WO2019075966A1 - Data operation permission isolation method, application server and computer readable storage medium - Google Patents


Info

Publication number
WO2019075966A1
Authority
WO (WIPO (PCT))
Prior art keywords
data, user, context information, data view, view
Application number
PCT/CN2018/076143
Other languages
French (fr), Chinese (zh)
Inventors
李佳, 王浩
Original Assignee
平安科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • FIG. 1 is a schematic diagram of an optional hardware architecture of the application server 2 of the present application.
  • In some embodiments the processor 12 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor or other data processing chip.
  • The processor 12 is typically used to control the overall operation of the application server 2.
  • The processor 12 is configured to run program code or process data stored in the memory 11, for example the data operation permission isolation program 200.
  • The data operation permission isolation program 200 includes a series of computer program instructions stored in the memory 11; when these instructions are executed by the processor 12, the data operation permission isolation operations of the embodiments of the present application are implemented.
  • The data operation permission isolation program 200 can be divided into one or more modules based on the specific operations implemented by the various portions of the computer program instructions. For example, in FIG. 3, the program 200 can be divided into an acquisition module 201, a synchronization module 202, a view creation module 203 and a display module 204. Of these:
  • The acquisition module 201 is configured to acquire the user information of the operation user currently logged into the application system and to save that user information into the first context information of the application system.
  • The acquisition module 201 may acquire the user information of the user when the user logs in to the application system.
  • The operable institution is the department or institution where the user is currently located.
  • The institution where the first user is located is A,
  • so the operable institution of the first user is A.
  • The acquisition module 201 is further configured to save the user information into the first context information of the application system.
  • Synchronization module 202: when the application system connects to the database, the synchronization module 202 first acquires the application system's own context information.
  • The context information includes the user information of the user.
  • The context information includes the username and the operable institution.
  • The synchronization module 202 is further configured to set the acquired context information into the context information of the database in the current database session.
  • The application system can be a J2EE architecture system.
  • The view creation module 203 is configured to create a data view based on the data table.
  • The display module 204 is configured to display specific data through the data view according to the second context information of the database session.
  • The data operation permission isolation program 200 proposed by the present application first acquires the user information of the operation user currently logged into the application system and saves it into the first context information of the application system; secondly, it synchronizes the first context information into the second context information of the currently connected database session; thirdly, it creates the data view based on the data table; and finally, it displays specific data through the data view according to the second context information of the database session. In this way, by setting the context information of the application system into the context information of the current database session, the database can rapidly obtain the user information.
  • In the second embodiment, the data operation permission isolation program 200 can be divided into an acquisition module 201, a synchronization module 202, a view creation module 203, a display module 204 and an operation module 205.
  • Program modules 201-204 are the same as in the first embodiment of the data operation permission isolation program 200 of the present application, with the operation module 205 added. Of these:
  • When the data view has the read-only attribute, the operation module 205 rejects the add, delete and modify operation requests performed by the user on the base table through the data view.
  • The data operation permission isolation program 200 proposed by the present application first acquires the user information of the operation user currently logged into the application system and saves it into the first context information of the application system; secondly, it synchronizes the first context information into the second context information of the currently connected database session; thirdly, it creates the data view based on the data table; then it displays specific data through the data view according to the second context information of the database session; and finally, it determines whether to respond to the user's operation request according to the operation attribute of the data view. In this way, by setting the context information of the application system into the context information of the current database session, the database can rapidly obtain the user information.
  • The present application also proposes a data operation permission isolation method.
  • Step S401: acquire the user information of the operation user currently logged into the application system, and save the user information into the first context information of the application system.
  • The user information includes a username and an operable institution.
  • The operable institution is the department or institution where the user is currently located.
  • The institution where the first user is located is A, so the operable institution of the first user is A.
  • Step S402: synchronize the first context information into the second context information of the currently connected database session.
  • When the application system connects to the database, it first acquires its own first context information.
  • The first context information includes the user information of the user; further, it includes the username and the operable institution.
  • The obtained context information is set into the context information of the database in the current database session.
  • The database can be an Oracle database.
  • The application system can be a J2EE architecture system.
  • Step S403: create a data view based on the data table.
  • The step of creating the data view based on the data table further includes:
  • the data table is created using the institution name/institution code as the key condition;
  • the operation attribute may be set to an editable attribute or a read-only attribute.
  • The data content of the data table includes the data materials under the respective institutions; the data materials may include customer data, salesperson data, policy information and attendance data.
  • The data view may default to the editable attribute, that is, add, delete and modify operations may be performed on the base table through the data view.
  • The data view may instead be set to the read-only attribute, that is, the data of the data table cannot be added, deleted or modified through the data view.
  • Step S404: display specific data through the data view according to the second context information of the database session.
  • The step of displaying specific data according to the second context information of the database session includes:
  • the data view acquires the second context information of the database session;
  • the database obtains the institution name/institution number of the user's operable institution from the context information;
  • the data view retrieves and displays the corresponding data according to the operable institution of the operating user and the institution relationship map.
  • The method for establishing the institution chart may include the following steps:
  • the institution information includes an institution name, an institution number and the relationship between upper and lower levels;
  • the institution information and the institution relationship map are saved to the database.
  • The data view retrieves and displays the corresponding data according to the institution name/institution number of the user's operable institution and the institution relationship diagram.
  • For example, the operable institution of the first user is A;
  • the upper-level institution of institution A is the head office;
  • the lower-level institutions of institution A include institution B and institution C;
  • the lower layer of the head office may further include an institution D, while institutions B and C have no lower-level institutions.
  • The first specific data therefore includes the data of institution A, institution B and institution C.
  • The data operation permission isolation method proposed by the present application first acquires the user information of the operation user currently logged into the application system and saves it into the first context information of the application system; secondly, it synchronizes the first context information into the second context information of the currently connected database session; thirdly, it creates the data view based on the data table; and finally, it displays specific data through the data view according to the second context information of the database session.
  • By setting the context information of the application system into the context information of the current database session, the database can rapidly obtain the user information.
  • FIG. 5 is a schematic flowchart of the implementation of the second embodiment of the data operation permission isolation method of the present application.
  • The order of execution of the steps in the flowchart shown in FIG. 5 may be changed according to different requirements, and some steps may be omitted.
  • Step S501: acquire the user information of the operation user currently logged into the application system, and save the user information into the first context information of the application system.
  • Step S502: synchronize the first context information into the second context information of the currently connected database session.
  • Step S503: create a data view based on the data table.
  • Step S504: display specific data through the data view according to the second context information of the database session.
  • Step S505: determine, according to the operation attribute of the data view, whether to respond to the user's operation request:
  • when the data view has the editable attribute, the operation module 205 responds to the add/delete operation request performed by the user on the base table through the data view;
  • when the data view has the read-only attribute, the operation module 205 rejects the add, delete and modify operation requests performed by the user on the base table through the data view.
  • The data operation permission isolation method proposed by the present application first acquires the user information of the operation user currently logged into the application system and saves it into the first context information of the application system; secondly, it synchronizes the first context information into the second context information of the currently connected database session; thirdly, it creates the data view based on the data table; then it displays specific data through the data view according to the second context information of the database session; and finally, it determines whether to respond to the user's operation request according to the operation attribute of the data view.
  • By setting the context information of the application system into the context information of the current database session, the database can rapidly obtain the user information.
  • The current user information of the first user is obtained and saved into the first context information of the application system.
  • The institution where the first user is located is A, that is, the operable institution of the first user is A.
  • The operable-institution information of the first user is saved into the first context information of the application system.
  • When the application system connects to the database, it first acquires its own first context information. At this time the first context information includes the user information of the first user; further, it includes the username of the first user and the operable institution A. The obtained first context information is set into the second context information of the database in the current database session. Therefore the second context information includes the user information of the first user, that is, the username of the first user and the operable institution A.
  • The method of the foregoing embodiments can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) that includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the methods described in the embodiments of the present application.
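The mechanism of steps S401 to S404 (application context synchronized into the database session, view over the base table filtered by the institution relationship map) and the read-only attribute of step S505, as an added Oracle SQL example that is not part of the patent text. All object names (app_user_ctx, app_ctx_pkg, organization, customer_data and the views) and the sample institutions are assumed for illustration; the institution hierarchy is the one the description uses (head office above A and D, B and C under A).

```sql
-- Added example, not from the patent. Object names are assumed.

-- Institution relationship map: name, number and upper/lower-level relationship.
CREATE TABLE organization (
  org_code   VARCHAR2(20)  PRIMARY KEY,
  org_name   VARCHAR2(100) NOT NULL,
  parent_org VARCHAR2(20)  REFERENCES organization (org_code)
);

-- Constructed sample hierarchy: HQ above A and D, B and C below A.
INSERT INTO organization VALUES ('HQ', 'Head office',   NULL);
INSERT INTO organization VALUES ('A',  'Institution A', 'HQ');
INSERT INTO organization VALUES ('B',  'Institution B', 'A');
INSERT INTO organization VALUES ('C',  'Institution C', 'A');
INSERT INTO organization VALUES ('D',  'Institution D', 'HQ');

-- Base table keyed by institution code (one of the "data materials").
CREATE TABLE customer_data (
  customer_id   NUMBER        PRIMARY KEY,
  org_code      VARCHAR2(20)  NOT NULL REFERENCES organization (org_code),
  customer_name VARCHAR2(100) NOT NULL
);

-- Second context information: an application context whose attributes can be
-- set only through the trusted package named in the USING clause, so a
-- caller cannot simply assign itself another institution.
CREATE OR REPLACE PACKAGE app_ctx_pkg AS
  PROCEDURE set_user(p_username IN VARCHAR2, p_org_code IN VARCHAR2);
  PROCEDURE clear_user;
END app_ctx_pkg;
/
CREATE CONTEXT app_user_ctx USING app_ctx_pkg;

CREATE OR REPLACE PACKAGE BODY app_ctx_pkg AS
  -- Called by the application right after it obtains a connection (S402),
  -- passing the username and operable institution held in the first context.
  PROCEDURE set_user(p_username IN VARCHAR2, p_org_code IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('app_user_ctx', 'username', p_username);
    DBMS_SESSION.SET_CONTEXT('app_user_ctx', 'org_code', p_org_code);
  END set_user;

  -- Called before a pooled connection is handed back, so the next borrower
  -- never inherits the previous user's institution.
  PROCEDURE clear_user IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('app_user_ctx');
  END clear_user;
END app_ctx_pkg;
/

-- Editable data view (S403, default attribute): the user's own institution
-- plus every institution below it in the relationship map (S404).
-- If no context has been set, SYS_CONTEXT returns NULL and the view returns
-- no rows, so an unsynchronized session fails closed.
-- WITH CHECK OPTION makes the database reject inserts/updates through the
-- view that would place a row under an institution outside the user's scope.
CREATE OR REPLACE VIEW customer_data_v AS
  SELECT c.customer_id, c.org_code, c.customer_name
    FROM customer_data c
   WHERE c.org_code IN (
           SELECT o.org_code
             FROM organization o
            START WITH o.org_code = SYS_CONTEXT('app_user_ctx', 'org_code')
          CONNECT BY PRIOR o.org_code = o.parent_org)
  WITH CHECK OPTION;

-- Read-only attribute (S505): same rows, but add/delete/modify through the
-- view is rejected by the database itself rather than by application code.
CREATE OR REPLACE VIEW customer_data_ro_v AS
  SELECT customer_id, org_code, customer_name
    FROM customer_data_v
  WITH READ ONLY;

-- Session of the first user (operable institution A): only A, B and C rows
-- are visible; rows of D and of the head office are not.
BEGIN
  app_ctx_pkg.set_user('first_user', 'A');
END;
/
SELECT org_code, COUNT(*) FROM customer_data_v GROUP BY org_code;
```

Grant the application account EXECUTE on app_ctx_pkg and SELECT (or DML) on the views only, not on the base tables, otherwise the view filter can be bypassed by querying the table directly.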

Abstract

Disclosed in the invention are a data operation permission isolation method, an application server and a computer readable storage medium. The method comprises: obtaining the user information of the operation user currently logged in to an application system and storing the user information in first context information of the application system (S401); synchronizing the first context information to second context information of the currently connected database session (S402); creating a data view based on a data table (S403); and displaying specific data through the data view according to the second context information of the database session (S404). The method lets the database acquire the user information by synchronizing the context information. An institution relationship graph is established and stored in the database and, combined with building the view on the base table, different specific data is displayed to specific users having different permissions, so that the technical effect that users can access not only the data of their own department institution but also the data of lower-level institutions is achieved.

Description

Data operation permission isolation method, application server and computer readable storage medium
This application claims priority to Chinese patent application No. 201710962907.X, filed with the Chinese Patent Office on October 16, 2017 and entitled "Data operation permission isolation method, application server and computer readable storage medium", the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of database technology, and in particular to a data operation permission isolation method, an application server and a computer readable storage medium.
Background
For reasons of permission isolation and security management, the data of an IT system usually has to be operated on under isolated permissions: a user may only operate on the data they are authorized for and may not operate on unauthorized data. A common operation-permission isolation requirement is isolation between upper and lower levels. For example, institution A has subordinate institutions B and C; the data operation permission isolation requirement is that institution A can operate on its own data and on the data of B and C below it, institution B can only operate on its own data, and likewise for institution C.
Previously, such data operation permission isolation requirements were generally implemented by writing them into the code logic during system implementation, so that every time a function was implemented, permission control code had to be added to the code logic. This created a large development and maintenance workload for system administrators and slowed down function development, and whenever such an addition was omitted a security risk arose.
Summary of the invention
In view of this, the present application proposes a data operation permission isolation method, an application server and a computer readable storage medium. By setting the context information of the application system into the context information of the current database session, the database can rapidly obtain the user information. An institution relationship graph is established and stored in the database and, combined with building views on base tables, different specific data is displayed to specific users holding different permissions, achieving the technical effect that a user can access the data of their own department institution as well as the data of lower-level institutions.
First, to achieve the above object, the present application proposes an application server comprising a memory and a processor. The memory stores a data operation permission isolation program that can run on the processor, and when the data operation permission isolation program is executed by the processor the following steps are implemented:
obtaining the user information of the operation user currently logged into the application system, and saving the user information into first context information of the application system;
synchronizing the first context information into second context information of the currently connected database session;
creating a data view based on a data table; and
displaying specific data through the data view according to the second context information of the database session.
In addition, to achieve the above object, the present application further provides a data operation permission isolation method applied to an application server, the method comprising:
obtaining the user information of the operation user currently logged into the application system, and saving the user information into first context information of the application system;
synchronizing the first context information into second context information of the currently connected database session;
creating a data view based on a data table; and
displaying specific data through the data view according to the second context information of the database session.
Further, to achieve the above object, the present application also provides a computer readable storage medium storing a data operation permission isolation program, which can be executed by at least one processor so as to cause the at least one processor to perform the steps of the data operation permission isolation method described above.
Compared with the prior art, the application server, data operation permission isolation method and computer readable storage medium proposed by the present application first obtain the user information of the operation user currently logged into the application system and save it into the first context information of the application system; secondly, synchronize the first context information into the second context information of the currently connected database session; thirdly, create a data view based on a data table; and finally, display specific data through the data view according to the second context information of the database session. In this way, by setting the context information of the application system into the context information of the current database session, the database can rapidly obtain the user information. An institution relationship graph is established and stored in the database and, combined with building views on base tables, different specific data is displayed to specific users holding different permissions, achieving the technical effect that a user can access the data of their own department institution as well as the data of lower-level institutions.
Brief description of the drawings
FIG. 1 is a schematic diagram of an optional hardware architecture of the application server of the present application;
FIG. 2 is a schematic diagram of the program modules of the first embodiment of the data operation permission isolation program of the present application;
FIG. 3 is a schematic diagram of the program modules of the second embodiment of the data operation permission isolation program of the present application;
FIG. 4 is a schematic flowchart of the implementation of the first embodiment of the data operation permission isolation method of the present application;
FIG. 5 is a schematic flowchart of the implementation of the second embodiment of the data operation permission isolation method of the present application.
The implementation, functional features and advantages of the present application will be further described with reference to the embodiments and the accompanying drawings.
Detailed description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present application and not to limit it. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.
It should be noted that descriptions involving "first", "second" and the like in the present application are for descriptive purposes only and should not be understood as indicating or implying relative importance or implicitly indicating the number of technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with each other, provided that a person of ordinary skill in the art can implement the combination; where a combination of technical solutions is contradictory or cannot be implemented, the combination should be regarded as not existing and as outside the scope of protection claimed by this application.
参阅图1所示,是本申请应用服务器2一可选的硬件架构的示意图。Referring to FIG. 1, it is a schematic diagram of an optional hardware architecture of the application server 2 of the present application.
本实施例中,所述应用服务器2可包括,但不仅限于,可通过系统总线相互通信连接存储器11、处理器12、网络接口13。需要指出的是,图2仅示出了具有组件11-13的应用服务器2,但是应理解的是,并不要求实施所有示出的组件,可以替代的实施更多或者更少的组件。In this embodiment, the application server 2 may include, but is not limited to, the memory 11, the processor 12, and the network interface 13 being communicably connected to each other through a system bus. It is to be noted that FIG. 2 only shows the application server 2 with components 11-13, but it should be understood that not all illustrated components may be implemented, and more or fewer components may be implemented instead.
The application server 2 may be a computing device such as a rack-mounted server, a blade server, a tower server or a cabinet server, and may be a single server or a cluster made up of several servers.
The memory 11 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc and the like. In some embodiments the memory 11 is an internal storage unit of the application server 2, such as its hard disk or main memory. In other embodiments the memory 11 is an external storage device of the application server 2, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the server. The memory 11 may also comprise both the internal storage unit and the external storage device of the application server 2. In this embodiment the memory 11 is typically used to store the operating system and the application software installed on the application server 2, for example the program code of the data operation permission isolation program 200; it may also temporarily hold data that has been or is about to be output.
The processor 12 may in some embodiments be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. It typically controls the overall operation of the application server 2. In this embodiment the processor 12 runs the program code stored in the memory 11 or processes data, for example by running the data operation permission isolation program 200.
The network interface 13 may comprise a wireless or a wired network interface and is typically used to establish communication connections between the application server 2 and other electronic devices.
This concludes the description of the hardware structure and functions of the devices involved in this application. The embodiments of this application are presented below on that basis.
First, this application proposes a data operation permission isolation program 200.
FIG. 2 is a program module diagram of the first embodiment of the data operation permission isolation program 200 of this application.
In this embodiment the data operation permission isolation program 200 consists of a series of computer program instructions stored in the memory 11; when these instructions are executed by the processor 12 they carry out the data operation permission isolation operations of the embodiments of this application. In some embodiments the program 200 is divided into one or more modules according to the particular operations that the respective parts of its instructions implement. For example, as shown in FIG. 2, the data operation permission isolation program 200 may be divided into an acquisition module 201, a synchronization module 202, a view creation module 203 and a display module 204, where:
The acquisition module 201 is configured to acquire the user information of the operating user currently logged in to the application system and to save that user information in the first context information of the application system.
In one embodiment the acquisition module 201 acquires the user's user information when the user logs in to the application system.
The user information includes a user name and an operable organization.
The operable organization is the department or organization to which the user currently belongs. In one embodiment a first user belongs to organization A, so the operable organization of the first user is A.
The acquisition module 201 is further configured to save the user information in the first context information of the application system.
The synchronization module 202 is configured to synchronize the first context information into the second context information of the database session that is currently connected.
In one embodiment, when the application system connects to the database, the synchronization module 202 first obtains the application system's own context information.
That context information includes the user information of the user,
that is, the user name and the operable organization.
The synchronization module 202 is further configured to set the obtained context information into the context information of the database within the current database session.
In a preferred embodiment the database is an Oracle database.
In a preferred embodiment the application system is a J2EE system.
The view creation module 203 is configured to create a data view based on a data table.
In one embodiment the view creation module 203 is specifically configured to obtain the data table; to create the data view with the data table as its base table and the organization name or organization code as the key condition; and to set the operation attribute of the data view.
In a preferred embodiment the operation attribute may be set to an editable attribute or a read-only attribute.
The display module 204 is configured to display specific data through the data view according to the second context information of the database session.
In one embodiment the display module 204 is specifically configured to obtain the second context information of the database session; to obtain from the database the organization relationship map, which stores the subordination relationships between the organizations; to extract the operating user's operable organization from the second context information; and to retrieve and display the corresponding data in the data view according to the operating user's operable organization and the organization relationship map.
Through the program modules 201-204 described above, the data operation permission isolation program 200 proposed by this application first acquires the user information of the operating user currently logged in to the application system and saves it in the first context information of the application system; next synchronizes the first context information into the second context information of the currently connected database session; then creates a data view based on a data table; and finally displays specific data through the data view according to the second context information of the database session. Setting the application system's context information into the context information of the current database session lets the database obtain the user information quickly. Building and storing the organization relationship map in the database, combined with views built on the base table, lets users with different permissions be shown different specific data, so that a user can access the data of their own department or organization and also the data of its subordinate organizations.
FIG. 3 is a program module diagram of the second embodiment of the data operation permission isolation program 200 of this application. In this embodiment the data operation permission isolation program 200 consists of a series of computer program instructions stored in the memory 11; when these instructions are executed by the processor 12 they carry out the data operation permission isolation operations of the embodiments of this application. In some embodiments the program 200 is divided into one or more modules according to the particular operations that the respective parts of its instructions implement. For example, as shown in FIG. 3, the data operation permission isolation program 200 may be divided into an acquisition module 201, a synchronization module 202, a view creation module 203, a display module 204 and an operation module 205. The program modules 201-204 are the same as in the first embodiment of the data operation permission isolation program 200 of this application, and an operation module 205 is added to them, where:
The operation module 205 is configured to determine, according to the operation attribute of the data view, whether to respond to the user's operation request.
In one embodiment, if the data view has the editable attribute, the operation module 205 responds to the user's request to perform an insert, delete or update operation on the base table through the data view.
In another embodiment, if the data view has the read-only attribute, the operation module 205 rejects the user's request to perform an insert, delete or update operation on the base table through the data view.
Through the program modules 201-205 described above, the data operation permission isolation program 200 proposed by this application first acquires the user information of the operating user currently logged in to the application system and saves it in the first context information of the application system; next synchronizes the first context information into the second context information of the currently connected database session; then creates a data view based on a data table; then displays specific data through the data view according to the second context information of the database session; and finally determines, according to the operation attribute of the data view, whether to respond to the user's operation request. Setting the application system's context information into the context information of the current database session lets the database obtain the user information quickly. Building and storing the organization relationship map in the database, combined with views built on the base table, lets users with different permissions be shown different specific data, so that a user can access the data of their own department or organization and also the data of its subordinate organizations. In addition, by reading the operation attribute of the data view, the user's operation requests are either responded to or rejected.
In addition, this application proposes a data operation permission isolation method.
FIG. 4 is a schematic flowchart of the first embodiment of the data operation permission isolation method of this application. In this embodiment the order of the steps in the flowchart of FIG. 4 may be changed, and some steps may be omitted, depending on requirements.
Step S401: acquire the user information of the operating user currently logged in to the application system and save the user information in the first context information of the application system.
In one embodiment the application system acquires the user's user information when the user logs in to the application system.
In a preferred embodiment the user information includes a user name and an operable organization. The operable organization is the department or organization to which the user currently belongs. In one embodiment a first user belongs to organization A, so the operable organization of the first user is A.
In another preferred embodiment the user information is saved in the first context information of the application system.
Step S402: synchronize the first context information into the second context information of the database session that is currently connected.
In this embodiment, when the application system connects to the database, the application system first obtains its own first context information. The first context information includes the user information of the user, that is, the user name and the operable organization.
The obtained first context information is then set into the second context information of the database within the current database session.
In a preferred embodiment the database is an Oracle database and the application system is a J2EE system.
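The following is an added example, not code from the patent, of how the synchronization of step S402 (and of synchronization module 202 above) is done on the Oracle database the preferred embodiment names: the application's first context information (user name and operable organization) is written into an Oracle application context, which is the database session's second context information. The namespace APP_SEC_CTX, the package APP_SEC_PKG and the attribute names USER_NAME and ORG_CODE are assumptions; the user name and organization are the first user and organization A from the description.

```sql
-- Added example (not from the patent). Assumed names: APP_SEC_CTX,
-- APP_SEC_PKG, USER_NAME, ORG_CODE. Requires CREATE ANY CONTEXT.

-- 1. A context namespace that only one trusted package may populate.
--    Oracle enforces that DBMS_SESSION.SET_CONTEXT for this namespace is
--    called from inside APP_SEC_PKG, so a client cannot set its own
--    organization code directly.
CREATE OR REPLACE CONTEXT app_sec_ctx USING app_sec_pkg;

CREATE OR REPLACE PACKAGE app_sec_pkg AS
  PROCEDURE set_user(p_user_name IN VARCHAR2, p_org_code IN VARCHAR2);
  PROCEDURE clear_user;
END app_sec_pkg;
/

CREATE OR REPLACE PACKAGE BODY app_sec_pkg AS
  PROCEDURE set_user(p_user_name IN VARCHAR2, p_org_code IN VARCHAR2) IS
  BEGIN
    -- Refuse empty values: an unset organization must never widen access.
    IF p_user_name IS NULL OR p_org_code IS NULL THEN
      RAISE_APPLICATION_ERROR(-20001, 'user name and org code are required');
    END IF;
    DBMS_SESSION.SET_CONTEXT('APP_SEC_CTX', 'USER_NAME', p_user_name);
    DBMS_SESSION.SET_CONTEXT('APP_SEC_CTX', 'ORG_CODE',  p_org_code);
  END set_user;

  PROCEDURE clear_user IS
  BEGIN
    -- Call before a pooled connection is returned, so the next borrower
    -- does not inherit this user's identity and organization.
    DBMS_SESSION.CLEAR_CONTEXT('APP_SEC_CTX');
  END clear_user;
END app_sec_pkg;
/

-- 2. What the application executes right after obtaining a connection for
--    the logged-in user (first user, operable organization A):
BEGIN
  app_sec_pkg.set_user('first_user', 'A');
END;
/

-- 3. From now on any statement in this session, including a view, can read
--    the second context information:
SELECT SYS_CONTEXT('APP_SEC_CTX', 'USER_NAME') AS user_name,
       SYS_CONTEXT('APP_SEC_CTX', 'ORG_CODE')  AS org_code
FROM   dual;
```

From a J2EE application the anonymous block in step 2 is issued through a CallableStatement on the connection that will run the user's queries; with a connection pool it has to be issued on every borrowed connection and undone with clear_user before the connection goes back, because an application context belongs to the database session, not to the application user.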
Step S403: create a data view based on a data table.
In a preferred embodiment the step of creating a data view based on a data table further includes:
obtaining the data table;
creating the data view with the data table as its base table and the organization name or organization code as the key condition; and
setting the operation attribute of the data view, which may be set to an editable attribute or a read-only attribute.
The content of the data table comprises the data records under each organization; these records may include customer records, salesperson records, policy records, attendance records and the like.
In this embodiment the data view may default to the editable attribute, meaning that insert, delete and update operations may be performed on the base table through the data view.
In a preferred embodiment the data view may be set to the read-only attribute, meaning that the data of the data table cannot be inserted, deleted or updated through the data view.
Step S404: display specific data through the data view according to the second context information of the database session.
In this embodiment the step in which the data view displays specific data according to the second context information of the database session specifically includes:
the data view obtaining the second context information of the database session;
obtaining from the database the organization relationship map, which stores the subordination relationships between the organizations;
extracting the operating user's operable organization from the second context information; specifically, the database obtains the organization name or organization number of the user's operable organization from the context information; and
the data view retrieving and displaying the corresponding data according to the operating user's operable organization and the organization relationship map.
Optionally, the organization relationship map may be built by the steps of:
obtaining the organization information of each organization, which includes the organization name, the organization number and the superior/subordinate relationships;
defining the organization relationship map according to the organization information; and
saving the organization information and the organization relationship map in the database.
In this embodiment the data view retrieves and displays the corresponding data according to the organization name or number of the user's operable organization and the organization relationship map. For example, if the operable organization of the first user is A, the superior organization of A is the head office, the subordinate organizations of A are organizations B and C, the head office also has a subordinate organization D, and B and C have no subordinate organizations, then the first specific data for the first user comprises the data records under organizations A, B and C, and excludes the records under D, which lies outside A's subtree.
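The following is an added example, not code from the patent, of steps S403 and S404 and the optional map-building steps (it also covers view creation module 203 and display module 204 above): the organization relationship map is stored as a table of organization code, name and parent code, and the data view filters the base table by walking that map downward from the operable organization held in the session context. The table names ORG_RELATION and POLICY_DATA, the view name V_POLICY_BY_ORG and the context APP_SEC_CTX/ORG_CODE are assumptions, and the rows are constructed from the head-office/A/B/C/D hierarchy of the description.

```sql
-- Added example (not from the patent). Assumed names: ORG_RELATION,
-- POLICY_DATA, V_POLICY_BY_ORG, context attribute APP_SEC_CTX/ORG_CODE
-- (set per session as in step S402). All rows are constructed test data.

-- Organization relationship map: HQ -> A, D ; A -> B, C ; B and C are leaves.
CREATE TABLE org_relation (
  org_code        VARCHAR2(16) PRIMARY KEY,
  org_name        VARCHAR2(64) NOT NULL,
  parent_org_code VARCHAR2(16) REFERENCES org_relation(org_code)
);
INSERT INTO org_relation VALUES ('HQ', 'Head office',    NULL);
INSERT INTO org_relation VALUES ('A',  'Organization A', 'HQ');
INSERT INTO org_relation VALUES ('B',  'Organization B', 'A');
INSERT INTO org_relation VALUES ('C',  'Organization C', 'A');
INSERT INTO org_relation VALUES ('D',  'Organization D', 'HQ');

-- Base table: every record carries the code of the organization it belongs to.
CREATE TABLE policy_data (
  policy_id   NUMBER       PRIMARY KEY,
  org_code    VARCHAR2(16) NOT NULL REFERENCES org_relation(org_code),
  holder_name VARCHAR2(64)
);
INSERT INTO policy_data VALUES (1, 'A', 'constructed holder, org A');
INSERT INTO policy_data VALUES (2, 'B', 'constructed holder, org B');
INSERT INTO policy_data VALUES (3, 'C', 'constructed holder, org C');
INSERT INTO policy_data VALUES (4, 'D', 'constructed holder, org D');
COMMIT;

-- The data view, keyed on organization code: it keeps only rows whose
-- organization is the session's operable organization or one of its
-- descendants. CONNECT BY walks the map from the context's ORG_CODE down.
CREATE OR REPLACE VIEW v_policy_by_org AS
  SELECT p.policy_id, p.org_code, p.holder_name
  FROM   policy_data p
  WHERE  p.org_code IN (
           SELECT r.org_code
           FROM   org_relation r
           START WITH r.org_code = SYS_CONTEXT('APP_SEC_CTX', 'ORG_CODE')
           CONNECT BY PRIOR r.org_code = r.parent_org_code
         );

-- With ORG_CODE = 'A' in the session context this returns policies 1, 2
-- and 3 (organizations A, B, C) and hides policy 4 (organization D).
-- With ORG_CODE unset, SYS_CONTEXT yields NULL, START WITH matches no row
-- and the view returns nothing: the fail-closed default.
SELECT policy_id, org_code, holder_name
FROM   v_policy_by_org
ORDER  BY policy_id;
```

The predicate reads the organization from SYS_CONTEXT rather than from a bind variable supplied by the query, so application code that builds the query cannot widen the result set by passing a different organization. One limitation worth knowing when the view is left editable: Oracle documents that WITH CHECK OPTION cannot guarantee its check when the view's query contains a subquery, as this one does, so a row inserted or updated through the view could be given an org_code outside the visible subtree; an editable view of this shape therefore needs the org_code of the new row checked by a base-table trigger or by the application before the request is accepted.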
Through steps S401-S404 described above, the data operation permission isolation method proposed by this application first acquires the user information of the operating user currently logged in to the application system and saves it in the first context information of the application system; next synchronizes the first context information into the second context information of the currently connected database session; then creates a data view based on a data table; and finally displays specific data through the data view according to the second context information of the database session. Setting the application system's context information into the context information of the current database session lets the database obtain the user information quickly. Building and storing the organization relationship map in the database, combined with views built on the base table, lets users with different permissions be shown different specific data, so that a user can access the data of their own department or organization and also the data of its subordinate organizations.
FIG. 5 is a schematic flowchart of the second embodiment of the data operation permission isolation method of this application. In this embodiment the order of the steps in the flowchart of FIG. 5 may be changed, and some steps may be omitted, depending on requirements.
Step S501: acquire the user information of the operating user currently logged in to the application system and save the user information in the first context information of the application system.
Step S502: synchronize the first context information into the second context information of the database session that is currently connected.
Step S503: create a data view based on a data table.
Step S504: display specific data through the data view according to the second context information of the database session.
Step S505: determine, according to the operation attribute of the data view, whether to respond to the user's operation request.
In one embodiment, if the data view has the editable attribute, the application server (operation module 205) responds to the user's request to perform an insert, delete or update operation on the base table through the data view.
In another embodiment, if the data view has the read-only attribute, the application server (operation module 205) rejects the user's request to perform an insert, delete or update operation on the base table through the data view.
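The following is an added example, not code from the patent, of the operation attribute of step S505 (and of operation module 205 above) expressed with Oracle's own read-only view flag: a read-only twin of the data view is created WITH READ ONLY, and a procedure playing the role of the operation module reads the attribute from the data dictionary before deciding whether to run the caller's update. It assumes an editable data view named V_POLICY_BY_ORG with columns policy_id and holder_name already exists in the current schema (as created in step S403); the names V_POLICY_BY_ORG_RO and rename_holder_through_view are assumptions.

```sql
-- Added example (not from the patent). Assumes the editable view
-- V_POLICY_BY_ORG (policy_id, org_code, holder_name) exists in this schema.
-- Assumed names: V_POLICY_BY_ORG_RO, rename_holder_through_view.

-- Read-only variant of the data view: same rows, same context-based filter,
-- but the database itself refuses any DML through it (ORA-42399).
CREATE OR REPLACE VIEW v_policy_by_org_ro AS
  SELECT policy_id, org_code, holder_name
  FROM   v_policy_by_org
  WITH READ ONLY;

-- Operation module: decide from the view's operation attribute whether to
-- respond to the request. The attribute is taken from the data dictionary
-- (USER_VIEWS.READ_ONLY is 'Y' for views created WITH READ ONLY), not from
-- anything the client sends, so a request cannot claim a view is editable.
CREATE OR REPLACE PROCEDURE rename_holder_through_view(
  p_view_name   IN VARCHAR2,
  p_policy_id   IN NUMBER,
  p_holder_name IN VARCHAR2)
IS
  v_view      VARCHAR2(128);
  v_read_only user_views.read_only%TYPE;
BEGIN
  -- Validate the identifier before it is spliced into dynamic SQL;
  -- DBMS_ASSERT raises ORA-44002 for anything that is not an existing object.
  v_view := DBMS_ASSERT.SQL_OBJECT_NAME(p_view_name);

  SELECT read_only INTO v_read_only
  FROM   user_views
  WHERE  view_name = UPPER(v_view);

  IF v_read_only = 'Y' THEN
    -- Read-only attribute: reject the insert/delete/update request.
    RAISE_APPLICATION_ERROR(-20002,
      'view ' || v_view || ' is read-only; operation request rejected');
  END IF;

  -- Editable attribute: respond. Only the validated view name is spliced;
  -- the values travel as bind variables, never as text.
  EXECUTE IMMEDIATE
    'UPDATE ' || v_view || ' SET holder_name = :1 WHERE policy_id = :2'
    USING p_holder_name, p_policy_id;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20003,
      p_view_name || ' is not a view in this schema');
END rename_holder_through_view;
/

-- Editable view: the update reaches the base table (for a row the session's
-- organization can see; rows outside it are simply not matched).
BEGIN
  rename_holder_through_view('V_POLICY_BY_ORG', 1, 'renamed holder');
END;
/

-- Read-only view: rejected by the operation module with ORA-20002. If the
-- procedure were bypassed and the UPDATE issued directly against
-- V_POLICY_BY_ORG_RO, Oracle would still refuse it with ORA-42399.
BEGIN
  rename_holder_through_view('V_POLICY_BY_ORG_RO', 1, 'should not apply');
END;
/
```

Because the filter of the underlying view is driven by the session context, an update through the editable view only matches rows inside the operable organization's subtree: a user of organization A cannot rename policy 4 of organization D, since the WHERE clause of the view never returns it. USER_VIEWS only lists views owned by the connected schema; for views owned by another schema the check would read ALL_VIEWS with an OWNER predicate instead.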
Through steps S501-S505 described above, the data operation permission isolation method proposed by this application first acquires the user information of the operating user currently logged in to the application system and saves it in the first context information of the application system; next synchronizes the first context information into the second context information of the currently connected database session; then creates a data view based on a data table; then displays specific data through the data view according to the second context information of the database session; and finally determines, according to the operation attribute of the data view, whether to respond to the user's operation request. Setting the application system's context information into the context information of the current database session lets the database obtain the user information quickly. Building and storing the organization relationship map in the database, combined with views built on the base table, lets users with different permissions be shown different specific data, so that a user can access the data of their own department or organization and also the data of its subordinate organizations. In addition, by reading the operation attribute of the data view, the user's operation requests are either responded to or rejected.
The following is a concrete walk-through in which a first user logs in to the application system and accesses data in the database:
(1) When the first user logs in to the application system, the user information of the first user is acquired and saved in the first context information of the application system. The organization to which the first user belongs is A, so the operable organization of the first user is A. The first user's operable-organization information is saved in the first context information of the application system.
(2) When the application system connects to the database, the application system first obtains its own first context information. At this point the first context information includes the user information of the first user, that is, the first user's user name and the operable organization A. The obtained first context information is set into the second context information of the database within the current database session. The second context information therefore contains the user information of the first user, namely the first user's user name and the operable organization A.
(3) The data view is created with the data table as its base table and the organization name or organization code as the key condition, and the operation attribute of the data view is set, either to the editable attribute or to the read-only attribute. The content of the data table comprises the data records under each organization; these records may include customer records, salesperson records, policy records, attendance records and the like. In this embodiment the data view may default to the editable attribute, meaning that insert, delete and update operations may be performed on the base table through the data view. The data view may also be set to the read-only attribute, meaning that the data of the data table cannot be inserted, deleted or updated through the data view.
(4) The second context information of the database session is obtained and the first user's operable organization A is extracted from it. The organization relationship map of the database, which stores the subordination relationships between the organizations, is obtained. The data view then retrieves and displays the corresponding data according to the operating user's operable organization and the organization relationship map.
The numbering of the embodiments of this application above is for description only and does not indicate that any embodiment is better or worse than another.
From the description of the embodiments above, those skilled in the art will appreciate that the methods of the embodiments may be implemented by software on a necessary general-purpose hardware platform, and may of course also be implemented in hardware, although in many cases the former is the better implementation. On that understanding, the technical solution of this application, in essence or in the part that contributes over the prior art, may be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) that includes instructions causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to perform the methods described in the embodiments of this application.
The above are merely preferred embodiments of this application and do not limit its patent scope; any equivalent structure or equivalent process transformation made using the contents of this specification and the drawings, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of this application.

Claims (20)

  1. 一种数据操作权限隔离方法,应用于应用服务器,其特征在于,所述方法包括:A data operation authority isolation method is applied to an application server, and the method includes:
    获取当前登入应用系统的操作用户的用户信息,将所述用户信息保存至所述应用系统的第一上下文信息中;Obtaining user information of an operation user currently logged into the application system, and saving the user information to the first context information of the application system;
    将所述第一上下文信息同步至当前连接到数据库会话的第二上下文信息中;Synchronizing the first context information into second context information currently connected to the database session;
    基于数据表创建数据视图;及Create a data view based on a data table; and
    根据所述数据库会话的第二上下文信息,透过所述数据视图显示特定数据。Displaying specific data through the data view according to the second context information of the database session.
  2. 如权利要求1所述的数据操作权限隔离方法,其特征在于,所述基于数据表创建数据视图的步骤还包括:The data operation authority isolation method according to claim 1, wherein the step of creating a data view based on the data table further comprises:
    获取所述数据表;Obtaining the data table;
    以所述数据表为基表,以机构名称/机构编码为关键字条件对所述数据表进行所述数据视图的创建;Using the data table as a base table, the data table is created by using the organization name/institutional code as a keyword condition;
    设置所述数据视图的操作属性,所述操作属性可设置为可编辑属性或只读属性;Setting an operation attribute of the data view, the operation attribute may be set as an editable attribute or a read-only attribute;
    所述数据表内的数据内容包括所述各个机构下的数据资料,所述数据资料可以包括客户资料、业务员资料、保单资料及考勤资料等。The data content in the data table includes data materials under the respective organizations, and the data materials may include customer data, salesperson data, policy information, and attendance data.
  3. The data operation permission isolation method according to claim 1, wherein the step of the data view displaying specific data according to the second context information of the database session further comprises:
    the data view acquiring the second context information of the database session;
    acquiring an institution relationship graph from the database, the institution relationship graph being used to store the subordination relationships among the institutions;
    extracting, from the second context information, the institutions operable by the operating user;
    the data view retrieving and displaying the corresponding data in the data view according to the institutions operable by the operating user and the institution relationship graph.
  4. The data operation permission isolation method according to claim 2, wherein the step of the data view displaying specific data according to the second context information of the database session further comprises:
    the data view acquiring the second context information of the database session;
    acquiring an institution relationship graph from the database, the institution relationship graph being used to store the subordination relationships among the institutions;
    extracting, from the second context information, the institutions operable by the operating user;
    the data view retrieving and displaying the corresponding data in the data view according to the institutions operable by the operating user and the institution relationship graph.
  5. The data operation permission isolation method according to claim 3, wherein the method of establishing the organizational structure chart may comprise the steps of:
    acquiring institution information of each institution, the institution information comprising the institution name, the institution number and the superior/subordinate relationships;
    defining the institution relationship graph according to the institution information;
    storing the institution information and the institution relationship graph in the database.
  6. The data operation permission isolation method according to claim 2, wherein the method further comprises:
    determining, according to an operation attribute of the data view, whether to respond to an operation request from the user;
    if the data view has the editable attribute, responding to the user's request to perform insert, delete and update operations on the base table through the data view;
    if the data view has the read-only attribute, rejecting the user's request to perform insert, delete and update operations on the base table through the data view.
  7. The data operation permission isolation method according to claim 4, wherein the method further comprises:
    determining, according to an operation attribute of the data view, whether to respond to an operation request from the user;
    if the data view has the editable attribute, responding to the user's request to perform insert, delete and update operations on the base table through the data view;
    if the data view has the read-only attribute, rejecting the user's request to perform insert, delete and update operations on the base table through the data view.
  8. An application server, characterized in that the application server comprises a memory and a processor, the memory storing a data operation permission isolation program executable on the processor, and the data operation permission isolation program, when executed by the processor, implementing the following steps:
    acquiring user information of the operating user currently logged into an application system, and saving the user information into first context information of the application system;
    synchronizing the first context information into second context information of the currently connected database session;
    creating a data view based on a data table; and
    displaying specific data through the data view according to the second context information of the database session.
  9. The application server according to claim 8, wherein, in the step of creating a data view based on a data table, the data operation permission isolation program, when executed by the processor, further implements the following steps:
    acquiring the data table;
    creating the data view on the data table, with the data table as the base table and the institution name/institution code as the key condition;
    setting an operation attribute of the data view, the operation attribute being settable to an editable attribute or a read-only attribute;
    the data content in the data table comprising the data records under each institution, and the data records may comprise customer records, salesperson records, policy records, attendance records and the like.
  10. The application server according to claim 8, wherein the step of the data view displaying specific data according to the second context information of the database session specifically comprises:
    the data view acquiring the second context information of the database session;
    acquiring an institution relationship graph from the database, the institution relationship graph being used to store the subordination relationships among the institutions;
    extracting, from the second context information, the institutions operable by the operating user;
    the data view retrieving and displaying the corresponding data in the data view according to the institutions operable by the operating user and the institution relationship graph.
  11. The application server according to claim 9, wherein the step of the data view displaying specific data according to the second context information of the database session specifically comprises:
    the data view acquiring the second context information of the database session;
    acquiring an institution relationship graph from the database, the institution relationship graph being used to store the subordination relationships among the institutions;
    extracting, from the second context information, the institutions operable by the operating user;
    the data view retrieving and displaying the corresponding data in the data view according to the institutions operable by the operating user and the institution relationship graph.
  12. The application server according to claim 10, wherein the step of establishing the organizational structure chart specifically comprises:
    acquiring institution information of each institution, the institution information comprising the institution name, the institution number and the superior/subordinate relationships;
    defining the institution relationship graph according to the institution information;
    storing the institution information and the institution relationship graph in the database.
  13. The application server according to claim 9, wherein the data operation permission isolation program, when executed by the processor, further implements the steps of:
    determining, according to an operation attribute of the data view, whether to respond to an operation request from the user;
    if the data view has the editable attribute, responding to the user's request to perform insert, delete and update operations on the base table through the data view;
    if the data view has the read-only attribute, rejecting the user's request to perform insert, delete and update operations on the base table through the data view.
  14. The application server according to claim 11, wherein the data operation permission isolation program, when executed by the processor, further implements the steps of:
    determining, according to an operation attribute of the data view, whether to respond to an operation request from the user;
    if the data view has the editable attribute, responding to the user's request to perform insert, delete and update operations on the base table through the data view;
    if the data view has the read-only attribute, rejecting the user's request to perform insert, delete and update operations on the base table through the data view.
  15. A computer readable storage medium storing a data operation permission isolation program, the data operation permission isolation program being executable by at least one processor to cause the at least one processor to implement the following steps:
    acquiring user information of the operating user currently logged into an application system, and saving the user information into first context information of the application system;
    synchronizing the first context information into second context information of the currently connected database session;
    creating a data view based on a data table; and
    displaying specific data through the data view according to the second context information of the database session.
  16. The computer readable storage medium according to claim 15, wherein the step of creating a data view based on a data table further comprises:
    acquiring the data table;
    creating the data view on the data table, with the data table as the base table and the institution name/institution code as the key condition;
    setting an operation attribute of the data view, the operation attribute being settable to an editable attribute or a read-only attribute;
    the data content in the data table comprising the data records under each institution, and the data records may comprise customer records, salesperson records, policy records, attendance records and the like.
  17. The computer readable storage medium according to claim 15, wherein the step of the data view displaying specific data according to the second context information of the database session further comprises:
    the data view acquiring the second context information of the database session;
    acquiring an institution relationship graph from the database, the institution relationship graph being used to store the subordination relationships among the institutions;
    extracting, from the second context information, the institutions operable by the operating user;
    the data view retrieving and displaying the corresponding data in the data view according to the institutions operable by the operating user and the institution relationship graph.
  18. The computer readable storage medium according to claim 16, wherein the step of the data view displaying specific data according to the second context information of the database session further comprises:
    the data view acquiring the second context information of the database session;
    acquiring an institution relationship graph from the database, the institution relationship graph being used to store the subordination relationships among the institutions;
    extracting, from the second context information, the institutions operable by the operating user;
    the data view retrieving and displaying the corresponding data in the data view according to the institutions operable by the operating user and the institution relationship graph.
  19. The computer readable storage medium according to claim 17, wherein the method of establishing the organizational structure chart may comprise the steps of:
    acquiring institution information of each institution, the institution information comprising the institution name, the institution number and the superior/subordinate relationships;
    defining the institution relationship graph according to the institution information;
    storing the institution information and the institution relationship graph in the database.
  20. The computer readable storage medium according to claim 16, wherein the data operation permission isolation program, when executed by the processor, further implements the steps of:
    determining, according to an operation attribute of the data view, whether to respond to an operation request from the user;
    if the data view has the editable attribute, responding to the user's request to perform insert, delete and update operations on the base table through the data view;
    if the data view has the read-only attribute, rejecting the user's request to perform insert, delete and update operations on the base table through the data view.
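The scheme the claims describe (login context copied into the database session, a data view on the base table that filters rows by the operator's institutions through the institution relationship graph, and an editable or read-only view attribute), as an added example that is not part of the patent or of any product of the applicant. It emulates the design in SQLite, which has no session variables, so a per-connection TEMP table stands in for the second context information; the table names, column names and sample data are constructed.

```python
import os, sqlite3, tempfile

# Constructed sample data (not from the patent): institution tree HQ -> {SZ -> SZ01, BJ}
# and a base table of policy records owned by those institutions.
ORGS = [("HQ", "Headquarters", None), ("SZ", "Shenzhen branch", "HQ"),
        ("SZ01", "Shenzhen sub-branch", "SZ"), ("BJ", "Beijing branch", "HQ")]
POLICIES = [(1, "SZ01", "Alice"), (2, "SZ", "Bob"), (3, "BJ", "Carol"), (4, "HQ", "Dan")]

def build_database(path):
    """Base table, institution table and institution relationship graph (transitive
    closure of superior/subordinate links), all stored in the database."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    conn.executescript("""
    CREATE TABLE org(code TEXT PRIMARY KEY, name TEXT, parent_code TEXT);
    CREATE TABLE policy(id INTEGER PRIMARY KEY, org_code TEXT, holder TEXT);
    CREATE VIEW org_closure AS
      WITH RECURSIVE tree(ancestor, descendant) AS (
        SELECT code, code FROM org
        UNION ALL
        SELECT t.ancestor, o.code FROM tree t JOIN org o ON o.parent_code = t.descendant)
      SELECT ancestor, descendant FROM tree;""")
    conn.executemany("INSERT INTO org VALUES (?,?,?)", ORGS)
    conn.executemany("INSERT INTO policy VALUES (?,?,?)", POLICIES)
    conn.close()

def open_session(path, user_id, org_code, editable=False):
    """Login: copy the operator's institution (first context) into the database session
    (second context, here a TEMP table private to this connection) and create the view."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript("""
    CREATE TEMP TABLE session_ctx(user_id TEXT, org_code TEXT);
    -- data view: rows whose institution is the operator's or one of its subordinates
    CREATE TEMP VIEW v_policy AS
      SELECT p.id, p.org_code, p.holder FROM policy p
      JOIN org_closure c ON c.descendant = p.org_code
      JOIN session_ctx s ON s.org_code = c.ancestor;""")
    if editable:  # editable attribute: forward writes to the base table; the UPDATE
        # only reaches rows the view exposes, so out-of-scope rows are never touched
        conn.execute("""CREATE TEMP TRIGGER v_policy_upd INSTEAD OF UPDATE OF holder
            ON v_policy BEGIN UPDATE policy SET holder = NEW.holder WHERE id = OLD.id; END""")
    conn.execute("INSERT INTO session_ctx VALUES (?,?)", (user_id, org_code))
    return conn

def visible_policy_ids(conn):
    return [r[0] for r in conn.execute("SELECT id FROM v_policy ORDER BY id")]

def update_holder(conn, policy_id, holder):
    """True if accepted through the view; False if the read-only view rejected it
    (SQLite refuses writes to a view that has no INSTEAD OF trigger)."""
    try:
        conn.execute("UPDATE v_policy SET holder=? WHERE id=?", (holder, policy_id))
        return True
    except sqlite3.OperationalError:
        return False

def run_scenario():
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    build_database(path)
    sz = open_session(path, "u_sz", "SZ")                 # read-only view
    bj = open_session(path, "u_bj", "BJ", editable=True)  # editable view
    out = {"sz_sees": visible_policy_ids(sz), "bj_sees": visible_policy_ids(bj),
           "sz_write": update_holder(sz, 2, "Eve"),          # rejected: read-only
           "bj_write_own": update_holder(bj, 3, "Frank"),    # accepted, row changed
           "bj_write_other": update_holder(bj, 1, "Zoe")}    # accepted, nothing changes
    out["holders"] = [r[0] for r in bj.execute("SELECT holder FROM policy ORDER BY id")]
    sz.close(); bj.close()
    return out
```

The final query reads the base table directly (an audit check outside the view) to confirm that only the Beijing row changed.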
PCT/CN2018/076143 (WO2019075966A1), priority date 2017-10-16, filing date 2018-02-10: Data operation permission isolation method, application server and computer readable storage medium

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201710962907.XA (CN107844711B) | 2017-10-16 | 2017-10-16 | Data manipulation permission partition method, application server and computer readable storage medium
CN201710962907.X | 2017-10-16 | |

Publications (1)

Publication Number | Publication Date
WO2019075966A1 | 2019-04-25

Family

ID=61662237

Country Status (2)

Country | Link
CN (1) | CN107844711B (en)
WO (1) | WO2019075966A1 (en)

Also Published As

Publication number Publication date
CN107844711A (en) 2018-03-27
CN107844711B (en) 2019-06-07

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18867747; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 23/09/2020)
122 | Ep: pct application non-entry in european phase | Ref document number: 18867747; Country of ref document: EP; Kind code of ref document: A1