identity.
In operation S1003, if the channel element check is not passed, the caller is not permitted to access.
In operation S1004, if the channel element check passes, the access rights are then checked; refer to operation S710.
In operation S1005, if the access rights check is not passed, the caller is not allowed to access.
In operation S1006, when the access rights check is passed, the flow is monitored; refer to operations S810 to S820.
In operation S1007, if the access amount of the caller exceeds a predetermined threshold, a monitoring alarm is raised and access is prohibited.
In operation S1008, service call: the corresponding microservice and method are called according to the information configured for the service scene to acquire data.
In operation S1009, the log is registered asynchronously, forming a traceable data access record.
In operation S1010, minimum authority filtering: access data is returned at field granularity within the authority range configured for the service scene, following the minimum authority principle, for example the identification card field, name field, gender field and occupation field within the authority range.
In operation S1011, encrypted data transmission: the returned important data is encrypted according to the service scene. The data receiver decrypts with the key agreed for the service scene.
In particular, performing the access control and whole-process audit steps (that is, one or more security protection steps) such as channel element inspection, access rights inspection, flow monitoring, asynchronous log registration and minimum rights filtering in the above order is only one embodiment of the present disclosure. The present disclosure is not limited to that order, which may be adjusted according to actual requirements; for example, the asynchronous log registration step may be started before channel element inspection.
Based on the data access method based on the service scene, the disclosure also provides a data access device based on the service scene. The device will be described in detail below in connection with fig. 8.
Fig. 11 schematically illustrates a block diagram of a data access apparatus based on a business scenario according to an embodiment of the present disclosure.
As shown in fig. 11, the service scenario-based data access apparatus 1100 of this embodiment includes a request receiving module 1110, a right determining module 1120, a minimum right filtering module 1130, and a data returning module 1140.
The request receiving module 1110 may perform operation S210 for receiving a data access request of a service caller, the data access request including traffic scenario information that the service caller calls for the time.
The authority determination module 1120 may perform operation S220 to determine corresponding scene authority information according to the service scene information, wherein the service caller is configured with N scene authorities in one-to-one correspondence based on N service scenes thereof, N being greater than or equal to 1.
In some embodiments, the rights determining module 1120 may perform operations S710 to S720, which are not described herein.
The minimum authority filtering module 1130 may perform operation S230 for filtering access data within an authority range thereof according to scene authority information, wherein any one authority of the N scene authorities has a different authority range from the rest of at least one authority.
The data return module 1140 may perform operation S240 for transmitting the access data to the service caller.
In some embodiments, the data return module 1140 may perform operations S810-S820, and operations S910-S920, which are not described herein.
In some embodiments, the data access apparatus 1100 may further include a service identification module, which may perform operations S310 to S320, which are not described herein.
In some embodiments, the data access apparatus 1100 may further include a scene authority configuration module, which may perform operations S410 to S420, which are not described herein.
In some embodiments, the data access device 1100 may further include an access right configuration module, which may perform operations S510 to S520, which are not described herein.
It should be noted that the data access apparatus 1100 includes modules for performing the respective steps of any of the embodiments described above with reference to fig. 2 to 10. The implementation manner, the solved technical problems, the realized functions and the realized technical effects of each module/unit/sub-unit and the like in the apparatus part embodiment are the same as or similar to the implementation manner, the solved technical problems, the realized functions and the realized technical effects of each corresponding step in the method part embodiment, and are not repeated herein.
Any of the plurality of modules of request receiving module 1110, rights determining module 1120, minimum rights filtering module 1130, and data returning module 1140 may be combined in one module or any of the plurality of modules may be split into a plurality of modules according to embodiments of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module.
According to embodiments of the present disclosure, at least one of the request receiving module 1110, the rights determining module 1120, the minimum rights filtering module 1130, and the data returning module 1140 may be implemented, at least in part, as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging circuits, or in any one of, or a suitable combination of, the three implementations of software, hardware and firmware. Alternatively, at least one of the request receiving module 1110, the rights determining module 1120, the minimum rights filtering module 1130, and the data returning module 1140 may be at least partially implemented as a computer program module which, when executed, performs the corresponding functions.
Fig. 12 schematically illustrates a block diagram of an electronic device adapted to implement a business scenario-based data access method, according to an embodiment of the present disclosure.
As shown in fig. 12, an electronic device 1200 according to an embodiment of the present disclosure includes a processor 1201, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1202 or a program loaded from a storage section 1208 into a Random Access Memory (RAM) 1203. The processor 1201 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 1201 may also include on-board memory for caching purposes. The processor 1201 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 1203, various programs and data required for the operation of the electronic apparatus 1200 are stored. The processor 1201, the ROM 1202, and the RAM 1203 are connected to each other through a bus 1204. The processor 1201 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1202 and/or RAM 1203. Note that the program may be stored in one or more memories other than the ROM 1202 and the RAM 1203. The processor 1201 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in one or more memories.
According to an embodiment of the disclosure, the electronic device 1200 may also include an input/output (I/O) interface 1205, which is also connected to the bus 1204. The electronic device 1200 may also include one or more of the following components connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, etc.; an output section 1207 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc.; a storage section 1208 including a hard disk or the like; and a communication section 1209 including a network interface card such as a LAN card, a modem, or the like. The communication section 1209 performs communication processing via a network such as the Internet. The drive 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1210 as needed, so that a computer program read from it is installed into the storage section 1208 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments. Or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include the ROM 1202 and/or the RAM 1203 and/or one or more memories other than the ROM 1202 and the RAM 1203 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1201. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program can also be transmitted, distributed over a network medium in the form of signals, and downloaded and installed via a communication portion 1209, and/or from a removable medium 1211. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1209, and/or installed from the removable media 1211. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1201. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for executing the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or incorporated in a variety of ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined and/or incorporated in various ways without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (13)

1. A data access method based on business scene includes:
receiving a data access request of a service calling party, wherein the data access request comprises service scene information called by the service calling party at the time;
determining corresponding scene authority information according to the service scene information, wherein the service calling party is configured with N scene authorities in one-to-one correspondence based on N service scenes, and N is greater than or equal to 1;
screening access data in the authority range according to the scene authority information, wherein any one authority of the N scene authorities and at least one other authority have different authority ranges; and
sending the access data to the service calling party.
2. The method according to claim 1, wherein before determining corresponding scene authority information from the service scene information, the method further comprises identifying the N service scenes of the service caller, in particular comprising:
receiving registration call information of the service calling party, wherein the registration call information comprises M service attributes of the service calling party, and M is greater than or equal to 1;
each business scenario is identified based on at least one of the M business attributes.
3. The method of claim 2, wherein the M business attributes comprise at least one of:
the user attribute, which at least comprises a user category and a channel category of the service calling party;
the environment attribute, which at least comprises the data access time and the data access place of the service calling party;
the operation attribute, which at least comprises the data access requirement and the data flow of the service calling party; and
the resource attribute, which at least comprises data table information and field information accessed by the service calling party.
4. The method according to claim 2, wherein the scope of authority of the scene authority information comprises S fields, the method further comprising configuring the N scene authorities of the service caller after identifying the N business scenes of the service caller, in particular comprising:
determining S fields of each service scene as scene authorities of the scene, wherein any one scene of the N service scenes and at least one other scene have S fields which are not completely identical, and S is greater than or equal to 1; and/or
generating a first channel service table according to the S fields of each business scene, wherein the first channel service table comprises the corresponding relation between the N business scenes and the N scene authorities.
5. The method of claim 4, wherein after identifying the N business scenarios of the service caller, the method further comprises configuring N access rights of the service caller, comprising:
determining a calling service name and a calling method name of each service scene in the N service scenes, wherein the calling service name and the calling method name of each service scene are used for accessing the S fields of the service scene;
and writing the calling service name and the calling method name of each business scene into a second channel service table as access rights of the scene, wherein the second channel service table is the same as or different from the first channel service table.
6. The method of claim 5, wherein the data access request includes a call service name and a call method name of the call, and the determining the corresponding scene authority information according to the service scene information includes:
checking the access right of the service calling party based on the second channel service table according to the service scene information, the calling service name and the calling method name of the call;
after the check passes, the scene authority information is determined from the first channel service table.
7. The method of any of claims 1-6, wherein the sending the access data to the service caller comprises:
determining the access amount of the service calling party to the service scene information in a preset time period;
and sending the access data to the service calling party under the condition that the access amount is smaller than or equal to a preset threshold value.
8. The method of any of claims 1-6, wherein the sending the access data to the service caller comprises:
determining corresponding encryption information according to the service scene information under the condition that the access data comprises a specific field, wherein any one scene of the N service scenes and at least one scene of the N service scenes have different encryption information;
and sending the access data encrypted by the encryption information to the service calling party.
9. The method of any of claims 1-6, wherein after receiving a data access request of a service caller, the method further comprises:
and responding to the data access request, generating a data access log of the service calling party, wherein the data access log comprises the business scene information and the access data.
10. A business scenario-based data access apparatus, comprising:
the request receiving module is used for receiving a data access request of a service calling party, wherein the data access request comprises the service scene information of the current call by the service calling party;
the permission determining module is used for determining corresponding scene permission information according to the service scene information, wherein the service calling party is configured with N scene permissions corresponding to N service scenes one by one, and N is greater than or equal to 1;
the minimum authority filtering module is used for filtering access data in the authority range according to the scene authority information, wherein any one authority of the N scene authorities and at least one other authority have different authority ranges;
and the data return module is used for sending the access data to the service calling party.
11. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-9.
12. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1 to 9.
13. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 9.
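The flow of claims 4 to 7 and 9 (access-right check against the second channel service table, field lookup in the first, a per-scene volume limit, field filtering and logging) can be sketched as follows. This is an added example, not code from the patent; the scene names, service and method names, field names, window and threshold are all assumed values.

```python
import time
from collections import defaultdict

# Constructed sample tables; every name below is hypothetical.
# First channel service table (claim 4): scene -> the S fields it may read.
FIRST_TABLE = {
    "loan_review": {"name", "id_number", "credit_score"},
    "marketing": {"name", "channel"},
}
# Second channel service table (claim 5): scene -> (service name, method name).
SECOND_TABLE = {
    "loan_review": ("CustomerService", "getCreditProfile"),
    "marketing": ("CustomerService", "getContactProfile"),
}
WINDOW_SECONDS = 60  # preset time period of claim 7 (assumed value)
MAX_CALLS = 2        # preset threshold of claim 7 (assumed value)

class AccessDenied(Exception):
    pass

class SceneGateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.calls = defaultdict(list)  # (caller, scene) -> call timestamps
        self.audit_log = []             # data access log of claim 9

    def access(self, caller, scene, service, method, record):
        # Claim 6, step 1: check the access right in the second table.
        # An unknown scene yields None here, so it is denied by default.
        if SECOND_TABLE.get(scene) != (service, method):
            self._log(caller, scene, None, "denied: access right")
            raise AccessDenied(f"{service}.{method} not allowed in {scene!r}")
        # Claim 6, step 2: read the scene authority from the first table.
        allowed = FIRST_TABLE.get(scene, set())
        # Claim 7: count this caller's calls for the scene inside the window.
        now = self.clock()
        key = (caller, scene)
        self.calls[key] = [t for t in self.calls[key] if now - t < WINDOW_SECONDS]
        self.calls[key].append(now)
        if len(self.calls[key]) > MAX_CALLS:
            self._log(caller, scene, None, "denied: access volume")
            raise AccessDenied(f"access volume exceeded for {scene!r}")
        # Claim 1: return only fields inside the scene's authority range.
        data = {k: v for k, v in record.items() if k in allowed}
        self._log(caller, scene, data, "ok")
        return data

    def _log(self, caller, scene, data, outcome):
        # This sketch logs field names, not values, to keep raw data out of the log.
        self.audit_log.append({"caller": caller, "scene": scene,
                               "fields": sorted(data or {}), "outcome": outcome})
```

The same caller receives a different field set per scene, and a service or method name that does not match the scene is rejected before any field lookup happens.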
CN202310130186.1A 2023-02-08 2023-02-08 Data access method, device, equipment and medium based on business scene Pending CN116094832A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310130186.1A CN116094832A (en) 2023-02-08 2023-02-08 Data access method, device, equipment and medium based on business scene

Publications (1)

Publication Number Publication Date
CN116094832A true CN116094832A (en) 2023-05-09

Family

ID=86213990

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310130186.1A Pending CN116094832A (en) 2023-02-08 2023-02-08 Data access method, device, equipment and medium based on business scene

Country Status (1)

Country Link
CN (1) CN116094832A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination