CN117332430A - User dynamic data authority control method and system - Google Patents
- Publication number: CN117332430A
- Authority: CN (China)
- Prior art keywords: user, strategy, module, resource, data authority
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention relates to the technical field of data authority control, and in particular to a user dynamic data authority control method and system. Policies are created from all the conditions corresponding to a resource and integrated into a definition set; the definition set is read and the corresponding policies are assigned to users according to user identity. When a user sends a service query request, the request is intercepted, the resource path and request method in it are parsed, the attributes of the resource to be queried and the identity information of the user are obtained, the corresponding policy is matched, and the query result is output. This solves the technical problems that policy configuration in existing data authority control cannot be dynamically added and validated and that customer requirements are difficult to respond to flexibly. The method can meet data authority control requirements at multiple granularities and saves development cost.
Description
Technical Field
The present invention relates to the field of data authority control technologies, and in particular, to a method and a system for controlling user dynamic data authority.
Background
Data authority control is a technology for isolating access to sensitive data in a multi-user information system, and may involve multi-level, multi-dimensional business data in the system. Power grid construction projects involve the transportation of various large pieces of equipment, such as transformers, which are expensive to manufacture and demanding to transport, and they involve many stakeholders: the material management department, the receiving unit, the construction unit, the equipment supplier, the equipment carrier and others all need to access the online transportation monitoring system to follow the transportation state of the equipment and to manage and control transportation safety risks. The transportation information involved is sensitive, so information security must be ensured, and fine-grained data access isolation must be applied according to the unit the accessing user belongs to and that user's management authority.
In the prior art, on the premise that graded user authority access is not implemented, data authority control is generally implemented by filtering the query result set. The online monitoring system holds a large volume of data, every user search traverses all databases, and the system overhead is high. Dynamic validation of data access authority strategies is also not supported: after a strategy changes, the control code must be modified and redeployed before the change takes effect, which consumes time and resources.
Disclosure of Invention
In view of the above, the present invention aims to provide a method and a system for controlling user dynamic data rights, so as to solve the problems of large overhead and no support for dynamic validation of rights policies in the prior art.
Based on the above object, the present invention provides a method for controlling authority of user dynamic data, which comprises:
S1, inputting a plurality of conditions for a resource, and inputting a logical calculation mode corresponding to each condition, wherein the resource is an object of data authority control;
S2, creating a strategy from all the conditions corresponding to the resource, and integrating the strategy into a definition set, wherein the strategy is a logical relational expression formed by combining all the conditions according to their respective logical calculation modes;
S3, reading the definition set and assigning the corresponding strategies to users according to user identity;
S4, intercepting a service query request sent by a user, parsing the resource path and request method in the service query request, and obtaining the attributes of the resource to be queried and the identity information of the user;
S5, acquiring the corresponding strategy according to the attributes of the resource and the identity information of the user;
S6, executing the acquired strategy, dynamically constructing the query conditions, and outputting the query result.
Preferably, the resources include transportation tasks, task state pose information, task progress information, and task alert information.
Preferably, in step S2, the administrator may perform operations of creating, saving, deleting, and modifying the definition set.
Preferably, the conditions are rights formulated according to the role, category and department of the user.
Preferably, the service query request includes identity information of the user and information of the resource to be queried.
Preferably, the attributes of the resource are the name of the resource and the save path.
The invention also provides a user dynamic data authority control system, which comprises a client, a console, a database server and an authority server, wherein the client, the console, the database server and the authority server communicate with each other through a network;
the authority server comprises a data authority control strategy module and a service interception module, wherein the data authority control strategy module comprises a definition set module and an allocation execution set module;
the console is used for inputting a plurality of conditions for a resource and a logical calculation mode corresponding to each condition;
the definition set module is used for creating a strategy from all the conditions corresponding to the resource and integrating the strategy into a definition set, wherein the resource is an object of data authority control and the strategy is a logical relational expression formed by combining all the conditions according to their respective logical calculation modes, and the definition set module is also used for transmitting the definition set to the database server for persistent storage;
the allocation execution set module is used for reading the definition set from the definition set module and assigning the corresponding strategies to users according to user identity;
the service interception module comprises a request interception judging module, a data authority control strategy acquisition module and a data authority control condition output module, wherein the request interception judging module is used for intercepting a service query request of a user, parsing the resource path and request method in the service query request, and obtaining the attributes of the resource to be queried and the identity information of the user;
the data authority control strategy acquisition module acquires the corresponding strategy from the allocation execution set module according to the acquired attributes of the resource and the identity information of the user;
the data authority control condition output module is used for executing the strategy acquired by the data authority control strategy acquisition module, dynamically constructing the query conditions and outputting the query result to the user.
The beneficial effects of the invention are as follows: it solves the technical problems that policy configuration in existing data authority control cannot be dynamically added and validated and that customer requirements are difficult to respond to flexibly. It separates business logic from data authority control and allows the data authority control to be configured flexibly, so that data authority control policies can be dynamically added, modified or deleted without modifying code. The method can meet data authority control requirements at multiple granularities and saves development cost.
Drawings
To illustrate the invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below relate only to the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a block diagram of a user dynamic data rights control system in accordance with an embodiment of the present invention;
FIG. 2 is a schematic diagram of a workflow of a user dynamic data rights control system in accordance with an embodiment of the present invention.
Detailed Description
The present invention will be further described in detail with reference to specific embodiments in order to make the objects, technical solutions and advantages of the present invention more apparent.
As shown in fig. 1 and 2, an embodiment of the present disclosure provides a method for controlling user dynamic data rights, including the following steps:
S1, inputting a plurality of conditions for a resource, and inputting a logical calculation mode corresponding to each condition, wherein the resource is an object of data authority control;
S2, creating a strategy from all the conditions corresponding to the resource, and integrating the strategy into a definition set, wherein the strategy is a logical relational expression formed by combining all the conditions according to their respective logical calculation modes;
S3, reading the definition set and assigning the corresponding strategies to users according to user identity;
S4, intercepting a service query request sent by a user, parsing the resource path URL (Uniform Resource Locator) and request method in the service query request, and obtaining the attributes of the resource to be queried and the identity information of the user;
S5, acquiring the corresponding strategy according to the attributes of the resource and the identity information of the user;
S6, executing the acquired strategy, dynamically constructing the query conditions, and outputting the query result.
As one implementation, an administrator can create, save, delete and modify the definition set, so that the authority strategy can be adjusted dynamically and the system becomes more flexible. In use, the administrator only needs to add, on the console, a condition and its corresponding logical calculation relation for a given resource, and the corresponding strategy is generated dynamically without writing any program code.
As one implementation, the conditions are rights formulated according to the role, category and department of the user. Rights can therefore be managed by class, and can also be refined down to a single user. On the basis of the data authority control strategy definition set, strategies can be assigned to and executed on subjects of several dimensions, such as a user, a role, a department or a unit, so configuration is flexible and control at different granularities can be achieved.
As one embodiment, the service query request includes identity information of the user and information of the resource to be queried.
As one embodiment, the attributes of the resource are the name of the resource and the save path.
The data authority control strategy can be defined and persistently stored through the console and, after being tested, is assigned to the relevant subjects to form the data authority control strategy allocation execution set. To disable a strategy that is being executed, the relevant strategy is deleted from the allocation execution set, so that control strategies are both definable and pluggable.
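Steps S1 to S6 as an added example, not code from the patent: a definition set, an allocation execution set and an interceptor that turns the caller's strategies into a parameterised `WHERE` clause. The table and column names, the URL path, the `$unit` identity placeholder, the default-deny behaviour and the OR-combination of several strategies on one user are all assumptions made for illustration.

```python
import sqlite3
from urllib.parse import urlparse

# All names below are constructed for this example.
# Resource registry: URL path -> (table, columns a condition may reference).
RESOURCES = {
    "/api/transport-tasks": ("transport_task",
                             {"carrier_unit", "receiving_unit", "status"}),
}
OPERATORS = {"eq": "=", "ne": "<>"}

# S1/S2: the definition set. A strategy is a list of conditions plus the
# logical mode that combines them. "$unit" is bound to the caller's identity.
DEFINITION_SET = {
    "carrier_own_tasks": {
        "resource": "transport_task", "logic": "AND",
        "conditions": [("carrier_unit", "eq", "$unit"),
                       ("status", "ne", "archived")]},
    "receiver_tasks": {
        "resource": "transport_task", "logic": "AND",
        "conditions": [("receiving_unit", "eq", "$unit")]},
}

# S3: the allocation execution set, keyed by (subject kind, subject value).
ASSIGNMENTS = {
    ("role", "carrier"): ["carrier_own_tasks"],
    ("role", "receiver"): ["receiver_tasks"],
}

def policies_for(user, table):
    """S5: collect the strategies assigned to any of the user's subjects."""
    names = []
    for kind in ("user", "role", "department"):
        names += ASSIGNMENTS.get((kind, user.get(kind)), [])
    found = (DEFINITION_SET.get(n) for n in names)
    return [p for p in found if p and p["resource"] == table]

def build_where(policy, user, allowed_cols):
    """S6: turn one strategy into a parameterised SQL fragment."""
    if policy["logic"] not in ("AND", "OR"):
        raise ValueError("unsupported logic mode")
    parts, params = [], []
    for col, op, val in policy["conditions"]:
        # Identifiers come from allow-lists, values are always bound.
        if col not in allowed_cols or op not in OPERATORS:
            raise ValueError(f"condition not allowed: {col} {op}")
        parts.append(f"{col} {OPERATORS[op]} ?")
        is_ref = isinstance(val, str) and val.startswith("$")
        params.append(user[val[1:]] if is_ref else val)
    return "(" + f" {policy['logic']} ".join(parts) + ")", params

def handle_query(db, method, url, user):
    """S4-S6: intercept the request, pick strategies, run the scoped query."""
    entry = RESOURCES.get(urlparse(url).path)
    if method != "GET" or entry is None:
        raise PermissionError("request does not map to a controlled resource")
    table, cols = entry
    policies = policies_for(user, table)
    if not policies:
        return []  # default deny: no assigned strategy, no rows
    clauses, params = [], []
    for policy in policies:
        clause, bound = build_where(policy, user, cols)
        clauses.append(clause)
        params += bound
    # Assumption: several strategies on one user are a union of grants (OR).
    sql = f"SELECT id FROM {table} WHERE {' OR '.join(clauses)} ORDER BY id"
    return [row[0] for row in db.execute(sql, params)]

def sample_db():
    """Constructed sample data: three transport tasks."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE transport_task (id INTEGER PRIMARY KEY, "
               "carrier_unit TEXT, receiving_unit TEXT, status TEXT)")
    db.executemany("INSERT INTO transport_task VALUES (?, ?, ?, ?)", [
        (1, "carrier-A", "site-X", "in_transit"),
        (2, "carrier-A", "site-Y", "archived"),
        (3, "carrier-B", "site-X", "in_transit"),
    ])
    return db
```

Because the filter is pushed into the query, rows outside the caller's scope are never fetched, and deleting an entry from `ASSIGNMENTS` withdraws access on the next request without a code change.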
The embodiment of the specification also provides a user dynamic data authority control system, which comprises a client, a console, a database server and an authority server, wherein the client, the console, the database server and the authority server communicate with each other through a network cable;
the authority server comprises a data authority control strategy module and a service interception module, wherein the data authority control strategy module comprises a definition set module and an allocation execution set module;
the console is used for inputting a plurality of conditions for a resource and a logical calculation mode corresponding to each condition;
the definition set module is used for creating a strategy from all the conditions corresponding to the resource and integrating the strategy into a definition set, wherein the resource is an object of data authority control and the strategy is a logical relational expression formed by combining all the conditions according to their respective logical calculation modes, and the definition set module is also used for transmitting the definition set to the database server for persistent storage;
the allocation execution set module is used for reading the definition set from the definition set module and assigning the corresponding strategies to users according to user identity;
the service interception module comprises a request interception judging module, a data authority control strategy acquisition module and a data authority control condition output module, wherein a user sends a service query request through the client, and the request interception judging module intercepts the service query request and parses the resource path URL (Uniform Resource Locator) and request method in it to obtain the attributes of the resource to be queried and the identity information of the user;
the data authority control strategy acquisition module acquires the corresponding strategy from the allocation execution set module according to the acquired attributes of the resource and the identity information of the user;
the data authority control condition output module is used for executing the strategy acquired by the data authority control strategy acquisition module, dynamically constructing the query conditions and outputting the query result to the user.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the invention (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the invention, the steps may be implemented in any order and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
The present invention is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the present invention should be included in the scope of the present invention.
Claims (7)
1. A method for controlling authority of user dynamic data, the method comprising:
S1, inputting a plurality of conditions for a resource, and inputting a logical calculation mode corresponding to each condition, wherein the resource is an object of data authority control;
S2, creating a strategy from all the conditions corresponding to the resource, and integrating the strategy into a definition set, wherein the strategy is a logical relational expression formed by combining all the conditions according to their respective logical calculation modes;
S3, reading the definition set and assigning the corresponding strategies to users according to user identity;
S4, intercepting a service query request sent by a user, parsing the resource path and request method in the service query request, and obtaining the attributes of the resource to be queried and the identity information of the user;
S5, acquiring the corresponding strategy according to the attributes of the resource and the identity information of the user;
S6, executing the acquired strategy, dynamically constructing the query conditions, and outputting the query result.
2. The user dynamic data authority control method according to claim 1, wherein the resources include transportation tasks, task state pose information, task progress information, and task alarm information.
3. The user dynamic data authority control method according to claim 1, wherein in step S2, an administrator can perform operations of creating, saving, deleting and modifying the definition set.
4. The user dynamic data authority control method according to claim 1, wherein the conditions are rights formulated according to the role, category and department of the user.
5. The user dynamic data authority control method according to claim 1, wherein the service inquiry request includes identity information of a user and information of a resource to be inquired.
6. The user dynamic data authority control method according to claim 1, wherein the attribute of the resource is a name of the resource and a save path.
7. A user dynamic data authority control system, characterized by comprising a client, a console, a database server and an authority server, wherein the client, the console, the database server and the authority server communicate with each other through a network;
the authority server comprises a data authority control strategy module and a service interception module, wherein the data authority control strategy module comprises a definition set module and an allocation execution set module;
the console is used for inputting a plurality of conditions for a resource and a logical calculation mode corresponding to each condition;
the definition set module is used for creating a strategy from all the conditions corresponding to the resource and integrating the strategy into a definition set, wherein the resource is an object of data authority control and the strategy is a logical relational expression formed by combining all the conditions according to their respective logical calculation modes, and the definition set module is also used for transmitting the definition set to the database server for persistent storage;
the allocation execution set module is used for reading the definition set from the definition set module and assigning the corresponding strategies to users according to user identity;
the service interception module comprises a request interception judging module, a data authority control strategy acquisition module and a data authority control condition output module, wherein the request interception judging module is used for intercepting a service query request of a user, parsing the resource path and request method in the service query request, and obtaining the attributes of the resource to be queried and the identity information of the user;
the data authority control strategy acquisition module acquires the corresponding strategy from the allocation execution set module according to the acquired attributes of the resource and the identity information of the user;
the data authority control condition output module is used for executing the strategy acquired by the data authority control strategy acquisition module, dynamically constructing the query conditions and outputting the query result to the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311187530.7A CN117332430A (en) | 2023-09-14 | 2023-09-14 | User dynamic data authority control method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117332430A (en) | 2024-01-02 |
Family
ID=89292356
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311187530.7A Pending CN117332430A (en) | 2023-09-14 | 2023-09-14 | User dynamic data authority control method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||