CN117216773A - Access control method, device, electronic equipment, program product and medium - Google Patents


Info

Publication number
CN117216773A
Authority
CN
China
Prior art keywords
data
client
detection
accessed
access
Prior art date
Legal status
Pending
Application number
CN202310639101.2A
Other languages
Chinese (zh)
Inventor
彭光前
黎天翔
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Landscapes

  • Storage Device Security (AREA)

Abstract

The application provides an access control method, an apparatus, an electronic device, a computer program product and a storage medium. The method comprises the following steps: in response to a data access request, determining at least two authority detection dimensions of the data to be accessed that corresponds to the data access request; performing authority detection on the client according to the at least two authority detection dimensions to obtain an authority detection result for the client; determining the data access authority of the client according to the authority detection result; and when the data access authority indicates that the client is allowed to access the data to be accessed, sending the data to be accessed to the client. In this way, the data access rights of different clients can be managed at a fine granularity, and the process of accessing the data to be accessed becomes simpler, more convenient and safer.

Description

Access control method, device, electronic equipment, program product and medium
Technical Field
The present application relates to an access control technology, and in particular, to an access control method, apparatus, electronic device, computer program product, and storage medium.
Background
In the related art, a client sends a data access request to a server; after the server receives the data access request, it obtains the data corresponding to the request from a database and sends that data to the client. Because sensitive data may be stored in the database, this data access manner may cause the electronic device to send sensitive data to the client, which leaks the sensitive data and affects data security. In order to ensure the security of remote login to the data to be accessed and the security of executing instruction information, the authority of the corresponding client needs to be controlled; however, the existing authority control manner is not fine-grained enough, so a more refined access control method needs to be provided.
Disclosure of Invention
In view of this, embodiments of the present application provide an access control method, apparatus, electronic device, computer program product, and storage medium, which can implement more refined management of rights of a client accessing data, and implement more refined rights detection through at least two rights detection dimensions of data to be accessed corresponding to a data access request, so as to ensure security of the data.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides an access control method, which comprises the following steps:
receiving a data access request sent by a client;
responding to the data access request, and determining at least two authority detection dimensions of data to be accessed corresponding to the data access request;
performing authority detection on the client according to the at least two authority detection dimensions to obtain an authority detection result of the client;
determining the data access authority of the client according to the authority detection result;
and when the data access authority is used for characterizing that the client is allowed to access the data to be accessed, the data to be accessed is sent to the client.
The embodiment of the application also provides an access control device, which is characterized in that the device comprises:
the information transmission module is used for receiving a data access request sent by the client;
the information processing module is used for responding to the data access request and determining at least two authority detection dimensions of the data to be accessed corresponding to the data access request;
the detection module is used for carrying out authority detection on the client according to the at least two authority detection dimensions to obtain an authority detection result of the client;
The processing and transmitting module is further used for determining the data access authority of the client according to the authority detection result;
the processing and transmitting module is further configured to send the data to be accessed to the client when the data access right is used for characterizing that the client is allowed to access the data to be accessed.
In some embodiments, the processing and transmitting module is further configured to parse the data access request to obtain a data identifier carried in the data access request;
the processing transmission module is also used for determining data to be accessed according to the data identification and determining the type of the data to be accessed;
the processing and transmitting module is further configured to determine at least two rights detection dimensions of the data to be accessed according to the type of the data to be accessed, where the at least two rights detection dimensions include at least two of the following:
credential information of the client, read permission information of the client, a uniform resource locator that is matched with the data access request, a first restricted access object list, and a second restricted access object list, where the first restricted access object list is used to store the identifiers of clients that are restricted from accessing any one piece of data to be accessed, and the second restricted access object list is used to store the identifiers of clients that are restricted from accessing every piece of data to be accessed.
In some embodiments, the processing and transmitting module is further configured so that, when the type of the data to be accessed is a first type, at least one of the at least two rights detection dimensions corresponding to the data to be accessed includes: the second restricted access object list and the credential information of the client;
the processing and transmitting module is further configured so that, when the type of the data to be accessed is a second type, at least one of the at least two rights detection dimensions corresponding to the data to be accessed includes: the second restricted access object list and the first restricted access object list, where the sensitivity level of the second type is higher than that of the first type.
In some embodiments, the detection module is further configured to determine a detection order of the at least two rights detection dimensions;
the detection module is further used for detecting the client according to the detection sequence and each authority detection dimension to obtain a detection result of the client on each authority detection dimension;
the detection module is further configured to determine that the authority detection result of the client is passing authority detection when the detection results of the client in the authority detection dimensions are all passing detection;
And the detection module is further used for determining that the authority detection result of the client is failed authority detection when at least one of the detection results of the client in each authority detection dimension is failed.
In some embodiments, when the at least two rights detection dimensions include the second restricted access object list and there are a plurality of data access requests,
the information detection module is further configured to acquire the plurality of data access requests for the data to be accessed;
the information detection module is further configured to perform authority detection on each client corresponding to each data access request according to the second restricted access object list, so as to obtain the detection result of each client in the dimension of the second restricted access object list;
the information detection module is further configured to determine the target client identifiers whose detection result is passing detection;
the information detection module is further configured to determine that a detection result corresponding to the target client identifier is an erroneous detection result when the target client identifier exists in the second restricted access object list;
the information detection module is further configured to determine that a detection result corresponding to the target client identifier is a correct detection result when the target client identifier does not exist in the second restricted access object list.
In some embodiments, when it is determined that the detection result corresponding to the target client identifier is an erroneous detection result,
the information detection module is further configured to determine a first total number, the number of erroneous detection results, and a second total number, the number of the plurality of data access requests;
the information detection module is further configured to determine the ratio of the first total number to the second total number as the false detection probability;
the information detection module is further configured to adjust the client permission detection mode corresponding to the second restricted access object list when the false detection probability is greater than or equal to a false detection probability threshold, and to send the false detection probability to a preset server.
In some embodiments, the information processing module is further configured to parse the data access request to obtain a type identifier of the client;
the information processing module is also used for determining the type of the client according to the type identifier of the client;
the information processing module is also used for adjusting the data read-write frequency corresponding to the data access request according to the type of the client.
In some embodiments, the information processing module is further configured to determine an initial data read-write frequency corresponding to the data access request;
the information processing module is also used for increasing the initial data read-write frequency when the type of the client is a type without data leakage risk;
the information processing module is further used for reducing the initial data read-write frequency when the type of the client is a type with data leakage risk.
The embodiment of the application also provides electronic equipment, which comprises:
a memory for storing executable instructions;
and the processor is used for realizing the access control method when running the executable instructions stored in the memory.
The embodiment of the application also provides a computer program product, which comprises a computer program or instructions, and is characterized in that the computer program or instructions realize the access control method when being executed by a processor.
The embodiment of the application also provides a computer readable storage medium which stores executable instructions which when executed by a processor realize the access control method.
The embodiment of the application has the following beneficial effects:
The method comprises the steps of detecting the authority of the client through at least two authority detection dimensions of data to be accessed corresponding to the data access request, and obtaining an authority detection result of the client; according to the right detection result, the data access right of the client is determined, so that the data access right of different clients can be finely managed, the access process of the data to be accessed is simpler, more convenient and safer, and the detection requirements of the data access right in different access control scenes can be met by adjusting at least two right detection dimensions of the data to be accessed corresponding to the data access request.
Drawings
Fig. 1 is a schematic view of a usage scenario of an access control method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of an alternative access control method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of an alternative access control method according to an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating a processing procedure of an access control method for data access requests from different sources according to an embodiment of the present application;
FIG. 5A is a diagram illustrating a process for collecting rights detection dimensions in an embodiment of the present application;
FIG. 5B is a schematic diagram of an access control process for user feedback;
FIG. 6 is a schematic diagram of notification of the result of authority detection in an embodiment of the present application;
FIG. 7 is a schematic diagram of notification of rights detection content in an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device for executing the access control method provided by the embodiment of the present application.
Detailed Description
The present application will be further described in detail with reference to the accompanying drawings, for the purpose of making the objects, technical solutions and advantages of the present application more apparent, and the described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
Before describing embodiments of the present application in further detail, the terms and terminology involved in the embodiments of the present application will be described, and the terms and terminology involved in the embodiments of the present application will be used in the following explanation.
1) "In response to" is used to represent the condition or state upon which a performed operation depends; when the condition or state it depends on is satisfied, the operation or operations may be performed in real time or with a set delay; unless specifically stated, there is no limitation on the execution sequence of the plurality of operations performed.
2) Terminals, including but not limited to common terminals and special cloud servers, where a common terminal maintains a long connection and/or a short connection with the sending channel, and a special cloud server maintains a long connection with the sending channel.
3) A client, a carrier in a terminal that implements a specific function, e.g. a mobile client (APP), is a carrier in a mobile terminal that performs a specific function, e.g. a data query function or a data processing function.
4) Bloom filters (Bloom filters), a space-efficient, time-efficient data structure for determining whether an element exists in a collection.
5) And the number packet is used for storing at least one user account list.
6) Employee notes, credentials for employee identity.
7) Lateral override (horizontal privilege escalation): in a system, one user or role accesses the resources of other users or roles, beyond the rights that it has.
8) Longitudinal override (vertical privilege escalation): in a system, a low-authority user or role exceeds its authority and accesses the resources of a high-authority user or role.
9) Cross-Site Attack (Cross-Site Attack): a common Web security vulnerability in which an attacker injects a malicious script into a Web page so that the script is executed when a user browses the page.
The inventor found in the study that, in order to manage the authorities of different users during data access, the related art generally adopts an authority system for authority management and control, which supports authorizing and managing different roles, authorities and operations for different people so as to limit the functional range of operators with different roles. The industry performs rights management based on a common rights management model (Role Based Access Control, RBAC), which has the following drawbacks:
1) At present, rights management is mainly implemented independently at the interface level and the page level; the granularity of rights control is coarse and the degree of refinement is insufficient.
2) At present, rights management verifies whether the user has the right to use the interface, which is insufficient to distinguish the sensitivity of different data to be accessed; a user who passes rights detection can not only access the common data in the server, but can also easily obtain sensitive data and related data that other users may consult through lateral override and longitudinal override, so data security cannot be guaranteed.
3) The rights management method generally obtains rights through application and approval, and strict rights control is applied to some more complex sensitive operations, each of which needs a separate application. The risk of different operators is not considered, whereas personnel with higher proficiency and lower risk should have higher authority. Since user proficiency cannot be identified dynamically, the system is inconvenient to use.
In order to solve the above-mentioned drawbacks, embodiments of the present application provide an access control method, apparatus, electronic device, computer readable storage medium, and computer program product, which can implement more refined management of rights of a target object, so that rights detection of a client is simpler, more convenient and safer. An exemplary application of the electronic device provided by the embodiment of the present application is described below, where the electronic device provided by the embodiment of the present application may be implemented in conjunction with a server with a rights management function and a terminal device with a target interface triggering function.
Fig. 1 is a schematic view of a usage scenario of an access control method provided by an embodiment of the present application, referring to fig. 1, a terminal (including a terminal 10-1 and a terminal 10-2) is provided with corresponding clients capable of executing different functions, where the terminal 10-1 and the terminal 10-2 acquire different information from corresponding servers 200 through a network 300, and may deploy different services in a cloud server by calling different operation interfaces, for example, by using an interface "Run interfaces" of the servers 200, to implement creation of a cloud host V3 to implement acquisition of data to be accessed, or by using an operation interface "Modify Instances Project" to implement read-write operation on the accessed data. The terminal is connected to the server 200 through the network 300, and the network 300 may be a wide area network or a local area network, or a combination of the two, and uses a wireless link to implement data transmission.
With the continuous development of computer technology, cloud servers (Cloud Virtual Machine, CVM) can provide secure and reliable elastic computing services, and can also provide different interfaces for transmission to meet user-specific usage scenarios. In some embodiments, the server 200 may be an independent physical server in a cloud network, may be a server cluster or a distributed system formed by a plurality of physical servers, and may also be a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDNs), and big data and artificial intelligence platforms, where the cloud services may be writing operations, reading operations, and listing operations of data, and the terminals 10-1 and 10-2 may be smart phones, tablet computers, notebook computers, desktop computers, smart televisions, smart watches, vehicle-mounted terminals, and the like, but are not limited thereto. The terminals 10-1 and 10-2 and the server 200 may be directly or indirectly connected through wired or wireless communication, which is not limited in the embodiment of the present application.
In order to more clearly describe the working process of the access control method provided by the embodiment of the present application, the access control method provided by the embodiment of the present application is specifically described below in connection with different execution subjects from the perspective of performing rights management on a target object participating in an access management (Cloud Access Management, CAM) transaction by a cloud server.
The embodiment of the application can be realized by combining Cloud technology, wherein Cloud technology (Cloud technology) refers to a hosting technology for integrating hardware, software, network and other series resources in a wide area network or a local area network to realize calculation, storage, processing and sharing of data, and can also be understood as the general term of network technology, information technology, integration technology, management platform technology, application technology and the like applied based on a Cloud computing business model. Background services of technical network systems require a large amount of computing and storage resources, such as video websites, picture websites and more portal websites, so cloud technologies need to be supported by cloud computing.
It should be noted that cloud computing is a computing mode, which distributes computing tasks on a resource pool formed by a large number of computers, so that various application systems can acquire computing power, storage space and information service as required. The network that provides the resources is referred to as the "cloud". Resources in the cloud are infinitely expandable in the sense of users, and can be acquired at any time, used as needed, expanded at any time and paid for use as needed. As a basic capability provider of cloud computing, a cloud computing resource pool platform, referred to as a cloud platform for short, is generally called an infrastructure as a service (Infrastructure as a Service, iaaS), and multiple types of virtual resources are deployed in the resource pool for external clients to select for use. The cloud computing resource pool mainly comprises: computing devices (which may be virtualized machines, including operating systems), storage devices, and network devices. And giving different operation authorities to users who perform data processing through the cloud server.
Cloud storage (cloud storage) is a new concept that extends and develops in the concept of cloud computing, and a distributed cloud storage system (hereinafter referred to as a storage system for short) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of various types in a network to work cooperatively through application software or application interfaces through functions such as cluster application, grid technology, and a distributed storage file system, so as to provide data storage and service access functions for the outside. At present, the storage method of the storage system is as follows: when creating logical volumes, each logical volume is allocated a physical storage space, which may be a disk composition of a certain storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as data identification (IDentity, ID) and the like, the file system writes each object into a physical storage space of the logical volume respectively, and the file system records storage position information of each object, so that when the client requests to access the data, the file system can enable the client to access the data according to the storage position information of each object. 
The process of allocating physical storage space for the logical volume by the storage system specifically includes: physical storage space is divided into stripes in advance according to the set of capacity measures for objects stored on a logical volume (which measures tend to have a large margin with respect to the capacity of the object actually to be stored) and redundant array of independent disks (Redundant Array of Independent Disk, RAID), and a logical volume can be understood as a stripe, whereby physical storage space is allocated for the logical volume.
The following is a description of the steps shown in fig. 2. Referring to fig. 2, fig. 2 is an optional flowchart of an access control method according to an embodiment of the present application, and it may be understood that an execution body of the steps shown in fig. 2 may be implemented by a terminal running an access control device alone or may be implemented by a server running the access control device. Of the processing steps shown in fig. 2, a server is taken as an implementation example, and the steps shown in fig. 2 are described below.
Step 201: and receiving a data access request sent by the client.
In some embodiments, when the terminals 10-1 and 10-2 and the server 200 perform data queries in the implementation environment of the access control method shown in fig. 1, remote procedure call (Remote Procedure Call, RPC) may be used. The client executed in the terminals 10-1 and 10-2 may be an anonymous client based on an anonymous network technology (Tor), referred to as a Tor client for short; the Tor client may be used as a tool for a user to access the Tor anonymous network or the internet (when accessing the internet, the access request is transmitted through the Tor anonymous network), and may be a Tor browser or other browser software with similar functions. The client executed in the terminals 10-1 and 10-2 may also be a mail client that sends data query mail to the server 200.
In some embodiments, where the client operated in the terminals 10-1 and 10-2 is a Tor client, the server 200 may be a Tor server, i.e. software that forwards Tor client requests to the Tor anonymous network or to the internet (in both cases the Tor server encrypts the access requests sent into the Tor anonymous network), so as to obtain the sensitive data from the corresponding data server.
In some embodiments, when the number of data access requests sent by the client exceeds the threshold number of access requests, the processing speed of the data to be accessed needs to be increased, in which process the client and the server executing the access control method may form an access control system, wherein the access control system may implement a remote procedure call, which is a protocol that requests services from a remote computer program over a network without knowing the underlying network technology. The RPC protocol assumes the existence of certain transmission protocols, such as TCP or UDP, to carry information data between communication programs; the main functional goal of RPC is to make it easier to build distributed computing (applications) without losing the semantic simplicity of local calls while providing powerful remote call capabilities. In the access control system, the client can transmit the encoded RPC request message to the server executing the access control method, and the server executing the access control method returns a result message or a confirmation message to the client after executing the access control method, so that the TCP protocol of the long connection mode can be selected to obtain higher data processing efficiency.
In some embodiments of the present application, when the number of data access requests sent by the client exceeds the threshold of the number of access requests, a sending buffer and a receiving buffer of data to be accessed may also be set in the server executing the access control method provided by the present application, so that the data to be accessed corresponding to the data access requests may be dispersed in different connection buffers, resulting in better throughput efficiency, and reduced waiting time for a user to obtain the data to be accessed.
Step 202: and responding to the data access request, and determining at least two authority detection dimensions of the data to be accessed corresponding to the data access request.
In some embodiments, the permission detection dimensions of the data to be accessed need to match the usage scenario of the data access. In order to ensure the security of the data and avoid leakage of sensitive data, the requirements on the permission detection dimensions include: 1. limiting the range of accessed accounts, to prevent lateral override; 2. limiting the data/table types accessed, to prevent cross-table longitudinal override; 3. separating read and write permissions, with the write permission ranked higher than the read permission, to prevent longitudinal override problems such as data tampering or mistaken deletion; 4. restricting the access portals (OA web pages, server tools, offline jobs), to prevent misuse of permissions.
In some embodiments, determining at least two rights detection dimensions for data to be accessed corresponding to a data access request may be implemented by:
analyzing the data access request to obtain a data identifier carried in the data access request; determining data to be accessed according to the data identification, and determining the type of the data to be accessed; and determining at least two permission detection dimensions of the data to be accessed according to the type of the data to be accessed. For example: when the data identifier carried in the data access request is 101, determining that the type of the data to be accessed is common data 1011 stored in the common data area; when the data identifier carried in the data access request is 102, determining that the type of the data to be accessed is common data 1021 stored in a common data area; when the data identifier carried in the data access request is 201, the type of the data to be accessed is determined to be the sensitive data 2011 stored in the sensitive data area. And then, determining at least two permission detection dimensions of the data to be accessed according to the type of the data to be accessed.
In some embodiments, the data stored in the server includes sensitive data and non-sensitive data. Sensitive data can be understood as private data; common sensitive data may include the name of the target object, the ID card number and the mailbox information of the user. Non-sensitive data is the data with the lowest security level. When the data access right of the target object is for non-sensitive data, the target object does not have data access rights for sensitive data or for sensitive data after data compliance processing. That is, when the data access right of the target object includes access to non-sensitive data and the server acquires the target data, the server may transmit the target data to the client of the target object only when the target data is non-sensitive data; when the target data is sensitive data or sensitive data after data compliance processing, the server generates hint information indicating that the target object does not have the data access right.
In some embodiments, the at least two permission detection dimensions include at least two of: credential information of the client, read permission information of the client, a uniform resource locator matched with the data access request, a first restricted access object list and a second restricted access object list. The first restricted access object list stores identifiers of clients that are restricted from accessing any one piece of data to be accessed: when data a and data b are stored in the server, client identifier 1 in the first restricted access object list may indicate that client 1 is restricted from accessing data a but allowed to access data b. The second restricted access object list stores identifiers of clients that are restricted from accessing every piece of data to be accessed: when data a and data b are stored in the server, client identifier 1 in the second restricted access object list may indicate that client 1 is restricted from accessing both data a and data b.
In some embodiments, determining at least two rights detection dimensions corresponding to the data to be accessed according to the type of data to be accessed may be accomplished by:
when the type of the data to be accessed is the first type, the at least two permission detection dimensions corresponding to the data to be accessed at least comprise: the second restricted access object list and credential information of the client; when the type of the data to be accessed is the second type, the at least two permission detection dimensions corresponding to the data to be accessed at least comprise: the second restricted access object list and the first restricted access object list, wherein the sensitivity level of the second type is greater than that of the first type. For example: the first type of access data is non-sensitive data, and the second type of access data is sensitive data. The sensitive data comprises the name, the ID card number and the contact details of the user of the target object; the non-sensitive data does not include the name of the target object, the ID card number or the contact details of the user. The first type of data to be accessed can be divided, according to the types of sensitive data it carries, into primary sensitive data (carrying only the name of the target object), secondary sensitive data (carrying the name and the ID card number of the target object) and tertiary sensitive data (carrying the name, the ID card number and the contact details of the target object). The at least two permission detection dimensions corresponding to the first type of data to be accessed may include the following: 1) for primary sensitive data, the permission detection dimensions include: the second restricted access object list and credential information of the client; 2) for secondary sensitive data, the permission detection dimensions include: the second restricted access object list, credential information of the client, and read permission information of the client;
3) for tertiary sensitive data, the permission detection dimensions include: the second restricted access object list, credential information of the client, read permission information of the client, and the uniform resource locator matched with the data access request. It should be noted that the first type of data to be accessed may be further divided according to the types of sensitive data carried; the primary, secondary and tertiary sensitive data shown in the embodiments are only an optional embodiment, and the present application does not particularly limit the number of levels of sensitive data.
Step 203: detecting the permission of the client according to the at least two permission detection dimensions, to obtain a permission detection result of the client.
In some embodiments, according to at least two rights detection dimensions, rights detection is performed on a client, and a rights detection result of the client is obtained, which may be implemented in the following manner:
determining the detection order of the at least two permission detection dimensions; detecting the client according to the detection order and each permission detection dimension, to obtain a detection result of the client in each permission detection dimension. In connection with the previous embodiments, for example: the data to be accessed by client a is sensitive data, and for primary sensitive data the permission detection dimensions comprise the second restricted access object list and the credential information of the client; the corresponding detection order is determined to be: 1) the credential information of the client, 2) the second restricted access object list. Client a is detected in sequence according to this detection order, and detection results of the client in the 2 permission detection dimensions are obtained.
In some embodiments, the data to be accessed by client a is sensitive data, and for tertiary sensitive data the permission detection dimensions comprise: the second restricted access object list, the credential information of the client, the read permission information of the client, and the uniform resource locator matched with the data access request. In this case the detection order is: 1) credential information of the client, 2) the second restricted access object list, 3) the uniform resource locator matched with the data access request, 4) read permission information of the client. Client a is detected in sequence according to this detection order, and detection results of the client in the 4 permission detection dimensions are obtained.
In some embodiments, when the detection results of the client in every permission detection dimension are passed, the permission detection result of the client is determined to be passed permission detection; when at least one of the detection results of the client in the permission detection dimensions is failed, the permission detection result of the client is determined to be failed permission detection. In connection with the previous embodiments, for example: the data to be accessed by client a is tertiary sensitive data; according to the detection order 1) the credential information of the client, 2) the second restricted access object list, 3) the uniform resource locator matched with the data access request, and 4) the read permission information of the client, client a is detected in sequence, and when the identifier of client a appears in the second restricted access object list, the permission detection result of client a is failed permission detection.
In some embodiments, the detection process for the second restricted access object list dimension may be implemented by a bloom filter. A bloom filter is a probabilistic data structure featuring efficient insertion and query, which can determine that a certain string must exist or may exist. The bloom filter does not store the specific data, so the occupied space is small; the query result has errors, but the errors are controllable; and the deletion operation is not supported. The bloom filter used in the present application may cover two cases: 1) for primary sensitive data, since the number of users allowed to access the primary sensitive data may be 10000 (people) or more, in order to satisfy the requirements of query efficiency (avoiding blocking) and small storage space occupation at the same time, the identifiers of the clients restricted from accessing the corresponding primary sensitive data may be stored in the second restricted access object list; 2) for tertiary sensitive data, since the number of users allowed to access it may be less than or equal to 100 (people), in order to satisfy the requirements of high query efficiency and small storage space occupation at the same time, the identifiers of the clients allowed to access the corresponding tertiary sensitive data may be stored in the second restricted access object list. Before the access control method provided by the application is executed, the content of the second restricted access object list can be adjusted in the server according to the different types of data to be accessed, so that the requirements of high query efficiency and small storage space occupation are met at the same time, the execution time of the access control method is shortened, the hardware consumption of storage space is reduced, and the hardware resources of the storage space are saved.
In some embodiments, for a certain piece of data to be accessed, multiple concurrent data access requests requiring access to that data may occur at the same time. Therefore, when the at least two permission detection dimensions include the second restricted access object list and there are multiple such requests, in order to ensure the accuracy of permission detection, the method may be implemented as follows:
acquiring a plurality of data access requests for the data to be accessed; performing permission detection on each client corresponding to each data access request according to the second restricted access object list, to obtain a detection result for each client in the dimension of the second restricted access object list; determining the target client identifiers whose detection result is passed detection. In connection with the previous embodiments, for example: the data to be accessed by client a, client b and client c is tertiary sensitive data; according to the detection order 1) the credential information of the client, 2) the second restricted access object list, 3) the uniform resource locator matched with the data access request and 4) the read permission information of the client, the bloom filter is used to detect client a, client b and client c at the same time, and the permission detection result of each client is obtained.
In some embodiments, when the target client identifier exists in the second restricted access object list, the detection result corresponding to the target client identifier is determined to be an erroneous detection result; when the target client identifier does not exist in the second restricted access object list, the detection result corresponding to the target client identifier is determined to be a correct detection result. For example, the identifier of client a should appear in the detection result of the second restricted access object list, while the identifiers of client b and client c should not; but because the bloom filter has a probability of missed detection and false detection, the permission detection result of client a may be wrong, causing a permission false detection for client a, and if client a then obtains the tertiary sensitive data, the tertiary sensitive data is leaked.
In some embodiments, to ensure the accuracy of access control, when it is determined that the detection result corresponding to a target client identifier is an erroneous detection result, a first total number of erroneous detection results and a second total number of the plurality of data access requests may be determined, and the ratio of the first total number to the second total number is determined as the false detection probability. In combination with the foregoing embodiment, the data to be accessed by client a, client b and client c is tertiary sensitive data; according to the detection order 1) the credential information of the client, 2) the second restricted access object list, 3) the uniform resource locator matched with the data access request, and 4) the read permission information of the client, the bloom filter is used to detect client a, client b and client c at the same time, obtaining the permission detection result of each client. The permission detection result of client a is wrong and those of client b and client c are correct, so the false detection probability is 1/3.
In some embodiments, when the false detection probability is greater than or equal to a false detection probability threshold, the client permission detection mode corresponding to the second restricted access object list is adjusted, and the false detection probability is sent to a preset server. For example, when the false detection probability threshold is 3%, the permission detection result of client a is wrong and those of client b and client c are correct, the false detection probability is 1/3, which is greater than the threshold. The second restricted access object list used by the bloom filter is then not suitable for the use environment of the current access control method, so the second restricted access object list needs to be adjusted until the false detection probability of client permission detection results obtained with it is less than the false detection probability threshold, at which point the adjustment of the second restricted access object list stops.
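As an added illustration (not the applicant's code) of the ordered multi-dimension check of step 203 and of the false detection probability check on the second restricted access object list, the following Python sketch assumes the dimension names, a SHA-256-based bloom filter, the 3% threshold and constructed sample clients:

```python
"""Multi-dimension permission check with a bloom filter for the second restricted list.

Added illustration of the flow described above; not code from the patent
applicant. Dimension names, hash construction and the sample data are assumed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# The five permission detection dimensions named in the description.
CREDENTIAL = "client credential"
RESTRICTED_ALL = "second restricted access object list"   # blocked from every item
URL = "uniform resource locator"
READ_PERM = "client read permission"
RESTRICTED_ONE = "first restricted access object list"    # blocked from one item

# Detection order per level of data to be accessed. The tertiary and
# "sensitive" orders follow the text; the primary and secondary orders are assumed.
DETECTION_ORDER = {
    "primary": [CREDENTIAL, RESTRICTED_ALL],
    "secondary": [CREDENTIAL, RESTRICTED_ALL, READ_PERM],
    "tertiary": [CREDENTIAL, RESTRICTED_ALL, URL, READ_PERM],
    "sensitive": [CREDENTIAL, READ_PERM, URL, RESTRICTED_ONE, RESTRICTED_ALL],
}


class BloomFilter:
    """Bit array with k hash positions: answers 'maybe present' or 'definitely absent'."""

    def __init__(self, size_bits: int, num_hashes: int = 3):
        self.size, self.k = size_bits, num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item: str):
        for i in range(self.k):  # k positions derived from a salted SHA-256
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


@dataclass
class AccessRequest:
    client_id: str
    ticket: str    # credential presented by the client
    url: str       # portal the request came through
    data_id: str


@dataclass
class Server:
    tickets: dict                # client_id -> expected ticket
    allowed_urls: set
    read_permissions: dict       # client_id -> set of readable data_ids
    restricted_one: dict         # data_id -> client_ids restricted from that item
    restricted_all: BloomFilter  # second list, probabilistic membership

    def check(self, req: AccessRequest, level: str):
        """Run the dimensions in order and stop at the first failure.

        Returns (passed, results) where results maps dimension -> bool.
        """
        results = {}
        for dim in DETECTION_ORDER[level]:
            if dim == CREDENTIAL:
                expected = self.tickets.get(req.client_id, "")
                ok = hmac.compare_digest(expected.encode(), req.ticket.encode())
            elif dim == RESTRICTED_ALL:
                # 'maybe restricted' is treated as restricted: the filter fails closed.
                ok = not self.restricted_all.might_contain(req.client_id)
            elif dim == URL:
                ok = req.url in self.allowed_urls
            elif dim == READ_PERM:
                ok = req.data_id in self.read_permissions.get(req.client_id, set())
            else:  # RESTRICTED_ONE
                ok = req.client_id not in self.restricted_one.get(req.data_id, set())
            results[dim] = ok
            if not ok:
                return False, results
        return True, results


def false_detection_probability(filter_answers: dict, truly_restricted: set) -> float:
    """Ratio of wrong verdicts to requests: client_id -> filter verdict vs. the exact list.

    A bloom filter never misses an inserted identifier, so in practice the wrong
    verdicts are clients wrongly reported as restricted.
    """
    wrong = sum(1 for cid, flag in filter_answers.items() if flag != (cid in truly_restricted))
    return wrong / len(filter_answers)


def tune_restricted_filter(truly_restricted: set, sample_clients: set,
                           threshold: float = 0.03, start_bits: int = 8) -> BloomFilter:
    """Rebuild the second-list filter with more bits until the measured false
    detection probability over sample_clients is below the threshold (3% in the text)."""
    bits = start_bits
    while True:
        bf = BloomFilter(bits)
        for cid in truly_restricted:
            bf.add(cid)
        answers = {cid: bf.might_contain(cid) for cid in sample_clients}
        if false_detection_probability(answers, truly_restricted) < threshold or bits >= 1 << 24:
            return bf
        bits *= 2
```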
Step 204: determining the data access right of the client according to the permission detection result.
In some embodiments, the identifier of the data to be accessed stored in the server is Q. When the data access requests received by the server come from client a, client b and client c respectively, the permission detection result of client a is 1, that of client b is 1 and that of client c is 0, where a permission detection result of 1 allows the corresponding client to access the data to be accessed and 0 restricts it. According to the permission detection result of each client, it is determined that, for the data to be accessed identified as Q, the data access right of client a is access allowed, that of client b is access allowed, and that of client c is access restricted.
Step 205: when the data access right characterizes that the client is allowed to access the data to be accessed, sending the data to be accessed to the client.
In some embodiments, since the operations of different clients after obtaining the data to be accessed differ, the following situations are included: 1) performing a read operation on the acquired data to be accessed, 2) performing a write operation on the acquired data to be accessed, 3) performing a read+write operation on the acquired data to be accessed. Whatever the specific operation, since the bloom filter checking the second restricted access object list has a probability of missed detection, there remains a possibility that sensitive data leaks. In order to further reduce the risk of data leakage, the following operations may be performed:
first, analyzing the data access request to obtain the type identifier of the client, and determining the type of the client according to the type identifier. In some embodiments, the type identifiers of clients may be divided into: type identifier 101, characterizing the client type as having no risk of data leakage (including, but not limited to, data administrators and server operations administrators); type identifier 102, characterizing the client type as having a risk of data leakage (including, but not limited to, developers, operators, legal personnel, process personnel and data editors).
Then, the data read-write frequency corresponding to the data access request is adjusted according to the type of the client. By adjusting the data read-write frequency, the speed at which accessed data could leak can be controlled; when inspection of the detection log finds a data leakage risk (that is, a missed detection has occurred), the transmission of the accessed data is interrupted in time and the data read-write operations are rolled back, so that the integrity of the data to be accessed is ensured.
In some embodiments, the adjustment of the data read-write frequency corresponding to the data access request according to the type of the client may be achieved by:
an initial data read-write frequency corresponding to the data access request is determined; optionally the initial data read frequency is 88.32MB/s and the initial data write frequency is 254.76MB/s. When the type of the client is the type without leakage risk, the initial data read-write frequency is increased; when the type of the client is the type with a risk of data leakage, the initial data read-write frequency is reduced. For example: type identifier 101 characterizes the client type as having no data leakage risk, and type identifier 102 characterizes the client type as having a risk of data leakage. When the client type identifier is 101, the data read frequency can be increased from 88.32MB/s to 176.64MB/s and the write frequency from 254.76MB/s to 509.52MB/s. When the client type identifier is 102, the data read frequency can be reduced from 88.32MB/s to 44.64MB/s and the write frequency from 254.76MB/s to 128.52MB/s.
In order to better illustrate the working process of the access control method provided by the application, it is illustrated below by taking the acquisition of corresponding sensitive data while processing feedback from a target object as an example, where the feedback of the target object may be feedback in an Internet of Vehicles scenario or feedback in an office data processing scenario; the application is not particularly limited in this respect.
Referring to fig. 3, fig. 3 is an optional flowchart of an access control method according to an embodiment of the present application, and it may be understood that an execution body of the steps shown in fig. 3 may be implemented by a terminal running an access control device alone or may be implemented by a server running the access control device. The processing steps shown in fig. 3 will be described with respect to the implementation of the server storing sensitive data as the execution body, and the steps shown in fig. 3 will be described below.
Step 301: receiving a data access request sent by the client.
In some embodiments, since the data to be accessed is stored in the server and the types of data to be accessed differ, the data access requests may come from different clients. When the access control method provided by the application is used for feedback in an Internet of Vehicles scenario, the server may store any of sensitive data, non-sensitive data or sensitive data after data compliance processing in the Internet of Vehicles environment: the server may acquire the sensitive data and store it in a first storage area, where the sensitive data includes at least one of geographic position data, license plate data, appearance data of an object or road data; perform data compliance processing on the sensitive data and store the processed sensitive data in a second storage area; and acquire non-sensitive data and store it in a third storage area.
The sensitive data in the car networking environment refers to data which may bring serious harm to society or individuals after leakage, and the sensitive data in the embodiment of the application comprises but is not limited to geographic position data, license plate data, appearance data of objects and road data. The geographic location is coordinate data of an object, for example, theodolite coordinate data of a building, GPS data of an automobile, point cloud data of an aircraft, and the like. The license plate data is number data for identifying the vehicle, and the region to which the vehicle belongs, the owner of the vehicle, registration information of the vehicle, and the like can be known from the license plate data. Appearance data of the object includes, but is not limited to, face data, appearance data of a building, and the like. The road data includes, but is not limited to, lane line data, and the like.
The sensitive data in the office data feedback scenario comprises the name, the ID card number and the contact details of the user of the target object; the non-sensitive data does not include them. Leakage of this sensitive data, namely the name, the ID card number and the contact details of the user of the target object, can infringe the data privacy of the target object.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating the processing procedure of an access control method for handling data access requests from different sources in an embodiment of the present application, where the data access requests may originate from an external terminal, a third-party node, an external mail, or an office system (including offline access); the present application is not particularly limited in this respect. As shown in fig. 4, after the access layer of the server obtains the data access request, the login information of the target object can be obtained through the logic layer; after the login information passes verification, the whole-process ticket of the target object is obtained; the interface layer of the server checks the access permission of the client through at least two permission detection dimensions, and when the access permission check passes, the corresponding data to be accessed can be obtained through the storage layer of the server.
Step 302: responding to the data access request, determining the permission detection dimensions of the data to be accessed corresponding to the data access request according to the use environment of the access control method.
In some embodiments, in order to implement finer control over the permission detection dimensions, all optional permission detection dimensions need to be determined according to the types of data to be accessed stored in the server. Referring to fig. 5A, fig. 5A is a schematic diagram of the collection process of the permission detection dimensions in the embodiment of the present application. As shown in fig. 5A, in order to ensure the security of data and avoid leakage of sensitive data, the requirements on the permission detection dimensions include:
1. The range of accounts (number package) that can be accessed is limited, preventing lateral override. The employee obtains the permission by applying for the number package in advance, and it expires automatically after a period of time.
2. Limiting the data/table types accessed prevents cross-table longitudinal override. The employee needs to apply for the access rights of the corresponding module in advance.
3. The read-write authority is separated, and the write authority is higher than the read authority, so that the longitudinal override problems such as data tampering/false deletion and the like are prevented. The realization method is to separate the read-write permission at the application stage.
4. Access portals (OA web pages/server tools/offline jobs) are restricted to prevent misuse of rights. Different access portals carry employee tickets of different types, and the restriction can be achieved by identifying the type in the verification stage.
In order to meet the use requirement of the authority detection dimension, the application provides the credential information of the client, the read authority information of the client, the uniform resource locator matched with the data access request, the first limited access object list and the second limited access object list (i.e. the number package).
In some embodiments, the data to be accessed held in the server may include different types of data: general data, compliance data and sensitive data. Taking the data storage of an electronic map as an example, the collected original data (Raw Data) and the metadata (Meta Data) obtained through a data cleaning process are stored in the sensitive data area of the server. In addition, when applied to the technical field of autonomous driving, map data can also be stored in the sensitive data area. For example, according to the Surveying and Mapping Law of the People's Republic of China, only entities that possess a surveying and mapping qualification certificate can perform surveying and mapping activities. In the development and mass-production operation of autonomous driving, particularly in the development stage, cameras, millimeter-wave radar, lidar and the like may be installed to collect a large amount of raw video images, laser point clouds and other data. The general accuracy of this data is higher than that of the map-related data issued by China, and it includes license plates, faces, high-accuracy GPS information, continuous images and continuous high-level information, even sensitive place information; according to national security laws and surveying and mapping laws and regulations, these data belong to sensitive data.
The compliance data area of the server stores data that may be checked by authorized compliance personnel through a compliance environment, including access and read-write operations by a client with compliance permission.
The data stored in the general data area of the server typically includes the autonomous driving algorithm model, logs, and the KPI Report output by model training. KPI Report refers to the key operation result report output by the algorithm model in the autonomous driving research and development process; the KPI Report belongs to sensitive data if it includes high-precision GPS information or sensitive information specified by national surveying and mapping regulations. The sensitive data area, the compliance data area and the general data area in the resource system are stored independently in separate groups; data in the different data areas cannot be transmitted to each other and must be physically isolated.
In some embodiments, when the feedback of the target object is in an Internet of Vehicles scenario, 5 permission detection dimensions may be obtained, and in the office data processing scenario fewer than 2 permission detection dimensions may be obtained, as described below.
In some embodiments, determining at least two rights detection dimensions for data to be accessed corresponding to a data access request may be implemented by:
Analyzing the data access request to obtain a data identifier carried in the data access request;
determining the data to be accessed according to the data identifier, and determining the type of the data to be accessed; determining, according to the type of the data to be accessed, at least two permission detection dimensions of the data to be accessed, where the at least two permission detection dimensions include at least two of the following: credential information of the client, read permission information of the client, a uniform resource locator matched with the data access request, a first restricted access object list and a second restricted access object list; the first restricted access object list stores identifiers of clients restricted from accessing any one piece of data to be accessed, and the second restricted access object list stores identifiers of clients restricted from accessing every piece of data to be accessed. For example: when the data identifier carried in the data access request is 1101, the type of the data to be accessed is determined to be common data 11011 stored in the common data area; when the data identifier is 1102, the type is determined to be common data 11021 stored in the common data area; when the data identifier is 1201, the type is determined to be sensitive data 12011 stored in the sensitive data area. Then, at least 2 permission detection dimensions of the data to be accessed are determined according to its type.
In some embodiments, determining at least two rights detection dimensions corresponding to the data to be accessed according to the type of data to be accessed may be accomplished by:
when the type of the data to be accessed is the first type, the at least two permission detection dimensions corresponding to the data to be accessed at least comprise: the second restricted access object list and the credential information of the client; when the type of the data to be accessed is the second type, the at least two permission detection dimensions corresponding to the data to be accessed at least comprise: the second restricted access object list and the first restricted access object list, where the sensitivity level of the second type is greater than that of the first type. For example: when the type of the data to be accessed is the common data 1021 stored in the common data area, the at least two permission detection dimensions may be: the credential information of the client, the read permission information of the client and the second restricted access object list (number package); when the type of the data to be accessed is the common data 2011 stored in the sensitive data area, the at least two permission detection dimensions may be: the credential information of the client, the read permission information of the client, the uniform resource locator matched with the data access request, the first restricted access object list and the second restricted access object list (number package).
Step 303: detecting the permission of the client according to the corresponding permission detection dimensions, to obtain a permission detection result of the client.
In some embodiments, according to at least two rights detection dimensions, rights detection is performed on a client, and a rights detection result of the client is obtained, which may be implemented in the following manner:
determining the detection order of the at least two permission detection dimensions; detecting the client according to the detection order and each permission detection dimension, to obtain a detection result of the client in each permission detection dimension; when the detection results of the client in every permission detection dimension are passed, the permission detection result of the client is determined to be passed; when at least one of the detection results of the client is failed, the permission detection result of the client is determined to be failed. For example: when the type of the data to be accessed is the common data 2011 stored in the sensitive data area, the at least two permission detection dimensions may be: the credential information of the client, the read permission information of the client, the uniform resource locator matched with the data access request, the first restricted access object list and the second restricted access object list (number package). The detection order is as follows: 1) credential information of the client; 2) read permission information of the client, which implements the separation of read and write permissions, with the write permission higher than the read permission, preventing longitudinal override problems such as data tampering/mistaken deletion; 3) the uniform resource locator matched with the data access request, which restricts the access portal (OA web page/server tool/offline job) and prevents misuse of rights; 4) the first restricted access object list, which limits the data/table types that can be accessed and prevents cross-table longitudinal override; 5) the second restricted access object list (number package), which limits the range of accounts (number package) that can be accessed and prevents lateral override.
To better illustrate the access control method provided by the present application, the following describes the access control process for user feedback, taking the processing of user feedback as an example. Referring to fig. 5B, fig. 5B is a schematic diagram of the access control process for user feedback; the execution body is a server with an access control function, and the process specifically includes the following steps:
Step 501: check the employee ticket.
Through the processing of step 501, when the employee ticket check result is that the employee ticket received by the server is verified (i.e. the received employee ticket matches the preset standard employee ticket), it can be ensured that the request was indeed initiated by the employee, avoiding the risk of data leakage caused by misuse of the data access authority of the target object.
Step 502: perform read authority verification.
Because different clients may be controlled by a target object to access data, when client a is operated by target object 1 it obtains the data access authority, whereas when client a is operated by target object 2 it cannot obtain the data access authority. A read authority check is therefore required to prevent longitudinal override problems such as data tampering or mis-deletion; through the processing of step 502, the online application/approval mechanism ensures that the employee really holds the read authority for the corresponding data.
Step 503: check the uniform resource locator of the request source.
Through step 503, the access layer writes the uniform resource locator into the employee ticket and verifies it, thus preventing potential cross-site attacks.
Step 504: limit the read-write access frequency.
By adjusting the data read-write frequency corresponding to the data access request in step 504, the rate at which accessed data could leak can be controlled; when a data leakage risk is found (i.e. a missed detection by the bloom filter occurs), the transmission of the accessed data can be interrupted immediately and the data read-write operation rolled back, which ensures the integrity of the data to be accessed and prevents the sensitive data stored by the server from leaking.
Step 505: detect the access authority using the restricted access list.
In some embodiments, the restricted access list may be a list in the first restricted access object list, and through step 505 access may be denied to the corresponding target client. For example, when processing user feedback there are primary sensitive data (carrying only the name of the target object), secondary sensitive data (carrying the name and identity card number of the target object) and tertiary sensitive data (carrying the name, identity card number and contact details of the target object). If client a is allowed to access the primary sensitive data but is restricted from accessing the secondary and tertiary sensitive data, then the identifier of client a is not included in the restricted access list of the primary sensitive data, but is included in the restricted access list of the secondary sensitive data and in the restricted access list of the tertiary sensitive data. By performing step 505 it can be determined that client a can only access the primary sensitive data.
Step 506: check the feedback account number package.
Through step 506, access can be restricted to complaint/feedback accounts only, preventing transverse override.
To avoid leakage of sensitive data caused by a missed detection by the bloom filter, the identifier of the data to be accessed that is about to be sent to the client may be checked, and when the data to be accessed is determined to be sensitive data, step 507 is executed.
Step 507: perform return-packet desensitization to prevent sensitive data from leaking.
In some embodiments, the optional manners of return-packet desensitization include:
Mode one: encrypt the sensitive data with the target encryption key to obtain encrypted sensitive data.
Mode two: apply a preset deformation rule to the sensitive data to obtain desensitized data.
Mode three: apply a preset replacement rule to the sensitive data to obtain desensitized data.
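The ordered dimension-by-dimension detection described for the common-data example and the seven steps of the user-feedback flow (501 to 507), written out as an added Python example; this is not code from the patent or from the applicant. The checks run in the stated order, the first failing dimension decides the result, and only an all-pass releases the rows, after return-packet desensitization. The ticket layout (employee, URL and expiry with an HMAC tag), the URL allowlist, the read grants, the rate quotas, the field names and the masking rules are assumptions; mode one is represented by keyed HMAC pseudonymisation, a stand-in for the encryption the text names so that the block needs no cipher library; the number package is treated as the set of accounts in scope, following step 506 and the audit step.

```python
"""Ordered authority checks for the user-feedback flow (steps 501 to 507).
Added illustration, not the patent's code: ticket layout, URL allowlist, read
grants, rate quotas, field names and masking rules are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field

TICKET_KEY = b"assumed-ticket-signing-key"                # assumption: shared with the access layer
ALLOWED_URLS = {"https://oa.example.internal/feedback"}   # assumption: permitted access entries
READ_GRANTS = {("emp-1001", "feedback_l1"), ("emp-1001", "feedback_l2")}  # assumption: approved reads
# first restricted access object list: per data table, the clients that may NOT read it
RESTRICTED_CLIENTS = {"feedback_l1": set(), "feedback_l2": {"client-a"}, "feedback_l3": {"client-a"}}
NUMBER_PACKAGE = {"uin-7001", "uin-7002"}   # second restricted access object list: accounts in scope
RATE_QUOTA = {"no_leak_risk": 100, "leak_risk": 2}        # assumption: requests per window by client type
DESENSITIZE_KEY = b"assumed-desensitization-key"
FEEDBACK_ROWS = {   # constructed rows keyed by table name
    "feedback_l1": [{"uin": "uin-7001", "name": "Zhang San", "text": "app crashes on login"}],
    "feedback_l2": [{"uin": "uin-7001", "name": "Zhang San", "id_number": "110101199001011234", "text": "no refund"}],
}

def make_ticket(employee: str, url: str, expires_at: int) -> str:
    """The access layer issues the employee ticket and writes the source URL into it (step 503)."""
    body = f"{employee}|{url}|{expires_at}"
    return body + "|" + hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()

@dataclass
class Request:
    client_id: str
    client_type: str        # "no_leak_risk" or "leak_risk"
    ticket: str
    url: str
    table: str
    uin: str
    now: int
    employee: str = ""      # filled in by the ticket check
    ticket_url: str = ""

@dataclass
class Limiter:
    """Step 504: per-client request counter; the quota depends on the client type."""
    counts: dict = field(default_factory=dict)

    def allow(self, client_id: str, client_type: str) -> bool:
        self.counts[client_id] = self.counts.get(client_id, 0) + 1
        return self.counts[client_id] <= RATE_QUOTA[client_type]

def check_ticket(req: Request) -> bool:
    """Step 501: verify the ticket tag and expiry, keeping the employee and URL it carries."""
    body, _, tag = req.ticket.rpartition("|")
    if not body or not hmac.compare_digest(
            tag, hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()):
        return False
    employee, url, expires_at = body.split("|")
    if req.now >= int(expires_at):
        return False
    req.employee, req.ticket_url = employee, url
    return True

# step 507: one routine per desensitization mode, applied field by field
def mode_one_keyed_token(value: str) -> str:
    """Mode one stand-in: keyed HMAC pseudonym in place of a cipher (assumption, keeps the block library-free)."""
    return hmac.new(DESENSITIZE_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mode_two_mask(value: str, keep_head: int = 3, keep_tail: int = 2) -> str:
    """Mode two: deformation rule, keep head and tail characters and star out the middle."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    return value[:keep_head] + "*" * (len(value) - keep_head - keep_tail) + value[-keep_tail:]

def mode_three_replace(value: str) -> str:
    """Mode three: replacement rule, the whole field becomes a fixed placeholder."""
    return "<contact withheld>"

SENSITIVE_FIELDS = {"name": mode_one_keyed_token, "id_number": mode_two_mask, "contact": mode_three_replace}

def desensitize(row: dict) -> dict:
    return {k: SENSITIVE_FIELDS[k](v) if k in SENSITIVE_FIELDS else v for k, v in row.items()}

def control_access(req: Request, limiter: Limiter) -> dict:
    """Run the dimensions in order; the first failure decides, all passes release desensitized rows."""
    dimensions = [
        ("501 employee ticket", check_ticket),
        ("502 read authority", lambda r: (r.employee, r.table) in READ_GRANTS),
        ("503 request url", lambda r: r.url in ALLOWED_URLS and r.url == r.ticket_url),
        ("504 access frequency", lambda r: limiter.allow(r.client_id, r.client_type)),
        ("505 restricted access list", lambda r: r.client_id not in RESTRICTED_CLIENTS.get(r.table, set())),
        ("506 number package", lambda r: r.uin in NUMBER_PACKAGE),
    ]
    for name, check in dimensions:
        if not check(req):
            return {"allowed": False, "failed_on": name, "rows": []}
    rows = [r for r in FEEDBACK_ROWS.get(req.table, []) if r["uin"] == req.uin]
    return {"allowed": True, "failed_on": None, "rows": [desensitize(r) for r in rows]}
```

The 505 check uses a per-table denylist exactly as the client a example describes: a request from client-a for feedback_l2 stops at 505 even though the employee holds a read grant for that table, while a request for feedback_l3 already stops at 502. The returned `failed_on` name is what a server would write into the detection notification, so the audit trail records which dimension rejected a request without exposing the rows.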
Step 304: determine the data access authority of the client according to the authority detection result.
In some embodiments, determining the data access rights of the client may include the following two cases:
1) The detection result corresponding to the target client identifier is a correct detection result; in this case the server sends the data to be accessed to the corresponding client, through which the data to be accessed can be read or modified.
2) When the detection result corresponding to the target client identifier is determined to be an erroneous detection result, a first total number of erroneous detection results and a second total number of the plurality of data access requests are determined; the ratio of the first total number to the second total number is determined as the false detection probability; and when the false detection probability is greater than or equal to the false detection probability threshold, the client authority detection manner corresponding to the second restricted access object list is adjusted and the false detection probability is sent to a preset server. Because in some scenarios the number package has a large query volume (one hundred thousand to one million queries per minute) and a large number of accounts (one hundred thousand or more), query efficiency and space occupation become problems. The application uses a bloom filter, which meets the requirements of query efficiency and space occupation at the same time. One account number (uin) is 64 bits long; by adjusting the target error rate, the actual memory occupation is as shown in Table 1:
Table 1: statistics of the parameters related to the memory occupied by the bloom filter
The error rate shown in Table 1 refers to false positives in the authority detection domain, that is, a small proportion of requests are misjudged. As shown in Table 1, although the authority detection result of the bloom filter contains errors, for small number packages with fewer than 1kw (ten million) accounts only 14 hash functions are used and each account occupies only 20.16 bits, and for large number packages with 1kw accounts or more only 7 hash functions are used and each account occupies only 14.4.16 bits. The requirements of fast query and small storage space are thus met at the same time, which reduces the execution time of the access control method provided by the application, lowers the hardware consumption of storage space and saves storage hardware resources.
In some embodiments, to detect these abnormal requests (including data access requests erroneously detected and those missed by the bloom filter), the request log and the original number package are combined, and an audit reconciliation is performed after the task is finished. The request log is recorded by the server and records all received data access requests as log information; to enable backtracking of data access requests, the server may perform the following steps:
1) When the number package is applied for, the server stores the original number package file and keeps it as audit material.
2) When checking requests, a log entry is reported for each request that passes the check; the log content is: account uin + number package id.
3) After the task execution is finished (for example, after a user promotion), the server generates an offline task, pulls all logs of the number package id, extracts the account uins one by one and compares them with the original number package file. If an account uin is found not to be in the number package, the request was misjudged. At this time the server sends alarm information to a preset target client (e.g. a detection client or an administrator client).
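The bloom-filter number package, the false detection probability of case 2) and the three audit steps above, as an added Python example that is not code from the patent: a filter sized from the standard formulas, the per-request log line "uin + package id", and the offline reconciliation that recomputes the ratio of misjudged requests to all passed requests and compares it with the threshold. The double-hashing scheme over SHA-256, the 1% target error rate, the sample uins and the thresholds are assumptions; the bits-per-account and hash-function counts the formulas give are not necessarily those of Table 1, whose derivation the text does not give. The example also shows the one-sided nature of the error: every account in the package passes, so the audit can only ever find outsiders that were let through.

```python
"""Number-package bloom filter plus the post-task audit reconciliation.
Added illustration, not the patent's code: the double-hashing scheme, log line
layout, sample uins and thresholds are constructed assumptions."""
import hashlib
import math

def bloom_parameters(target_error_rate: float) -> tuple:
    """Standard sizing: bits per item m/n = -ln p / (ln 2)^2 and k = (m/n) ln 2 hash functions."""
    bits_per_item = -math.log(target_error_rate) / (math.log(2) ** 2)
    return bits_per_item, max(1, round(bits_per_item * math.log(2)))

class BloomFilter:
    """Allowlist of the accounts (uin) in a number package: 'maybe in' or 'definitely not in'."""

    def __init__(self, expected_items: int, target_error_rate: float):
        bits_per_item, self.k = bloom_parameters(target_error_rate)
        self.m = max(8, math.ceil(bits_per_item * expected_items))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> list:
        # k bit indexes from one SHA-256 digest by double hashing (assumption: the text names no scheme)
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p >> 3] >> (p & 7) & 1 for p in self._positions(item))

def load_number_package(uins) -> tuple:
    """Step 1): keep the original package file (here a set) as audit material and build the filter."""
    original = set(uins)
    bf = BloomFilter(len(original), target_error_rate=0.01)  # assumed target error rate
    for uin in original:
        bf.add(uin)
    return original, bf

def check_request(bf: BloomFilter, uin: str, package_id: str, request_log: list) -> bool:
    """Step 2): a request passes if its uin may be in the package; each pass is logged as 'uin package_id'."""
    if not bf.might_contain(uin):
        return False
    request_log.append(f"{uin} {package_id}")
    return True

def audit(request_log: list, package_id: str, original: set) -> dict:
    """Step 3): replay the package's log lines; a passed uin absent from the original file was misjudged."""
    total, misplaced = 0, []
    for line in request_log:
        uin, pid = line.split()
        if pid != package_id:
            continue
        total += 1
        if uin not in original:
            misplaced.append(uin)
    probability = len(misplaced) / total if total else 0.0   # first total / second total
    return {"total": total, "misplaced": misplaced, "false_detection_probability": probability}

def needs_adjustment(probability: float, threshold: float) -> bool:
    """The detection manner for this package is adjusted once the probability reaches the threshold."""
    return probability >= threshold

def demo() -> dict:
    """Constructed run: 1,000 in-package uins and 10,000 outsider uins probing the allowlist."""
    original, bf = load_number_package(f"uin-{i}" for i in range(1000))
    log = []
    members_passed = all(check_request(bf, f"uin-{i}", "pkg-1", log) for i in range(1000))
    for i in range(10000):
        check_request(bf, f"outsider-{i}", "pkg-1", log)   # only false positives get logged
    report = audit(log, "pkg-1", original)
    report["members_passed"] = members_passed
    return report
```

The reconciliation works from the log alone because the log only contains requests that passed: anything in it that is not in the original file is, by construction, a bloom-filter false positive, which is the "misjudged request" the text describes. The probability in the report is measured against the passed requests, so it rises when a package is probed mostly by accounts outside it, which is the situation a threshold on this ratio is meant to catch.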
Step 305: judge whether the data access authority allows access to the data to be accessed.
If yes, step 306 is executed. Step 306: when the data access authority characterizes that the client is allowed to access the data to be accessed, send the data to be accessed to the client.
Otherwise, step 307 is executed. Step 307: deny access to the data to be accessed.
Through steps 301 to 307, after detecting the authority to access the corresponding data to be accessed, the authority detection results may be summarized. Referring to fig. 6 and fig. 7, fig. 6 is a schematic diagram of the notification of the authority detection result in the embodiment of the present application; the detection notification shown in fig. 6 may include: the client identifier (represented by the target object number of the client operator), the usage scenario identifier of the access control method, the number package id (identifier of the second restricted access object list), the number package size (number of entries in the second restricted access object list), the identifier of the target object of the data to be accessed (applicant work number), and the time of data access. Since the second restricted access object list changes with the usage scenario of the access control method of the present application, the notification information of the processing procedure of the access control method may further include a reminder of the first access to a number package, indicating that a certain task has started running; this is implemented by recording an access state for each number package, changing the state to accessed on the first access, and reviewing the corresponding notification information according to the state change.
Referring to fig. 7, fig. 7 is a schematic diagram of the notification of the authority detection content in the embodiment of the present application; as shown in fig. 7, the notification of the authority detection content may include: the identifier of the data to be accessed, for example mail text, mail list, account information, attribute information and address book information of the target object; the number of reads of the data to be accessed, the number of writes of the data to be accessed, the number of interceptions of the data to be accessed, the normal access records of the data to be accessed and the illegal access records of the data to be accessed. With the notification of the authority detection content shown in fig. 7, the access record of any data to be accessed in the server can be traced back, saving tracing time for the data to be accessed.
1) By determining at least two authority detection dimensions of the data to be accessed corresponding to the data access request, performing authority detection on the client through them to obtain the authority detection result of the client, and then determining the data access authority of the client according to the authority detection result, the data access authorities of different clients can be finely managed and the access process for the data to be accessed becomes simpler, more convenient and safer; by adjusting the at least two authority detection dimensions of the data to be accessed corresponding to the data access request, the detection requirements of the data access authority in different access control scenarios can be met.
2) Real-time detection of the data access authority in different access control scenarios and backtracking of the data access authority can be realized, which is convenient for an administrator to review in time.
Referring to fig. 8, fig. 8 is a schematic structural diagram of an electronic device for executing an access control method provided by an embodiment of the present application, and the electronic device 100 shown in fig. 8 includes: at least one processor 410, a memory 450, at least one network interface 420, and a user interface 430. The various components in the electronic device 100 are coupled together by a bus system 440. It is understood that the bus system 440 is used to enable connected communication between these components. The bus system 440 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled in fig. 8 as bus system 440.
The processor 410 may be an integrated circuit chip having signal processing capabilities such as a general purpose processor, such as a microprocessor or any conventional processor, a digital signal processor (Digital Signal Processor, DSP), or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
The user interface 430 includes one or more output devices 431, including one or more speakers and/or one or more visual displays, that enable presentation of the media content. The user interface 430 also includes one or more input devices 432, including user interface components that facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
Memory 450 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard drives, optical drives, and the like. Memory 450 optionally includes one or more storage devices physically remote from processor 410.
Memory 450 includes volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory. The non-volatile Memory may be a Read Only Memory (ROM) and the volatile Memory may be a random access Memory (Random Access Memory, RAM). The memory 450 described in embodiments of the present application is intended to comprise any suitable type of memory.
In some embodiments, memory 450 is capable of storing data to support various operations, examples of which include programs, modules and data structures, or subsets or supersets thereof, as exemplified below.
An operating system 451, including system programs for handling various basic system services and performing hardware-related tasks, e.g. a framework layer, a core library layer and a driver layer;
a network communication module 452 for reaching other electronic devices via one or more (wired or wireless) network interfaces 420, exemplary network interfaces 420 including Bluetooth, Wireless Fidelity (WiFi), Universal Serial Bus (USB), etc.;
a presentation module 453 for enabling presentation of information (e.g., a user interface for operating peripheral devices and displaying content and information) via one or more output devices 431 (e.g., a display screen, speakers, etc.) associated with the user interface 430;
an input processing module 454 for detecting one or more user inputs or interactions from one of the one or more input devices 432 and translating the detected inputs or interactions.
In some embodiments, the apparatus provided in the embodiments of the present application may be implemented in software, and fig. 8 shows the access control device 455 stored in the memory 450, which may be software in the form of a program, a plug-in, or the like, including the following software modules: the information transmission module 4551, the information processing module 4552, and the detection module 4553 are logical, and thus may be arbitrarily combined or further split according to the functions implemented. The functions of the respective modules will be described hereinafter.
An information transmission module 4551, configured to receive a data access request sent by a client;
the information processing module 4552 is configured to determine at least two permission detection dimensions of data to be accessed corresponding to the data access request in response to the data access request;
the detection module 4553 is configured to perform authority detection on the client according to at least two authority detection dimensions, to obtain an authority detection result of the client;
the processing and transmitting module is further used for determining the data access authority of the client according to the authority detection result;
the processing and transmitting module is further used for sending the data to be accessed to the client when the data access authority characterizes that the client is allowed to access the data to be accessed.
In some embodiments, the processing and transmitting module is further used for parsing the data access request to obtain the data identifier carried in the data access request;
the processing and transmitting module is further used for determining the data to be accessed according to the data identifier and for determining the type of the data to be accessed;
the processing and transmitting module is further used for determining the at least two authority detection dimensions of the data to be accessed according to the type of the data to be accessed, wherein the at least two authority detection dimensions comprise at least two of the following:
the credential information of the client, the read authority information of the client, the uniform resource locator matched with the data access request, a first restricted access object list and a second restricted access object list, wherein the first restricted access object list is used for storing the identifiers of clients restricted from accessing any piece of data to be accessed, and the second restricted access object list is used for storing the identifiers of clients restricted from accessing each piece of data to be accessed.
In some embodiments, the processing and transmitting module is further configured to, when the type of the data to be accessed is the first type, determine that the at least two authority detection dimensions corresponding to the data to be accessed at least include: the second restricted access object list and the credential information of the client;
the processing and transmitting module is further configured to, when the type of the data to be accessed is the second type, determine that the at least two authority detection dimensions corresponding to the data to be accessed at least include: the second restricted access object list and the first restricted access object list, wherein the sensitivity level of the second type is higher than that of the first type.
In some embodiments, the detection module 4553 is further configured to determine a detection order of at least two rights detection dimensions;
the detection module 4553 is further configured to detect, according to the detection order, the client according to each authority detection dimension, to obtain a detection result of the client on each authority detection dimension;
the detection module 4553 is further configured to determine that the authority detection result of the client is passing authority detection when the detection results of the client in each authority detection dimension are all passing detection;
the detection module 4553 is further configured to determine that the detection result of the authority of the client is failed authority detection when at least one of the detection results of the client in the respective authority detection dimensions is failed.
In some embodiments, when at least two rights detection dimensions include: a second restricted access object list, and the data access request is plural,
the information detection module 4553 is further configured to obtain a plurality of data access requests for the data to be accessed;
the information detection module 4553 is further configured to perform authority detection on each client corresponding to each data access request according to the second restricted access object list, so as to obtain each detection result of each client in the dimension of the second restricted access object list;
the information detection module 4553 is further configured to determine that the detection result is the target client identifier passing the detection;
the information detection module 4553 is further configured to determine that the detection result corresponding to the target client identifier is an erroneous detection result when the target client identifier exists in the second restricted access object list;
the information detection module 4553 is further configured to determine that the detection result corresponding to the target client identifier is a correct detection result when the target client identifier does not exist in the second restricted access object list.
In some embodiments, when it is determined that the detection result corresponding to the target client identifier is an erroneous detection result, the information detection module 4553 is further configured to determine a first total number of erroneous detection results and a second total number of the plurality of data access requests;
the information detection module 4553 is further configured to determine a ratio of the first total number to the second total number as a false detection probability;
the information detection module 4553 is further configured to adjust a client permission detection manner corresponding to the second restricted access object list when the error detection probability is greater than or equal to the error detection probability threshold, and send the error detection probability to the preset server.
In some embodiments, the information processing module 4552 is further configured to parse the data access request to obtain a type identifier of the client;
the information processing module 4552 is further configured to determine a type of the client according to the type identifier of the client;
the information processing module 4552 is further configured to adjust a data read-write frequency corresponding to the data access request according to the type of the client.
In some embodiments, the information processing module 4552 is further configured to determine an initial data read-write frequency corresponding to the data access request;
the information processing module 4552 is further configured to increase the initial data read-write frequency when the type of the client is a type of risk of no data leakage;
The information processing module 4552 is further configured to reduce the initial data read-write frequency when the type of the client is a type in which there is a risk of data leakage.
The embodiment of the application also provides electronic equipment, which comprises:
a memory for storing executable instructions;
and the processor is used for realizing the access control method when executing the executable instructions stored in the memory.
The embodiment of the application also provides a computer-readable storage medium storing executable instructions which, when executed by a processor, implement the access control method, including sending the data to be accessed to the client when access to it is allowed.
According to the electronic device shown in fig. 8, in one aspect of the application, the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions are read from the computer-readable storage medium by a processor of a computer device, which executes the computer instructions, causing the computer device to perform the different embodiments and combinations of embodiments provided in the various alternative implementations of the access control methods provided by the application.
The above embodiments are merely examples of the present application, and are not intended to limit the scope of the present application, so any modifications, equivalent substitutions and improvements made within the spirit and principle of the present application should be included in the scope of the present application.

Claims (12)

1. An access control method, the method comprising:
receiving a data access request sent by a client;
responding to the data access request, and determining at least two authority detection dimensions of data to be accessed corresponding to the data access request;
performing authority detection on the client according to the at least two authority detection dimensions to obtain an authority detection result of the client;
determining the data access authority of the client according to the authority detection result;
and when the data access authority is used for characterizing that the client is allowed to access the data to be accessed, the data to be accessed is sent to the client.
2. The method of claim 1, wherein determining at least two rights detection dimensions of data to be accessed corresponding to the data access request comprises:
analyzing the data access request to obtain a data identifier carried in the data access request;
Determining data to be accessed according to the data identifier, and determining the type of the data to be accessed;
determining at least two right detection dimensions of the data to be accessed according to the type of the data to be accessed, wherein the at least two right detection dimensions comprise at least two of the following:
the credential information of the client, the read authority information of the client, the uniform resource locator matched with the data access request, a first restricted access object list and a second restricted access object list, wherein the first restricted access object list is used for storing the identifiers of clients restricted from accessing any piece of data to be accessed, and the second restricted access object list is used for storing the identifiers of clients restricted from accessing each piece of data to be accessed.
3. The method of claim 2, wherein determining at least two rights detection dimensions corresponding to the data to be accessed according to the type of the data to be accessed comprises:
when the type of the data to be accessed is a first type, at least two permission detection dimensions corresponding to the data to be accessed at least comprise: the second restricted access object list and credential information of the client;
When the type of the data to be accessed is the second type, at least two permission detection dimensions corresponding to the data to be accessed at least comprise: the second restricted access object list and the first restricted access object list, wherein the second type of sensitivity level is greater than the first type.
4. The method according to claim 1, wherein performing rights detection on the client according to the at least two rights detection dimensions to obtain a rights detection result of the client includes:
determining the detection sequence of the at least two authority detection dimensions;
detecting the client according to the detection sequence and each authority detection dimension to obtain a detection result of the client on each authority detection dimension;
when the detection results of the client in each authority detection dimension are all passing detection, determining that the authority detection result of the client is passing authority detection;
and when at least one of the detection results of the client in each authority detection dimension is failed detection, determining that the authority detection result of the client is failed authority detection.
5. The method of claim 2, wherein when the at least two rights detection dimensions comprise: a second restricted access object list, and the data access request is plural,
the method further comprises the steps of:
acquiring a plurality of data access requests aiming at the data to be accessed;
performing authority detection on each client corresponding to each data access request according to the second restricted access object list to obtain each detection result of each client under the dimension of the second restricted access object list;
determining the target client identifier whose detection result is passing detection;
when the target client identifier exists in the second restricted access object list, determining that a detection result corresponding to the target client identifier is an error detection result;
and when the target client identifier does not exist in the second restricted access object list, determining that the detection result corresponding to the target client identifier is a correct detection result.
6. The method as recited in claim 5, wherein the method further comprises:
when it is determined that the detection result corresponding to the target client identification is an erroneous detection result,
Determining a first total number of detection results of the errors and a second total number of the plurality of data access requests;
determining the ratio of the first total number to the second total number as a false detection probability;
and when the false detection probability is greater than or equal to a false detection probability threshold, adjusting a client permission detection mode corresponding to the second restricted access object list, and sending the false detection probability to a preset server.
7. The method according to claim 2, wherein the method further comprises:
analyzing the data access request to obtain the type identifier of the client;
determining the type of the client according to the type identifier of the client;
and adjusting the data read-write frequency corresponding to the data access request according to the type of the client.
8. The method of claim 7, wherein adjusting the data read-write frequency corresponding to the data access request according to the type of the client comprises:
determining an initial data read-write frequency corresponding to the data access request;
when the type of the client is a type without data leakage risk, increasing the initial data read-write frequency;
And when the type of the client is a type with data leakage risk, reducing the initial data read-write frequency.
9. An access control apparatus, the apparatus comprising:
the information transmission module is used for receiving a data access request sent by the client;
the information processing module is used for responding to the data access request and determining at least two authority detection dimensions of the data to be accessed corresponding to the data access request;
the detection module is used for carrying out authority detection on the client according to the at least two authority detection dimensions to obtain an authority detection result of the client;
the processing and transmitting module is further used for determining the data access authority of the client according to the authority detection result;
the processing and transmitting module is further configured to send the data to be accessed to the client when the data access right is used for characterizing that the client is allowed to access the data to be accessed.
10. An electronic device, the electronic device comprising:
a memory for storing executable instructions;
a processor for implementing the access control method of any one of claims 1 to 8 when executing executable instructions stored in said memory.
11. A computer program product comprising a computer program or instructions which, when executed by a processor, implements the access control method of any one of claims 1 to 8.
12. A computer readable storage medium storing executable instructions which when executed by a processor implement the access control method of any one of claims 1 to 8.
CN202310639101.2A 2023-05-31 2023-05-31 Access control method, device, electronic equipment, program product and medium Pending CN117216773A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310639101.2A CN117216773A (en) 2023-05-31 2023-05-31 Access control method, device, electronic equipment, program product and medium

Publications (1)

Publication Number Publication Date
CN117216773A true CN117216773A (en) 2023-12-12

Family

ID=89037682

Legal Events

Date Code Title Description
PB01 Publication