CN116866026A - Data access policy generation method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN116866026A
Authority: CN (China)
Prior art keywords: user, equipment, identifier, data, data access
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202310810321.7A
Priority: CN202310810321.7A
Other languages: Chinese (zh)
Inventors: 许娇阳, 陈锦祥, 李粤, 李磊
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC) (as listed by Google Patents; may be inaccurate)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Classifications

    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G06F21/31 User authentication
    • G06F21/604 Tools and structures for managing or administering access control systems
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/40 Network security protocols
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure provides a method for generating a data access policy, which may be used in the big data technical field or the financial field. The method includes: in response to a data access request, acquiring the device identifier and the user identifier carried in the request; determining whether the device identifier is valid according to first preset verification data; in response to a determination that the device identifier is valid, determining whether the device-user association is valid according to second preset verification data, where the device-user association is generated from the device identifier and the user identifier; in response to a determination that the device-user association is valid, determining the user permission for the target network according to the user identifier; and generating a data access policy for the target network according to the device identifier and the user permission. An apparatus for generating the data access policy, an electronic device and a storage medium are also provided.

Description

Data access policy generation method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of big data technology, and more particularly, to a method, an apparatus, an electronic device, a computer readable storage medium, and a computer program product for generating a data access policy.
Background
Existing mobile office solutions generally connect the mobile or remote terminal to the enterprise internal network through a VPN or a similar access control mechanism, and then reach the internal enterprise application systems after user password authentication. This access control scheme applies one uniform mode to all access. On the one hand, which enterprise applications the connected terminal can reach is not controlled, so applications of higher importance risk being accessed indiscriminately, which easily leads to information leakage; on the other hand, the scheme does not allow personalized adjustment, so the application interface is cluttered and the user experience is poor.
Disclosure of Invention
In view of the above problems, the present disclosure provides a method, an apparatus, an electronic device, a readable storage medium and a computer program product for generating a data access policy, which adjust the access policy according to the user and the access device, so as to implement differentiated access and improve both data security and user experience.
One aspect of the present disclosure provides a method for generating a data access policy, including but not limited to: in response to a data access request, acquiring the device identifier and the user identifier carried in the request; determining whether the device identifier is valid according to first preset verification data; in response to a determination that the device identifier is valid, determining whether the device-user association is valid according to second preset verification data, where the device-user association is generated from the device identifier and the user identifier; in response to a determination that the device-user association is valid, determining the user permission for the target network according to the user identifier; and generating a data access policy for the target network according to the device identifier and the user permission.
In some exemplary embodiments of the present disclosure, determining whether the device identifier is valid according to the first preset verification data includes: checking whether the device identifier is contained in the first preset verification data; in response to a determination that the first preset verification data contains the device identifier, checking the device state associated with the device identifier; and in response to a determination that the device state is available, determining that the device identifier is valid.
In some exemplary embodiments of the present disclosure, determining whether the device-user association is valid according to the second preset verification data includes: generating the device-user association from the device identifier and the user identifier; checking whether the device-user association is contained in the second preset verification data; in response to a determination that the second preset verification data contains the device-user association, determining whether the device-user association is normal; and in response to a determination that the device-user association is normal, determining that the device-user association is valid.
In some exemplary embodiments of the present disclosure, the target network includes m network environments, each network environment including n applications, where m and n are positive integers. In response to a determination that the device-user association is valid, determining the user permission for the target network according to the user identifier includes: in response to a determination that the device-user association is valid, querying the user type and the user level according to the user identifier; determining, according to the user type and the user level, p of the m network environments and q applications in each of those network environments, where p and q are positive integers; and generating the user permission for the target network according to the p network environments and the q applications contained in each of them.
In some exemplary embodiments of the present disclosure, generating the data access policy for the target network according to the device identifier and the user permission includes: determining the device type according to the device identifier; determining, according to the device type, i network environments from the p network environments of the user permission and j applications from the q applications in each network environment, where i and j are positive integers; determining the access right of each of the j applications according to the user identifier corresponding to the user permission; and generating the data access policy for the target network according to the i network environments, the j applications in each network environment and the access right of each application.
In some exemplary embodiments of the present disclosure, the method further includes updating the first preset verification data and the second preset verification data before responding to the data access request.
In some exemplary embodiments of the present disclosure, the method further includes: in response to a determination that the device identifier is invalid, generating first prompt information according to the device identifier, the first prompt information being used to remind a first target object to update the first preset verification data; and in response to a determination that the device-user association is invalid, generating second prompt information according to the device-user association, the second prompt information being used to remind a second target object to update the second preset verification data.
In some exemplary embodiments of the present disclosure, the method further includes: in response to a user login request, acquiring the login information associated with the user identifier; and in response to a determination that the login information passes verification, acquiring the data resources of the target network according to the data access policy.
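The pipeline described in the embodiments above (acquire the two identifiers, validate the device against the first preset verification data, validate the device-user association against the second, derive the user permission from user type and level, narrow it by device type, and gate resource access on login verification), as an added worked example in Python. This is not code from the patent or from ICBC: the device registry, association table, user directory, the type/level/device rule tables, the "read-write"/"read-only" access rights and every sample identifier are constructed assumptions standing in for data the disclosure leaves unspecified.

```python
"""Added worked example (not the patent's code) of the data access policy
pipeline: device check, device-user association check, user permission,
device-type narrowing, and the login gate. All tables are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union

# First preset verification data: registered device id -> state and type.
# Constructed sample data; the patent only says it may be a linked list.
DEVICE_REGISTRY: Dict[str, Dict[str, str]] = {
    "dev-laptop-01": {"state": "available", "type": "laptop"},
    "dev-phone-07": {"state": "available", "type": "phone"},
    "dev-phone-09": {"state": "retired", "type": "phone"},
}

# Second preset verification data: (device id, user id) -> association status.
# Constructed sample data.
ASSOCIATIONS: Dict[Tuple[str, str], str] = {
    ("dev-laptop-01", "alice"): "normal",
    ("dev-phone-07", "alice"): "normal",
    ("dev-laptop-01", "bob"): "normal",
    ("dev-phone-07", "bob"): "frozen",
}

# User directory: user id -> (user type, user level). Constructed sample data.
USERS: Dict[str, Tuple[str, int]] = {"alice": ("employee", 3), "bob": ("contractor", 1)}

# Target network: m network environments, each holding n applications.
TARGET_NETWORK: Dict[str, FrozenSet[str]] = {
    "office": frozenset({"mail", "hr", "payroll"}),
    "ops": frozenset({"monitoring", "deploy", "runbooks"}),
}

# Assumed rule tables; the disclosure does not specify the concrete rules.
LEVEL_ENVIRONMENTS = {1: {"office"}, 2: {"office"}, 3: {"office", "ops"}}
TYPE_EXCLUDED_APPS = {"employee": set(), "contractor": {"payroll", "deploy"}}
DEVICE_EXCLUDED_APPS = {"laptop": set(), "phone": {"payroll", "deploy"}}


@dataclass(frozen=True)
class Rejection:
    stage: str    # "device" (first prompt information) or "association" (second)
    prompt: str   # reminder for the party responsible for updating that data


@dataclass(frozen=True)
class Policy:
    device_id: str
    user_id: str
    grants: Dict[str, Dict[str, str]]   # environment -> {application -> access right}


def device_is_valid(device_id: str) -> bool:
    """The id must be in the registry and its state must be 'available'."""
    entry = DEVICE_REGISTRY.get(device_id)
    return entry is not None and entry["state"] == "available"


def association_is_valid(device_id: str, user_id: str) -> bool:
    """The (device, user) pair must be registered and its status 'normal'."""
    return ASSOCIATIONS.get((device_id, user_id)) == "normal"


def user_permission(user_id: str) -> Dict[str, FrozenSet[str]]:
    """p of the m environments and q of the n apps, chosen by user type and level."""
    user_type, level = USERS[user_id]
    envs = LEVEL_ENVIRONMENTS[level]
    excluded = TYPE_EXCLUDED_APPS[user_type]
    return {env: apps - excluded for env, apps in TARGET_NETWORK.items() if env in envs}


def generate_policy(request: Dict[str, str]) -> Union[Policy, Rejection]:
    """Run the five operations for one data access request."""
    device_id, user_id = request["device_id"], request["user_id"]
    if not device_is_valid(device_id):
        return Rejection("device", f"{device_id}: not registered or not available; "
                                   "update the first preset verification data")
    if not association_is_valid(device_id, user_id):
        return Rejection("association", f"({device_id}, {user_id}): missing or not normal; "
                                        "update the second preset verification data")
    permission = user_permission(user_id)
    device_type = DEVICE_REGISTRY[device_id]["type"]
    _, level = USERS[user_id]
    grants: Dict[str, Dict[str, str]] = {}
    for env, apps in permission.items():
        usable = apps - DEVICE_EXCLUDED_APPS[device_type]   # j of the q apps
        if not usable:
            continue    # an environment with no usable app is dropped (i <= p)
        right = "read-write" if level >= 3 else "read-only"   # assumed per-app right
        grants[env] = {app: right for app in sorted(usable)}
    return Policy(device_id, user_id, grants)


def acquire_resources(policy: Policy, login_verified: bool) -> Dict[str, Dict[str, str]]:
    """The policy is computed before login but takes effect only after login passes."""
    if not login_verified:
        raise PermissionError("login information not verified; policy not yet in effect")
    return policy.grants


if __name__ == "__main__":
    for dev, usr in [("dev-laptop-01", "alice"), ("dev-phone-07", "alice"),
                     ("dev-laptop-01", "bob"), ("dev-phone-07", "bob"), ("dev-phone-09", "alice")]:
        print(dev, usr, generate_policy({"device_id": dev, "user_id": usr}))
```

Running the module prints one policy or rejection per constructed request. The same user on a laptop and on a phone receives two different grant sets, which is the differentiated access the disclosure describes; a retired device or a frozen or missing device-user association is rejected before any permission is looked up, and the grants are unusable until the login information has been verified.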
In another aspect of the present disclosure, there is also provided an apparatus for generating a data access policy, including: an acquisition module configured to acquire, in response to a data access request, the device identifier and the user identifier carried in the request; a first determining module configured to determine whether the device identifier is valid according to first preset verification data; a second determining module configured to determine, in response to a determination that the device identifier is valid, whether the device-user association is valid according to second preset verification data, the device-user association being generated from the device identifier and the user identifier; a third determining module configured to determine, in response to a determination that the device-user association is valid, the user permission for the target network according to the user identifier; and a generation module configured to generate a data access policy for the target network according to the device identifier and the user permission.
In some exemplary embodiments of the present disclosure, the first determining module includes a first determining subunit configured to: check whether the device identifier is contained in the first preset verification data; in response to a determination that the first preset verification data contains the device identifier, check the device state associated with the device identifier; and in response to a determination that the device state is available, determine that the device identifier is valid.
In some exemplary embodiments of the present disclosure, the second determining module includes a second determining subunit configured to: generate the device-user association from the device identifier and the user identifier; check whether the device-user association is contained in the second preset verification data; in response to a determination that the second preset verification data contains the device-user association, determine whether the device-user association is normal; and in response to a determination that the device-user association is normal, determine that the device-user association is valid.
In some exemplary embodiments of the present disclosure, the target network includes m network environments, each network environment including n applications, where m and n are positive integers. The third determining module includes a third determining subunit configured to: in response to a determination that the device-user association is valid, query the user type and the user level according to the user identifier; determine, according to the user type and the user level, p of the m network environments and q applications in each of those network environments, where p and q are positive integers; and generate the user permission for the target network according to the p network environments and the q applications contained in each of them.
In some exemplary embodiments of the present disclosure, the generation module includes a generation subunit configured to: determine the device type according to the device identifier; determine, according to the device type, i applications from the q applications in each network environment of the user permission, where i is a positive integer; determine the access right of each of the i applications according to the user identifier corresponding to the user permission; and generate the data access policy for the target network according to the p network environments, the i applications in each network environment and the access right of each application.
In some exemplary embodiments of the present disclosure, the apparatus further includes an update module configured to update the first preset verification data and the second preset verification data before the data access request is responded to.
In some exemplary embodiments of the present disclosure, the apparatus further includes a prompt information generating module configured to: in response to a determination that the device identifier is invalid, generate first prompt information according to the device identifier, the first prompt information being used to remind a first target object to update the first preset verification data; and in response to a determination that the device-user association is invalid, generate second prompt information according to the device-user association, the second prompt information being used to remind a second target object to update the second preset verification data.
In some exemplary embodiments of the present disclosure, the apparatus further includes a data resource acquisition module configured to: in response to a user login request, acquire the login information associated with the user identifier; and in response to a determination that the login information passes verification, acquire the data resources of the target network according to the data access policy.
Another aspect of the disclosure provides an electronic device comprising one or more processors and a storage device storing executable instructions that, when executed by the processors, implement the method described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, implement the method described above.
Another aspect of the present disclosure provides a computer program comprising computer-executable instructions that, when executed, implement the method described above.
According to the embodiments of the present disclosure, the security of data access is ensured by determining whether the device identifier is valid based on the first preset verification data and whether the device-user association is valid based on the second preset verification data. Because the data access policy for the target network is generated from both the device identifier and the user permission, different access policies can be generated for different devices, so that differentiated access is realized; and when the same user uses different devices, the access policy adjusts to the device, so that the performance requirements of different devices are met, data access is quick and efficient, and the user experience is improved.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture to which the method of generating a data access policy of embodiments of the present disclosure may be applied;
FIG. 2 schematically illustrates a flowchart of a method of generating a data access policy according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flowchart of operation S220 of the method of generating a data access policy according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flowchart of operation S230 of the method of generating a data access policy according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flowchart of operation S240 of the method of generating a data access policy according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flowchart of operation S250 of the method of generating a data access policy according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates the operations of the method of generating a data access policy that are performed before responding to a data access request, according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a flow 400 further included in the method of generating a data access policy according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a flow 500 further included in the method of generating a data access policy according to an embodiment of the disclosure;
FIG. 10 schematically illustrates a block diagram of an apparatus for generating a data access policy according to an embodiment of the present disclosure; and
FIG. 11 schematically illustrates a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a formulation similar to "at least one of A, B or C, etc." is used, in general such a formulation should be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g. "a system with at least one of A, B or C" would include but not be limited to systems with A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features.
In the technical solution of the present disclosure, the acquisition, storage, application and the like of the user's personal information all comply with the relevant laws and regulations, necessary security measures are taken, and public order and good morals are not violated.
In the technical solution of the present disclosure, operations such as acquisition, storage and application of the user's personal information are all authorized by the user.
Herein, the term "first preset verification data" refers to data set in advance for verifying the device identifier, which may be, for example, a linked list or the like. The term "second preset verification data" refers to data set in advance for verifying the device-user association, which may be, for example, a linked list or key-value pair information.
In the prior art, when mobile or remote office work reaches an enterprise internal network through a mobile terminal or a remote terminal, access to the enterprise internal network is generally realized through a VPN or a similar authentication mode, and once the user's login password has been authenticated the network inside the enterprise can be accessed. However, the enterprise internal network contains applications of differing importance levels, and after a user has entered it through a mobile or remote terminal the user can access them indiscriminately, which leads to leakage of sensitive information and creates an information security problem. On the other hand, when the user accesses the internal network with different devices, all applications of the internal network are loaded regardless of the device, and some functions cannot be adapted to the access device, which causes long loading times, low access speed, low access efficiency, poor user experience and similar problems.
To solve the above problems, embodiments of the present disclosure provide a method, an apparatus, an electronic device, a readable storage medium and a computer program product for generating a data access policy, which adjust the data access policy of a target network according to the device identifier and a user permission derived from the user identifier, thereby meeting the access requirements of different users and different devices and improving both the efficiency and the security of data access.
The method for generating a data access policy in the embodiments of the disclosure includes, but is not limited to: in response to a data access request, acquiring the device identifier and the user identifier carried in the request; determining whether the device identifier is valid according to first preset verification data; in response to a determination that the device identifier is valid, determining whether the device-user association is valid according to second preset verification data, where the device-user association is generated from the device identifier and the user identifier; in response to a determination that the device-user association is valid, determining the user permission for the target network according to the user identifier; and generating a data access policy for the target network according to the device identifier and the user permission.
According to the embodiments of the present disclosure, the security of data access is ensured by determining whether the device identifier is valid based on the first preset verification data and whether the device-user association is valid based on the second preset verification data. Because the data access policy for the target network is generated from both the device identifier and the user permission, different access policies can be generated for different devices, so that differentiated access is realized; and when the same user uses different devices, the access policy adjusts to the device, so that the performance requirements of different devices are met, data access is quick and efficient, and the user experience is improved.
FIG. 1 schematically illustrates a system architecture to which the method of generating a data access policy of an embodiment of the present disclosure may be applied. It should be noted that FIG. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied, intended to help those skilled in the art understand the technical content of the present disclosure; it does not mean that embodiments of the present disclosure cannot be used in other devices, systems, environments or scenarios. It should also be noted that the method for generating a data access policy provided by the embodiments of the present disclosure may be used in the big data technical field, in big data aspects of the financial field, and in any field other than the financial field; the method and apparatus for generating a data access policy provided by the embodiments of the present disclosure do not limit the field of application.
As shown in fig. 1, an exemplary system architecture 100, to which a method of generating a data access policy may be applied, may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as mail client applications, file processing class applications, shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the terminal devices 101, 102, 103, as just examples.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting functions of data input, file transmission, data analysis, data processing, web browsing, etc., including but not limited to smartphones, tablet computers, laptop and desktop computers, etc.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for a user to utilize data acquired by the terminal devices 101, 102, 103 or a browsed website. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device. The file or the like transmitted by the user may be analyzed or processed, and the terminal device may be controlled based on the processing result, for example, access to the terminal device may be restricted.
It should be noted that, the method for generating the data access policy provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the generation apparatus of the data access policy provided by the embodiments of the present disclosure may be generally disposed in the server 105. The method of generating a data access policy provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the generation apparatus of the data access policy provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The method of generating the data access policy of the embodiment of the present disclosure will be described in detail below with reference to fig. 2 to 9.
Fig. 2 schematically illustrates a flowchart of a method of generating a data access policy according to an embodiment of the present disclosure.
As shown in fig. 2, a flow 200 of a method of generating a data access policy according to an embodiment of the present disclosure includes operations S210 to S250.
In operation S210, in response to the data access request, a device identifier and a user identifier in the data access request are acquired.
In some embodiments of the present disclosure, a user may access an enterprise internal network through a mobile terminal, a remote terminal, or the like, for example, and before verifying login information of the user, a data access policy may be generated according to the mobile terminal used by the user and a user identifier input at the mobile terminal, so as to facilitate data access by the user.
Illustratively, each terminal device has a corresponding device identifier that identifies the device so that its type, state and the like can be determined. The user identifier characterizes the identity of the user and may be, for example, the user name of the user operating the terminal device.
For example, after a user enters a user identifier on a terminal device, the data access policy is generated before the user's login information is verified, which improves efficiency. In addition, no login information associated with the user identifier has to be entered while the data access policy is generated, which improves data security.
In some embodiments, a user accesses an enterprise internal network with a terminal device and sends a data access request through that terminal device. The data access request includes a device identifier and a user identifier. For example, the device identifier is obtained from the terminal device that sent the data access request, and the user identifier may be generated from information entered by the user on the terminal device, for example by encrypting a user name entered on the terminal device.
After receiving the data access request, the server processes it, for example by splitting it and extracting information, to obtain the device identifier and the user identifier contained in the request.
In operation S220, it is determined whether the device identification is valid according to the first preset authentication data.
In some exemplary embodiments of the present disclosure, the first preset authentication data may be preset data for authenticating the device identification. For example, the first preset verification data may be an enterprise device whitelist, only devices in the enterprise device whitelist having access to data of the enterprise internal network.
Furthermore, whether the device identifier is valid may depend, for example, on whether the device identifier is in the enterprise white list and on whether the device state corresponding to the device identifier is available. Even if the device identifier is in the enterprise white list, the device identifier is still invalid if the device state corresponding to it is unavailable. The device identifier is thus verified from several aspects through the first preset verification data, which improves the security of data access.
In operation S230, in response to an indication that the device identifier is valid, it is determined according to second preset verification data whether a device-user association relationship is valid, the device-user association relationship being generated according to the device identifier and the user identifier.
In some embodiments of the present disclosure, after operation S220, when the device identifier is valid, it is further determined whether the device-user association relationship generated from the device identifier and the user identifier in the access request is valid.
For example, the device-user association relationship refers to the binding relationship between the terminal device and the user; when no binding relationship exists between the terminal device and the user, data access cannot be performed, which improves the security of data access. Determining whether the device-user association relationship is valid also serves to determine the data access policy in the subsequent operations.
In operation S240, in response to an indication that the device-user association relationship is valid, the user authority for the target network is determined according to the user identifier.
In an embodiment of the present disclosure, the target network includes, for example, a plurality of network environments, each of which includes a plurality of applications, e.g., the network environments include an office environment, a production environment, and the like. Each office environment may include a plurality of office applications, each production environment may include a plurality of production applications, etc.
If all authorities of the target network were allocated to the user corresponding to every user identifier, the security of data access would be reduced; at the same time, all data of the target network would be loaded whenever a user accessed data, so loading efficiency would be low and the user experience would suffer.
According to the embodiment of the disclosure, the user authority for the target network is determined according to the user identifier. On the one hand, this prevents the user corresponding to every user identifier from accessing all data of the target network: each user can only access the data within that user's authority, which improves data security. On the other hand, when accessed data is loaded, only the data within the user's authority needs to be loaded, which greatly reduces the amount of data loaded and improves loading efficiency. Both the security and the efficiency of data access are improved, and so is the user experience.
In operation S250, a data access policy for the target network is generated according to the device identification and the user authority.
In some embodiments of the present disclosure, when the devices used by users differ, their differing configurations mean that processing efficiency and processing modes may vary with the content being processed. If a uniform data access policy were applied to different devices, the user experience would differ greatly between devices, and some devices might not be able to access the data at all.
According to the embodiment of the disclosure, the data access policy for the target network is generated according to the device identifier and the user authority, so that when the same user accesses data of the target network from different devices, the generated data access policies also differ. This meets the differing processing capacities and processing modes of the devices, further improves the efficiency of data access and improves the user experience.
Fig. 3 schematically illustrates a flowchart of a method of generating a data access policy in operation S220 according to an embodiment of the present disclosure.
As shown in fig. 3, operation S220 includes operations S221 to S223.
In operation S221, it is checked whether the device identification is included in the first preset authentication data.
For example, the first preset verification data includes an enterprise white list, where the enterprise white list is a preset entered device list, and it is determined whether a device corresponding to the device identifier is included in the enterprise white list, if the device corresponding to the device identifier is located in the enterprise white list, operation S222 may be executed, and if not, a data access policy is not generated, for example, a result of failure in generating the data access policy is returned. According to the embodiment of the disclosure, by checking whether the device identifier is contained in the first preset verification data, other devices can be prevented from accessing the data of the target network, and the security risk of data access is reduced.
In operation S222, in response to an instruction that the first preset authentication data contains a device identification, a device state associated with the device identification is checked.
For example, when the first preset verification data comprises a device identification, the device status associated with the device identification is further checked, e.g. the device status comprises an unavailable status or an available status. By checking the device states associated with the device identifiers, the occurrence of problems such as device conflict and the like can be avoided, and data access errors are avoided.
In operation S223, in response to an indication that the device state is available, the device identifier is determined to be valid.
In an embodiment of the present disclosure, when the first preset verification data contains the device identifier and the device state associated with the device identifier is available, the device identifier is determined to be valid; otherwise it is determined to be invalid, which improves the security of data access. That is, the enterprise white list must contain the device identifier carried in the data access request, and the device identifier is valid only when the device state corresponding to it is available, which avoids the reduction in security that a forged device identifier would cause.
For example, when an attacker obtains or cracks the data access rights of the target network, an access policy might be generated by impersonating an existing device identifier; judging the device state avoids this situation, because when the device identifier corresponds to a device that is currently in use, the device state is unavailable, and even though the device identifier is included in the first preset verification data, the device identifier is ultimately invalid.
Fig. 4 schematically illustrates a flowchart of a method of generating a data access policy in operation S230 according to an embodiment of the present disclosure.
As shown in fig. 4, operation S230 includes operations S231 to S234.
In operation S231, a device user association relationship is generated according to the device identification and the user identification.
In some exemplary embodiments, when the user sends data access requests from different terminals, the device identifier in the data access request also changes. A device-user association relationship is generated from the device identifier and the user identifier in the data access request so that subsequent operations can judge whether the terminal currently used by the user meets the requirements, for example whether the user is permitted to use that terminal device.
In operation S232, it is checked whether the device-user association relationship is included in the second preset verification data.
In some embodiments, the second preset verification data may include, for example, the binding relationships between enterprise devices and users; it is preset and may be updated as enterprise devices and users change. After the device-user association relationship is generated in operation S231, operation S232 checks whether that association relationship is included in the second preset verification data. If it is included, the terminal device currently used by the user meets the requirements; if it is not included, the terminal device currently used by the user does not meet the requirements, that is, the user is not allowed to access data from the current terminal device.
In operation S233, in response to the second preset verification data containing the device-user association relationship, it is determined whether the device-user association relationship is normal.
When the second preset verification data contains the device-user association relationship, it is further determined whether that association relationship is normal. For example, the user corresponding to the user identifier may be in an abnormal state, such as an off-duty state or an on-duty state, or the device corresponding to the device identifier may be in an abnormal state, such as a lost state or a loss state; in that case, although the device-user association relationship is included in the second preset verification data, the association relationship is abnormal because the state of the user or of the device is abnormal. According to the embodiment of the disclosure, when special circumstances affect a user or a device, the user or device is prevented from accessing the target network by impersonation, which improves the security of data access.
In operation S234, in response to an indication that the device-user association relationship is normal, the device-user association relationship is determined to be valid.
According to operations S231 to S234, it may be ensured that the device user association generated based on the device identifier and the user identifier is included in the second preset authentication data, and that the device user association is normal, that is, the above-mentioned conditions need to be satisfied at the same time, thereby improving the stability of data access.
Fig. 5 schematically illustrates a flowchart of a method of generating a data access policy in operation S240 according to an embodiment of the present disclosure.
In some embodiments of the present disclosure, the target network comprises m network environments, each comprising n applications, where m and n are positive integers. If every user who accesses the target network could access and load all data, then, because different network environments serve different users and the applications differ in importance, indiscriminate access would on the one hand make the more important data easy to leak and on the other hand force every user to load all data on each access, so loading would be slow and the user experience poor. The scheme adopted in the present disclosure is therefore to generate different data access policies for different users and for the different devices they use, as described in detail below in connection with fig. 5 to 6.
As shown in fig. 5, operation S240 includes operations S241 to S243.
In operation S241, in response to an indication that the device-user association relationship is valid, the user category and the user level are queried according to the user identifier.
In some embodiments, after performing operations S220 and S230, it is indicated that both the currently used user identity and the device identity meet the data access requirements of the target network. And further inquiring the user type and the user level according to the user identification.
The user categories include, for example, internal users, external users, office users, operation and maintenance users, and the like. The user level includes, for example, administrative users, general users, and the like.
The user category and the user level are queried according to the user identification, so that the network environment and the application program of the target network which can be accessed by the user are further determined based on the user category and the user level.
In operation S242, p network environments among the m network environments, and q applications in each of those network environments, are determined according to the user category and the user level, p and q being positive integers.
In some embodiments, the p network environments are determined from the m network environments according to the user category, and the q applications in each of the p network environments are then determined from the n applications according to the user level, so that q ≤ n. Different data access ranges can thus be determined for different user identifiers, applications of higher importance are kept from being accessible to every user, and the risk of leaking confidential or sensitive information is reduced.
In operation S243, user rights of the target network are generated from p network environments and q applications included in each network environment.
In some embodiments of the present disclosure, the generated user rights of the target network identify all rights of the corresponding user for the user. According to the embodiment, as all rights of different users are different, accessible data are also different, so that the data are prevented from being accessed indiscriminately, the data security is improved, and the risk of information leakage is reduced.
In the embodiment of the disclosure, after the user authority is generated, the user accesses data with whatever terminal device is currently in use, and terminal devices differ: they may be mobile phones, tablet computers, notebook computers and the like, whose display interfaces, operation methods and processing performance differ considerably. If the same data access policy were adopted for all terminal devices on the basis of the user authority alone, the user would have different experiences on different terminal devices because of their different processing capacities, display interfaces and operation methods; in particular, a device with weak data processing capacity might be unable to access data at all when a large amount of data is accessed. To solve this problem, the present disclosure further employs operation S250 to generate a data access policy for the target network, so that the requirements of different devices are met, the efficiency of data access is improved and the user experience is improved.
Fig. 6 schematically illustrates a flowchart of a method of generating a data access policy in operation S250 according to an embodiment of the present disclosure.
As shown in fig. 6, operation S250 includes operations S251 to S254.
In operation S251, a device type is determined according to the device identification.
In some embodiments, the device type refers to the class of device; for example, the device types of terminal devices include mobile phone, tablet computer, notebook computer, desktop computer, server and the like, and the operation mode, display interface, processing capacity and so on differ between device types. The device type is determined according to the device identifier, for example by querying a device identifier to device type association relationship, or according to other association relationships.
In operation S252, i network environments are determined from the p network environments of the user authority according to the device type, and j applications are determined from the q applications in each of those network environments, i and j being positive integers.
In some embodiments, the user authority includes p network environments, each having q applications, where p ≤ m and q ≤ n. When a user accesses data of the target network with different terminal devices, the accessible network environments and the applications within them are adjusted according to the device type of the terminal device in use, so that the requirements of different devices are met and the user experience is improved.
According to the embodiment of the disclosure, when the same user uses different terminal devices, the device type changes and the data access policy is adjusted: specifically, i network environments are determined from the user authority and j applications are determined in each of them, with i ≤ p and j ≤ q, so that the data access policy of the same user is adjusted according to the device type, the data access requirements of different device types are met, and the effectiveness of data access is improved.
In operation S253, the access right of each of the j applications is determined according to the user identification corresponding to the user right.
In some exemplary embodiments, each application corresponds to a plurality of users, and access rights of different users are different, so that security of data access is improved by determining access rights of each application in j applications based on user identification.
In operation S254, a data access policy for the target network is generated according to the i network environments, j applications in each network environment, and access rights of each application.
In the embodiment of the disclosure, the network environments of the target network, the applications within them and the access authority of each application are finally adjusted according to the device type determined from the device identifier, and the data access policy is generated. Different access policies can thus be generated for different devices, realizing differentiated access, and when the same user uses different devices the access policy is adjusted to match the performance of each device, so that fast and efficient data access is realized and the user experience is improved.
Fig. 7 schematically illustrates operations of a method of generating a data access policy prior to responding to a data access request according to an embodiment of the present disclosure.
As shown in fig. 7, in some embodiments, the method of generating a data access policy further includes an operation S300, in which the first preset authentication data and the second preset authentication data are updated before responding to the data access request in operation S300.
In some embodiments, when the user changes or the device is updated, the first preset verification data and the second preset verification data need to be updated, so that the accuracy of the first preset verification data and the second preset verification data is ensured.
Fig. 8 schematically illustrates a schematic diagram of a flow 400 further included in a method for generating a data access policy according to an embodiment of the disclosure.
As shown in fig. 8, in some exemplary embodiments of the present disclosure, the method of generating a data access policy further includes a flow 400, the flow 400 including, for example, operations S410 and S420.
In operation S410, in response to an indication that the device identifier is invalid, first prompt information is generated according to the device identifier, the first prompt information being used to remind a first target object to update the first preset verification data.
In some exemplary embodiments, when the device identifier is invalid, the device corresponding to the device identifier may not have been updated in time, or the responsible party may not yet have reviewed or approved the updated information. For example, the first target object is the manager of the first preset verification data, and the first prompt information reminds that manager to update the first preset verification data, which ensures the accuracy of the data.
In operation S420, in response to an indication that the device-user association relationship is invalid, second prompt information is generated according to the device-user association relationship, the second prompt information being used to remind a second target object to update the second preset verification data.
In some embodiments, the second target object may be, for example, the manager of the second preset verification data or a user concerned by the second preset verification data; the second prompt information reminds the manager to update the second preset verification data, which ensures the accuracy of the data.
Fig. 9 schematically illustrates a schematic diagram of a flow 500 further included in a method for generating a data access policy according to an embodiment of the disclosure.
As shown in fig. 9, in some exemplary embodiments of the present disclosure, the method of generating a data access policy further includes a flow 500, the flow 500 including, for example, operations S510 and S520.
In operation S510, login information associated with a user identification is acquired in response to a user login request.
In operation S520, in response to an indication that the login information has been verified, the data resources of the target network are acquired according to the data access policy.
According to the embodiment of the disclosure, the data access policy is generated before the user's login information is verified, that is, the user's login information does not need to be acquired while the data access policy is generated, which avoids the risk of data leakage that entering login information in advance would bring. In the embodiment of the disclosure, a data access policy is first generated from the user identifier and the device identifier, the user's login information is then verified, and after the login information passes verification the data resources of the target network are acquired according to the data access policy. Different data access is thus realized for different users and/or different terminal devices, data security is ensured, data access efficiency is improved and the user experience is improved.
The method for generating the data access policy of the present disclosure is described in detail below with reference to specific embodiments.
First, an access request is initiated. The enterprise device white list is queried according to the device identifier to check whether the current terminal device belongs to the enterprise white list and whether the terminal device is in a valid, available state. If so, a device-user association relationship is generated and the preset device-user association relationship table is queried. If not, an alarm prompts the user to check the device registration status, and the administrator is notified in time to review and approve the newly added enterprise device and to update the enterprise device white list in the enterprise asset library.
Next, for a terminal device whose device identifier has been determined to be valid, it is judged whether the device-user association relationship is in the preset device-user association relationship table, and it is checked whether the binding relationship between the terminal device and the user is normal. If all conditions are met (for example, both answers are yes), the device type of the current terminal device is acquired according to the device identifier. If at least one condition is not met, the user is prompted to check whether the binding relationship between the current terminal and the user is abnormal, for example whether the user has insufficient authority and should not be using the terminal, and the administrator is prompted to update the preset device-user association relationship table.
Then, after the device identifier of the terminal device and the device-user association relationship have passed verification, the network environments and applications of the enterprise intranet that the user corresponding to the user identifier may access are determined, that is, the user authority is determined according to the user category and user level corresponding to the user identifier. Based on the device type, the data access policy that the user has on the current terminal device is then determined from the user authority.
For example, if the access device is a mobile phone or a tablet, an office user can only access a limited set of common office applications, such as the mailbox system, the instant messaging system and the attendance system; production operation and maintenance personnel can access the production operation and maintenance monitoring system in addition to the common office applications.
If the access device is a notebook computer and the user is an ordinary in-house office user, the user can access the common test environment and the common office applications; if the user is an administrator office user, the management and approval functions of the common test environment and the office applications are added.
If the access device is a notebook computer and the user is an ordinary in-house production operation and maintenance user, the user can access the common office environment and the production application systems; if the user is production system operation and maintenance personnel, the operation and maintenance environment of the production servers is added; if the user is a production administrator, the management and approval functions of the production environment applications are added.
If the access device is a notebook computer and the user is an external employee, only the common test environment applications and the like can be accessed.
Finally, after the access policy has been generated, the user enters login information, the login information is verified, and once it passes verification the data resources of the enterprise intranet are acquired according to the generated data access policy and displayed on the terminal device.
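The flow S210 to S250 and the worked embodiment above, carried through as an added reference implementation in Python (not the patent's code); the whitelist, binding table, user directory and target network are constructed sample data, and the category, level and device-type rules are assumptions standing in for the tables an enterprise would maintain.

```python
"""Added reference implementation (not the patent's code) of the policy
generation flow S210 to S250. All tables below are constructed sample data
standing in for the enterprise's first/second preset verification data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# First preset verification data: whitelist entries carry the device state; the
# device type is kept here too (assumption) instead of a separate table (S251).
DEVICE_WHITELIST = {
    "dev-001": {"state": "available", "type": "laptop"},
    "dev-002": {"state": "available", "type": "mobile"},
    "dev-003": {"state": "unavailable", "type": "laptop"},  # in use elsewhere (S223)
    "dev-004": {"state": "available", "type": "laptop"},
}
# Second preset verification data: device-user bindings and their state.
DEVICE_USER_BINDINGS = {
    ("dev-001", "u-alice"): "normal",
    ("dev-002", "u-alice"): "normal",
    ("dev-001", "u-bob"): "abnormal",  # bound, but flagged abnormal (S233)
    ("dev-002", "u-bob"): "normal",
    ("dev-004", "u-bob"): "normal",
}
# Directory used in S241 to look up user category and user level.
USER_DIRECTORY = {
    "u-alice": {"category": "office", "level": "ordinary"},
    "u-bob": {"category": "ops", "level": "admin"},
    "u-carol": {"category": "external", "level": "ordinary"},
}
# Target network: m environments, each with n applications.
TARGET_NETWORK = {
    "office": ["mail", "im", "attendance", "approval"],
    "test": ["test-portal", "test-db"],
    "production": ["prod-app", "prod-monitor", "prod-console"],
}
# S242 (assumed rules): category selects the p environments; ordinary-level
# users do not get the management/approval applications.
ENVIRONMENTS_BY_CATEGORY = {
    "office": ["office", "test"],
    "ops": ["office", "production"],
    "external": ["test"],
}
MANAGEMENT_APPS = {"approval", "prod-console"}
# S252 (assumed rule): phones and tablets keep only the common office apps
# and the production monitor; notebooks keep the full user authority.
MOBILE_ALLOWED = {"office": {"mail", "im", "attendance"}, "production": {"prod-monitor"}}


@dataclass
class PolicyResult:
    policy: Optional[Dict[str, Dict[str, str]]]  # env -> {app: right}; None if refused
    prompt: str = ""  # first/second prompt information (S410/S420) when refused


def device_valid(device_id: str) -> bool:
    """S221-S223: whitelisted AND device state available."""
    entry = DEVICE_WHITELIST.get(device_id)
    return entry is not None and entry["state"] == "available"


def binding_valid(device_id: str, user_id: str) -> bool:
    """S231-S234: association present in the binding table AND normal."""
    return DEVICE_USER_BINDINGS.get((device_id, user_id)) == "normal"


def user_permissions(user_id: str) -> Dict[str, List[str]]:
    """S241-S243: p environments and q apps each from user category and level."""
    profile = USER_DIRECTORY[user_id]
    perms = {}
    for env in ENVIRONMENTS_BY_CATEGORY[profile["category"]]:
        apps = TARGET_NETWORK[env]
        if profile["level"] != "admin":
            apps = [a for a in apps if a not in MANAGEMENT_APPS]
        perms[env] = list(apps)
    return perms


def narrow_by_device_type(perms: Dict[str, List[str]], device_type: str):
    """S252: keep i <= p environments and j <= q apps suited to the device."""
    if device_type not in ("mobile", "tablet"):
        return perms
    narrowed = {}
    for env, apps in perms.items():
        kept = [a for a in apps if a in MOBILE_ALLOWED.get(env, set())]
        if kept:  # drop environments with nothing usable on this device
            narrowed[env] = kept
    return narrowed


def app_access_right(user_id: str, app: str) -> str:
    """S253 (assumed rule): per-application right derived from the user level."""
    return "read-write" if USER_DIRECTORY[user_id]["level"] == "admin" else "read-only"


def generate_policy(device_id: str, user_id: str) -> PolicyResult:
    """S210-S250 end to end; no login credential is needed at this stage."""
    if not device_valid(device_id):  # S220
        return PolicyResult(None, f"device {device_id} invalid: update first preset verification data")
    if not binding_valid(device_id, user_id):  # S230
        return PolicyResult(None, f"binding {device_id}/{user_id} invalid: update second preset verification data")
    perms = user_permissions(user_id)  # S240
    scope = narrow_by_device_type(perms, DEVICE_WHITELIST[device_id]["type"])  # S251-S252
    policy = {env: {app: app_access_right(user_id, app) for app in apps}  # S253-S254
              for env, apps in scope.items()}
    return PolicyResult(policy)
```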
Another aspect of the present disclosure provides a data access policy generating apparatus.
Fig. 10 schematically shows a block diagram of a data access policy generation apparatus according to an embodiment of the present disclosure.
As shown in fig. 10, the generating device 600 of the data access policy includes an acquiring module 601, a first determining module 602, a second determining module 603, a third determining module 604, and a generating module 605.
The acquiring module 601 is configured to respond to a data access request and acquire the device identifier and the user identifier carried in the data access request. In an embodiment, the acquiring module 601 may be configured to perform operation S210 described above, which is not repeated here.
The first determining module 602 is configured to determine whether the device identifier is valid according to first preset verification data. In an embodiment, the first determining module 602 may be configured to perform operation S220 described above, which is not repeated here.
The second determining module 603 is configured to determine, according to second preset verification data and in response to an indication that the device identifier is valid, whether the device-user association relationship is valid, where the device-user association relationship is generated from the device identifier and the user identifier. In an embodiment, the second determining module 603 may be configured to perform operation S230 described above, which is not repeated here.
The third determining module 604 is configured to determine, in response to an indication that the device-user association relationship is valid, the user authority for the target network according to the user identifier. In an embodiment, the third determining module 604 may be configured to perform operation S240 described above, which is not repeated here.
The generating module 605 is configured to generate a data access policy for the target network according to the device identifier and the user authority. In an embodiment, the generating module 605 may be configured to perform operation S250 described above, which is not repeated here.
In some exemplary embodiments of the present disclosure, the first determining module includes a first determining subunit configured to: check whether the device identifier is contained in the first preset verification data; in response to an indication that the first preset verification data contains the device identifier, check the device status associated with the device identifier; and, in response to an indication that the device status is available, determine that the device identifier is valid.
In some exemplary embodiments of the present disclosure, the second determining module includes a second determining subunit configured to: generate a device-user association relationship from the device identifier and the user identifier; check whether the device-user association relationship is contained in the second preset verification data; in response to the second preset verification data containing the device-user association relationship, determine whether the device-user association relationship is normal; and, in response to an indication that the device-user association relationship is normal, determine that the device-user association relationship is valid.
In some exemplary embodiments of the present disclosure, the target network includes m network environments, each network environment including n applications, where m and n are positive integers; the third determining module includes a third determining subunit configured to: in response to an indication that the device-user association relationship is valid, query the user type and the user level according to the user identifier; according to the user type and the user level, determine p of the m network environments and q applications in each of those network environments, where p and q are positive integers; and generate the user authority for the target network from the p network environments and the q applications contained in each network environment.
In some exemplary embodiments of the present disclosure, the generating module includes a generating subunit configured to: determine the device type according to the device identifier; according to the device type, determine i applications from the q applications in each network environment of the user authority, where i is a positive integer; determine the access right of each of the i applications according to the user identifier corresponding to the user authority; and generate the data access policy for the target network from the p network environments, the i applications in each network environment, and the access right of each application.
In some exemplary embodiments of the present disclosure, the apparatus further comprises an update module configured to update the first preset verification data and the second preset verification data before responding to a data access request.
In some exemplary embodiments of the present disclosure, the apparatus further includes a prompt information generating module configured to: in response to an indication that the device identifier is invalid, generate first prompt information according to the device identifier, the first prompt information being used to remind a first target object to update the first preset verification data; and, in response to an indication that the device-user association relationship is invalid, generate second prompt information according to the device-user association relationship, the second prompt information being used to remind a second target object to update the second preset verification data.
In some exemplary embodiments of the present disclosure, the apparatus further comprises a data resource acquiring module configured to: in response to a user login request, acquire the login information associated with the user identifier; and, in response to an indication that the login information has passed verification, acquire the data resources of the target network according to the data access policy.
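The following is an added example, not code from the patent: it works through the module chain above (device check, device-user association check, user-authority lookup, and policy generation, plus the prompt information produced on failure) on constructed registries. The device identifier prefixes, user types, environments and application names are assumptions, and it also covers the notebook/external-employee case described earlier.

```python
"""Device-and-user-gated access policy generation (added example, not the patent's code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample data standing in for the "preset verification data" ---
# First preset verification data: device identifier -> device status.
DEVICE_REGISTRY = {"NB-0001": "available", "NB-0002": "disabled", "PC-0003": "available"}
# Second preset verification data: (device id, user id) -> association state.
ASSOCIATION_REGISTRY = {
    ("NB-0001", "u_ops"): "normal",
    ("NB-0001", "u_ext"): "normal",
    ("PC-0003", "u_admin"): "abnormal",   # registered but flagged, so it must be refused
}
# User directory: user identifier -> (user type, user level). Constructed.
USERS = {"u_ops": ("ops", 1), "u_ext": ("external", 0), "u_admin": ("admin", 2)}
# Target network: m environments, each with n applications. Constructed.
TARGET_NETWORK = {
    "office": ["mail", "wiki", "hr"],
    "test": ["test-app", "ci", "hr"],
    "production": ["prod-app", "prod-console", "approval"],
}
# Hypothetical per-device-type reachability: desktops never reach production.
DEVICE_TYPE_ALLOWED = {
    "notebook": {"mail", "wiki", "hr", "test-app", "ci", "prod-app", "prod-console", "approval"},
    "desktop": {"mail", "wiki", "hr", "test-app", "ci"},
}


@dataclass(frozen=True)
class Outcome:
    policy: Optional[dict]   # env -> {app: access right}, or None when refused
    hint: Optional[str]      # first/second prompt information, or None on success


def device_valid(device_id: str) -> bool:
    """S220: identifier present in the first preset data and status available."""
    return DEVICE_REGISTRY.get(device_id) == "available"


def association_valid(device_id: str, user_id: str) -> bool:
    """S230: the (device, user) pair is registered and in the normal state."""
    return ASSOCIATION_REGISTRY.get((device_id, user_id)) == "normal"


def user_rights(user_id: str) -> dict[str, set[str]]:
    """S240: p environments and q applications per environment from type and level."""
    utype, level = USERS[user_id]
    if utype == "external":               # external staff: test environment only
        envs = {"test"}
    elif utype == "ops" and level >= 1:   # in-house ops user: office + production
        envs = {"office", "production"}
    elif utype == "admin":
        envs = set(TARGET_NETWORK)
    else:
        envs = {"office"}
    rights = {}
    for env in envs:
        apps = set(TARGET_NETWORK[env])
        if utype != "admin":              # approval function reserved for administrators
            apps.discard("approval")
        rights[env] = apps
    return rights


def device_type(device_id: str) -> str:
    """Derive the device type from the identifier prefix (constructed convention)."""
    return "notebook" if device_id.startswith("NB-") else "desktop"


def generate_policy(device_id: str, user_id: str) -> dict[str, dict[str, str]]:
    """S250: keep only applications the device type may reach, then assign
    an access right to each remaining application."""
    utype, _ = USERS[user_id]
    allowed = DEVICE_TYPE_ALLOWED[device_type(device_id)]
    policy = {}
    for env, apps in user_rights(user_id).items():
        reachable = apps & allowed
        if reachable:
            right = "manage" if utype == "admin" else "use"
            policy[env] = {app: right for app in sorted(reachable)}
    return policy


def handle_request(device_id: str, user_id: str) -> Outcome:
    """Full flow: refuse early and return the prompt information for the failed check."""
    if not device_valid(device_id):
        return Outcome(None, f"device {device_id} not registered or unavailable; update device data")
    if not association_valid(device_id, user_id):
        return Outcome(None, f"association {device_id}/{user_id} invalid; update association data")
    return Outcome(generate_policy(device_id, user_id), None)
```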
According to an embodiment of the present disclosure, any of the acquiring module 601, the first determining module 602, the second determining module 603, the third determining module 604 and the generating module 605 may be combined into one module for implementation, or any of the modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the acquiring module 601, the first determining module 602, the second determining module 603, the third determining module 604 and the generating module 605 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware by any other reasonable way of integrating or packaging circuits, or by any one of software, hardware and firmware, or by a suitable combination of any of the three. Alternatively, at least one of the acquiring module 601, the first determining module 602, the second determining module 603, the third determining module 604 and the generating module 605 may be at least partially implemented as computer program modules which, when executed, perform the respective functions.
Fig. 11 schematically illustrates a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 11 is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present disclosure.
As shown in fig. 11, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other through a bus 704. The processor 701 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. Note that the program may be stored in one or more memories other than the ROM 702 and the RAM 703. The processor 701 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 700 may further include an input/output (I/O) interface 705, which is also connected to the bus 704. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input section 706 including a keyboard, a mouse and the like; an output section 707 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD) and the like, as well as a speaker and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN card, a modem or the like. The communication section 709 performs communication processing via a network such as the Internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like is mounted on the drive 710 as needed, so that a computer program read from it can be installed into the storage section 708 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 702 and/or RAM 703 and/or one or more memories other than ROM 702 and RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 709, and/or installed from the removable medium 711. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, the program code of the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or integrations, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (12)

1. A method for generating a data access policy includes:
responding to a data access request, and acquiring a device identifier and a user identifier in the data access request;
determining whether the equipment identifier is valid or not according to first preset verification data;
responding to an instruction that the equipment identifier is valid, and determining whether the equipment user association relationship is valid according to second preset verification data, wherein the equipment user association relationship is generated according to the equipment identifier and the user identifier;
responding to the instruction that the association relation of the equipment user is effective, and determining the user permission aiming at the target network according to the user identification;
and generating a data access strategy aiming at the target network according to the equipment identifier and the user authority.
2. The method of claim 1, wherein,
determining whether the device identifier is valid according to first preset verification data comprises the following steps:
checking whether the device identifier is contained in the first preset verification data;
responding to an instruction that the first preset verification data contains the equipment identifier, and checking the equipment state associated with the equipment identifier;
and determining that the device identification is valid in response to the command that the device status is available.
3. The method of claim 1, wherein,
according to second preset verification data, determining whether the association relationship of the device user is valid comprises:
generating a device user association relationship according to the device identifier and the user identifier;
checking whether the association relation of the equipment user is contained in the second preset verification data;
responding to the second preset verification data to contain the association relationship of the equipment user, and determining whether the association relationship of the equipment user is normal;
and responding to the instruction that the association relationship of the equipment user is normal, and determining that the association relationship of the equipment user is effective.
4. The method of claim 1, wherein the target network comprises m network environments, each network environment comprising n applications, wherein m, n are positive integers;
responding to the instruction that the association relation of the equipment user is effective, determining the user authority aiming at the target network according to the user identification, and comprises the following steps:
responding to the instruction that the association relation of the equipment user is effective, and inquiring the type and the level of the user according to the user identification;
according to the user type and the user level, p network environments in m network environments and q application programs in each network environment are determined, wherein p and q are positive integers;
and generating the user authority of the target network according to the p network environments and q application programs contained in each network environment.
5. The method of claim 4, wherein,
generating a data access policy for the target network according to the device identifier and the user authority, including:
determining the equipment type according to the equipment identifier;
determining i network environments from p network environments of the user permission according to the equipment type, and determining j application programs from q application programs in each network environment, wherein i and j are positive integers;
determining the access authority of each application program in j application programs according to the user identification corresponding to the user authority; and
generating a data access strategy for the target network according to the i network environments, the j application programs in each network environment and the access authority of each application program.
6. The method of claim 1, further comprising:
the first preset authentication data and the second preset authentication data are updated before responding to a data access request.
7. The method of claim 1, further comprising:
responding to an instruction that the equipment identifier is invalid, and generating first prompt information according to the equipment identifier, wherein the first prompt information is used for reminding a first target object to update the first preset verification data; and
responding to the instruction that the association relation of the equipment user is invalid, and generating second prompt information according to the association relation of the equipment user, wherein the second prompt information is used for prompting a second target object to update the second preset verification data.
8. The method of claim 1, further comprising:
responding to a user login request, and acquiring login information associated with the user identifier; and
responding to the instruction of passing the login information verification, and acquiring the data resource of the target network according to the data access strategy.
9. A data access policy generation apparatus, comprising:
the acquisition module is configured to respond to the data access request and acquire the equipment identifier and the user identifier in the data access request;
the first determining module is configured to determine whether the equipment identifier is valid according to first preset verification data;
the second determining module is configured to respond to the instruction that the equipment identifier is valid, determine whether the equipment user association relationship is valid according to second preset verification data, and generate the equipment user association relationship according to the equipment identifier and the user identifier;
the third determining module is configured to respond to the instruction that the association relation of the equipment user is valid, and determine the user authority for the target network according to the user identification;
the generation module is configured to generate a data access strategy for the target network according to the equipment identifier and the user authority.
10. One or more processors;
storage means for storing executable instructions which when executed by the processor implement the method according to any one of claims 1 to 8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement the method according to any of claims 1 to 8.
12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8.
Priority application: CN202310810321.7A, priority date 2023-07-04, filing date 2023-07-04, "Data access policy generation method and device, electronic equipment and storage medium", status pending.

Publication: CN116866026A, published 2023-10-10.

Family ID: 88222797

Country status: CN (1) CN116866026A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination