CN117290876A - User role-based data access control method and system - Google Patents


Publication number
CN117290876A
Authority
CN
China
Prior art keywords
data
user
filtering
authority
data access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311041271.7A
Other languages
Chinese (zh)
Inventor
沈仁健
王志鹏
潘宇饶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangxi Digital Internet Connection Information Security Technology Co ltd
Original Assignee
Jiangxi Digital Internet Connection Information Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangxi Digital Internet Connection Information Security Technology Co ltd
Priority to CN202311041271.7A
Publication of CN117290876A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application provides a data access control method and system based on user roles, and belongs to the technical field of data access control. The method performs annotation analysis on a user's data access request and judges whether the data access layer contains an interception-ignore annotation; if it does, the target data is returned according to the request. When the data access layer does not contain the interception-ignore annotation, a preset data authority interceptor is called to intercept data access requests that query data, the user's data authority filtering SQL statement is obtained, and, according to the custom configuration, the data authority filtering SQL statement is added to the data access request to obtain a reorganized data access request; the local thread is then called to execute the reorganized data access request, and the target data conforming to the data authority filtering SQL statement is returned. The method and the system use the mutual isolation of local threads to store and transmit user permission data, and reduce the query pressure on the database.

Description

User role-based data access control method and system
Technical Field
The application belongs to the technical field of data access control, and particularly relates to a data access control method and system based on a user role.
Background
The business systems of enterprises are very data-intensive and often distribute business data to operators in different institutions, posts, teams and so on for processing. Current enterprise back-office management systems implement data access control, and data access authority is usually controlled according to user roles. For example, a system administrator role may view all of the data of a module, while a guest role may only view part of the data of the module, or may have no authority to view the module's data at all. Authority control therefore has to be implemented in each corresponding service module, so part of the authority management workload is repeated, the data filtering content cannot be custom-configured to users' individual needs, and the query pressure on the database is high when authority data is filtered.
Disclosure of Invention
The present application therefore provides a data access control method and system based on user roles, which help to solve the problems that existing data access control methods cannot custom-configure the data filtering content and place high query pressure on the database.
In order to achieve the above purpose, the present application adopts the following technical scheme:
In a first aspect, the present application provides a data access control method based on a user role, including:
acquiring a data access request of a user;
judging whether the data access layer contains an interception-ignore annotation, and if the data access layer contains the interception-ignore annotation, returning target data according to the data access request;
if the data access layer does not contain the interception-ignore annotation, identifying the operation type of the data access request according to a preset data authority interceptor, and if the operation type is a non-data query operation, returning target data according to the data access request;
if the operation type is data query operation, acquiring a target data table accessed by a data access request, judging whether the target data table belongs to a preset static member variable set, and if the target data table does not belong to the preset static member variable set, returning target data according to the data access request;
if the target data table belongs to a preset static member variable set, acquiring a data authority filtering SQL statement of a user, and adding the data authority filtering SQL statement into the data access request to acquire a reorganized data access request;
creating a data authority filtering metadata object based on the reorganized data access request, associating the data authority filtering metadata object with a local thread, calling the local thread to execute the reorganized data access request, and returning target data conforming to the data authority filtering SQL statement.
Further, the preset data authority interceptor includes: a data authority filtering metadata class, a data authority filtering type enumeration class, a data authority filtering interception class and a data transfer local thread pool class; wherein,
the data authority filtering metadata class is used for managing and transmitting data authority filtering information; the data authority filtering information comprises an enumeration type, an organization ID and a user ID of a data authority filtering range;
the data authority filtering type enumeration class is used for identifying different data authority filtering ranges; the data authority filtering range comprises a full data authority range, a current organization and its sub-level organization data authority range, a current organization data authority range and a common user data authority range;
the data authority filtering interception class is used for configuring the operation type of a data access request to be intercepted and configuring a preset static member variable set;
the data transfer local thread pool class is used to read the attributes of the data authority filtering metadata class and to create, acquire and empty the data authority filtering metadata object.
Further, the obtaining the data authority filtering SQL statement of the user, and adding the data authority filtering SQL statement into the data access request, to obtain a reorganized data access request, includes:
acquiring role information and organization information of a user according to the current logged-in user information;
determining the data authority range of the user according to the role information and the organization information of the user;
generating a data authority filtering SQL statement of a corresponding data authority range according to the data authority range of the user;
and splicing and reorganizing the SQL statement of the data authority filtering and the SQL statement corresponding to the data access request to obtain a reorganized data access request.
Further, the creating a data authority filtering metadata object based on the reorganization data access request, and associating the data authority filtering metadata object with a local thread to call the local thread to execute the reorganization data access request, and returning target data conforming to the data authority filtering SQL statement, including:
calling the data transfer local thread pool class to acquire a data authority filtering metadata class attribute based on the recombined data access request, creating a data authority filtering metadata object based on the data authority filtering metadata class attribute, and associating the data authority filtering metadata object with a local thread;
acquiring a data authority filtering metadata object associated with a local thread, transmitting the data authority filtering metadata object by utilizing the local thread, executing a data authority filtering SQL statement, inquiring target data conforming to the data authority filtering SQL statement in a data table of a database, and returning the target data;
and after the target data is returned, the data authority filtering metadata object stored in the local thread pool is emptied.
Further, the determining the data authority range of the user according to the role information and the organization information of the user includes:
judging the role information and the organization information of the user, and if the role is an administrator role, setting the enumeration type attribute value of the data authority filtering metadata class as the full data authority range;
if the role is an organization manager role, setting the enumeration type attribute value of the data authority filtering metadata class as the current organization and its sub-level organization data authority range, and setting the organization ID attribute value as the ID of the organization to which the current user belongs and the IDs of the sub-organizations it contains;
if the role is an organization user role, setting the enumeration type attribute value of the data authority filtering metadata class as the current organization data authority range, and setting the organization ID attribute value as the ID of the organization to which the current user belongs;
if the role is a common user role, setting the enumeration type attribute value of the data authority filtering metadata class as the common user data authority range, and setting the user ID attribute value as the current user ID.
Further, the generating the data authority filtering SQL statement of the corresponding data authority range according to the data authority range of the user includes:
judging the enumeration type attribute value in the data authority filtering metadata class, and if the enumeration type attribute value is the full data authority range, not generating a data authority filtering SQL statement;
if the enumeration type attribute value is the current organization and its sub-level organization data authority range, generating a data authority filtering SQL statement containing the organization ID of the current user and the sub-organization IDs it contains;
if the enumerated type attribute value is the current organization data authority range, generating a data authority filtering SQL statement containing the organization ID of the current user;
if the enumerated type attribute value is the common user data authority range, a data authority filtering SQL statement containing the user ID is generated.
Further, the preset static member variable set includes table names of a data table requiring permission filtering.
In a second aspect, the present application provides a data access control system based on user roles, including:
the request acquisition module is used for acquiring a data access request of a user;
the annotation analysis module is used for judging whether the data access layer contains an interception-ignore annotation, and if the data access layer contains the interception-ignore annotation, returning target data according to the data access request;
the operation type analysis module is used for identifying the operation type of the data access request according to a preset data authority interceptor, and returning target data according to the data access request if the operation type is a non-data query operation;
the filtering analysis module is used for acquiring a target data table accessed by the data access request, judging whether the target data table belongs to a preset static member variable set, and returning target data according to the data access request if the target data table does not belong to the preset static member variable set;
the request reorganization module is used for acquiring the data authority filtering SQL statement of the user, adding the data authority filtering SQL statement into the data access request, and acquiring a reorganized data access request;
and the data access module is used for creating a data authority filtering metadata object based on the reorganized data access request, associating the data authority filtering metadata object with a local thread, calling the local thread to execute the reorganized data access request, and returning target data conforming to the data authority filtering SQL statement.
By adopting the above technical scheme, the application has at least the following beneficial effects:
According to the data access control method based on user roles, annotation analysis is first performed on the user's data access request to judge whether the data access layer contains the interception-ignore annotation; if it does, the target data is returned according to the request. The interception-ignore annotation can be configured flexibly, so whether authority filtering is needed can be selected dynamically, which saves a large amount of development time and improves development efficiency. Meanwhile, when the data access layer does not contain the interception-ignore annotation, the application calls a preset data authority interceptor to intercept data access requests that query data, obtains the user's data authority filtering SQL statement, and adds it to the data access request according to the custom configuration to obtain a reorganized data access request, so that data authority filtering is performed automatically according to the role information of the currently logged-in user. Finally, the local thread is called to execute the reorganized data access request; the mutual isolation of local threads is used to store and transmit the user permission data, the target data conforming to the data authority filtering SQL statement is returned, and the query pressure on the database is reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a flow chart illustrating a method of user role based data access control in accordance with an exemplary embodiment;
FIG. 2 is a functional block diagram of a user role based data access control system according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of methods that are consistent with some aspects of the present application as detailed in the accompanying claims.
A mature back-office management system should let a user view a range of data according to the role the user belongs to. For example, a system administrator role may view all of the data of a module, while a guest role may only view part of the data of the module, or may have no authority to view the module's data at all. Authority control is needed in each corresponding module, so part of the workload is repeated. Therefore, to avoid reinventing the wheel, the modules that need authority control are extracted and authority control is performed centrally and uniformly. This reduces the development workload, reduces code redundancy and improves efficiency.
To let different roles see different data ranges, the prior-art approach in the industry is as follows: in each module that needs permission control, query the roles of the currently logged-in user and write the corresponding permission control code for each role, so that data in different data ranges is queried for different roles. This approach duplicates part of the authority management workload, increases the development time of the system and decreases development efficiency. When there are several service modules that need authority control, authority control has to be implemented in each of them, so part of the authority management workload is repeated, the data filtering content cannot be custom-configured to users' individual needs, and the query pressure on the database is high when authority data is filtered.
In order to solve the problems of the data access control technology, the present application provides a data access control method and system based on a user role, and the following embodiments are described in detail.
Example 1
Referring to FIG. 1, FIG. 1 illustrates a data access control method based on a user role according to an embodiment of the present invention, which is directed to the above problem and includes:
S1, acquiring a data access request of a user.
S2, judging whether the data access layer contains an interception-ignore annotation, and if the data access layer contains the interception-ignore annotation, returning target data according to the data access request; the interception-ignore annotation can be expressed as the @InterceptorIgnore annotation, which is an annotation in the Spring Boot framework used to control whether the interceptor intercepts a specified interface;
S3, if the data access layer does not contain the interception-ignore annotation, identifying the operation type of the data access request according to a preset data authority interceptor, and if the operation type is a non-data query operation, returning target data according to the data access request;
S4, if the operation type is a data query operation, acquiring the target data table accessed by the data access request, judging whether the target data table belongs to a preset static member variable set, and if the target data table does not belong to the preset static member variable set, returning target data according to the data access request;
S5, if the target data table belongs to the preset static member variable set, acquiring the data authority filtering SQL statement of the user, and adding the data authority filtering SQL statement into the data access request to obtain a reorganized data access request;
S6, creating a data authority filtering metadata object based on the reorganized data access request, associating the data authority filtering metadata object with a local thread, calling the local thread to execute the reorganized data access request, and returning target data conforming to the data authority filtering SQL statement.
Further, in one embodiment, the preset data right interceptor in this embodiment includes: the system comprises a data authority filtering metadata class, a data authority filtering type enumeration class, a data authority filtering interception class and a data transmission local thread pool class.
The data authority filtering metadata class is used for managing and transmitting data authority filtering information; the data authority filtering information comprises an enumeration type, an organization ID and a user ID of a data authority filtering range.
The data authority filtering type enumeration class is used to identify different data authority filtering ranges. The data authority filtering range comprises a full data authority range, a current organization and its sub-level organization data authority range, a current organization data authority range and a common user data authority range.
The data authority filtering interception class is used for configuring the operation type of the data access request to be intercepted and configuring a preset static member variable set.
The data transfer local thread pool class is used to read the attributes of the data authority filtering metadata class and to create, acquire and empty the data authority filtering metadata object.
In a specific practical process, the embodiment needs to preset a data authority interceptor, namely, a data authority filtering metadata class, a data authority filtering type enumeration class, a data authority filtering interception class and a data transmission local thread pool class. The specific definition process is as follows:
1. Define a data authority filtering metadata class, denoted DataFilterMetaData, which contains the following attributes:
(1) The enumeration type of the data authority filtering metadata class, which represents the different data authority filtering ranges.
(2) The organization ID list, used for storing the identifiers of organizations.
(3) The user ID, used for storing the identifier of the user.
This class is used to manage and transmit data authority filtering information so that the corresponding data authority filtering conditions can be obtained in the system, ensuring that a user can only access data for which the user is authorized.
2. Define a data authority filtering type enumeration class, denoted DataFilterTypeEnum, which contains the following data authority filtering ranges:
(1) ALL: full data authority range.
(2) CURRENT_AND_SUBORGANIZATIONS: the current organization and its sub-level organization data authority range.
(3) CURRENT_ORGANIZATION: the current organization data authority range.
(4) NORMAL_USER: normal user data authority range, etc.
This enumeration class is used to identify the different data authority filtering ranges so that data authority can be controlled and filtered accurately in the system.
3. Define a data transfer local thread pool class named DataFilterThreadLocal, whose purpose is unified management of the data authority filtering metadata class. By using the local thread, the data authority filtering metadata object can be passed inside the thread, and its creation, acquisition and emptying are managed uniformly throughout the thread lifecycle. This class provides the following functions:
(1) Create a data authority filtering metadata object and associate it with the current thread.
(2) Obtain the data authority filtering metadata object associated with the current thread, so that the data authority filtering information can be used where needed.
(3) Clear the data authority filtering metadata object stored in the local thread pool, ensuring isolation among threads and accuracy of the data authority.
Through the data transfer local thread pool class, data authority filtering information can be transferred and managed safely in a multithreaded environment.
4. Define a user-defined data authority filtering interceptor class named UserDataInterceptor, which inherits the data authority filtering interceptor DataPermissionInterceptor of the existing development framework and overrides its method for preprocessing the query statement and its method for setting the query condition. In addition, a set is defined as a static member variable, namely the preset static member variable set, which stores the table names of the data tables that need authority filtering; it is initialized in a static block so that the interceptor can use this information to decide whether to apply data authority filtering to a query.
Specifically, the operation type of the data access request is identified by the preset data authority interceptor as follows: the method for preprocessing the query statement is overridden in the user-defined data authority filtering interceptor, the SQL statement (that is, the data access request) about to operate on the database is intercepted and obtained at the data layer, and it is judged whether the type of the SQL statement is PlainSelect. PlainSelect is a type of SQL query statement that represents a conventional SELECT query. This ensures that only SELECT query statements undergo data authority filtering, without affecting other types of SQL operations. If the SQL statement is of the SELECT type, the process continues to the next step, the static member variable determination for the data table. If the SQL statement is of another type such as UPDATE, DELETE or INSERT, no data authority operation is performed on it and it is released directly, which avoids invalid data authority filtering.
Specifically, obtaining the target data table accessed by the data access request and judging whether the target data table belongs to the preset static member variable set includes: whether the data table queried by the SQL statement is in the preset static member variable set can be determined in the step of preprocessing the query statement, and the data authority filtering operation is performed only when that condition is satisfied. This avoids invalid data authority processing on data tables that are not in the static member variable set.
Meanwhile, it may be further determined after step S3 whether the data authority operation is required. If the data table is in the preset static member variable set, the subsequent data authority filtering operation continues; if the data table is not in the preset static member variable set, the SQL statement is released directly without any data authority operation. These steps avoid unnecessary data authority filtering and improve the performance and efficiency of the interceptor.
Further, in one embodiment, obtaining a data authority filtering SQL statement of a user, and adding the data authority filtering SQL statement to the data access request to obtain a reorganized data access request, including:
acquiring role information and organization information of a user according to the current logged-in user information;
determining the data authority range of the user according to the role information and the organization information of the user;
generating a data authority filtering SQL statement of a corresponding data authority range according to the data authority range of the user;
and splicing and reorganizing the SQL statement of the data authority filtering and the SQL statement corresponding to the data access request to obtain a reorganized data access request.
When obtaining the user's data authority filtering SQL statement, the information of the currently logged-in user is queried and data authority is assigned according to the role information. The information of the currently logged-in user is queried to obtain the user's role information and organization information. According to the user's role, the enumeration type attribute in the data authority filtering metadata class is assigned a value to determine the user's data authority range; the process specifically comprises the following steps:
judging the role information and organization information of the user, and if the role is an administrator role, setting the enumeration type attribute value of the data authority filtering metadata class as the full data authority range.
If the role is an organization manager role, setting the enumeration type attribute value of the data authority filtering metadata class as the current organization and its sub-level organization data authority range, and setting the organization ID attribute value as the ID of the organization to which the current user belongs and the IDs of the sub-organizations it contains.
If the role is an organization user role, setting the enumeration type attribute value of the data authority filtering metadata class as the current organization data authority range, and setting the organization ID attribute value as the ID of the organization to which the current user belongs.
If the role is a common user role, setting the enumeration type attribute value of the data authority filtering metadata class as the common user data authority range, and setting the user ID attribute value as the current user ID.
The invention defines the data authority range and the ID attributes of the user based on the user role, which makes it convenient to generate the corresponding data authority filtering SQL statement for that role and allows the data filtering content to be custom-configured to users' individual needs.
Specifically, generating the data authority filtering SQL statement of the corresponding data authority range according to the data authority range of the user comprises:
judging the enumeration type attribute value in the data authority filtering metadata class, and if it is the full data authority range, not generating a data authority filtering SQL statement;
if the enumeration type attribute value is the data authority range of the current organization and its sub-level organizations, generating a data authority filtering SQL statement containing the ID of the organization to which the current user belongs and the IDs of the sub-organizations it contains.
If the enumeration type attribute value is the current organization data authority range, a data authority filtering SQL statement containing the ID of the organization to which the current user belongs is generated.
If the enumeration type attribute value is the common user data authority range, a data authority filtering SQL statement containing the user ID is generated.
According to the invention, the data authority range of the user is determined by the enumeration type attribute of the data authority filtering metadata class, and the data authority filtering SQL statement for that range is generated from it. This allows subsequent database queries to be filtered by the data authority filtering SQL statement, achieves automatic data authority filtering based on user role information, and improves the efficiency of data query and filtering.
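The role-to-range mapping and filter generation described above, as an added example that is not code from the patent: the role names, the `orders` table with its `org_id` and `user_id` columns, and the subquery form of splicing are assumptions. It goes one step beyond the text by binding the IDs as parameters instead of concatenating them into the statement.

```python
import sqlite3
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Scope(Enum):                      # the "filtering type enumeration class"
    ALL = "all"
    ORG_AND_CHILDREN = "org_and_children"
    ORG = "org"
    SELF = "self"


@dataclass(frozen=True)
class FilterMeta:                       # the "filtering metadata class"
    scope: Scope
    org_ids: Tuple[int, ...] = ()
    user_id: Optional[int] = None


# Constructed sample data: organisation tree and rows (id, org_id, user_id, status).
ORG_CHILDREN = {10: [11, 12], 11: [13]}
ROWS = [(1, 10, 100, "open"), (2, 11, 101, "closed"), (3, 13, 102, "open"),
        (4, 20, 103, "open"), (5, 10, 104, "closed")]


def descendants(org_id):
    """Return org_id followed by the IDs of all its sub-organisations."""
    out, stack = [org_id], [org_id]
    while stack:
        for child in ORG_CHILDREN.get(stack.pop(), []):
            out.append(child)
            stack.append(child)
    return out


def resolve_meta(role, org_id, user_id):
    """Map role -> range as in the description; unknown roles fail closed."""
    if role == "admin":
        return FilterMeta(Scope.ALL)
    if role == "org_manager":
        return FilterMeta(Scope.ORG_AND_CHILDREN, tuple(descendants(org_id)))
    if role == "org_user":
        return FilterMeta(Scope.ORG, (org_id,))
    if role == "user":
        return FilterMeta(Scope.SELF, user_id=user_id)
    raise PermissionError(f"no data scope defined for role {role!r}")


def filter_sql(meta):
    """Return (predicate, params); predicate is None for the full range."""
    if meta.scope is Scope.ALL:
        return None, []
    if meta.scope is Scope.SELF:
        return "user_id = ?", [meta.user_id]
    if not meta.org_ids:
        raise PermissionError("organisation scope without organisation IDs")
    marks = ", ".join("?" * len(meta.org_ids))
    return f"org_id IN ({marks})", list(meta.org_ids)


def reorganize(query, params, meta):
    """Splice the filter onto the request's SQL, keeping IDs as bound parameters."""
    predicate, extra = filter_sql(meta)
    if predicate is None:
        return query, list(params)
    # Wrapping the original statement as a subquery keeps an OR in its own
    # WHERE clause from widening the filter through operator precedence.
    return f"SELECT * FROM ({query}) AS scoped WHERE {predicate}", list(params) + extra


def visible_ids(role, org_id, user_id):
    """Run the reorganized query on an in-memory table and return the row ids."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id, org_id, user_id, status)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ROWS)
    base = "SELECT id, org_id, user_id FROM orders WHERE status = ? OR status = ?"
    sql, params = reorganize(base, ["open", "closed"], resolve_meta(role, org_id, user_id))
    return sorted(row[0] for row in db.execute(sql, params))
```

The subquery form requires the original statement to select the `org_id` and `user_id` columns that the filter refers to.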
Further, in one embodiment, creating a data authority filtering metadata object based on the reorganized data access request, associating the data authority filtering metadata object with a local thread, calling the local thread to execute the reorganized data access request, and returning target data conforming to the data authority filtering SQL statement includes:
calling the data transfer local thread pool class to acquire the data authority filtering metadata class attributes based on the reorganized data access request, creating a data authority filtering metadata object from those attributes, and associating the data authority filtering metadata object with the local thread;
acquiring the data authority filtering metadata object associated with the local thread, passing the data authority filtering metadata object through the local thread, executing the data authority filtering SQL statement, querying the data table of the database for target data conforming to the data authority filtering SQL statement, and returning the target data;
and after the target data is returned, emptying the data authority filtering metadata object stored in the local thread pool so that it is ready for the next use. This ensures that data authority is isolated between different queries and that, for each query, the data authority range conditions are generated from the current user role information. Once data authority processing is finished, the data in the data transfer local thread pool class is emptied promptly, which avoids data authority confusion, ensures that the next query operation is based on new user role information, and improves the security and performance of the service system.
In a specific implementation, the data authority filtering metadata object is set into the data transfer local thread pool class. A local thread variable belongs to the current thread and is isolated from other threads, so each thread accesses its own copy of the variable, and the user role and the related data authority are passed along in this way. This avoids repeatedly querying the database to obtain the authority of the user role, thereby improving system performance and efficiency. Each thread can quickly access its own data authority filtering information without frequently querying the database, so data authority processing is more efficient and flexible. This optimization is very effective for data authority control in scenarios with concurrent access by multiple users.
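The create, acquire and empty lifecycle of the thread-bound metadata object, as an added example (not the patent's code) using Python's `threading.local`; all function names and the sample metadata are hypothetical. It runs two requests on one pooled worker thread to show why the emptying step belongs in a `finally` block and why a missing object is treated as an error.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from contextlib import contextmanager

_local = threading.local()              # one "meta" slot per thread


def current_meta():
    """Acquire the metadata bound to the calling thread, or None."""
    return getattr(_local, "meta", None)


def require_meta():
    """Interceptor-side lookup that fails closed when nothing is bound."""
    meta = current_meta()
    if meta is None:
        raise PermissionError("no data authority metadata bound to this thread")
    return meta


@contextmanager
def data_scope(meta):
    """Bind metadata for one request and always empty it afterwards."""
    _local.meta = meta
    try:
        yield meta
    finally:
        if hasattr(_local, "meta"):
            del _local.meta             # runs even if the query raises


def handle_leaky(meta):
    """Binds the metadata but never empties it."""
    if meta is not None:
        _local.meta = meta
    return current_meta()


def handle_scoped(meta):
    """Binds the metadata only for the duration of the request."""
    if meta is None:
        return current_meta()
    with data_scope(meta):
        return current_meta()


def run_two_requests(handler):
    """Run two requests back to back on the same pooled worker thread."""
    first_user = {"scope": "org", "org_ids": (10,)}   # constructed sample
    with ThreadPoolExecutor(max_workers=1) as pool:
        first = pool.submit(handler, first_user).result()
        # The second request reaches the lookup without binding anything,
        # e.g. a code path that skipped the binding step.
        second = pool.submit(handler, None).result()
    return first, second
```

With `handle_leaky` the second request sees the first user's metadata because the worker thread is reused; with `handle_scoped` it sees `None`.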
Example 2
Referring to fig. 2, this embodiment provides, based on embodiment 1 described above, a data access control system based on a user role, including:
the request acquisition module is used for acquiring a data access request of a user;
the annotation analysis module is used for judging whether the data access layer contains an interception-ignore annotation, and if the data access layer contains the interception-ignore annotation, returning target data according to the data access request;
the operation type analysis module is used for identifying the operation type of the data access request according to a preset data authority interceptor, and returning target data according to the data access request if the operation type is a non-data query operation;
the filtering analysis module is used for acquiring a target data table accessed by the data access request, judging whether the target data table belongs to a preset static member variable set, and returning target data according to the data access request if the target data table does not belong to the preset static member variable set;
the request reorganization module is used for acquiring the data authority filtering SQL statement of the user, adding the data authority filtering SQL statement into the data access request, and acquiring a reorganized data access request;
and the data access module is used for calling the local thread to execute the recombined data access request and returning target data conforming to the data authority filtering SQL statement.
Specifically, the workflow of the user role-based data access control system in this embodiment is approximately as follows:
After a user logs in and clicks a menu to view data, it is first judged whether the @ internitorignow annotation (namely, the interception-ignore annotation) has been added to the data access layer. If the annotation has been added, the custom data authority filtering interceptor is skipped, which indicates that the module has its own custom data authority filtering range; if the annotation has not been added, the process continues to the next step of data authority processing.
In the custom data authority filtering interceptor, the intercepted SQL statement is checked to determine whether it is a query statement (SELECT statement), that is, the request type of the data access request is judged. If it is a query statement, the process continues to the next step of data authority processing; if it is not a query statement, the SQL statement is passed through directly and no data authority filtering is performed.
In the custom data authority filtering interceptor, it is judged whether the data table of the query SQL statement is in the defined preset static member variable set:
if the data table is in the set, the process enters the next step to perform the data authority operation;
if the data table is not in the set, no data authority operation is performed on the SQL statement and it is passed through. This avoids unnecessary processing of SQL statements that do not need data authority filtering and improves performance and efficiency.
In the custom data authority filtering interceptor, the data authority filtering condition of the currently logged-in user is obtained. The corresponding data authority filtering SQL statement is obtained automatically from the information of the currently logged-in user, and it is combined with the query SQL statement to limit the data authority. Finally, the processed query SQL statement is returned. Because this statement takes the data authority of the current user into account, the user can only access the data for which the user has authority, which ensures the security and privacy of the data.
After data authority filtering is completed, the finally processed query SQL statement is used to query the corresponding data in the data table, and the result is returned to the front-end page for display. This processing ensures that the user views only the data for which the user has authority and that the data authority limits are observed, which ensures the security and compliance of the data. The front-end page displays the data after data authority filtering, so that a user can only access the data matching the user's role, providing a safe and reliable data access experience.
It is to be understood that the same or similar parts in the above embodiments may be referred to each other, and that in some embodiments, the same or similar parts in other embodiments may be referred to.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. Although embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that changes, modifications, substitutions, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (8)

1. A data access control method based on user roles, comprising:
acquiring a data access request of a user;
judging whether the data access layer contains an interception-ignore annotation, and if the data access layer contains the interception-ignore annotation, returning target data according to the data access request;
if the data access layer does not contain the interception-ignore annotation, identifying the operation type of the data access request according to a preset data authority interceptor, and if the operation type is a non-data query operation, returning target data according to the data access request;
if the operation type is data query operation, acquiring a target data table accessed by a data access request, judging whether the target data table belongs to a preset static member variable set, and if the target data table does not belong to the preset static member variable set, returning target data according to the data access request;
if the target data table belongs to a preset static member variable set, acquiring a data authority filtering SQL statement of a user, and adding the data authority filtering SQL statement into the data access request to acquire a reorganized data access request;
creating a data authority filtering metadata object based on the reorganized data access request, associating the data authority filtering metadata object with a local thread, calling the local thread to execute the reorganized data access request, and returning target data conforming to the data authority filtering SQL statement.
2. The user role based data access control method of claim 1, wherein the preset data authority interceptor comprises: a data authority filtering metadata class, a data authority filtering type enumeration class, a data authority filtering interception class and a data transfer local thread pool class; wherein,
the data authority filtering metadata class is used for managing and transmitting data authority filtering information; the data authority filtering information comprises an enumeration type, an organization ID and a user ID of a data authority filtering range;
the data authority filtering type enumeration class is used for identifying different data authority filtering ranges; the data authority filtering range comprises a full data authority range, a data authority range of the current organization and its sub-level organizations, a current organization data authority range and a common user data authority range;
the data authority filtering interception class is used for configuring the operation type of a data access request to be intercepted and configuring a preset static member variable set;
the data transfer local thread pool class is used to read the attributes of the data authority filtering metadata class and to create, acquire and empty the data authority filtering metadata object.
3. The method for controlling data access based on user roles according to claim 1, wherein the steps of obtaining the data authority filtering SQL statement of the user, adding the data authority filtering SQL statement to the data access request, and obtaining the reorganized data access request include:
acquiring role information and organization information of a user according to the current logged-in user information;
determining the data authority range of the user according to the role information and the organization information of the user;
generating a data authority filtering SQL statement of a corresponding data authority range according to the data authority range of the user;
and splicing the data authority filtering SQL statement together with the SQL statement corresponding to the data access request to obtain a reorganized data access request.
4. The method according to claim 1, wherein creating a data authority filtering metadata object based on the reorganized data access request, and associating the data authority filtering metadata object with a local thread to invoke the local thread to execute the reorganized data access request, and returning target data conforming to the data authority filtering SQL statement, includes:
calling a data transfer local thread pool class to acquire a data authority filtering metadata class attribute based on the reorganized data access request, creating a data authority filtering metadata object based on the data authority filtering metadata class attribute, and associating the data authority filtering metadata object with a local thread;
acquiring a data authority filtering metadata object associated with a local thread, transmitting the data authority filtering metadata object by utilizing the local thread, executing a data authority filtering SQL statement, inquiring target data conforming to the data authority filtering SQL statement in a data table of a database, and returning the target data;
and after the target data is returned, the data authority filtering metadata object stored in the local thread pool is emptied.
5. The method for controlling data access based on user roles according to claim 3, wherein the determining the data authority range of the user according to the role information and the organization information to which the user belongs comprises:
judging the role information and the organization information of the user, and if the role is an administrator role, setting the enumeration type attribute value of the data authority filtering metadata class to the full data authority range;
if the role is an organization manager role, setting the enumeration type attribute value of the data authority filtering metadata class to the data authority range of the current organization and its sub-level organizations, and setting the organization ID attribute value to the ID of the organization to which the current user belongs and the IDs of the sub-organizations it contains;
if the role is an organization user role, setting the enumeration type attribute value of the data authority filtering metadata class to the current organization data authority range, and setting the organization ID attribute value to the ID of the organization to which the current user belongs;
if the role is a common user role, setting the enumeration type attribute value of the data authority filtering metadata class to the common user data authority range, and setting the user ID attribute value to the current user ID.
6. The method for controlling data access based on user roles according to claim 3, wherein the generating the data authority filtering SQL statement of the corresponding data authority range according to the data authority range of the user comprises:
judging the enumeration type attribute value in the data authority filtering metadata class, and if the enumeration type attribute value is the full data authority range, not generating a data authority filtering SQL statement;
if the enumeration type attribute value is the data authority range of the current organization and its sub-level organizations, generating a data authority filtering SQL statement containing the ID of the organization to which the current user belongs and the IDs of the sub-organizations it contains;
if the enumeration type attribute value is the current organization data authority range, generating a data authority filtering SQL statement containing the ID of the organization to which the current user belongs;
if the enumeration type attribute value is the common user data authority range, generating a data authority filtering SQL statement containing the user ID.
7. The user role based data access control method of claim 1, wherein the preset static member variable set includes table names of a data table requiring authority filtering.
8. A user role based data access control system comprising:
the request acquisition module is used for acquiring a data access request of a user;
the annotation analysis module is used for judging whether the data access layer contains an interception-ignore annotation, and if the data access layer contains the interception-ignore annotation, returning target data according to the data access request;
the operation type analysis module is used for identifying the operation type of the data access request according to a preset data authority interceptor, and returning target data according to the data access request if the operation type is a non-data query operation;
the filtering analysis module is used for acquiring a target data table accessed by the data access request, judging whether the target data table belongs to a preset static member variable set, and returning target data according to the data access request if the target data table does not belong to the preset static member variable set;
the request reorganization module is used for acquiring the data authority filtering SQL statement of the user, adding the data authority filtering SQL statement into the data access request, and acquiring a reorganized data access request;
and the data access module is used for creating a data authority filtering metadata object based on the reorganized data access request, associating the data authority filtering metadata object with a local thread, calling the local thread to execute the reorganized data access request, and returning target data conforming to the data authority filtering SQL statement.
CN202311041271.7A 2023-08-17 2023-08-17 User role-based data access control method and system Pending CN117290876A (en)

Publications (1)

Publication Number Publication Date
CN117290876A true CN117290876A (en) 2023-12-26

Family

ID=89257853

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination