WO2017114210A1 - Apparatus and method for security control of data processing system - Google Patents

Apparatus and method for security control of data processing system Download PDF

Info

Publication number
WO2017114210A1
WO2017114210A1 PCT/CN2016/110715 CN2016110715W WO2017114210A1 WO 2017114210 A1 WO2017114210 A1 WO 2017114210A1 CN 2016110715 W CN2016110715 W CN 2016110715W WO 2017114210 A1 WO2017114210 A1 WO 2017114210A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
verification
task
consistent
permission
Prior art date
Application number
PCT/CN2016/110715
Other languages
French (fr)
Chinese (zh)
Inventor
李杨
Original Assignee
阿里巴巴集团控股有限公司
李杨
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司, 李杨 filed Critical 阿里巴巴集团控股有限公司
Publication of WO2017114210A1 publication Critical patent/WO2017114210A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • the invention belongs to the technical field of system security, and in particular relates to a security control device and method for a data processing system.
  • the big data development system can help users to easily develop data and shield out processes and concepts that are difficult for users to understand during use.
  • this poses a security risk for the user's data protection. If the security mechanism of the system is not perfect, in the case of malicious attacks by users or improper operation of data, data leakage may occur, resulting in serious data security problems.
  • the security of data protection requires restrictions on user rights.
  • the implementation of security control for most known big data development systems is to verify whether users have permission to use the system, such as the account password system.
  • the user enters the system by entering an account and performing password verification, and obtains all the usage rights of the system function, and can use any function provided by the system.
  • the security control scheme of the existing big data development system has a single privilege control.
  • Most systems can use the system after being authenticated by user name and password, that is, having all the operations provided by the system, and all the functions provided by the operating system are not specific details. The operation is controlled. There is no permission control for business processes. Once you have obtained the system's usage rights, you can do whatever you want, which brings security risks to some operations.
  • the permission control is relatively rigid, and after obtaining the permission, the basic It will not change and it will not be able to control dynamically according to demand.
  • the object of the present invention is to provide a security control device and method for a data processing system, which provides an integrated control scheme for data security in the case of convenient use of the system, and solves the problem of single control of the prior art.
  • a security control device for a data processing system comprising a user terminal, a background server, and a task execution server, wherein the security control device comprises a user rights management module, a vertical rights verification module, and a horizontal authority school. Module, where:
  • the user rights management module is configured to pre-configure a permission point corresponding to the user, and receive a request for obtaining a permission point list sent by the background server after the user logs in through the user terminal, and return a list of the permission points corresponding to the user according to the pre-configuration;
  • the vertical right verification module is configured to perform vertical verification according to a task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, if they are consistent The verification passes, otherwise the verification does not pass;
  • the horizontal right verification module is configured to perform level verification according to the meta information of the task to be performed by the user, and verify whether the meta information of the task is consistent with the meta information of the task that the user can operate, and if the consistency is met, the verification is passed; otherwise, The verification failed.
  • the user rights management module is further configured to configure a role corresponding to the user. After receiving the permission point list request sent by the user after the user logs in through the user terminal, the receiving background server returns a corresponding permission point list to the user according to the permission point corresponding to the role pre-configured by the user. Thereby assigning different permissions to different roles, further limiting the data content accessed by the user.
  • the vertical right verification module when the vertical right verification module performs vertical verification according to a task to be performed by the user, the following operations are performed:
  • the permission point corresponding to the task to be executed by the user in the vertical verification request it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, and if yes, the verification passes, otherwise The verification failed.
  • the horizontal rights verification module performs the following operations when performing level verification according to the meta information of the task to be performed by the user:
  • the meta-information of the task to be executed by the user in the vertical verification request it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
  • the vertical right verification module when the vertical right verification module performs vertical verification according to a task to be performed by the user, the following operations are performed:
  • the horizontal rights verification module performs the following operations when performing level verification according to the meta information of the task to be performed by the user:
  • the present invention also provides a security control method for a data processing system.
  • the data processing system includes a user terminal, a background server, and a task execution server.
  • the security control method includes:
  • the level check is performed according to the meta-information of the task to be performed by the user, and the meta-information of the verification task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
  • the pre-configuration further includes configuring a role corresponding to the user, and after receiving the permission point list request sent by the user after the user logs in through the user terminal, the user is configured according to the permission point corresponding to the role pre-configured by the user. Returns a list of corresponding permission points.
  • the vertical verification is performed according to the task to be performed by the user, and whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed. Otherwise the verification fails, including:
  • the permission point corresponding to the task to be executed by the user in the vertical verification request it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed, otherwise the verification fails. .
  • the level verification is performed according to the meta information of the task to be performed by the user, and the meta information of the verification task is consistent with the meta information of the task that the user can operate. If the information is consistent, the verification is passed, otherwise the verification fails.
  • the meta-information of the task to be executed by the user in the vertical verification request it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
  • the vertical verification is performed according to the task to be performed by the user, and whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed. Otherwise the verification fails, including:
  • the level verification is performed according to the meta information of the task to be performed by the user, and the meta information of the verification task is consistent with the meta information of the task that the user can operate. If the information is consistent, the verification is passed, otherwise the verification fails.
  • the invention provides a security control device and method for a data processing system.
  • a corresponding permission point is defined for each user's possible operation process, so that fine-grained permissions are achieved.
  • Control; control of horizontal permissions, in fact, is to isolate the user's permissions, so that it can not manipulate other people's data, so that users can not succeed in operating other people's data through exhaustive means, ensuring data security
  • the role division of the user is performed, and the rights possessed by each role can be configured, so that the operation authority that a user can have can be flexibly controlled according to the need; the user terminal operation interface of the present invention selectively displays the operation button according to the authority of the current user. Even if the user bypasses the user terminal, the background system will still perform verification to ensure the robustness of the authority control and ensure that the security control is reliable.
  • 1 is a connection manner of a security control device according to an embodiment of the present invention
  • FIG. 2 is another connection manner of a security control device according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural view of a safety control device according to the present invention.
  • FIG. 4 is a flow chart of a security control method of the present invention.
  • Each project represents a collection of work that contains the data, workflow, results, etc. required for the job. There may be multiple tasks under each project, and the task marks a small part of the work, completing a specific work content, such as data extraction, data conversion, and so on.
  • the present invention realizes security management by controlling the vertical permission of the user, the control of the user's horizontal authority, and the control of the user's role authority.
  • This embodiment is described in detail by taking a big data development system as an example, and is applicable to any data processing system that needs to centrally perform data storage, such as a financial system, an electronic process system, and the like.
  • the control of the user's vertical authority that is, the user's vertical use of the system's permission control, including the login system, whether it has the right to verify the operation of a process. For example: Is there permission to use the system, whether there is permission to operate a certain process, whether there is permission to view the data content, whether there is permission to change the data, and so on.
  • each operation of the process defines a corresponding permission point, and the permission points that the user can have are configured, so that fine-grained authority control is performed, that is, even if the user logs in to the system, if not The corresponding permission point is also unable to operate on the corresponding process.
  • User level authority control that is, the user level uses the system's permission control. For example, if a user has a certain permission for a project, then using this existing permission to operate on another project requires permission control. Ensure that users can only operate on their own data, and can not do anything with other people's data resources, even in the same organization or the same project. Ensure that users only operate under a licensed project. For example: the user only has the use of item one Permissions, then operations on other projects should be rejected, data using the permissions of project one to operate other projects should also be rejected, and so on. In this way, users can only do their own things, and any behavior that attempts to smash data of other users will be rejected, which ensures the security of the data.
  • User role permission control In order to facilitate and flexibly control the user's usage rights, the user is divided into system administrators, project administrators, development, operation and maintenance, testing, and visitors. Each role has different permissions.
  • the system administrator role has all the permissions provided by the system, including creating an organization, creating a project, deleting data, data calculations, etc.
  • the project administrator role has the ability to create projects, delete projects, Modify the permissions of the project team members
  • the development role has the authority to create data tables, access data, data calculations, view logs, etc.
  • the operation and maintenance role has the authority to view logs, create applications, delete applications, etc.
  • test roles have view data, data calculations, etc.
  • Permissions guest roles only have partial permissions, including viewing data structures, viewing organizational categories, viewing project categories, and more. Each user is assigned a different role, and each role has different permissions, so that through the combination of roles and permissions, you can flexibly control user permissions based on changes in requirements.
  • the big data development system generally includes a user terminal, a background server, and a task execution server.
  • the security control device of the embodiment is connected to the background server, or is connected between the background server and the task execution server, and is used for Security control of data based on user permissions.
  • a security control device for a data processing system includes a user rights management module, a vertical rights verification module, and a horizontal rights verification module. Described separately as follows:
  • the user rights management module is configured to pre-configure a permission point corresponding to the user, and receive a request for obtaining a permission point list sent by the background server after the user logs in through the user terminal, and return a list of the permission points corresponding to the user according to the pre-configuration.
  • the vertical right verification module is configured to perform vertical verification according to the task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, and if they are consistent, the verification is performed. Pass, otherwise the verification will not pass;
  • Horizontal authority verification module for leveling according to meta information of tasks to be performed by the user Check whether the meta-information of the verification task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
  • the following configurations may be performed in advance, such as configuration of a user role and configuration of a user permission point, that is, a user name, a user role, and a permission point list are configured in the user rights management module. relationship. Therefore, after the user logs in with the user name and password, for the legitimate user, after the user logs in successfully, the background server sends a request for obtaining a permission point list to the security control device, and the user rights management module sets the pre-configured permission point after receiving the request. The list is returned to the background server, which in turn sends it to the user terminal to display the operation interface on the user terminal.
  • the user terminal has a user login interface, and the user inputs a user name and password through the login interface to log in. After logging in, get a list of permission points that the user has permission to.
  • the permission point list is displayed through the operation interface, and each permission point corresponds to an operation button that the user can operate, that is, a corresponding task option.
  • the operation interface displays the system function to the user, it is selectively displayed according to the permission point list, and the function without the permission is hidden, and the user cannot see it, so that the first layer is intuitively controlled.
  • one user can correspond to multiple roles, and the permissions of each role can be dynamically changed.
  • the dynamic configuration can flexibly control the permissions of users, thereby satisfying the permission requirements of different users and ensuring the flexibility of system security control.
  • Dynamic configuration of user rights can be done through the portal provided by the User Rights Management module. For example, if you want to remove an execution permission of a user, you can remove the permission point corresponding to the user from the permission configuration management.
  • user role configuration is to divide the roles of users into system administrators, project administrators, development, operation and maintenance, testing, and visitors. Each role has different permissions.
  • users log in Also select your corresponding user role to log in.
  • the user rights management module After receiving the request for obtaining the permission point list, the user rights management module returns the list of the permission points to the background server according to the pre-configured user role of the user.
  • the user role of the user 1 is a guest, the user 1 can only obtain a list of the permission points corresponding to the visitor, such as viewing. If the user role of the user is a system administrator, after the user 1 logs in successfully, the user can obtain a list of permission points corresponding to the system administrator, such as editing, deleting, and the like.
  • Embodiment 1 As shown in FIG. 1, the security control device is connected to the background server.
  • the vertical right verification module of the embodiment is configured to receive a vertical verification request sent by the background server after the user selects the task to be performed by the user terminal, and performs verification according to the permission point corresponding to the task to be executed by the user in the vertical verification request. Whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module. If they are consistent, the verification is passed, otherwise the verification fails.
  • the user terminal After the user selects a specific operation task according to the displayed permission point list on the user terminal, the user terminal sends the selected task to the background server, and the background server initiates a vertical permission verification request to the vertical right verification module, and the vertical permission verification module After receiving the request, a vertical permission check is required.
  • the vertical right authority verification in this embodiment compares the user and the tasks performed by the user with the pre-configured tasks corresponding to the user's permission points and permission points. If the vertical authority verification is passed, the task is sent to the task. Execute the control server. Otherwise, the vertical permission check fails, the task request is rejected, and the error message is returned.
  • the vertical permission check is performed after the user selects a specific operation task, and is a further security control when the user performs the task. Even if someone bypasses the user terminal and attempts to access the system data, it will be denied access because it does not have a pre-configured permission point, thus ensuring system data security.
  • the horizontal privilege check module of the embodiment is configured to receive a horizontal check request sent by the background server after the vertical privilege check succeeds, and verify the user to perform according to the meta information of the task to be executed by the user in the vertical check request.
  • the meta-information of the task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
  • this embodiment uses horizontal permission verification to perform security. Full control. After receiving the horizontal verification request, the horizontal permission verification module obviously has passed the vertical permission check, and needs to perform the horizontal permission check further.
  • the horizontal permission check is mainly to verify whether the current user's data of this operation is owned by the user and prevent unauthorized data from being manipulated by others. If the verification fails, the request is rejected and the error message is returned. If the verification is successful, the appropriate task execution server is selected according to the policy, and the task is delivered to the task execution server, and the task execution server is responsible for the specific execution of the task.
  • the meta information of the task needs to be extracted, and the meta information of the task is compared with the meta information of the task that the user can operate. If the same, the horizontal check is allowed to pass.
  • the meta-information of the task is recorded in the database, and the horizontal permission check depends on the meta-information, and the meta-information of the task that the same user can operate is the same.
  • the meta-information of the task includes: the ID of the task (taskId), and the application to which the task belongs (projectId) , the tenant (idantId) to which the application belongs, and the owner (ownerId) of the task.
  • Embodiment 2 As shown in FIG. 2, the security control device is connected between the background server and the task execution server.
  • the security control device of the second embodiment such as a bayonet, is released for the task that passes the verification, and is rejected for the task that fails the verification.
  • the vertical right authority verification module of the embodiment is configured to receive a task that the background management server forwards after the user selects the task to be executed by the user terminal, and verifies whether the permission point corresponding to the task to be executed by the user is The user permission points pre-configured by the user rights management module are consistent. If they are consistent, the verification is passed, otherwise the verification fails.
  • the horizontal right authority verification module of the embodiment is configured to receive a task to be executed by the vertical identity verification module after the vertical authority verification succeeds, and verify the meta information of the task to be performed by the user and the user can operate. Whether the meta-information of the task is consistent, if it is consistent, the verification is passed, otherwise the verification fails.
  • the background server directly forwards the tasks to be performed by the user, and the vertical permission verification module and the horizontal permission verification module perform vertical authority verification and horizontal authority verification according to the tasks to be performed by the user respectively, and the user is to perform the verification after the verification is passed.
  • this embodiment further provides a security control method for a data processing system, where the security control method includes:
  • the level check is performed according to the meta-information of the task to be performed by the user, and the meta-information of the verification task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
  • the pre-configuration of the embodiment further includes: configuring the role corresponding to the user, and then receiving the corresponding permission point list sent by the user after the user logs in through the user terminal, and returning the corresponding information to the user according to the permission point corresponding to the role pre-configured by the user.
  • the security control method of this embodiment also has the following two embodiments:
  • Embodiment 3 As shown in FIG. 1, the security control device is connected to the background server.
  • the vertical check is performed to verify whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If the check is the same, the verification fails. Otherwise, the verification fails.
  • the permission point corresponding to the task to be executed by the user in the vertical verification request it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed, otherwise the verification fails. .
  • the level check is performed, and the letter of the task is verified. Whether the information is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails, including:
  • the meta-information of the task to be executed by the user in the vertical verification request it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
  • Embodiment 4 As shown in FIG. 2, the security control device is connected between the background server and the task execution server.
  • the vertical check is performed to verify whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If the check is the same, the verification fails. Otherwise, the verification fails.
  • the level information is verified, and the meta-information of the task is consistent with the meta-information of the task that the user can operate. If the information is consistent, the verification is passed, otherwise the verification fails, including:

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

An apparatus and a method for security control of a data processing system, said apparatus for security control comprising a user permission management module, a vertical permission verification module and a horizontal permission verification module. According to said method for security control, a permission point list acquisition request sent, after a user logs in by means of a user terminal, by a backend server is first received; according to the permission points pre-configured for the user, a corresponding permission point list is returned to the user; and vertical verification and horizontal verification are performed according to tasks to be carried out by the user. The apparatus and method for security control are able to ensure data security by means of segmenting vertical permissions, and isolating horizontal permissions. At the same time, the user terminal operating interface selectively displays operation buttons, according to the current permission of the user, and further verification can be performed at the backend system to ensure the robustness of permission control.

Description

一种数据处理系统的安全控制装置及方法Safety control device and method for data processing system 技术领域Technical field
本发明属于系统安全技术领域,尤其涉及一种数据处理系统的安全控制装置及方法。The invention belongs to the technical field of system security, and in particular relates to a security control device and method for a data processing system.
背景技术Background technique
随着大数据时代的来临,数据已经成为企业发展的重要战略资源,数据的潜在价值在某种程度上更是代表了企业的核心竞争力。基于第二代数据仓库的数据开发进一步挖掘了数据的价值,大数据开发系统应运而生。然而随着数据量的不断增加,数据的安全风险也会逐渐增加,如何保证数据安全必将成为关注的重点。With the advent of the era of big data, data has become an important strategic resource for enterprise development. The potential value of data represents the core competitiveness of enterprises to some extent. The data development based on the second generation data warehouse further explored the value of data, and the big data development system came into being. However, as the amount of data continues to increase, the security risks of data will gradually increase. How to ensure data security will become the focus of attention.
大数据开发系统可以帮助用户方便地进行数据开发,屏蔽掉使用过程中用户难以理解的流程、概念等。但由于大数据开发系统对用户的数据进行逻辑上的集中存储,这就为用户的数据保护埋下了安全隐患。如果系统的安全机制不完善,那么在用户的恶意攻击或者对数据操作不当的情况下,很可能会造成数据的泄露,从而导致严重的数据的安全问题。The big data development system can help users to easily develop data and shield out processes and concepts that are difficult for users to understand during use. However, due to the logical centralized storage of the user's data by the big data development system, this poses a security risk for the user's data protection. If the security mechanism of the system is not perfect, in the case of malicious attacks by users or improper operation of data, data leakage may occur, resulting in serious data security problems.
保护数据的安全需要对用户权限进行限制,目前大部分已知大数据开发系统的安全控制的实现方案是通过用户凭证进行校验是否有权限使用系统,如账号密码体系。用户通过输入账号,并进行密码验证进入系统,并获得系统功能的所有使用权限,可以使用系统提供的任何功能。The security of data protection requires restrictions on user rights. At present, the implementation of security control for most known big data development systems is to verify whether users have permission to use the system, such as the account password system. The user enters the system by entering an account and performing password verification, and obtains all the usage rights of the system function, and can use any function provided by the system.
然而现有大数据开发系统的安全控制方案权限控制单一,多数系统通过用户名和密码验证后即可使用系统,即拥有系统提供的所有操作的权限,可以操作系统提供的所有功能,并不对具体细节的操作进行控制。没有针对业务流程的权限控制,一旦取得系统的使用权限后,就可以为所欲为,这就为一些操作带来安全隐患。同时权限控制比较死板,取得权限后基本 上就不会改变,无法根据需求进行动态的控制。However, the security control scheme of the existing big data development system has a single privilege control. Most systems can use the system after being authenticated by user name and password, that is, having all the operations provided by the system, and all the functions provided by the operating system are not specific details. The operation is controlled. There is no permission control for business processes. Once you have obtained the system's usage rights, you can do whatever you want, which brings security risks to some operations. At the same time, the permission control is relatively rigid, and after obtaining the permission, the basic It will not change and it will not be able to control dynamically according to demand.
发明内容Summary of the invention
本发明的目的是提供一种数据处理系统的安全控制装置及方法,在方便使用系统的情况下保证数据安全的综合控制方案,解决了现有技术权限控制单一的问题。The object of the present invention is to provide a security control device and method for a data processing system, which provides an integrated control scheme for data security in the case of convenient use of the system, and solves the problem of single control of the prior art.
为了实现上述目的,本发明技术方案如下:In order to achieve the above object, the technical solution of the present invention is as follows:
一种数据处理系统的安全控制装置,所述数据处理系统包括用户终端、后台服务器和任务执行服务器,其特征在于,所述安全控制装置包括用户权限管理模块、垂直权限校验模块和水平权限校验模块,其中:A security control device for a data processing system, the data processing system comprising a user terminal, a background server, and a task execution server, wherein the security control device comprises a user rights management module, a vertical rights verification module, and a horizontal authority school. Module, where:
所述用户权限管理模块,用于预配置用户对应的权限点,并接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求,根据预配置返回用户对应的权限点列表;The user rights management module is configured to pre-configure a permission point corresponding to the user, and receive a request for obtaining a permission point list sent by the background server after the user logs in through the user terminal, and return a list of the permission points corresponding to the user according to the pre-configuration;
所述垂直权限校验模块,用于根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过;The vertical right verification module is configured to perform vertical verification according to a task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, if they are consistent The verification passes, otherwise the verification does not pass;
所述水平权限校验模块,用于根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。The horizontal right verification module is configured to perform level verification according to the meta information of the task to be performed by the user, and verify whether the meta information of the task is consistent with the meta information of the task that the user can operate, and if the consistency is met, the verification is passed; otherwise, The verification failed.
进一步地,所述用户权限管理模块还用于配置用户对应的角色。则在接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求后,根据为该用户预配置的角色对应的权限点向用户返回对应的权限点列表。从而对不同角色分配不同的权限,进一步限制用户接入的数据内容。Further, the user rights management module is further configured to configure a role corresponding to the user. After receiving the permission point list request sent by the user after the user logs in through the user terminal, the receiving background server returns a corresponding permission point list to the user according to the permission point corresponding to the role pre-configured by the user. Thereby assigning different permissions to different roles, further limiting the data content accessed by the user.
本发明的一种实现方式,所述垂直权限校验模块在根据用户所要执行的任务进行垂直校验时,执行如下操作:In an implementation manner of the present invention, when the vertical right verification module performs vertical verification according to a task to be performed by the user, the following operations are performed:
接收后台服务器在用户通过用户终端选择所要执行的任务后发送的 垂直校验请求;Receiving the background server sent after the user selects the task to be performed through the user terminal Vertical verification request;
根据垂直校验请求中用户所要执行的任务对应的权限点,校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。According to the permission point corresponding to the task to be executed by the user in the vertical verification request, it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, and if yes, the verification passes, otherwise The verification failed.
进一步地,所述水平权限校验模块在根据用户所要执行的任务的元信息进行水平校验时,执行如下操作:Further, the horizontal rights verification module performs the following operations when performing level verification according to the meta information of the task to be performed by the user:
接收后台服务器在得知垂直权限校验成功后发送的水平校验请求;Receiving a horizontal verification request sent by the background server after learning that the vertical authority verification is successful;
根据垂直校验请求中用户所要执行的任务的元信息,校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。According to the meta-information of the task to be executed by the user in the vertical verification request, it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
本发明的另一种实现方式,所述垂直权限校验模块在根据用户所要执行的任务进行垂直校验时,执行如下操作:In another implementation manner of the present invention, when the vertical right verification module performs vertical verification according to a task to be performed by the user, the following operations are performed:
接收后台管理服务器在用户通过用户终端选择所要执行的任务后转发的该用户所要执行的任务;Receiving, by the background management server, a task to be performed by the user after the user selects the task to be performed through the user terminal;
校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。Verify that the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module. If they are consistent, the verification is passed, otherwise the verification fails.
进一步地,所述水平权限校验模块在根据用户所要执行的任务的元信息进行水平校验时,执行如下操作:Further, the horizontal rights verification module performs the following operations when performing level verification according to the meta information of the task to be performed by the user:
接收垂直权限校验模块在垂直权限校验成功后发送的该用户所要执行的任务;Receiving a task that the vertical permission verification module sends after the vertical authority verification succeeds;
校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。Verify that the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
本发明还提出了一种数据处理系统的安全控制方法,所述数据处理系统包括用户终端、后台服务器和任务执行服务器,所述安全控制方法包括:The present invention also provides a security control method for a data processing system. The data processing system includes a user terminal, a background server, and a task execution server. The security control method includes:
接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求,根据为该用户预配置的权限点向用户返回对应的权限点列表; Receiving a request point list request sent by the background server after the user logs in through the user terminal, and returning a corresponding permission point list to the user according to the permission point preconfigured for the user;
根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过;Perform a vertical check according to the task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If they are consistent, the verification is passed, otherwise the verification fails;
根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。The level check is performed according to the meta-information of the task to be performed by the user, and the meta-information of the verification task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
进一步地,所述预配置还包括配置用户对应的角色,则在接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求后,根据为该用户预配置的角色对应的权限点向用户返回对应的权限点列表。Further, the pre-configuration further includes configuring a role corresponding to the user, and after receiving the permission point list request sent by the user after the user logs in through the user terminal, the user is configured according to the permission point corresponding to the role pre-configured by the user. Returns a list of corresponding permission points.
本发明的一种实现方式,所述根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过,包括:According to an implementation manner of the present invention, the vertical verification is performed according to the task to be performed by the user, and whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed. Otherwise the verification fails, including:
接收后台服务器在用户通过用户终端选择所要执行的任务后发送的垂直校验请求;Receiving a vertical verification request sent by the background server after the user selects the task to be performed through the user terminal;
根据垂直校验请求中用户所要执行的任务对应的权限点,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。According to the permission point corresponding to the task to be executed by the user in the vertical verification request, it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed, otherwise the verification fails. .
进一步地,所述根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过,包括:Further, the level verification is performed according to the meta information of the task to be performed by the user, and the meta information of the verification task is consistent with the meta information of the task that the user can operate. If the information is consistent, the verification is passed, otherwise the verification fails. include:
接收后台服务器在得知垂直权限校验成功后发送的水平校验请求;Receiving a horizontal verification request sent by the background server after learning that the vertical authority verification is successful;
根据垂直校验请求中用户所要执行的任务的元信息,校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。According to the meta-information of the task to be executed by the user in the vertical verification request, it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
本发明另一种实现方式,所述根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过,包括: According to another implementation manner of the present invention, the vertical verification is performed according to the task to be performed by the user, and whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed. Otherwise the verification fails, including:
接收后台管理服务器在用户通过用户终端选择所要执行的任务后转发的该用户所要执行的任务;Receiving, by the background management server, a task to be performed by the user after the user selects the task to be performed through the user terminal;
校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。Verify that the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module. If they are consistent, the verification is passed, otherwise the verification fails.
进一步地,所述根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过,包括:Further, the level verification is performed according to the meta information of the task to be performed by the user, and the meta information of the verification task is consistent with the meta information of the task that the user can operate. If the information is consistent, the verification is passed, otherwise the verification fails. include:
接收垂直权限校验模块在垂直权限校验成功后发送的该用户所要执行的任务;Receiving a task that the vertical permission verification module sends after the vertical authority verification succeeds;
校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。Verify that the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
本发明提出了一种数据处理系统的安全控制装置及方法,通过对垂直权限进行了细分,对每一种用户可能操作的流程都定义了与之对应的权限点,做到细粒度的权限控制;对水平权限进行控制,实际上是对用户的权限隔离,使其不能操作其他人的数据,从而使得用户即使通过穷举的方式操作其他人的数据也不能够成功,保证了数据的安全;对用户进行角色划分,对每种角色拥有的权限可配置,从而可以根据需要灵活地控制一个用户能够拥有的操作权限;本发明用户终端操作界面根据当前用户拥有的权限有选择地展示操作按钮,即使用户绕过用户终端,后台系统仍然会进行校验,保证权限控制的健壮性,保证安全控制是可靠的。The invention provides a security control device and method for a data processing system. By subdividing vertical rights, a corresponding permission point is defined for each user's possible operation process, so that fine-grained permissions are achieved. Control; control of horizontal permissions, in fact, is to isolate the user's permissions, so that it can not manipulate other people's data, so that users can not succeed in operating other people's data through exhaustive means, ensuring data security The role division of the user is performed, and the rights possessed by each role can be configured, so that the operation authority that a user can have can be flexibly controlled according to the need; the user terminal operation interface of the present invention selectively displays the operation button according to the authority of the current user. Even if the user bypasses the user terminal, the background system will still perform verification to ensure the robustness of the authority control and ensure that the security control is reliable.
附图说明DRAWINGS
图1为本发明实施例安全控制装置的一种连接方式;1 is a connection manner of a security control device according to an embodiment of the present invention;
图2为本发明实施例安全控制装置的另一种连接方式;2 is another connection manner of a security control device according to an embodiment of the present invention;
图3为本发明安全控制装置的结构示意图;3 is a schematic structural view of a safety control device according to the present invention;
图4为本发明安全控制方法的流程图。 4 is a flow chart of a security control method of the present invention.
具体实施方式detailed description
下面结合附图和实施例对本发明技术方案做进一步详细说明,以下实施例不构成对本发明的限定。The technical solutions of the present invention are further described in detail below with reference to the accompanying drawings and embodiments. The following embodiments are not to be construed as limiting.
大数据开发系统的使用者经常是一个组织,组织内的不同部门为了完成数据开发任务通常在一个组织下创建不同的项目以完成对应的工作。每个项目表示一项工作的集合,其中包含这项工作所需的数据、工作流程、结果等。而每个项目下可能有多个任务,任务标示工作的一个小部分,完成一个具体工作内容,例如数据抽取、数据转化等。Users of big data development systems are often an organization. Different departments within an organization usually create different projects under one organization to complete the corresponding tasks in order to complete data development tasks. Each project represents a collection of work that contains the data, workflow, results, etc. required for the job. There may be multiple tasks under each project, and the task marks a small part of the work, completing a specific work content, such as data extraction, data conversion, and so on.
由于组织内一个人可能在多个不同的项目中工作,如果没有用户权限的控制,将导致组织内所有用户都能够对数据进行操作,容易导致数据的泄漏或者破坏,影响数据的安全。为了解决大数据开发系统的数据安全问题,本发明通过对用户垂直权限的控制、用户水平权限的控制、以及用户角色权限的控制来实现安全管控。本实施例以大数据开发系统为例来进行详细阐述,对于任何需要集中进行数据存储的数据处理系统同样适用,例如财务系统、电子流程系统等。Since a person in an organization may work in a number of different projects, without the control of user rights, all users in the organization can operate on the data, which may easily lead to leakage or destruction of data and affect data security. In order to solve the data security problem of the big data development system, the present invention realizes security management by controlling the vertical permission of the user, the control of the user's horizontal authority, and the control of the user's role authority. This embodiment is described in detail by taking a big data development system as an example, and is applicable to any data processing system that needs to centrally perform data storage, such as a financial system, an electronic process system, and the like.
其中,用户垂直权限的控制:即用户垂直使用系统的权限控制,包括登陆系统、是否有权对一个流程进行操作的验证等。例如:是否有权限使用本系统,是否有权限操作某一个流程,是否有权限查看数据内容,是否有权限更改数据等。本实施例将每个流程的操作都定义一个与之对应的权限点,对用户能够拥有的权限点进行配置,这样就做到细粒度的权限控制,也就是说即使用户登录到系统,如果没有相应的权限点也是不能够对相应的流程进行操作的。Among them, the control of the user's vertical authority: that is, the user's vertical use of the system's permission control, including the login system, whether it has the right to verify the operation of a process. For example: Is there permission to use the system, whether there is permission to operate a certain process, whether there is permission to view the data content, whether there is permission to change the data, and so on. In this embodiment, each operation of the process defines a corresponding permission point, and the permission points that the user can have are configured, so that fine-grained authority control is performed, that is, even if the user logs in to the system, if not The corresponding permission point is also unable to operate on the corresponding process.
用户水平权限的控制:即用户水平使用系统的权限控制。例如:用户对一个项目有某个权限,那么使用这个已有的权限对另外一个项目进行操作就需要权限控制。保证用户只能够对自己的数据进行操作,而不能够对其他人的数据资源做任何的操作,即使在同一个组织或者同一个项目也不行。保证用户只有在有权限的项目下操作。例如:用户只有项目一的使用 权限,那么对其他项目的操作都应该被拒绝,使用项目一的权限去操作其他项目的数据也应该被拒绝,等等。这样就做到用户只能做自己分内的事儿,任何试图觊觎其他用户的数据的行为都是会被拒绝的,这保证了数据的安全性。User level authority control: that is, the user level uses the system's permission control. For example, if a user has a certain permission for a project, then using this existing permission to operate on another project requires permission control. Ensure that users can only operate on their own data, and can not do anything with other people's data resources, even in the same organization or the same project. Ensure that users only operate under a licensed project. For example: the user only has the use of item one Permissions, then operations on other projects should be rejected, data using the permissions of project one to operate other projects should also be rejected, and so on. In this way, users can only do their own things, and any behavior that attempts to smash data of other users will be rejected, which ensures the security of the data.
用户角色权限的控制:为了方便灵活地控制用户的使用权限,将用户进行角色划分,分为系统管理员、项目管理员、开发、运维、测试、访客。每一种角色拥有的权限是不一样的,例如:系统管理员角色拥有系统提供的所有权限,包括创建组织、创建项目、删除数据、数据计算等;项目管理员角色拥有创建项目、删除项目、修改项目组成员等权限;开发角色拥有创建数据表、存取数据、数据计算、查看日志等权限;运维角色拥有查看日志、创建应用、删除应用等权限;测试角色拥有查看数据、数据计算等权限;访客角色只拥有部分权限,包括查看数据结构、查看组织分类、查看项目分类等。将每个用户赋予不同的角色,而每种角色有不同的权限,这样通过角色和权限点的组合控制,就可以根据需求的变动灵活地控制用户权限。User role permission control: In order to facilitate and flexibly control the user's usage rights, the user is divided into system administrators, project administrators, development, operation and maintenance, testing, and visitors. Each role has different permissions. For example, the system administrator role has all the permissions provided by the system, including creating an organization, creating a project, deleting data, data calculations, etc.; the project administrator role has the ability to create projects, delete projects, Modify the permissions of the project team members; the development role has the authority to create data tables, access data, data calculations, view logs, etc.; the operation and maintenance role has the authority to view logs, create applications, delete applications, etc.; test roles have view data, data calculations, etc. Permissions; guest roles only have partial permissions, including viewing data structures, viewing organizational categories, viewing project categories, and more. Each user is assigned a different role, and each role has different permissions, so that through the combination of roles and permissions, you can flexibly control user permissions based on changes in requirements.
大数据开发系统一般包括用户终端、后台服务器和任务执行服务器,如图1、图2所示,本实施例的安全控制装置连接后台服务器,或连接在后台服务器与任务执行服务器之间,用于根据用户权限对数据进行安全控制。The big data development system generally includes a user terminal, a background server, and a task execution server. As shown in FIG. 1 and FIG. 2, the security control device of the embodiment is connected to the background server, or is connected between the background server and the task execution server, and is used for Security control of data based on user permissions.
本实施例一种数据处理系统的安全控制装置,如图3所示,包括用户权限管理模块、垂直权限校验模块和水平权限校验模块。分别描述如下:In this embodiment, a security control device for a data processing system, as shown in FIG. 3, includes a user rights management module, a vertical rights verification module, and a horizontal rights verification module. Described separately as follows:
用户权限管理模块,用于预配置用户对应的权限点,并接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求,根据预配置返回用户对应的权限点列表。The user rights management module is configured to pre-configure a permission point corresponding to the user, and receive a request for obtaining a permission point list sent by the background server after the user logs in through the user terminal, and return a list of the permission points corresponding to the user according to the pre-configuration.
垂直权限校验模块,用于根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过;The vertical right verification module is configured to perform vertical verification according to the task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, and if they are consistent, the verification is performed. Pass, otherwise the verification will not pass;
水平权限校验模块,用于根据用户所要执行的任务的元信息进行水平 校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。Horizontal authority verification module for leveling according to meta information of tasks to be performed by the user Check whether the meta-information of the verification task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
具体地,在用户权限管理模块中可以预先进行如下的配置,例如用户角色的配置、用户权限点的配置,即在用户权限管理模块中配置了用户的用户名、用户角色、权限点列表的对应关系。从而在用户采用用户名和密码登录后,对于合法的用户,后台服务器在用户登录成功后,向安全控制装置发送获取权限点列表请求,用户权限管理模块在收到请求后将其预配置的权限点列表返回给后台服务器,后台服务器再发送给用户终端,以便在用户终端上显示操作界面。用户终端作为用户操作的客户端,具有用户登录界面,用户通过登录界面输入用户名和密码,进行登录。在登录后,获取到该用户有权限的权限点列表。权限点列表通过操作界面展示,每个权限点对应有该用户可以操作的操作按钮,即对应的任务选项。操作界面将系统功能展示给用户的时候,根据权限点列表有选择地进行展示,没有权限的功能被隐藏起来,用户看不到,这样做到了第一层直观地权限控制。Specifically, in the user rights management module, the following configurations may be performed in advance, such as configuration of a user role and configuration of a user permission point, that is, a user name, a user role, and a permission point list are configured in the user rights management module. relationship. Therefore, after the user logs in with the user name and password, for the legitimate user, after the user logs in successfully, the background server sends a request for obtaining a permission point list to the security control device, and the user rights management module sets the pre-configured permission point after receiving the request. The list is returned to the background server, which in turn sends it to the user terminal to display the operation interface on the user terminal. As a client operated by the user, the user terminal has a user login interface, and the user inputs a user name and password through the login interface to log in. After logging in, get a list of permission points that the user has permission to. The permission point list is displayed through the operation interface, and each permission point corresponds to an operation button that the user can operate, that is, a corresponding task option. When the operation interface displays the system function to the user, it is selectively displayed according to the permission point list, and the function without the permission is hidden, and the user cannot see it, so that the first layer is intuitively controlled.
同时,一个用户可以对应多个角色,每种角色的权限也可以动态改变,通过动态配置就可以灵活地控制用户的权限,从而满足不同用户的权限需求,保证系统安全控制的灵活性。动态配置用户权限可以通过用户权限管理模块提供的入口进行。例如:想去掉某个用户的某个执行权限,可以从权限配置管理中去除这个用户对应的权限点。At the same time, one user can correspond to multiple roles, and the permissions of each role can be dynamically changed. The dynamic configuration can flexibly control the permissions of users, thereby satisfying the permission requirements of different users and ensuring the flexibility of system security control. Dynamic configuration of user rights can be done through the portal provided by the User Rights Management module. For example, if you want to remove an execution permission of a user, you can remove the permission point corresponding to the user from the permission configuration management.
如前所述,用户角色配置是对用户进行角色划分,分为系统管理员、项目管理员、开发、运维、测试、访客,每一种角色拥有的权限是不一样的,用户在登录时还选定自己对应的用户角色进行登录。用户权限管理模块在接收获取权限点列表请求后,根据预配置的该用户的用户角色,将其权限点列表返回给后台服务器。As mentioned earlier, user role configuration is to divide the roles of users into system administrators, project administrators, development, operation and maintenance, testing, and visitors. Each role has different permissions. When users log in, Also select your corresponding user role to log in. After receiving the request for obtaining the permission point list, the user rights management module returns the list of the permission points to the background server according to the pre-configured user role of the user.
例如用户1的用户角色为访客,则用户1登录成功后,只能获取访客对应的权限点列表,如查看等。而如果用户的用户角色为系统管理员,则用户1登录成功后,能够获取系统管理员对应的权限点列表,如编辑、删除等。 For example, if the user role of the user 1 is a guest, the user 1 can only obtain a list of the permission points corresponding to the visitor, such as viewing. If the user role of the user is a system administrator, after the user 1 logs in successfully, the user can obtain a list of permission points corresponding to the system administrator, such as editing, deleting, and the like.
对于垂直权限校验模块和水平权限校验模块,由于安全控制装置连接方式不同,其工作过程略有不同,以下通过图1和图2的实施例进行分别说明:For the vertical right verification module and the horizontal authority verification module, since the connection mode of the safety control device is different, the working process is slightly different. The following description is respectively made by the embodiments of FIG. 1 and FIG. 2:
实施例一、如图1所示,安全控制装置连接后台服务器。Embodiment 1 As shown in FIG. 1, the security control device is connected to the background server.
本实施例垂直权限校验模块,用于接收后台服务器在用户通过用户终端选择所要执行的任务后发送的垂直校验请求,根据垂直校验请求中用户所要执行的任务对应的权限点,校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。The vertical right verification module of the embodiment is configured to receive a vertical verification request sent by the background server after the user selects the task to be performed by the user terminal, and performs verification according to the permission point corresponding to the task to be executed by the user in the vertical verification request. Whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module. If they are consistent, the verification is passed, otherwise the verification fails.
当用户在用户终端上根据显示的权限点列表选择具体的操作任务后,用户终端将选择的任务发送给后台服务器,后台服务器向垂直权限校验模块发起垂直权限校验请求,垂直权限校验模块接收到请求后,需要进行垂直权限校验。After the user selects a specific operation task according to the displayed permission point list on the user terminal, the user terminal sends the selected task to the background server, and the background server initiates a vertical permission verification request to the vertical right verification module, and the vertical permission verification module After receiving the request, a vertical permission check is required.
本实施例的垂直权限校验是将用户及其执行的任务与预配置的该用户的权限点及权限点对应的任务进行比对,如果匹配则垂直权限校验通过,将任务下发给任务执行控制服务器。否则垂直权限校验失败,拒绝此次任务请求,并将错误信息返回。The vertical right authority verification in this embodiment compares the user and the tasks performed by the user with the pre-configured tasks corresponding to the user's permission points and permission points. If the vertical authority verification is passed, the task is sent to the task. Execute the control server. Otherwise, the vertical permission check fails, the task request is rejected, and the error message is returned.
容易理解的是,垂直权限校验是在用户选择了具体的操作任务后进行的,是对用户在执行任务时的进一步安全控制。即使有人绕过用户终端非法攻击试图访问系统数据,由于其不具有预先配置的权限点,将被拒绝访问,从而保障了系统数据安全。It is easy to understand that the vertical permission check is performed after the user selects a specific operation task, and is a further security control when the user performs the task. Even if someone bypasses the user terminal and attempts to access the system data, it will be denied access because it does not have a pre-configured permission point, thus ensuring system data security.
本实施例水平权限校验模块,用于接收后台服务器在得知垂直权限校验成功后发送的水平校验请求,根据垂直校验请求中用户所要执行的任务的元信息,校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。The horizontal privilege check module of the embodiment is configured to receive a horizontal check request sent by the background server after the vertical privilege check succeeds, and verify the user to perform according to the meta information of the task to be executed by the user in the vertical check request. The meta-information of the task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
由于一个组织的项目很多,同一个项目下不同用户操作的数据也不相同,为了避免用户操作其他人的数据,本实施例利用水平权限校验进行安 全控制。水平权限校验模块在接收到水平校验请求后,显然该任务已经通过了垂直权限校验,需要进一步执行水平权限校验。水平权限校验,主要是校验当前用户本次操作的数据是否为本用户所有,防止越权操作其他人的数据。如果校验失败,则拒绝此次请求,并将错误信息返回;如果校验成功,根据策略选择合适的任务执行服务器,并将任务下发到任务执行服务器,任务执行服务器负责任务的具体执行。Since there are many projects in an organization, the data of different users operating under the same project is different. In order to prevent users from operating other people's data, this embodiment uses horizontal permission verification to perform security. Full control. After receiving the horizontal verification request, the horizontal permission verification module obviously has passed the vertical permission check, and needs to perform the horizontal permission check further. The horizontal permission check is mainly to verify whether the current user's data of this operation is owned by the user and prevent unauthorized data from being manipulated by others. If the verification fails, the request is rejected and the error message is returned. If the verification is successful, the appropriate task execution server is selected according to the policy, and the task is delivered to the task execution server, and the task execution server is responsible for the specific execution of the task.
在进行水平权限校验时,需要提取任务的元信息,并将任务的元信息与用户能够操作的任务的元信息进行比对,如果相同则允许水平校验通过。When the horizontal authority check is performed, the meta information of the task needs to be extracted, and the meta information of the task is compared with the meta information of the task that the user can operate. If the same, the horizontal check is allowed to pass.
任务的元信息记录在数据库中,水平权限校验依赖这些元信息,同一个用户可以操作的任务的元信息相同,任务的元信息包括:任务的Id(taskId)、任务所属的应用(projectId)、应用所属的租户(tenantId)、任务的所有者(ownerId)。The meta-information of the task is recorded in the database, and the horizontal permission check depends on the meta-information, and the meta-information of the task that the same user can operate is the same. The meta-information of the task includes: the ID of the task (taskId), and the application to which the task belongs (projectId) , the tenant (idantId) to which the application belongs, and the owner (ownerId) of the task.
实施例二、如图2所示,安全控制装置连接在后台服务器与任务执行服务器之间。Embodiment 2 As shown in FIG. 2, the security control device is connected between the background server and the task execution server.
与实施例一不同的是,实施例二的安全控制装置如一个卡口,对于通过校验的任务予以放行,而对于校验不通过的任务予以拒绝。Different from the first embodiment, the security control device of the second embodiment, such as a bayonet, is released for the task that passes the verification, and is rejected for the task that fails the verification.
因此本实施例的垂直权限校验模块,用于接收后台管理服务器在用户通过用户终端选择所要执行的任务后转发的该用户所要执行的任务,校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。Therefore, the vertical right authority verification module of the embodiment is configured to receive a task that the background management server forwards after the user selects the task to be executed by the user terminal, and verifies whether the permission point corresponding to the task to be executed by the user is The user permission points pre-configured by the user rights management module are consistent. If they are consistent, the verification is passed, otherwise the verification fails.
同样,本实施例的水平权限校验模块,用于接收垂直权限校验模块在垂直权限校验成功后发送的该用户所要执行的任务,校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。Similarly, the horizontal right authority verification module of the embodiment is configured to receive a task to be executed by the vertical identity verification module after the vertical authority verification succeeds, and verify the meta information of the task to be performed by the user and the user can operate. Whether the meta-information of the task is consistent, if it is consistent, the verification is passed, otherwise the verification fails.
可见后台服务器直接转发用户所要执行的任务,垂直权限校验模块、水平权限校验模块分别根据用户所要执行的任务进行垂直权限校验和水平权限校验,在校验通过后将用户所要执行的任务发送到任务执行服务器 进行处理,否则拒绝该任务通过。It can be seen that the background server directly forwards the tasks to be performed by the user, and the vertical permission verification module and the horizontal permission verification module perform vertical authority verification and horizontal authority verification according to the tasks to be performed by the user respectively, and the user is to perform the verification after the verification is passed. Task sent to task execution server Processing, otherwise the task is rejected.
如图4所示,本实施例还提出了一种数据处理系统的安全控制方法,该安全控制方法包括:As shown in FIG. 4, this embodiment further provides a security control method for a data processing system, where the security control method includes:
接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求,根据为该用户预配置的权限点向用户返回对应的权限点列表;Receiving a request point list request sent by the background server after the user logs in through the user terminal, and returning a corresponding permission point list to the user according to the permission point preconfigured for the user;
根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过;Perform a vertical check according to the task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If they are consistent, the verification is passed, otherwise the verification fails;
根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。The level check is performed according to the meta-information of the task to be performed by the user, and the meta-information of the verification task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
本实施例预配置还包括配置用户对应的角色,则在接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求后,根据为该用户预配置的角色对应的权限点向用户返回对应的权限点列表。The pre-configuration of the embodiment further includes: configuring the role corresponding to the user, and then receiving the corresponding permission point list sent by the user after the user logs in through the user terminal, and returning the corresponding information to the user according to the permission point corresponding to the role pre-configured by the user. A list of permission points.
根据图1和图2的两种连接方式,本实施例的安全控制方法也具有以下两个实施例:According to the two connection modes of FIG. 1 and FIG. 2, the security control method of this embodiment also has the following two embodiments:
实施例三、如图1所示,安全控制装置连接后台服务器。Embodiment 3 As shown in FIG. 1, the security control device is connected to the background server.
根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过,包括:According to the task to be performed by the user, the vertical check is performed to verify whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If the check is the same, the verification fails. Otherwise, the verification fails.
接收后台服务器在用户通过用户终端选择所要执行的任务后发送的垂直校验请求;Receiving a vertical verification request sent by the background server after the user selects the task to be performed through the user terminal;
根据垂直校验请求中用户所要执行的任务对应的权限点,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。According to the permission point corresponding to the task to be executed by the user in the vertical verification request, it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed, otherwise the verification fails. .
则根据用户所要执行的任务的元信息进行水平校验,校验任务的元信 息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过,包括:Then, according to the meta information of the task to be performed by the user, the level check is performed, and the letter of the task is verified. Whether the information is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails, including:
接收后台服务器在得知垂直权限校验成功后发送的水平校验请求;Receiving a horizontal verification request sent by the background server after learning that the vertical authority verification is successful;
根据垂直校验请求中用户所要执行的任务的元信息,校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。According to the meta-information of the task to be executed by the user in the vertical verification request, it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
实施例四、如图2所示,安全控制装置连接在后台服务器与任务执行服务器之间。Embodiment 4 As shown in FIG. 2, the security control device is connected between the background server and the task execution server.
根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过,包括:According to the task to be performed by the user, the vertical check is performed to verify whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If the check is the same, the verification fails. Otherwise, the verification fails.
接收后台管理服务器在用户通过用户终端选择所要执行的任务后转发的该用户所要执行的任务;Receiving, by the background management server, a task to be performed by the user after the user selects the task to be performed through the user terminal;
校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。Verify that the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module. If they are consistent, the verification is passed, otherwise the verification fails.
则根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过,包括:Then, according to the meta-information of the task to be performed by the user, the level information is verified, and the meta-information of the task is consistent with the meta-information of the task that the user can operate. If the information is consistent, the verification is passed, otherwise the verification fails, including:
接收垂直权限校验模块在垂直权限校验成功后发送的该用户所要执行的任务;Receiving a task that the vertical permission verification module sends after the vertical authority verification succeeds;
校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。Verify that the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
以上实施例仅用以说明本发明的技术方案而非对其进行限制,在不背离本发明精神及其实质的情况下,熟悉本领域的技术人员当可根据本发明作出各种相应的改变和变形,但这些相应的改变和变形都应属于本发明所附的权利要求的保护范围。 The above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to be limiting, and those skilled in the art can make various corresponding changes according to the present invention and without departing from the spirit and scope of the present invention. Modifications, but such corresponding changes and modifications are intended to be included within the scope of the appended claims.

Claims (12)

  1. 一种数据处理系统的安全控制装置,所述数据处理系统包括用户终端、后台服务器和任务执行服务器,其特征在于,所述安全控制装置包括用户权限管理模块、垂直权限校验模块和水平权限校验模块,其中:A security control device for a data processing system, the data processing system comprising a user terminal, a background server, and a task execution server, wherein the security control device comprises a user rights management module, a vertical rights verification module, and a horizontal authority school. Module, where:
    所述用户权限管理模块,用于预配置用户对应的权限点,并接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求,根据预配置返回用户对应的权限点列表;The user rights management module is configured to pre-configure a permission point corresponding to the user, and receive a request for obtaining a permission point list sent by the background server after the user logs in through the user terminal, and return a list of the permission points corresponding to the user according to the pre-configuration;
    所述垂直权限校验模块,用于根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过;The vertical right verification module is configured to perform vertical verification according to a task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, if they are consistent The verification passes, otherwise the verification does not pass;
    所述水平权限校验模块,用于根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。The horizontal right verification module is configured to perform level verification according to the meta information of the task to be performed by the user, and verify whether the meta information of the task is consistent with the meta information of the task that the user can operate, and if the consistency is met, the verification is passed; otherwise, The verification failed.
  2. 根据权利要求1所述的安全控制装置,其特征在于,所述用户权限管理模块还用于配置用户对应的角色。The security control device according to claim 1, wherein the user rights management module is further configured to configure a role corresponding to the user.
  3. 根据权利要求1所述的安全控制装置,其特征在于,所述垂直权限校验模块在根据用户所要执行的任务进行垂直校验时,执行如下操作:The security control apparatus according to claim 1, wherein the vertical right verification module performs the following operations when performing vertical verification according to a task to be performed by the user:
    接收后台服务器在用户通过用户终端选择所要执行的任务后发送的垂直校验请求;Receiving a vertical verification request sent by the background server after the user selects the task to be performed through the user terminal;
    根据垂直校验请求中用户所要执行的任务对应的权限点,校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。According to the permission point corresponding to the task to be executed by the user in the vertical verification request, it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module, and if yes, the verification passes, otherwise The verification failed.
  4. 根据权利要求3所述的安全控制装置,其特征在于,所述水平权限校验模块在根据用户所要执行的任务的元信息进行水平校验时,执行如下操作:The security control apparatus according to claim 3, wherein the horizontal authority verification module performs the following operations when performing level verification according to meta information of a task to be performed by the user:
    接收后台服务器在得知垂直权限校验成功后发送的水平校验请求; Receiving a horizontal verification request sent by the background server after learning that the vertical authority verification is successful;
    根据垂直校验请求中用户所要执行的任务的元信息,校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。According to the meta-information of the task to be executed by the user in the vertical verification request, it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
  5. 根据权利要求1所述的安全控制装置,其特征在于,所述垂直权限校验模块在根据用户所要执行的任务进行垂直校验时,执行如下操作:The security control apparatus according to claim 1, wherein the vertical right verification module performs the following operations when performing vertical verification according to a task to be performed by the user:
    接收后台管理服务器在用户通过用户终端选择所要执行的任务后转发的该用户所要执行的任务;Receiving, by the background management server, a task to be performed by the user after the user selects the task to be performed through the user terminal;
    校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。Verify that the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module. If they are consistent, the verification is passed, otherwise the verification fails.
  6. 根据权利要求5所述的安全控制装置,其特征在于,所述水平权限校验模块在根据用户所要执行的任务的元信息进行水平校验时,执行如下操作:The security control apparatus according to claim 5, wherein the horizontal authority verification module performs the following operations when performing level verification according to meta information of a task to be performed by the user:
    接收垂直权限校验模块在垂直权限校验成功后发送的该用户所要执行的任务;Receiving a task that the vertical permission verification module sends after the vertical authority verification succeeds;
    校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。Verify that the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
  7. 一种数据处理系统的安全控制方法,所述数据处理系统包括用户终端、后台服务器和任务执行服务器,其特征在于,所述安全控制方法包括:A security control method for a data processing system, the data processing system includes a user terminal, a background server, and a task execution server, wherein the security control method includes:
    接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求,根据为该用户预配置的权限点向用户返回对应的权限点列表;Receiving a request point list request sent by the background server after the user logs in through the user terminal, and returning a corresponding permission point list to the user according to the permission point preconfigured for the user;
    根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过;Perform a vertical check according to the task to be performed by the user, and verify whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If they are consistent, the verification is passed, otherwise the verification fails;
    根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校 验不通过。Perform level verification according to the meta-information of the task to be performed by the user, and verify whether the meta-information of the task is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the school is The test will not pass.
  8. 根据权利要求7所述的安全控制方法,其特征在于,所述预配置还包括配置用户对应的角色,则在接收后台服务器在用户通过用户终端登录后发送的获取权限点列表请求后,根据为该用户预配置的角色对应的权限点向用户返回对应的权限点列表。The security control method according to claim 7, wherein the pre-configuration further comprises: configuring a role corresponding to the user, and then receiving, after receiving the permission point list request sent by the user after the user logs in through the user terminal, The permission point corresponding to the pre-configured role of the user returns a corresponding permission point list to the user.
  9. 根据权利要求7所述的安全控制方法,其特征在于,所述根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过,包括:The security control method according to claim 7, wherein the vertical verification is performed according to a task to be performed by the user, and whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If they are consistent, the verification is passed, otherwise the verification fails, including:
    接收后台服务器在用户通过用户终端选择所要执行的任务后发送的垂直校验请求;Receiving a vertical verification request sent by the background server after the user selects the task to be performed through the user terminal;
    根据垂直校验请求中用户所要执行的任务对应的权限点,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。According to the permission point corresponding to the task to be executed by the user in the vertical verification request, it is verified whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point, and if they are consistent, the verification is passed, otherwise the verification fails. .
  10. 根据权利要求9所述的安全控制方法,其特征在于,所述根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过,包括:The security control method according to claim 9, wherein the level verification is performed according to the meta information of the task to be executed by the user, and whether the meta information of the task is consistent with the meta information of the task that the user can operate, if If the check is consistent, the check is passed, otherwise the check fails, including:
    接收后台服务器在得知垂直权限校验成功后发送的水平校验请求;Receiving a horizontal verification request sent by the background server after learning that the vertical authority verification is successful;
    根据垂直校验请求中用户所要执行的任务的元信息,校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。According to the meta-information of the task to be executed by the user in the vertical verification request, it is verified whether the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate, and if they are consistent, the verification is passed, otherwise the verification fails.
  11. 根据权利要求7所述的安全控制方法,其特征在于,所述根据用户所要执行的任务进行垂直校验,校验用户所要执行的任务对应的权限点是否与预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过,包括:The security control method according to claim 7, wherein the vertical verification is performed according to a task to be performed by the user, and whether the permission point corresponding to the task to be executed by the user is consistent with the pre-configured user permission point. If they are consistent, the verification is passed, otherwise the verification fails, including:
    接收后台管理服务器在用户通过用户终端选择所要执行的任务后转 发的该用户所要执行的任务;Receiving the background management server after the user selects the task to be performed through the user terminal The task to be performed by the user;
    校验用户所要执行的任务对应的权限点是否与用户权限管理模块预配置的该用户权限点一致,如果一致则校验通过,否则校验不通过。Verify that the permission point corresponding to the task to be executed by the user is consistent with the user permission point pre-configured by the user rights management module. If they are consistent, the verification is passed, otherwise the verification fails.
  12. 根据权利要求11所述的安全控制方法,其特征在于,所述根据用户所要执行的任务的元信息进行水平校验,校验任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过,包括:The security control method according to claim 11, wherein the level verification is performed according to the meta information of the task to be executed by the user, and whether the meta information of the task is consistent with the meta information of the task that the user can operate, if If the check is consistent, the check is passed, otherwise the check fails, including:
    接收垂直权限校验模块在垂直权限校验成功后发送的该用户所要执行的任务;Receiving a task that the vertical permission verification module sends after the vertical authority verification succeeds;
    校验用户所要执行的任务的元信息与用户能够操作的任务的元信息是否一致,如果一致则校验通过,否则校验不通过。 Verify that the meta-information of the task to be performed by the user is consistent with the meta-information of the task that the user can operate. If they are consistent, the verification is passed, otherwise the verification fails.
PCT/CN2016/110715 2015-12-31 2016-12-19 Apparatus and method for security control of data processing system WO2017114210A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201511030278.4 2015-12-31
CN201511030278.4A CN106934300A (en) 2015-12-31 2015-12-31 The safety control and method of a kind of data handling system

Publications (1)

Publication Number Publication Date
WO2017114210A1 true WO2017114210A1 (en) 2017-07-06

Family

ID=59225934

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/110715 WO2017114210A1 (en) 2015-12-31 2016-12-19 Apparatus and method for security control of data processing system

Country Status (2)

Country Link
CN (1) CN106934300A (en)
WO (1) WO2017114210A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113992406A (en) * 2021-10-27 2022-01-28 杭州云象网络技术有限公司 Authority access control method for alliance chain cross-chain

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107770173A (en) * 2017-10-20 2018-03-06 国信嘉宁数据技术有限公司 Subscriber Management System, related identification information creation method and request method of calibration
CN112667639A (en) * 2020-12-31 2021-04-16 恩亿科(北京)数据科技有限公司 Authority design method, system, equipment and storage medium based on SaaS multi-tenant
CN112861085A (en) * 2021-02-18 2021-05-28 北京通付盾人工智能技术有限公司 KYC security service system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0384610A2 (en) * 1989-02-24 1990-08-29 International Business Machines Corporation Tamper resistant access authorising method
CN101860436A (en) * 2009-04-08 2010-10-13 北京博越世纪科技有限公司 Technology for accurately controlling system user data authority
CN101917448A (en) * 2010-08-27 2010-12-15 山东中创软件工程股份有限公司 Control method for realizing RBAC access permission in application on basis of.NET
CN104052747A (en) * 2014-06-23 2014-09-17 桂林长海科技有限责任公司 Permission management system based on RBAC
CN104751077A (en) * 2015-04-21 2015-07-01 沈文策 Access control method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0384610A2 (en) * 1989-02-24 1990-08-29 International Business Machines Corporation Tamper resistant access authorising method
CN101860436A (en) * 2009-04-08 2010-10-13 北京博越世纪科技有限公司 Technology for accurately controlling system user data authority
CN101917448A (en) * 2010-08-27 2010-12-15 山东中创软件工程股份有限公司 Control method for realizing RBAC access permission in application on basis of.NET
CN104052747A (en) * 2014-06-23 2014-09-17 桂林长海科技有限责任公司 Permission management system based on RBAC
CN104751077A (en) * 2015-04-21 2015-07-01 沈文策 Access control method and device

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113992406A (en) * 2021-10-27 2022-01-28 杭州云象网络技术有限公司 Authority access control method for alliance chain cross-chain

Also Published As

Publication number Publication date
CN106934300A (en) 2017-07-07

Similar Documents

Publication Publication Date Title
JP6718530B2 (en) Image analysis and management
CN107113302B (en) Security and permission architecture in multi-tenant computing systems
US10735964B2 (en) Associating services to perimeters
CN107430666B (en) Tenant lock box
US8839354B2 (en) Mobile enterprise server and client device interaction
US11108825B2 (en) Managed real-time communications between user devices
CN107111696B (en) Multi-tenant computing system and method implemented therein
CA2792772C (en) Dynamically generating perimeters
US8255419B2 (en) Exclusive scope model for role-based access control administration
US8881249B2 (en) Scalable and automated secret management
CN105378768A (en) Proximity and context aware mobile workspaces in enterprise systems
US20180183806A1 (en) Guest access provisioning
US11677696B2 (en) Architecture for performing action in a third-party service by an email client
US10911299B2 (en) Multiuser device staging
WO2017114210A1 (en) Apparatus and method for security control of data processing system
JP2020053091A (en) Individual number management device, individual number management method, and individual number management program
TW202225966A (en) Systems and methods for self-protecting and self-refreshing workspaces
US11411813B2 (en) Single user device staging
US10284554B2 (en) Systems for providing device-specific access to an e-mail server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16880999

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16880999

Country of ref document: EP

Kind code of ref document: A1