WO2021208758A1 - Data permissions management - Google Patents

Data permissions management

Info

Publication number
WO2021208758A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
column
user
perform
authority
Application number
PCT/CN2021/085189
Inventor
刘洋
周家英
刘恒
Original Assignee
支付宝(杭州)信息技术有限公司
Application filed by 支付宝(杭州)信息技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • This specification relates to the field of data security technology, and in particular to a data authority management method and device.
  • One method is to divide the behavior of subjects accessing objects into different levels, such as List, Read, Write, and Permissions management.
  • This method only describes the behavior and does not affect the control of data security.
  • Another method is to control the subject's access to data by adjusting the subject's security level.
  • The disadvantage of this approach is also obvious: if the subject only needs to access one column in the table whose security level is higher than its own, then after the subject's security level is raised, other columns that the subject previously could not access may also become accessible, resulting in over-authorization.
  • One or more embodiments of this specification provide a data authority management method, including: receiving a data operation request sent by a user, the data operation request being used to request that a first operation be performed on the first column of data in the target data set.
  • The target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • Based on the data operation request, data operation authority information corresponding to the user and/or the security level of the first column of data is obtained.
  • According to the data operation authority information and/or the security level, the authority of the user to perform the first operation on the first column of data is authenticated, and an authentication result is obtained. According to the authentication result, it is determined whether the user is allowed to perform the first operation on the first column of data.
  • A data authority management device, including: a receiving module, which receives a data operation request sent by a user, the data operation request being used to request that a first operation be performed on the first column of data in the target data set; the target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • The obtaining module obtains, based on the data operation request, the data operation authority information corresponding to the user and/or the security level of the first column of data.
  • The authentication module authenticates, according to the data operation authority information and/or the security level, the user's authority to perform the first operation on the first column of data, and obtains an authentication result.
  • The determining module determines, according to the authentication result, whether to allow the user to perform the first operation on the first column of data.
  • One or more embodiments of the present specification provide a data rights management device, including a processor and a memory arranged to store computer-executable instructions.
  • The processor receives a data operation request sent by a user; the data operation request is used to request that a first operation be performed on the first column of data in the target data set; the target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • Based on the data operation request, the processor obtains data operation authority information corresponding to the user and/or the security level of the first column of data.
  • According to the data operation authority information and/or the security level, the authority of the user to perform the first operation on the first column of data is authenticated, and an authentication result is obtained. According to the authentication result, it is determined whether the user is allowed to perform the first operation on the first column of data.
  • One or more embodiments of this specification provide a storage medium for storing computer-executable instructions that, when executed, implement the following process: receiving a data operation request sent by a user, the data operation request being used to request that a first operation be performed on the first column of data in the target data set.
  • The target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • Based on the data operation request, data operation authority information corresponding to the user and/or the security level of the first column of data is obtained.
  • According to the data operation authority information and/or the security level, the authority of the user to perform the first operation on the first column of data is authenticated, and an authentication result is obtained. According to the authentication result, it is determined whether the user is allowed to perform the first operation on the first column of data.
  • Fig. 1 is a schematic flowchart of a data authority management method according to an embodiment of the present specification.
  • Fig. 2 is a schematic flowchart of a data authority management method according to another embodiment of the present specification.
  • Fig. 3 is a schematic flowchart of a data authority management method according to still another embodiment of the present specification.
  • Fig. 4 is a schematic flowchart of a data authority management method according to still another embodiment of this specification.
  • Fig. 5 is a schematic block diagram of a data authority management device according to an embodiment of the present specification.
  • Fig. 6 is a schematic block diagram of a data rights management device according to an embodiment of the present specification.
  • One or more embodiments of this specification provide a data authority management method and device to solve the problem of inaccurate data security management and control in the prior art.
  • Fig. 1 is a schematic flowchart of a data authority management method according to an embodiment of the present specification. As shown in Fig. 1, the method includes:
  • S102 Receive a data operation request sent by a user.
  • the data operation request is used to request a first operation to be performed on the first column of data in the target data set.
  • the target data set includes multiple column data, and each column data corresponds to its own security level.
  • the "first" in the first column of data does not have the meaning of a sequence number, and it is only used to indicate the column data targeted by the data operation request. Therefore, the first column of data can be any column of data in the target data set.
  • the target data set may be a data table including multiple columns of data.
  • the security level is a way to classify the column data according to the degree of data confidentiality of the column data.
  • S104 Based on the data operation request, obtain data operation authority information corresponding to the user and/or the security level of the first column of data.
  • the data operation authority information includes first authority information corresponding to various operations that the user is authorized to perform on the target data set and/or second authority information corresponding to various operations that the user is authorized to perform on the first column of data.
  • The various operations include, for example, query operations, read operations, update operations and delete operations.
  • The data operation authority information may include the first authority information corresponding to the various operations that the user has the right to perform on the data table, and may also include the second authority information corresponding to the various operations that the user is authorized to perform on the first column of data (which can be any column of data).
  • the first permission information should contain the permission information corresponding to the read operation. Suppose the user has the right to access the first column of data in the data table (which can be any column of data); then the second authority information should include the authority information corresponding to the query operation.
  • S106 According to the data operation authority information and/or the security level, authenticate the user's authority to perform the first operation on the first column of data, and obtain an authentication result.
  • S108 Determine whether the user is allowed to perform the first operation on the first column of data according to the authentication result.
  • If the authentication result is that the user has the right, the user is allowed to perform the first operation on the first column of data; if the authentication result is that the user has no right, the user is refused permission to perform the first operation on the first column of data.
  • The data operation authority information corresponding to the user and/or the security level of the first column of data is obtained, the user is authenticated based on the acquired data operation authority information and/or the security level of the first column of data, and then it is determined whether the user is allowed to perform the first operation on the first column of data according to the authentication result.
  • the data authority and the security level of the column data are combined to manage the data comprehensively, thereby improving the accuracy of user authentication.
  • the data management and control solution does not need to adjust the data security level, thereby avoiding over-authorization problems caused by adjusting the data security level, and ensuring data security management and control effects to a greater extent.
  • the following describes in detail how to authenticate the user's authority to perform the first operation on the first column of data according to the user's corresponding data operation authority information and/or the security level of the first column of data.
  • It is judged whether the second authority information contains the authority information corresponding to the first operation; if yes, it is determined that the user has the authority to perform the first operation on the first column of data; if not, the user's authority to perform the first operation on the first column of data is further authenticated according to the first authority information corresponding to the various operations that the user is authorized to perform on the data table and/or the security level of the first column of data.
  • Authenticating the user's permission to perform the first operation on the first column of data may include: judging whether the first permission information contains the permission information corresponding to the first operation; if so, comparing the security level of the user with the security level of the first column of data, and authenticating the user's permission to perform the first operation on the first column of data based on the comparison result; if not, determining that the user does not have the permission to perform the first operation on the first column of data.
  • The user's authority to perform the first operation on the first column of data is authenticated according to the comparison result as follows: if the comparison result is that the user's security level is lower than the security level of the first column of data, it is determined that the user does not have the permission to perform the first operation on the first column of data; if the comparison result is that the user's security level is not lower than the security level of the first column of data, it is determined that the user has the permission to perform the first operation on the first column of data.
  • The user's authority information on the first column of data is queried preferentially, so that authority management and security levels are combined. This not only controls the operation authority of column data accurately (that is, the data operation authority is controlled at the column level), but also ensures that the authority control of one column of data does not affect the authority control of other column data, so it improves the data security control effect and avoids over-authorization.
  • If the user needs to perform an operation on a certain column of data in the target data set, the user can submit a permission application for performing the operation on that column of data in advance, and initiate a data operation request for the column of data after the permission application succeeds.
  • The following takes the first column of data (which can be any column of data) in the target data set as an example to illustrate how to authorize the user to operate on the first column of data in advance.
  • The first review result of reviewing the first permission application is determined; if the first review result is approved, the permission information corresponding to the first operation is recorded in the first permission information.
  • Fig. 2 is a schematic flowchart of a data authority management method according to another embodiment of the present specification. As shown in Fig. 2, the method includes:
  • S201 Receive a first permission application sent by a user to perform a first operation on a target data set.
  • S202 Determine a first review result of reviewing the first permission application.
  • a user with a certain authority such as a data authority manager
  • the target data set is the user information table shown in Table 1, and the user information table includes multiple column data and the security level corresponding to each column data.
  • the user needs to perform the first operation (such as a query operation) on the first column (such as the id column or the nickname column) in the user information table 1 whose security level is not higher than that of the user information table
  • a table permission entry for the user to perform the first operation on the user information table 1 is recorded in the first permission information, that is, the permission information corresponding to the first operation is added.
  • The second review result of reviewing the second permission application is determined; if the second review result is approved, the permission information corresponding to the first operation is recorded in the second permission information.
  • Fig. 3 is a schematic flowchart of a data authority management method according to another embodiment of the present specification. As shown in Fig. 3, the method includes:
  • S301 Receive a second permission application sent by a user to perform a first operation on the first column of data in the target data set.
  • S302 Determine a second review result of reviewing the second permission application.
  • a user with a certain authority such as a data authority manager
  • data authority management includes the following steps:
  • S401 Receive a data operation request sent by a user for requesting to perform a first operation on a first column of data in a target data set, where the target data set includes multiple column data, and each column data corresponds to its own security level.
  • the first operation is a query operation, a read operation, an update operation, a delete operation, and so on.
  • the first column of data can be any column of data in the target data set.
  • the target data set may be a data table including multiple columns of data.
  • the security level is a way to classify the column data according to the degree of data confidentiality of the column data.
  • the security level of column data can be pre-set by authorized designated personnel (such as data management personnel).
  • the first operation is one of various operations.
  • S403 Determine whether the second authority information includes authority information corresponding to the first operation. If yes, execute S409; if not, execute S404.
  • S404 Acquire first permission information corresponding to various operations that the user has the right to perform on the target data set.
  • S405 Determine whether the first permission information includes permission information corresponding to the first operation. If yes, execute S406; if not, execute S408.
  • S406 Determine the security level of the user and the security level of the first column of data.
  • S407 Determine whether the security level of the user is lower than the security level of the first column of data. If yes, execute S408; if not, execute S409.
  • S408 Determine that the user does not have the authority to perform the first operation on the first column of data, and refuse the user to perform the first operation on the first column of data.
  • S409 Determine that the user has the authority to perform the first operation on the first column of data, and allow the user to perform the first operation on the first column of data.
  • The user's authority information for the first column of data is queried first, and if no authority information for the first column of data is found, the user is authenticated according to the table authority information and the security level, thus combining permission management and the security level. This not only controls the operation permissions of column data accurately (that is, data operation authority is controlled at the column level), but also ensures that the authority control of one column of data does not affect the authority control of other column data, so it improves the effect of data security control and avoids over-authorization.
  • Zhang San wants to access the column of user information table 1 whose security level is not higher than his own. For example, Zhang San needs to perform a query on the id column or the nickname column. Since the security level of the id column or nickname column is not higher than that of Zhang San, Zhang San can apply in advance for the table permission to perform query operations on the user information table 1.
  • the first permission information (that is, used to record Zhang San 3.
  • Second permission information corresponding to Zhang San (the permission information recording the various operations Zhang San has the right to perform on the id column), and determine whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San only applied in advance for the table permission to perform query operations on the user information table 1, and did not apply for the column permission to perform query operations on the id column, the second permission information does not include (that is, the lookup does not find) the permission item corresponding to the query operation. Now proceed to the next step.
  • the first permission information contains the permission item corresponding to the query operation, that is, it is judged whether the permission item for Zhang San to perform the query operation on the user information table 1 is recorded in the first permission information. Since Zhang San has previously applied for the table permission to perform the query operation on the user information table 1, the first permission information contains the permission item corresponding to the query operation. Now proceed to the next step, namely security level check.
  • Determine the security levels of Zhang San and of the id column in user information table 1, and determine whether the security level of Zhang San is lower than the security level of the id column. Since Zhang San's security level and the security level of the id column are both 0, Zhang San's security level is not lower than the security level of the id column, so Zhang San has the right to perform query operations on the id column. At this time, an authentication success message is returned, and Zhang San is allowed to perform query operations on the id column.
  • If Zhang San initiates a data operation request to perform a query operation on the nickname column, then since the security level of the nickname column and the security level of the id column are the same (both are 0), the authentication process is the same as for the id column and is not repeated.
  • Zhang San initiates a data operation request to perform a query operation on column data in the user information table 1 whose security level is higher than his own (such as the name column); the authentication process is as follows:
  • the first permission information contains the permission item corresponding to the query operation, that is, it is judged whether the permission item for Zhang San to perform the query operation on the user information table 1 is recorded in the first permission information. Since Zhang San has previously applied for the table permission to perform the query operation on the user information table 1, the first permission information contains the permission item corresponding to the query operation. At this time, proceed to the next step, namely security level check.
  • Determine the security levels of Zhang San and of the name column in user information table 1, and determine whether the security level of Zhang San is lower than the security level of the name column. Since Zhang San's security level is 0 and the name column's security level is 2, Zhang San's security level is lower than the name column's security level, so Zhang San has no right to perform query operations on the name column. At this time, authentication failure information is returned, and Zhang San is refused permission to perform the query operation on the name column.
  • If Zhang San initiates a data operation request to perform a query operation on other column data whose security level is higher than his own (such as the mobile column, birthday column or credit_card column), the authentication process is the same as for the name column and is not repeated.
  • Zhang San wants to access a column of user information table 1 whose security level is higher than his own. For example, Zhang San needs to perform a query operation on the name column. Since the security level of the name column is higher than that of Zhang San, Zhang San can apply in advance for the column permission to perform query operations on the name column. After the application is approved, a permission item for Zhang San's query permission on the name column is added to the second permission information (the permission information recording the various operations Zhang San has the right to perform on the name column).
  • the second permission information contains the permission item corresponding to the query operation. Since Zhang San has previously applied for the column permission to perform the query operation on the name column, the second permission information contains the permission item corresponding to the query operation. At this time, the authentication success message is returned, and Zhang San is allowed to perform query operations on the name column.
  • Zhang San initiates a data operation request to perform a query operation on the mobile column; the authentication process is as follows:
  • Obtain the first permission information corresponding to Zhang San (that is, the permission information recording Zhang San's right to perform various operations on the user information table 1) and the second permission information (the permission information recording the various operations Zhang San has the right to perform on the mobile column), and determine whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San only applied in advance for the column permission to perform query operations on the name column, but did not apply for the column permission to perform query operations on the mobile column, the second permission information does not include (that is, the lookup does not find) the permission item corresponding to the query operation. Now proceed to the next step.
  • the first permission information contains the permission item corresponding to the query operation, that is, it is judged whether the permission item for Zhang San to perform the query operation on the user information table 1 is recorded in the first permission information. If it does not, it means that Zhang San has no right to perform the query operation on the mobile column of the user information table 1. At this time, the authentication failure information is returned, and Zhang San is refused to perform the query operation on the mobile column. If it does, proceed to the next step, which is the security level check.
  • Determine the security levels of Zhang San and of the mobile column in user information table 1, and determine whether the security level of Zhang San is lower than the security level of the mobile column. Since Zhang San's security level is lower than that of the mobile column, Zhang San has no right to perform query operations on the mobile column. At this time, authentication failure information is returned, and Zhang San is refused permission to perform the query operation on the mobile column.
  • If Zhang San initiates a data operation request to perform a query operation on the birthday column or the credit_card column, then since the security level of the birthday column or the credit_card column is higher than the security level of Zhang San, the authentication process is the same as that of the mobile column and is not described in detail again.
  • Zhang San cannot perform operations on column data in the user information table 1 with a higher security level than his own. If Zhang San wants to perform a certain operation on column data with a higher security level than his own, he needs to apply in advance for permission to perform that type of operation on the column. It can be seen that this method of combining authority management and security levels to authenticate users comprehensively not only controls data security accurately, but also ensures that authorization for one column of data does not affect the authority control of other columns, thereby avoiding over-authorization and ensuring the effectiveness of data security management and control.
  • Fig. 5 is a schematic block diagram of a data authority management device according to an embodiment of the present specification. As shown in Fig. 5, the device includes:
  • the receiving module 510 receives a data operation request sent by a user; the data operation request is used to request that a first operation be performed on the first column of data in the target data set; the target data set includes multiple column data; each of the column data corresponds to its own security level;
  • the obtaining module 520 based on the data operation request, obtains the data operation authority information corresponding to the user and/or the security level of the first column of data;
  • the authentication module 530 authenticates the user's authority to perform the first operation on the first column of data, and obtains an authentication result;
  • the determining module 540 determines whether the user is allowed to perform the first operation on the first column of data according to the authentication result.
  • The data operation authority information includes first authority information corresponding to the various operations that the user is authorized to perform on the target data set and/or second authority information corresponding to the various operations that the user is authorized to perform on the first column of data.
  • The authentication module 530 includes: a judging unit, which judges whether the second permission information contains the permission information corresponding to the first operation; a first determining unit, which, if the second permission information contains the authority information corresponding to the first operation, determines that the user has the authority to perform the first operation on the first column of data; and a first authentication unit, which, if the second authority information does not include the authority information corresponding to the first operation, authenticates the user's authority to perform the first operation on the first column of data according to the first authority information and/or the security level.
  • The first authentication unit judges whether the first permission information includes the permission information corresponding to the first operation; if so, it compares the security level of the user with the security level of the first column of data, and authenticates the user's authority to perform the first operation on the first column of data according to the comparison result; if not, it determines that the user does not have the authority to perform the first operation on the first column of data.
  • For the first authentication unit, if the comparison result is that the security level of the user is lower than the security level of the first column of data, it is determined that the user does not have the authority to perform the first operation on the first column of data; if the comparison result is that the security level of the user is not lower than the security level of the first column of data, it is determined that the user has the authority to perform the first operation on the first column of data.
  • The device further includes: a second receiving module, which, before the data operation request sent by the user is received, receives a first permission application sent by the user for performing the first operation on the target data set; a second determination module, which determines the first review result of reviewing the first permission application; and a first recording module, which, if the first review result is approved, records the authority information corresponding to the first operation in the first permission information.
  • The device further includes: a third receiving module, which, before the data operation request sent by the user is received, receives a second permission application sent by the user for performing the first operation on the first column of data; a third determination module, which determines the second review result of reviewing the second permission application; and a second recording module, which, if the second review result is approved, records the authority information corresponding to the first operation in the second permission information.
  • the data operation authority information corresponding to the user and/or the security level of the first column of data is obtained, the user is authenticated based on the acquired data operation authority information and/or the security level of the first column of data, and it is then determined according to the authentication result whether the user is allowed to perform the first operation on the first column of data.
  • the data authority and the security level of the column data are combined to manage the data comprehensively, thereby improving the accuracy of user authentication.
  • the device does not need to adjust the data security level, thereby avoiding over-authorization problems caused by adjusting the data security level, and ensuring data security management and control effects to a greater extent.
  • the data rights management device may differ considerably depending on its configuration or performance, and may include one or more processors 601 and a memory 602; the memory 602 may store one or more stored applications or data. The memory 602 may be short-term storage or persistent storage.
  • the application program stored in the memory 602 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for the data rights management device.
  • the processor 601 may be configured to communicate with the memory 602, and execute a series of computer-executable instructions in the memory 602 on the data rights management device.
  • the data rights management device may also include one or more power supplies 603, one or more wired or wireless network interfaces 604, one or more input and output interfaces 605, and one or more keyboards 606.
  • the data rights management device includes a memory and one or more programs.
  • One or more programs are stored in the memory; the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the data rights management device and is configured to be executed by one or more processors.
  • the one or more programs include computer-executable instructions for performing the following: receiving a data operation request sent by a user;
  • the data operation request is used to request the first operation to be performed on the first column of data in the target data set; the target data set includes multiple column data; each of the column data corresponds to its own security level;
  • According to the data operation request, obtain the data operation authority information corresponding to the user and/or the security level of the first column of data; according to the data operation authority information and/or the security level, authenticate the authority of the user to perform the first operation on the first column of data to obtain an authentication result; according to the authentication result, determine whether the user is allowed to perform the first operation on the first column of data.
  • the data operation authority information includes first authority information corresponding to the various operations that the user is authorized to perform on the target data set and/or second authority information corresponding to the various operations that the user is authorized to perform on the first column of data.
  • when executed, the executable instructions may also cause the processor to: determine whether the second permission information contains the permission information corresponding to the first operation; if so, determine that the user has the authority to perform the first operation on the first column of data; if not, authenticate the authority of the user to perform the first operation on the first column of data according to the first permission information and/or the security level.
  • when executed, the executable instructions may also cause the processor to: determine whether the first permission information contains the permission information corresponding to the first operation; if so, compare the security level of the user with the security level of the first column of data, and authenticate the authority of the user to perform the first operation on the first column of data according to the comparison result; if not, determine that the user does not have the authority to perform the first operation on the first column of data.
  • when executed, the executable instructions may also cause the processor to: if the comparison result is that the security level of the user is lower than the security level of the first column of data, determine that the user does not have the authority to perform the first operation on the first column of data; if the comparison result is that the security level of the user is not lower than the security level of the first column of data, determine that the user has the authority to perform the first operation on the first column of data.
  • when executed, the executable instructions may also cause the processor to: receive a first permission application sent by the user to perform the first operation on the target data set; determine a first review result of reviewing the first permission application; if the first review result is approved, record the permission information corresponding to the first operation in the first permission information.
  • when executed, the executable instructions may also cause the processor to: receive a second permission application sent by the user to perform the first operation on the first column of data; determine a second review result of reviewing the second permission application; if the second review result is approved, record the permission information corresponding to the first operation in the second permission information.
  • One or more embodiments of this specification also propose a computer-readable storage medium that stores one or more programs, and the one or more programs include instructions.
  • the electronic device can execute the above-mentioned data authority management method, and is specifically used to execute: receiving a data operation request sent by a user, where the data operation request is used to request that the first operation be performed on the first column of data in the target data set, the target data set includes a plurality of columns of data, and each column of data corresponds to its own security level; based on the data operation request, obtaining the data operation authority information corresponding to the user and/or the security level of the first column of data; according to the data operation authority information and/or the security level, authenticating the user's authority to perform the first operation on the first column of data to obtain the authentication result; according to the authentication result, determining whether the user is allowed to perform the first operation on the first column of data.
  • a typical implementation device is a computer.
  • the computer may be, for example, a personal computer, a laptop computer, a cell phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or any combination of these devices.
  • one or more embodiments of this specification can be provided as a method, a system, or a computer program product. Therefore, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for realizing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment thereby provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by computing devices. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
  • program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types.
  • This application can also be practiced in distributed computing environments. In these distributed computing environments, tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in local and remote computer storage media including storage devices.

Abstract

Disclosed in one or more embodiments of the present invention are a data permissions management method and apparatus, for use in solving the problem in the prior art of inaccurate data security control. The method comprises: receiving a data operation request sent by a user, the data operation request being used for requesting to perform a first operation on a first column of data in a target data set, the target data set comprising a plurality of columns of data, and the columns of data corresponding to respective security levels; obtaining, on the basis of the data operation request, data operation permissions information corresponding to the user and/or the security level of the first column of data; identifying, according to the data operation permissions information and/or the security level, the permission of the user to perform the first operation on the first column of data to obtain an authentication result; and determining, according to the authentication result, whether the user is permitted to perform the first operation on the first column of data.

Description

Data authority management
Technical field
This specification relates to the field of data security technology, and in particular to a data authority management method and device.
Background
In today's big data era, many enterprises have their own big data systems, which serve as infrastructure for technologies such as cloud computing and artificial intelligence. A big data system holds a great deal of important data, which may even include users' private information or an enterprise's confidential information, so classifying people and data by security level is an important part of data security management. To prevent data leakage, data authority management is required, that is, controlling who can access which data and how. This is particularly important in financial-grade enterprises.
In the related art, one approach to data authority management is to divide the actions by which a subject accesses an object into different levels, such as List, Read, Write and Permissions management. This approach only describes the actions and does not affect the control of data security. Another approach is to control a subject's access to data by adjusting the security level of the subject. The drawback of this approach is also obvious: if the subject only needs to access one column in a table whose security level is higher than its own, then after the subject's security level is raised, other columns that the subject previously could not access may also become accessible, resulting in over-authorization.
Summary of the invention
In one aspect, one or more embodiments of this specification provide a data authority management method, including: receiving a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level. Based on the data operation request, obtaining the data operation authority information corresponding to the user and/or the security level of the first column of data. According to the data operation authority information and/or the security level, authenticating the authority of the user to perform the first operation on the first column of data to obtain an authentication result. According to the authentication result, determining whether the user is allowed to perform the first operation on the first column of data.
In another aspect, one or more embodiments of this specification provide a data authority management apparatus, including: a receiving module, which receives a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level. An obtaining module, which, based on the data operation request, obtains the data operation authority information corresponding to the user and/or the security level of the first column of data. An authentication module, which, according to the data operation authority information and/or the security level, authenticates the authority of the user to perform the first operation on the first column of data to obtain an authentication result. A determining module, which determines, according to the authentication result, whether the user is allowed to perform the first operation on the first column of data.
In yet another aspect, one or more embodiments of this specification provide a data authority management device, including a processor and a memory arranged to store computer-executable instructions. When executed, the executable instructions cause the processor to: receive a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level. Based on the data operation request, obtain the data operation authority information corresponding to the user and/or the security level of the first column of data. According to the data operation authority information and/or the security level, authenticate the authority of the user to perform the first operation on the first column of data to obtain an authentication result. According to the authentication result, determine whether the user is allowed to perform the first operation on the first column of data.
In yet another aspect, one or more embodiments of this specification provide a storage medium for storing computer-executable instructions that, when executed, implement the following process: receiving a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level. Based on the data operation request, obtaining the data operation authority information corresponding to the user and/or the security level of the first column of data. According to the data operation authority information and/or the security level, authenticating the authority of the user to perform the first operation on the first column of data to obtain an authentication result. According to the authentication result, determining whether the user is allowed to perform the first operation on the first column of data.
Description of the drawings
To explain one or more embodiments of this specification or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in one or more embodiments of this specification; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a data authority management method according to an embodiment of this specification;
Fig. 2 is a schematic flowchart of a data authority management method according to another embodiment of this specification;
Fig. 3 is a schematic flowchart of a data authority management method according to still another embodiment of this specification;
Fig. 4 is a schematic flowchart of a data authority management method according to still another embodiment of this specification;
Fig. 5 is a schematic block diagram of a data authority management apparatus according to an embodiment of this specification;
Fig. 6 is a schematic block diagram of a data authority management device according to an embodiment of this specification.
Detailed description
One or more embodiments of this specification provide a data authority management method and device to solve the problem of inaccurate data security management and control in the prior art.
To enable those skilled in the art to better understand the technical solutions in one or more embodiments of this specification, the technical solutions are described clearly and completely below with reference to the drawings in one or more embodiments of this specification. Obviously, the described embodiments are only some of the embodiments of this specification, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on one or more embodiments of this specification without creative effort shall fall within the protection scope of one or more embodiments of this specification.
Fig. 1 is a schematic flowchart of a data authority management method according to an embodiment of this specification. As shown in Fig. 1, the method includes:
S102: Receive a data operation request sent by a user. The data operation request is used to request that a first operation be performed on a first column of data in a target data set; the target data set includes multiple columns of data, and each column of data corresponds to its own security level.
Here, the word "first" in "first column of data" does not denote an ordinal position; it only indicates the column of data targeted by the data operation request. The first column of data can therefore be any column of data in the target data set. In one embodiment, the target data set may be a data table that includes multiple columns of data.
The security level is a way of grading column data according to its degree of confidentiality. The higher the security level, the more confidential and the more sensitive the corresponding column data.
S104: Based on the data operation request, obtain the data operation authority information corresponding to the user and/or the security level of the first column of data.
Here, the data operation authority information includes first authority information corresponding to the operations the user is authorized to perform on the target data set and/or second authority information corresponding to the operations the user is authorized to perform on the first column of data. The operations include, for example, query, read, update and delete operations.
For example, if the target data set is a data table that includes multiple columns of data, the data operation authority information may include the first authority information corresponding to the operations the user is authorized to perform on the data table, and may also include the second authority information corresponding to the operations the user is authorized to perform on the first column of data (which can be any column of data) in the data table.
As another example, if the user is authorized to perform a read operation on the data table, the first authority information should contain the authority information corresponding to the read operation; if the user is authorized to perform a query operation on the first column of data (which can be any column of data) in the data table, the second authority information should contain the authority information corresponding to the query operation.
S106: According to the data operation authority information and/or the security level, authenticate the user's authority to perform the first operation on the first column of data, and obtain an authentication result.
S108: According to the authentication result, determine whether the user is allowed to perform the first operation on the first column of data.
If the authentication result is that the user has the authority, the user is allowed to perform the first operation on the first column of data; if the authentication result is that the user does not have the authority, the user's request to perform the first operation on the first column of data is rejected.
With the technical solutions of one or more embodiments of this specification, after a data operation request from a user to perform the first operation on the first column of data in the target data set is received, the data operation authority information corresponding to the user and/or the security level of the first column of data is obtained, the user is authenticated based on the obtained data operation authority information and/or the security level of the first column of data, and it is then determined according to the authentication result whether the user is allowed to perform the first operation on the first column of data. Data authority and the security level of column data are thus combined to manage data comprehensively, which improves the accuracy of user authentication. Moreover, this data control solution does not need to adjust the data security level, which avoids the over-authorization caused by adjusting the data security level and ensures the effect of data security management and control to a greater extent.
The following describes in detail how to authenticate the user's authority to perform the first operation on the first column of data according to the data operation authority information corresponding to the user and/or the security level of the first column of data.
In one embodiment, when authenticating the user's authority to perform the first operation on the first column of data, it is first determined whether the second authority information, which corresponds to the operations the user is authorized to perform on the first column of data in the data table, contains the authority information corresponding to the first operation. If so, it is determined that the user has the authority to perform the first operation on the first column of data. If not, the user's authority to perform the first operation on the first column of data is further authenticated according to the first authority information, which corresponds to the operations the user is authorized to perform on the data table, and/or the security level of the first column of data.
Further authenticating the user's authority to perform the first operation on the first column of data according to the first authority information and/or the security level of the first column of data may include: determining whether the first authority information contains the authority information corresponding to the first operation; if so, comparing the security level of the user with the security level of the first column of data, and authenticating the user's authority to perform the first operation on the first column of data according to the comparison result; if not, determining that the user does not have the authority to perform the first operation on the first column of data.
Authenticating the user's authority to perform the first operation on the first column of data according to the comparison result is specifically: if the comparison result is that the security level of the user is lower than the security level of the first column of data, it is determined that the user does not have the authority to perform the first operation on the first column of data; if the comparison result is that the security level of the user is not lower than the security level of the first column of data, it is determined that the user has the authority to perform the first operation on the first column of data.
In the above embodiment, when authenticating the user's authority to perform the first operation on the first column of data, the user's authority information for the first column of data is queried first, so that authority management and security levels are combined. This not only controls the operation authority precisely down to column data (that is, data operation authority is controlled at the column level), but also ensures that the authority control of one column of data does not affect the authority control of other columns of data, which improves the effect of data security control and avoids over-authorization.
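The decision order of this embodiment (column-level grant first, then data-set grant, then the security level comparison) as an added Python example; it is not code from the patent. The `User` fields, the `accounts` table, its columns, the reason strings and the fail-closed handling of unknown columns are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace


@dataclass
class User:
    name: str
    level: int  # security level of the user; a higher number is more trusted
    # "First permission information": operations granted on a whole data set.
    table_grants: dict = field(default_factory=dict)   # {table: {op, ...}}
    # "Second permission information": operations granted on one column.
    column_grants: dict = field(default_factory=dict)  # {(table, column): {op, ...}}


# Constructed sample data set: column name -> security level of the column.
TABLES = {"accounts": {"name": 1, "phone": 2, "id_number": 3, "balance": 3}}


def authorize(user, table, column, op):
    """Return (allowed, reason) for `user` performing `op` on table.column."""
    columns = TABLES.get(table)
    if columns is None or column not in columns:
        # Assumption of this example: unknown objects are denied (fail closed).
        return False, "unknown table or column"
    # Step 1: a column-level grant for this operation decides immediately.
    if op in user.column_grants.get((table, column), set()):
        return True, "column grant"
    # Step 2: without a data-set grant for this operation the user is denied,
    # whatever the user's security level is.
    if op not in user.table_grants.get(table, set()):
        return False, "no table grant"
    # Step 3: with a data-set grant, the user's level must not be lower than
    # the level of the requested column.
    if user.level < columns[column]:
        return False, "user level below column level"
    return True, "table grant and sufficient level"


def allowed_columns(user, table, op):
    """Columns of `table` on which `user` may perform `op`, sorted by name."""
    return sorted(c for c in TABLES[table] if authorize(user, table, c, op)[0])


# A level-2 analyst who may read the table.
analyst = User("analyst", level=2, table_grants={"accounts": {"read"}})
# The approach of this embodiment: grant read on the one level-3 column needed.
with_grant = replace(analyst, column_grants={("accounts", "id_number"): {"read"}})
# The prior-art approach described in the background: raise the user's level.
raised = replace(analyst, level=3)

if __name__ == "__main__":
    for label, user in [("baseline", analyst),
                        ("column grant", with_grant),
                        ("raised level", raised)]:
        print(f"{label:13s} {allowed_columns(user, 'accounts', 'read')}")
```

With the column grant, `balance` stays unreadable, while raising the user's level to 3 also opens `balance`, which is the over-authorization the background section describes.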
在一个实施例中,若用户需对目标数据集中的某一列数据执行操作,可预先发起对该列数据执行操作的权限申请,并在权限申请成功后发起对该列数据的数据操作请求。下面以目标数据集中的第一列数据(可以是任一列数据)为例,说明如何预先为用户对第一列数据的操作授权。In one embodiment, if the user needs to perform an operation on a certain column of data in the target data set, he can initiate a permission request to perform the operation on the column of data in advance, and initiate a data operation request for the column of data after the permission application is successful. The following takes the first column of data (which can be any column of data) in the target data set as an example to illustrate how to authorize the user to operate the first column of data in advance.
在一个实施例中,当接收到用户发送的对目标数据集执行第一操作的第一权限申请时,确定对第一权限申请进行审核的第一审核结果;若第一审核结果为审核通过,则在第一权限信息中记录第一操作对应的权限信息。In one embodiment, when the first permission application for performing the first operation on the target data set sent by the user is received, the first review result of reviewing the first permission application is determined; if the first review result is approved, Then, the permission information corresponding to the first operation is recorded in the first permission information.
图2是根据本说明书另一实施例的一种数据权限管理方法的示意性流程图,如图2所示,该方法包括:Fig. 2 is a schematic flowchart of a data authority management method according to another embodiment of the present specification. As shown in Fig. 2, the method includes:
S201,接收用户发送的对目标数据集执行第一操作的第一权限申请。S201: Receive a first permission application sent by a user to perform a first operation on a target data set.
S202,确定对第一权限申请进行审核的第一审核结果。其中,可由具有一定权限的用户(如数据权限管理人员)对第一权限申请进行审核进行审批,也可由计算机基于预先设定的权限审批条件对第一权限申请进行审核,从而得到第一审核结果。S202: Determine a first review result of reviewing the first permission application. Among them, a user with a certain authority (such as a data authority manager) can review and approve the first authority application, or the computer can review the first authority application based on pre-set authority approval conditions, so as to obtain the first review result .
S203,判断第一审核结果是否为审核通过;若是,则执行S204;若否,则执行S205。S203: Determine whether the first audit result is approved; if yes, execute S204; if not, execute S205.
S204,确定授权成功,并在第一权限信息中记录第一操作对应的权限信息。S204: It is determined that the authorization is successful, and the authority information corresponding to the first operation is recorded in the first authority information.
S205,确定授权失败。授权失败时不在第一权限信息中记录第一操作对应的权限信息。S205: It is determined that the authorization fails. When the authorization fails, the authority information corresponding to the first operation is not recorded in the first authority information.
例如,目标数据集为表1所示的用户信息表,用户信息表中包括多个列数据以及各列数据对应的安全等级。For example, the target data set is the user information table shown in Table 1, and the user information table includes multiple column data and the security level corresponding to each column data.
Table 1

| Column name | Description | Security level |
| --- | --- | --- |
| id | User ID | 0 |
| nickname | Nickname | 0 |
| name | User name | 2 |
| mobile | User's mobile phone number | 2 |
| birthday | User's birthday | 2 |
| credit_card | User's credit card number | 3 |
Suppose the user needs to perform the first operation (such as a query operation) on a first column in user information Table 1 whose security level is not higher than the user's own (such as the id column or the nickname column). The user can then apply for the table permission to perform the first operation on the user information table. After the application is approved, a table permission item for the user to perform the first operation on user information Table 1 is recorded in the first permission information, that is, the permission information corresponding to the first operation is added.
In this embodiment, if the user wants to perform an operation on the target data set, or on column data in the target data set whose security level is not higher than the user's own, the user only needs to apply in advance for the operation permission on the target data set, and can then perform the operation on the target data set after the authorization succeeds. This simplifies the authorization process for the user to operate on the target data set.
In one embodiment, when a second permission application sent by the user to perform the first operation on the first column of data is received, a second review result of reviewing the second permission application is determined; if the second review result is approval, the permission information corresponding to the first operation is recorded in the second permission information.
Fig. 3 is a schematic flowchart of a data permission management method according to another embodiment of this specification. As shown in Fig. 3, the method includes:
S301: Receive a second permission application sent by a user to perform a first operation on the first column of data in the target data set.
S302: Determine a second review result of reviewing the second permission application. The second permission application may be reviewed and approved by a user with a certain authority (such as a data permission administrator), or the first permission application may be reviewed by a computer based on preset permission approval conditions, so as to obtain the second review result.
S303: Determine whether the second review result is approval; if yes, execute S304; if not, execute S305.
S304: Determine that the authorization succeeds, and record the permission information corresponding to the first operation in the second permission information.
S305: Determine that the authorization fails. When the authorization fails, the permission information corresponding to the first operation is not recorded in the second permission information.
User information Table 1 is again taken as an example. Suppose the user needs to perform the first operation on a second column in user information Table 1 whose security level is higher than the user's own (such as the name column, mobile column, birthday column or credit_card column). The user can then apply for the column permission to perform the first operation on the second column of data in user information Table 1. After the application is approved, a column permission item for the user to perform the first operation on the second column of data is recorded in the second permission information, that is, the permission information corresponding to the first operation is added.
It can be seen that, in this embodiment, if the user wants to perform an operation on a column of data whose security level is higher than the user's own, the user only needs to apply in advance for the operation permission on that column of data, and can then perform the operation on that column of data after the authorization succeeds. This does not affect permission control over other columns of data, so data operation permissions can be controlled at the column level.
Based on the authorization method in the embodiment shown in Fig. 2 or Fig. 3, data permissions can be managed according to the steps shown in Fig. 4. As shown in Fig. 4, data permission management includes the following steps:
S401: Receive a data operation request sent by a user for requesting to perform a first operation on a first column of data in a target data set, where the target data set includes multiple columns of data and each column of data corresponds to its own security level.
The first operation may be, for example, a query operation, a read operation, an update operation, or a delete operation. The first column of data can be any column of data in the target data set. In one embodiment, the target data set may be a data table including multiple columns of data.
The security level is a way of grading column data according to its degree of confidentiality. The higher the security level, the higher the degree of confidentiality of the corresponding column data and the more sensitive the data. The security level of column data can be set in advance by authorized designated personnel (such as data administrators).
S402: Based on the data operation request, obtain the second permission information corresponding to the various operations that the user has the right to perform on the first column of data.
The various operations may be, for example, query operations, read operations, update operations, and delete operations. The first operation is one of these operations.
S403: Determine whether the second permission information contains the permission information corresponding to the first operation. If yes, execute S409; if not, execute S404.
S404: Obtain the first permission information corresponding to the various operations that the user has the right to perform on the target data set.
S405: Determine whether the first permission information contains the permission information corresponding to the first operation. If yes, execute S406; if not, execute S408.
S406: Determine the security level of the user and the security level of the first column of data.
S407: Determine whether the security level of the user is lower than the security level of the first column of data. If yes, execute S408; if not, execute S409.
S408: Determine that the user does not have the permission to perform the first operation on the first column of data, and refuse to let the user perform the first operation on the first column of data.
S409: Determine that the user has the permission to perform the first operation on the first column of data, and allow the user to perform the first operation on the first column of data.
In this embodiment, after a data operation request from the user to perform the first operation on the first column of data in the target data set is received, the user's permission information for the first column of data is queried first. If no permission information of the user for the first column of data is found, the user is then authenticated by combining the user's permission information for the target data set with the security levels. Permission management and security levels are thereby combined. This not only allows precise control over the operation permissions on column data (that is, data operation permissions are controlled at the column level), but also means that permission control over one column of data does not affect permission control over other columns of data, which improves the effect of data security control and avoids over-authorization.
The data permission management method provided by one or more embodiments of this specification is described below through specific embodiments.
User information Table 1 is again taken as an example. Suppose the user "Zhang San" is the subject of the data operation and his security level is 0. If Zhang San wants to access column data in user information Table 1, there are two cases:
(1) Zhang San wants to access a column in user information Table 1 whose security level is not higher than his own; for example, Zhang San needs to perform a query operation on the id column or the nickname column. Since the security level of the id column or the nickname column is not higher than Zhang San's security level, Zhang San can apply in advance for the table permission to perform query operations on user information Table 1. After the application is approved, a permission item for Zhang San to perform queries on user information Table 1 is added to the first permission information (that is, the permission information recording the various operations Zhang San has the right to perform on user information Table 1).
After the authorization succeeds, if Zhang San initiates a data operation request to perform a query operation on the id column, the authentication process is as follows:
First, query the first permission information and the second permission information corresponding to Zhang San (the second permission information records the various operations Zhang San has the right to perform on the id column), and determine whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San applied in advance only for the table permission to perform query operations on user information Table 1, and did not apply for the column permission to perform query operations on the id column, the second permission information does not contain the permission item corresponding to the query operation (that is, it cannot be found). The process then moves to the next step.
Second, determine whether the first permission information contains the permission item corresponding to the query operation, that is, whether a permission item for Zhang San to perform query operations on user information Table 1 is recorded in the first permission information. Since Zhang San applied in advance for the table permission to perform query operations on user information Table 1, the first permission information contains the permission item corresponding to the query operation. The process then moves to the next step, the security level check.
Then, determine the security levels of Zhang San and of the id column in user information Table 1, and determine whether Zhang San's security level is lower than the security level of the id column. Since Zhang San's security level and the security level of the id column are both 0, that is, Zhang San's security level is not lower than that of the id column, Zhang San has the right to perform query operations on the id column. An authentication success message is returned, and Zhang San is allowed to perform the query operation on the id column.
Similarly, if Zhang San initiates a data operation request to perform a query operation on the nickname column, the security level of the nickname column is the same as that of the id column (both are 0), so the authentication process is the same as for the id column and is not repeated here.
If Zhang San initiates a request for permission to perform a query operation on column data in user information Table 1 whose security level is higher than his own (such as the name column), the authentication process is as follows:
First, query the first permission information corresponding to Zhang San (that is, the permission information recording the various operations Zhang San has the right to perform on user information Table 1) and the second permission information (recording the various operations Zhang San has the right to perform on the name column), and determine whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San applied in advance only for the table permission to perform query operations on user information Table 1, and did not apply for the column permission to perform query operations on the name column, the second permission information does not contain the permission item corresponding to the query operation (that is, it cannot be found). The process then moves to the next step.
Second, determine whether the first permission information contains the permission item corresponding to the query operation, that is, whether a permission item for Zhang San to perform query operations on user information Table 1 is recorded in the first permission information. Since Zhang San applied in advance for the table permission to perform query operations on user information Table 1, the first permission information contains the permission item corresponding to the query operation. The process then moves to the next step, the security level check.
Then, determine the security levels of Zhang San and of the name column in user information Table 1, and determine whether Zhang San's security level is lower than the security level of the name column. Since Zhang San's security level is 0 and the security level of the name column is 2, that is, Zhang San's security level is lower than that of the name column, Zhang San has no right to perform query operations on the name column. An authentication failure message is returned, and Zhang San's query operation on the name column is refused.
Similarly, if Zhang San initiates a data operation request to perform a query operation on other column data whose security level is higher than his own (such as the mobile column, birthday column or credit_card column), the authentication process is the same as for the name column and is not repeated here.
(2) Zhang San wants to access a column in user information Table 1 whose security level is higher than his own; for example, Zhang San needs to perform a query operation on the name column. Since the security level of the name column is higher than Zhang San's security level, Zhang San can apply in advance for the column permission to perform query operations on the name column. After the application is approved, a permission item for Zhang San to perform queries on the name column is added to the second permission information (recording the various operations Zhang San has the right to perform on the name column).
After the authorization succeeds, if Zhang San initiates a data operation request to perform a query operation on the name column, the authentication process is as follows:
First, query the first permission information corresponding to Zhang San (that is, the permission information recording the various operations Zhang San has the right to perform on user information Table 1) and the second permission information (recording the various operations Zhang San has the right to perform on the name column).
Second, determine whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San applied in advance for the column permission to perform query operations on the name column, the second permission information contains the permission item corresponding to the query operation. An authentication success message is returned, and Zhang San is allowed to perform the query operation on the name column.
If Zhang San initiates a data operation request to perform a query operation on the mobile column, the authentication process is as follows:
First, query the first permission information corresponding to Zhang San (that is, the permission information recording the various operations Zhang San has the right to perform on user information Table 1) and the second permission information (recording the various operations Zhang San has the right to perform on the mobile column), and determine whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San applied in advance only for the column permission to perform query operations on the name column, and did not apply for the column permission to perform query operations on the mobile column, the second permission information does not contain the permission item corresponding to the query operation (that is, it cannot be found). The process then moves to the next step.
Second, determine whether the first permission information contains the permission item corresponding to the query operation, that is, whether a permission item for Zhang San to perform query operations on user information Table 1 is recorded in the first permission information. If it does not, Zhang San has no right to perform query operations on the mobile column of user information Table 1; an authentication failure message is returned, and Zhang San's query operation on the mobile column is refused. If it does, the process moves to the next step, the security level check.
Then, determine the security levels of Zhang San and of the mobile column in user information Table 1, and determine whether Zhang San's security level is lower than the security level of the mobile column. Since Zhang San's security level is lower than that of the mobile column, Zhang San has no right to perform query operations on the mobile column. An authentication failure message is returned, and Zhang San's query operation on the mobile column is refused.
Similarly, if Zhang San initiates a data operation request to perform a query operation on the birthday column or the credit_card column, the security levels of both columns are higher than Zhang San's security level, so the authentication process is the same as for the mobile column and is not repeated here.
As can be seen from the above embodiments, Zhang San cannot perform operations on column data in user information Table 1 whose security level is higher than his own. If Zhang San wants to perform a certain type of operation on column data whose security level is higher than his own, he must apply in advance for the permission to perform that type of operation on the column. This way of authenticating users by combining permission management with security levels not only allows precise control of data security, but also means that granting authorization for one column of data does not affect permission control over other columns of data, thereby avoiding over-authorization and ensuring the effect of data security control.
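The following added example, which is not part of the patent text, implements the S401 to S409 decision flow together with the two grant procedures (S201 to S205 and S301 to S305) and replays both Zhang San cases against Table 1. The class and function names, the data set name `user_info`, and the fail-closed handling of unknown columns are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import NamedTuple


class Decision(NamedTuple):
    allowed: bool
    step: str    # flow step that produced the verdict (S408 or S409)
    reason: str


@dataclass
class Dataset:
    name: str
    column_levels: dict  # column name -> security level


@dataclass
class User:
    name: str
    level: int
    # "First permission information": operations granted on the whole data set.
    table_perms: set = field(default_factory=set)   # {(dataset, operation)}
    # "Second permission information": operations granted on a single column.
    column_perms: set = field(default_factory=set)  # {(dataset, column, operation)}


def apply_table_permission(user, dataset, op, approved):
    """S201-S205: record a table-level grant only if the review passed."""
    if approved:
        user.table_perms.add((dataset.name, op))
    return approved


def apply_column_permission(user, dataset, column, op, approved):
    """S301-S305: record a column-level grant only if the review passed."""
    if approved:
        user.column_perms.add((dataset.name, column, op))
    return approved


def authorize(user, dataset, column, op):
    """S401-S409: decide whether `user` may perform `op` on `column`."""
    # Assumption (not stated on the page): unknown columns fail closed.
    if column not in dataset.column_levels:
        return Decision(False, "S408", "unknown column")
    # S402/S403: an explicit column grant allows the operation outright.
    if (dataset.name, column, op) in user.column_perms:
        return Decision(True, "S409", "column grant")
    # S404/S405: otherwise a table grant for this operation is required.
    if (dataset.name, op) not in user.table_perms:
        return Decision(False, "S408", "no table grant")
    # S406/S407: with a table grant, the user's level must not be lower.
    if user.level < dataset.column_levels[column]:
        return Decision(False, "S408", "security level too low")
    return Decision(True, "S409", "table grant and sufficient level")


# Column security levels taken from Table 1 of the page.
USER_INFO = Dataset("user_info", {
    "id": 0, "nickname": 0, "name": 2,
    "mobile": 2, "birthday": 2, "credit_card": 3,
})


def case_table_grant():
    """Case (1): Zhang San (level 0) holds only a table-level query grant."""
    zhang = User("Zhang San", level=0)
    apply_table_permission(zhang, USER_INFO, "query", approved=True)
    return {c: authorize(zhang, USER_INFO, c, "query")
            for c in USER_INFO.column_levels}


def case_column_grant():
    """Case (2): Zhang San holds only a column-level query grant on name."""
    zhang = User("Zhang San", level=0)
    apply_column_permission(zhang, USER_INFO, "name", "query", approved=True)
    return {c: authorize(zhang, USER_INFO, c, "query")
            for c in USER_INFO.column_levels}


if __name__ == "__main__":
    for title, result in (("table grant", case_table_grant()),
                          ("column grant on name", case_column_grant())):
        print(title)
        for col, d in result.items():
            verdict = "ALLOW" if d.allowed else "DENY"
            print(f"  {col:12} {verdict:5} {d.step} ({d.reason})")
```

In the second case the id and nickname columns are denied even though their level equals Zhang San's, because the level comparison in S406/S407 is only reached when a table grant exists.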
综上,已经对本主题的特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作可以按照不同的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序,以实现期望的结果。在某些实施方式中,多任务处理和并行处理可以是有利的。In summary, specific embodiments of the subject matter have been described. Other embodiments are within the scope of the appended claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or sequential order shown in order to achieve the desired result. In certain embodiments, multitasking and parallel processing may be advantageous.
以上为本说明书一个或多个实施例提供的数据权限管理方法,基于同样的思路,本说明书一个或多个实施例还提供一种数据权限管理装置。The above is the data authority management method provided by one or more embodiments of this specification. Based on the same idea, one or more embodiments of this specification also provide a data authority management device.
图5是根据本说明书一实施例的一种数据权限管理装置的示意性流程图,如图5所示,该装置包括:Fig. 5 is a schematic flowchart of a data authority management device according to an embodiment of the present specification. As shown in Fig. 5, the device includes:
接收模块510,接收用户发送的数据操作请求;所述数据操作请求用于请求对目标数据集中的第一列数据执行第一操作;所述目标数据集包括多个列数据;各所述列数据对应各自的安全等级;The receiving module 510 receives a data operation request sent by a user; the data operation request is used to request to perform a first operation on the first column of data in the target data set; the target data set includes multiple column data; each of the column data Corresponding to their respective security levels;
获取模块520,基于所述数据操作请求,获取所述用户对应的数据操作权限信息和/或所述第一列数据的安全等级;The obtaining module 520, based on the data operation request, obtains the data operation authority information corresponding to the user and/or the security level of the first column of data;
鉴权模块530,根据所述数据操作权限信息和/或所述安全等级,鉴定所述用户对所述第一列数据执行所述第一操作的权限,得到鉴权结果;The authentication module 530, according to the data operation authority information and/or the security level, authenticates the user's authority to perform the first operation on the first column of data, and obtains an authentication result;
确定模块540,根据所述鉴权结果,确定是否允许所述用户对所述第一列数据执行所述第一操作。The determining module 540 determines whether the user is allowed to perform the first operation on the first column of data according to the authentication result.
在一个实施例中,所述数据操作权限信息包括对所述目标数据集有权执行的各类操作对应的第一权限信息和/或对所述第一列数据有权执行的各类操作对应的第二权限信息。In one embodiment, the data operation authority information includes first authority information corresponding to various operations that are authorized to perform on the target data set and/or corresponding to various operations that are authorized to perform on the first column of data. ’S second authority information.
在一个实施例中,所述鉴权模块530包括:判断单元,判断所述第二权限信息中是否包含所述第一操作对应的权限信息;第一确定单元,若所述第二权限信息中包含所述第一操作对应的权限信息,则确定所述用户具有对所述第一列数据执行所述第一操作的权限;第一鉴权单元,若所述第二权限信息中不包含所述第一操作对应的权限信息,则根据所述第一权限信息和/或所述安全等级,鉴定所述用户对所述第一列数据执行所述第一操作的权限。In one embodiment, the authentication module 530 includes: a judging unit, judging whether the second permission information contains the permission information corresponding to the first operation; the first determining unit, if the second permission information is If the authority information corresponding to the first operation is included, it is determined that the user has the authority to perform the first operation on the first column of data; the first authentication unit, if the second authority information does not include all According to the authority information corresponding to the first operation, the authority of the user to perform the first operation on the first column of data is authenticated according to the first authority information and/or the security level.
在一个实施例中,所述第一鉴权单元:判断所述第一权限信息中是否包含所述第一操作对应的权限信息;若是,则比对所述用户的安全等级及所述第一列数据的安全等级,以及根据比对结果鉴定所述用户对所述第一列数据执行所述第一操作的权限;若否,则确定所述用户不具有对所述第一列数据执行所述第一操作的权限。In an embodiment, the first authentication unit: judges whether the first permission information includes the permission information corresponding to the first operation; if so, compares the security level of the user with the first The security level of the column data, and the authorization of the user to perform the first operation on the first column of data is identified according to the comparison result; if not, it is determined that the user does not have the authority to perform the first operation on the first column of data. The authority of the first operation is described.
In one embodiment, the first authorization unit: if the comparison result is that the security level of the user is lower than the security level of the first column of data, determines that the user does not have the permission to perform the first operation on the first column of data; if the comparison result is that the security level of the user is not lower than the security level of the first column of data, determines that the user has the permission to perform the first operation on the first column of data.
In one embodiment, the apparatus further includes: a second receiving module, which, before the data operation request sent by the user is received, receives a first permission application sent by the user for performing the first operation on the target data set; a second determining module, which determines a first review result of reviewing the first permission application; and a first recording module, which, if the first review result is approval, records the permission information corresponding to the first operation in the first permission information.
In one embodiment, the apparatus further includes: a third receiving module, which, before the data operation request sent by the user is received, receives a second permission application sent by the user for performing the first operation on the first column of data; a third determining module, which determines a second review result of reviewing the second permission application; and a second recording module, which, if the second review result is approval, records the permission information corresponding to the first operation in the second permission information.
With the apparatus of one or more embodiments of this specification, after a data operation request by which a user requests to perform a first operation on the first column of data in a target data set is received, the data operation permission information corresponding to the user and/or the security level of the first column of data is obtained, the user is authorized based on the obtained data operation permission information and/or the security level of the first column of data, and whether to allow the user to perform the first operation on the first column of data is then determined according to the authorization result. This combines data permissions with the security levels of column data to manage data comprehensively, which improves the accuracy of user authorization. Moreover, the apparatus does not need to adjust data security levels, which avoids the over-authorization caused by adjusting a data security level and better ensures the effect of data security control.
Those skilled in the art will understand that the data permission management apparatus described above can be used to implement the data permission management method described earlier; the details are similar to those in the method description and, to avoid repetition, are not restated here.
Based on the same idea, one or more embodiments of this specification also provide a data permission management device, as shown in FIG. 6. Data permission management devices may differ considerably depending on configuration or performance, and may include one or more processors 601 and a memory 602, where the memory 602 may store one or more application programs or data. The memory 602 may be transient storage or persistent storage. An application program stored in the memory 602 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for the data permission management device. Further, the processor 601 may be configured to communicate with the memory 602 and to execute, on the data permission management device, the series of computer-executable instructions in the memory 602. The data permission management device may also include one or more power supplies 603, one or more wired or wireless network interfaces 604, one or more input/output interfaces 605, and one or more keyboards 606.
Specifically, in this embodiment, the data permission management device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the data permission management device, and the one or more programs are configured to be executed by one or more processors and contain computer-executable instructions for: receiving a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level; obtaining, based on the data operation request, the data operation permission information corresponding to the user and/or the security level of the first column of data; determining, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data, to obtain an authorization result; and determining, according to the authorization result, whether to allow the user to perform the first operation on the first column of data.
Optionally, the data operation permission information includes first permission information corresponding to the various operations that the user is entitled to perform on the target data set and/or second permission information corresponding to the various operations that the user is entitled to perform on the first column of data.
Optionally, the computer-executable instructions, when executed, may further cause the processor to: determine whether the second permission information contains the permission information corresponding to the first operation; if so, determine that the user has the permission to perform the first operation on the first column of data; if not, determine, according to the first permission information and/or the security level, the user's permission to perform the first operation on the first column of data.
Optionally, the computer-executable instructions, when executed, may further cause the processor to: determine whether the first permission information contains the permission information corresponding to the first operation; if so, compare the security level of the user with the security level of the first column of data, and determine, according to the comparison result, the user's permission to perform the first operation on the first column of data; if not, determine that the user does not have the permission to perform the first operation on the first column of data.
Optionally, the computer-executable instructions, when executed, may further cause the processor to: if the comparison result is that the security level of the user is lower than the security level of the first column of data, determine that the user does not have the permission to perform the first operation on the first column of data; if the comparison result is that the security level of the user is not lower than the security level of the first column of data, determine that the user has the permission to perform the first operation on the first column of data.
Optionally, the computer-executable instructions, when executed, may further cause the processor to: receive a first permission application sent by the user for performing the first operation on the target data set; determine a first review result of reviewing the first permission application; and, if the first review result is approval, record the permission information corresponding to the first operation in the first permission information.
Optionally, the computer-executable instructions, when executed, may further cause the processor to: receive a second permission application sent by the user for performing the first operation on the first column of data; determine a second review result of reviewing the second permission application; and, if the second review result is approval, record the permission information corresponding to the first operation in the second permission information.
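The order of checks described above (column-level grant first, then data-set-level grant, then the security-level comparison), as an added Python example that is not code from the patent. The store layout, function names, level numbers, sample users and columns, and the fail-closed handling of unknown users or columns are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the patent): column security levels for one
# data set and security levels for three users. A higher number is more sensitive.
COLUMN_LEVELS = {"orders": {"order_id": 1, "amount": 2, "id_card_no": 4}}
USER_LEVELS = {"alice": 2, "carol": 2, "dave": 4}


@dataclass
class PermissionStore:
    """Holds both kinds of permission information described in the text."""
    # First permission information: operations granted on a whole data set.
    dataset_grants: dict = field(default_factory=dict)
    # Second permission information: operations granted on a single column.
    column_grants: dict = field(default_factory=dict)

    def record_dataset_application(self, user, dataset, op, approved):
        """First permission application: record the grant only if review passed."""
        if approved:
            self.dataset_grants.setdefault((user, dataset), set()).add(op)
        return approved

    def record_column_application(self, user, dataset, column, op, approved):
        """Second permission application: record the grant only if review passed."""
        if approved:
            self.column_grants.setdefault((user, dataset, column), set()).add(op)
        return approved


def authorize(store, user, dataset, column, op):
    """Return (allowed, reason), following the order of checks in the text."""
    columns = COLUMN_LEVELS.get(dataset)
    if columns is None or column not in columns or user not in USER_LEVELS:
        # Assumption of this example: unknown users or columns fail closed.
        return False, "unknown user, data set or column"
    # Step 1: an explicit column-level grant allows the operation outright.
    if op in store.column_grants.get((user, dataset, column), set()):
        return True, "column-level grant"
    # Step 2: without a data-set-level grant for this operation, deny.
    if op not in store.dataset_grants.get((user, dataset), set()):
        return False, "no data-set-level grant"
    # Step 3: a data-set-level grant exists, so compare security levels.
    if USER_LEVELS[user] < columns[column]:
        return False, "user level below column level"
    return True, "data-set-level grant and sufficient level"


def demo():
    """Walk through the cases the text distinguishes and return each decision."""
    store = PermissionStore()
    store.record_dataset_application("alice", "orders", "read", approved=True)
    store.record_dataset_application("carol", "orders", "read", approved=True)
    # Dave's application is rejected, so nothing is recorded for him.
    store.record_dataset_application("dave", "orders", "read", approved=False)

    results = {}
    results["alice_amount"] = authorize(store, "alice", "orders", "amount", "read")
    results["alice_id_before"] = authorize(store, "alice", "orders", "id_card_no", "read")
    # Alice applies for the one sensitive column; the column's level is not changed.
    store.record_column_application("alice", "orders", "id_card_no", "read", approved=True)
    results["alice_id_after"] = authorize(store, "alice", "orders", "id_card_no", "read")
    # Carol has the same level as Alice but no column grant: still denied.
    results["carol_id"] = authorize(store, "carol", "orders", "id_card_no", "read")
    # Dave has a high level but no recorded grant of either kind.
    results["dave_amount"] = authorize(store, "dave", "orders", "amount", "read")
    # Grants are per operation: Alice's read grants do not cover write.
    results["alice_id_write"] = authorize(store, "alice", "orders", "id_card_no", "write")
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Because Alice's access to the sensitive column comes from a column-level grant rather than from lowering the column's security level, Carol, who has the same security level, remains denied.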
One or more embodiments of this specification also provide a computer-readable storage medium that stores one or more programs, the one or more programs including instructions which, when executed by an electronic device that includes multiple application programs, cause the electronic device to perform the data permission management method described above, and specifically to: receive a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level; obtain, based on the data operation request, the data operation permission information corresponding to the user and/or the security level of the first column of data; determine, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data, to obtain an authorization result; and determine, according to the authorization result, whether to allow the user to perform the first operation on the first column of data.
The systems, apparatuses, modules, or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function. A typical implementation device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above apparatus is described by dividing its functions into various units. Of course, when implementing one or more embodiments of this specification, the functions of the units may be implemented in one or more pieces of software and/or hardware.
Those skilled in the art should understand that one or more embodiments of this specification may be provided as a method, a system, or a computer program product. Therefore, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
One or more embodiments of this specification are described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to the embodiments of this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or another programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
Memory may take forms such as non-permanent memory in computer-readable media, random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise", or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity, or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, commodity, or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, commodity, or device that includes the element.
One or more embodiments of this specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform specific tasks or implement specific abstract data types. This application may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The embodiments in this specification are described in a progressive manner; for the same or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, because the system embodiment is basically similar to the method embodiment, its description is relatively brief, and the relevant parts of the method embodiment description may be consulted.
The above are merely one or more embodiments of this specification and are not intended to limit this specification. For those skilled in the art, one or more embodiments of this specification may have various modifications and changes. Any modification, equivalent replacement, improvement, and so on made within the spirit and principle of one or more embodiments of this specification shall fall within the scope of the claims of one or more embodiments of this specification.

Claims (14)

  1. A data permission management method, comprising:
    receiving a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level;
    obtaining, based on the data operation request, data operation permission information corresponding to the user and/or the security level of the first column of data;
    determining, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data, to obtain an authorization result;
    determining, according to the authorization result, whether to allow the user to perform the first operation on the first column of data.
  2. The method according to claim 1, wherein the data operation permission information includes first permission information corresponding to the various operations that the user is entitled to perform on the target data set and/or second permission information corresponding to the various operations that the user is entitled to perform on the first column of data.
  3. The method according to claim 2, wherein the determining, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data comprises:
    determining whether the second permission information contains the permission information corresponding to the first operation;
    if so, determining that the user has the permission to perform the first operation on the first column of data;
    if not, determining, according to the first permission information and/or the security level, the user's permission to perform the first operation on the first column of data.
  4. The method according to claim 3, wherein the determining, according to the first permission information and/or the security level, the user's permission to perform the first operation on the first column of data comprises:
    determining whether the first permission information contains the permission information corresponding to the first operation;
    if so, comparing the security level of the user with the security level of the first column of data, and determining, according to the comparison result, the user's permission to perform the first operation on the first column of data;
    if not, determining that the user does not have the permission to perform the first operation on the first column of data.
  5. The method according to claim 4, wherein the determining, according to the comparison result, the user's permission to perform the first operation on the first column of data comprises:
    if the comparison result is that the security level of the user is lower than the security level of the first column of data, determining that the user does not have the permission to perform the first operation on the first column of data;
    if the comparison result is that the security level of the user is not lower than the security level of the first column of data, determining that the user has the permission to perform the first operation on the first column of data.
  6. The method according to claim 2, further comprising, before the receiving of the data operation request sent by the user:
    receiving a first permission application sent by the user for performing the first operation on the target data set;
    determining a first review result of reviewing the first permission application;
    if the first review result is approval, recording the permission information corresponding to the first operation in the first permission information.
  7. The method according to claim 2 or 6, further comprising, before the receiving of the data operation request sent by the user:
    receiving a second permission application sent by the user for performing the first operation on the first column of data;
    determining a second review result of reviewing the second permission application;
    if the second review result is approval, recording the permission information corresponding to the first operation in the second permission information.
  8. A data permission management apparatus, comprising:
    a receiving module, which receives a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level;
    an obtaining module, which obtains, based on the data operation request, data operation permission information corresponding to the user and/or the security level of the first column of data;
    an authorization module, which determines, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data, to obtain an authorization result;
    a determining module, which determines, according to the authorization result, whether to allow the user to perform the first operation on the first column of data.
  9. The apparatus according to claim 8, wherein the data operation permission information includes first permission information corresponding to the various operations that the user is entitled to perform on the target data set and/or second permission information corresponding to the various operations that the user is entitled to perform on the first column of data.
  10. The apparatus according to claim 9, wherein the authorization module comprises:
    a judging unit, which determines whether the second permission information contains the permission information corresponding to the first operation;
    a first determining unit, which, if the second permission information contains the permission information corresponding to the first operation, determines that the user has the permission to perform the first operation on the first column of data;
    a first authorization unit, which, if the second permission information does not contain the permission information corresponding to the first operation, determines, according to the first permission information and/or the security level, the user's permission to perform the first operation on the first column of data.
  11. The apparatus according to claim 10, wherein the first authorization unit:
    determines whether the first permission information contains the permission information corresponding to the first operation;
    if so, compares the security level of the user with the security level of the first column of data, and determines, according to the comparison result, the user's permission to perform the first operation on the first column of data;
    if not, determines that the user does not have the permission to perform the first operation on the first column of data.
  12. The apparatus according to claim 11, wherein the first authorization unit:
    if the comparison result is that the security level of the user is lower than the security level of the first column of data, determines that the user does not have the permission to perform the first operation on the first column of data;
    if the comparison result is that the security level of the user is not lower than the security level of the first column of data, determines that the user has the permission to perform the first operation on the first column of data.
  13. A data permission management device, comprising:
    a processor; and
    a memory arranged to store computer-executable instructions which, when executed, cause the processor to:
    receive a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level;
    obtain, based on the data operation request, data operation permission information corresponding to the user and/or the security level of the first column of data;
    determine, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data, to obtain an authorization result;
    determine, according to the authorization result, whether to allow the user to perform the first operation on the first column of data.
  14. A storage medium for storing computer-executable instructions which, when executed, implement the following process:
    receiving a data operation request sent by a user, where the data operation request is used to request that a first operation be performed on a first column of data in a target data set, the target data set includes multiple columns of data, and each column of data corresponds to its own security level;
    obtaining, based on the data operation request, data operation permission information corresponding to the user and/or the security level of the first column of data;
    determining, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data, to obtain an authorization result;
    determining, according to the authorization result, whether to allow the user to perform the first operation on the first column of data.
PCT/CN2021/085189 2020-04-15 2021-04-02 Data permissions management WO2021208758A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010296131.4 2020-04-15
CN202010296131.4A CN111523098A (en) 2020-04-15 2020-04-15 Data authority management method and device

Publications (1)

Publication Number Publication Date
WO2021208758A1 true WO2021208758A1 (en) 2021-10-21

Family

ID=71903126

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/085189 WO2021208758A1 (en) 2020-04-15 2021-04-02 Data permissions management

Country Status (2)

Country Link
CN (1) CN111523098A (en)
WO (1) WO2021208758A1 (en)

Also Published As

Publication number Publication date
CN111523098A (en) 2020-08-11

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 21788799; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 21788799; Country of ref document: EP; Kind code of ref document: A1)