WO2021208758A1 - Data permission management - Google Patents


Publication number
WO2021208758A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2021/085189
Other languages
English (en)
Chinese (zh)
Inventor
刘洋
周家英
刘恒
Original Assignee
支付宝(杭州)信息技术有限公司
Application filed by 支付宝(杭州)信息技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • This specification relates to the field of data security technology, and in particular to a data authority management method and device.
  • One method is to divide the behavior of subjects accessing objects into different levels, such as List, Read, Write, and Permissions management.
  • This method only serves to describe the behavior, and does not affect the control of data security.
  • Another method is to control the subject's access to data by adjusting the subject's security level.
  • The disadvantage of this approach is also obvious: if the subject only needs to access one column in a table whose security level is higher than its own, then after the subject's security level is raised, other columns that the subject previously could not access may also become accessible, resulting in over-authorization.
  • One or more embodiments of this specification provide a data authority management method, including: receiving a data operation request sent by a user, the data operation request being used to request that a first operation be performed on the first column of data in the target data set.
  • The target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • Based on the data operation request, obtain data operation authority information corresponding to the user and/or the security level of the first column of data.
  • The authority of the user to perform the first operation on the first column of data is authenticated, and an authentication result is obtained. According to the authentication result, it is determined whether the user is allowed to perform the first operation on the first column of data.
  • A data authority management device, including: a receiving module, which receives a data operation request sent by a user, the data operation request being used to request that a first operation be performed on the first column of data in the target data set; the target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • An obtaining module, which obtains the data operation authority information corresponding to the user and/or the security level of the first column of data based on the data operation request.
  • An authentication module, which, according to the data operation authority information and/or the security level, authenticates the user's authority to perform the first operation on the first column of data, and obtains an authentication result.
  • A determining module, which determines, according to the authentication result, whether to allow the user to perform the first operation on the first column of data.
  • One or more embodiments of the present specification provide a data rights management device, including a processor and a memory arranged to store computer-executable instructions.
  • The processor receives a data operation request sent by a user; the data operation request is used to request that a first operation be performed on the first column of data in the target data set; the target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • Based on the data operation request, the processor obtains data operation authority information corresponding to the user and/or the security level of the first column of data.
  • The authority of the user to perform the first operation on the first column of data is authenticated, and an authentication result is obtained. According to the authentication result, it is determined whether the user is allowed to perform the first operation on the first column of data.
  • One or more embodiments of this specification provide a storage medium for storing computer-executable instructions that, when executed, implement the following process: receiving a data operation request sent by a user, the data operation request being used to request that a first operation be performed on the first column of data in the target data set.
  • The target data set includes a plurality of column data, and each column data corresponds to its own security level.
  • Based on the data operation request, obtain data operation authority information corresponding to the user and/or the security level of the first column of data.
  • The authority of the user to perform the first operation on the first column of data is authenticated, and an authentication result is obtained. According to the authentication result, it is determined whether the user is allowed to perform the first operation on the first column of data.
  • Fig. 1 is a schematic flowchart of a data authority management method according to an embodiment of the present specification.
  • Fig. 2 is a schematic flowchart of a data authority management method according to another embodiment of the present specification.
  • Fig. 3 is a schematic flowchart of a data authority management method according to still another embodiment of the present specification.
  • Fig. 4 is a schematic flowchart of a data authority management method according to still another embodiment of this specification.
  • Fig. 5 is a schematic block diagram of a data authority management device according to an embodiment of the present specification.
  • Fig. 6 is a schematic block diagram of a data rights management device according to an embodiment of the present specification.
  • One or more embodiments of this specification provide a data authority management method and device to solve the problem of inaccurate data security management and control in the prior art.
  • Fig. 1 is a schematic flowchart of a data authority management method according to an embodiment of the present specification. As shown in Fig. 1, the method includes:
  • S102 Receive a data operation request sent by a user.
  • The data operation request is used to request that a first operation be performed on the first column of data in the target data set.
  • The target data set includes multiple column data, and each column data corresponds to its own security level.
  • The "first" in "first column of data" does not denote a sequence number; it only indicates the column data targeted by the data operation request. Therefore, the first column of data can be any column of data in the target data set.
  • The target data set may be a data table including multiple columns of data.
  • The security level is a way to classify the column data according to the degree of data confidentiality of the column data.
  • S104 Based on the data operation request, obtain data operation authority information corresponding to the user and/or the security level of the first column of data.
  • The data operation authority information includes first authority information corresponding to various operations that the user is authorized to perform on the target data set and/or second authority information corresponding to various operations that the user is authorized to perform on the first column of data.
  • The various operations include, for example, query operations, read operations, update operations and delete operations.
  • The data operation authority information may include the first authority information corresponding to the various operations that the user has the right to perform on the data table, and may also include the second permission information corresponding to the various operations that the user is authorized to perform on the first column of data (which can be any column of data).
  • The first permission information should contain the permission information corresponding to the read operation. Suppose the user has the right to access the first column of data in the data table (which can be any column of data); the second authority information should then include the authority information corresponding to the query operation.
  • S106 According to the data operation authority information and/or the security level, authenticate the user's authority to perform the first operation on the first column of data, and obtain an authentication result.
  • S108 Determine whether the user is allowed to perform the first operation on the first column of data according to the authentication result.
  • If the authentication result is that the user has the right, the user is allowed to perform the first operation on the first column of data; if the authentication result is that the user has no right, the user is refused permission to perform the first operation on the first column of data.
  • The data operation authority information corresponding to the user and/or the security level of the first column of data is obtained, the user is authenticated based on the acquired data operation authority information and/or the security level of the first column of data, and then it is determined whether the user is allowed to perform the first operation on the first column of data according to the authentication result.
  • The data authority and the security level of the column data are combined to manage the data comprehensively, thereby improving the accuracy of user authentication.
  • The data management and control solution does not need to adjust the data security level, thereby avoiding over-authorization problems caused by adjusting the data security level, and ensuring data security management and control effects to a greater extent.
  • The following describes in detail how to authenticate the user's authority to perform the first operation on the first column of data according to the user's corresponding data operation authority information and/or the security level of the first column of data.
  • Determine whether the second authority information contains the authority information corresponding to the first operation; if yes, it is determined that the user has the authority to perform the first operation on the first column of data; if not, the user's authority to perform the first operation on the first column of data is further authenticated according to the first authority information corresponding to the various operations that the user is authorized to perform on the data table and/or the security level of the first column of data.
  • Authenticating the user's permission to perform the first operation on the first column of data may include: judging whether the first permission information contains the permission information corresponding to the first operation; if so, comparing the security level of the user with the security level of the first column of data, and authenticating the user's permission to perform the first operation on the first column of data based on the comparison result; if not, determining that the user does not have the permission to perform the first operation on the first column of data.
  • The user's authority to perform the first operation on the first column of data is authenticated according to the comparison result, specifically: if the comparison result is that the user's security level is lower than the security level of the first column of data, it is determined that the user does not have the permission to perform the first operation on the first column of data; if the comparison result is that the user's security level is not lower than the security level of the first column of data, it is determined that the user has the permission to perform the first operation on the first column of data.
  • The user's authority information on the first column of data is queried first, thereby combining authority management and security levels. This not only accurately controls the operation authority of the column data (that is, the data operation authority is controlled to the column level), but also means that the authority control of one column of data does not affect the authority control of other column data, which improves the data security control effect and avoids over-authorization.
  • If the user needs to perform an operation on a certain column of data in the target data set, the user can submit a permission application to perform the operation on that column of data in advance, and initiate a data operation request for the column of data after the permission application is successful.
  • The following takes the first column of data (which can be any column of data) in the target data set as an example to illustrate how to authorize the user to operate on the first column of data in advance.
  • The first review result of reviewing the first permission application is determined; if the first review result is approved, the permission information corresponding to the first operation is recorded in the first permission information.
  • Fig. 2 is a schematic flowchart of a data authority management method according to another embodiment of the present specification. As shown in Fig. 2, the method includes:
  • S201 Receive a first permission application sent by a user to perform a first operation on a target data set.
  • S202 Determine a first review result of reviewing the first permission application.
  • a user with a certain authority such as a data authority manager
  • The target data set is the user information table shown in Table 1, and the user information table includes multiple column data and the security level corresponding to each column data.
  • The user needs to perform the first operation (such as a query operation) on a first column (such as the id column or the nickname column) in user information table 1 whose security level is not higher than that of the user.
  • A table permission entry for the user to perform the first operation on user information table 1 is recorded in the first permission information, that is, the permission information corresponding to the first operation is added.
  • The second review result of reviewing the second permission application is determined; if the second review result is approved, the permission information corresponding to the first operation is recorded in the second permission information.
  • Fig. 3 is a schematic flowchart of a data authority management method according to another embodiment of the present specification. As shown in Fig. 3, the method includes:
  • S301 Receive a second permission application sent by a user to perform a first operation on the first column of data in the target data set.
  • S302 Determine a second review result of reviewing the second permission application.
  • a user with a certain authority such as a data authority manager
  • Data authority management includes the following steps:
  • S401 Receive a data operation request sent by a user for requesting to perform a first operation on a first column of data in a target data set, where the target data set includes multiple column data, and each column data corresponds to its own security level.
  • The first operation is, for example, a query operation, a read operation, an update operation or a delete operation.
  • The first column of data can be any column of data in the target data set.
  • The target data set may be a data table including multiple columns of data.
  • The security level is a way to classify the column data according to the degree of data confidentiality of the column data.
  • The security level of column data can be pre-set by authorized designated personnel (such as data management personnel).
  • The first operation is one of the various operations.
  • S403 Determine whether the second authority information includes authority information corresponding to the first operation. If yes, execute S409; if not, execute S404.
  • S404 Acquire first permission information corresponding to various operations that the user has the right to perform on the target data set.
  • S405 Determine whether the first permission information includes permission information corresponding to the first operation. If yes, execute S406; if not, execute S408.
  • S406 Determine the security level of the user and the security level of the first column of data.
  • S407 Determine whether the security level of the user is lower than the security level of the first column of data. If yes, execute S408; if not, execute S409.
  • S408 Determine that the user does not have the authority to perform the first operation on the first column of data, and refuse the user to perform the first operation on the first column of data.
  • S409 Determine that the user has the authority to perform the first operation on the first column of data, and allow the user to perform the first operation on the first column of data.
  • The user's authority information for the first column of data is queried first; if it cannot be found, the user is authenticated using the first permission information and the security level, thus combining permission management and the security level. This not only accurately controls the operation permissions of the column data (data operation authority is controlled to the column level), but also means that the authority control of one column of data does not affect the authority control of other column data, which improves the effect of data security control and avoids over-authorization.
  • Zhang San wants to access columns of user information table 1 whose security level is not higher than his own. For example, Zhang San needs to perform a query on the id column or the nickname column. Since the security level of the id column or nickname column is not higher than that of Zhang San, Zhang San can apply in advance for the table permission to perform query operations on user information table 1.
  • The first permission information corresponding to Zhang San (that is, the permission information recording Zhang San's right to perform various operations on user information table 1) and the second permission information corresponding to Zhang San (recording the various operations Zhang San has the right to perform on the id column) are obtained, and it is determined whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San only applied in advance for the table permission to perform query operations on user information table 1, and did not apply for the column permission to perform query operations on the id column, the second permission information does not include the permission item corresponding to the query operation (that is, the item cannot be found). Now proceed to the next step.
  • Determine whether the first permission information contains the permission item corresponding to the query operation, that is, whether the permission item for Zhang San to perform the query operation on user information table 1 is recorded in the first permission information. Since Zhang San has previously applied for the table permission to perform the query operation on user information table 1, the first permission information contains the permission item corresponding to the query operation. Now proceed to the next step, namely the security level check.
  • Determine the security level of Zhang San and of the id column in user information table 1, and determine whether the security level of Zhang San is lower than the security level of the id column. Since Zhang San's security level and the security level of the id column are both 0, Zhang San's security level is not lower than the security level of the id column, so Zhang San has the right to perform query operations on the id column. At this time, the authentication success message is returned, and Zhang San is allowed to perform query operations on the id column.
  • When Zhang San initiates a data operation request to perform a query operation on the nickname column, since the security level of the nickname column and the security level of the id column are the same (both are 0), the authentication process is the same as for the id column and will not be repeated.
  • When Zhang San initiates a data operation request to perform a query operation on column data in user information table 1 whose security level is higher than his own (such as the name column), the authentication process is as follows:
  • Determine whether the first permission information contains the permission item corresponding to the query operation, that is, whether the permission item for Zhang San to perform the query operation on user information table 1 is recorded in the first permission information. Since Zhang San has previously applied for the table permission to perform the query operation on user information table 1, the first permission information contains the permission item corresponding to the query operation. At this time, proceed to the next step, namely the security level check.
  • Determine the security level of Zhang San and of the name column in user information table 1, and determine whether the security level of Zhang San is lower than the security level of the name column. Since Zhang San's security level is 0 and the name column's security level is 2, Zhang San's security level is lower than the name column's security level, so Zhang San has no right to perform query operations on the name column. At this time, the authentication failure information is returned, and Zhang San is refused permission to perform the query operation on the name column.
  • When Zhang San initiates a data operation request to perform a query operation on other column data with a security level higher than his own (such as the mobile column, birthday column or credit_card column), the authentication process is the same as for the name column and will not be repeated.
  • Zhang San wants to access a column of user information table 1 whose security level is higher than his own. For example, Zhang San needs to perform a query operation on the name column. Since the security level of the name column is higher than that of Zhang San, Zhang San can apply in advance for the column permission to perform query operations on the name column. After the application is approved, a permission item for Zhang San's query permission on the name column is added to the second permission information (the permission information recording the various operations Zhang San has the right to perform on the name column).
  • Determine whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San has previously applied for the column permission to perform the query operation on the name column, the second permission information contains the permission item corresponding to the query operation. At this time, the authentication success message is returned, and Zhang San is allowed to perform query operations on the name column.
  • When Zhang San initiates a data operation request to perform a query operation on the mobile column, the authentication process is as follows:
  • The first permission information corresponding to Zhang San (that is, the permission information recording Zhang San's right to perform various operations on user information table 1) and the second permission information (recording the various operations Zhang San has the right to perform on the mobile column) are obtained, and it is determined whether the second permission information contains the permission item corresponding to the query operation. Since Zhang San only applied in advance for the column permission to perform query operations on the name column, but did not apply for the column permission to perform query operations on the mobile column, the second permission information does not include the permission item corresponding to the query operation (that is, the item cannot be found). Now proceed to the next step.
  • Determine whether the first permission information contains the permission item corresponding to the query operation, that is, whether the permission item for Zhang San to perform the query operation on user information table 1 is recorded in the first permission information. If it does not, it means that Zhang San has no right to perform the query operation on the mobile column of user information table 1. At this time, the authentication failure information is returned, and Zhang San is refused permission to perform the query operation on the mobile column. If it does, proceed to the next step, which is the security level check.
  • Determine the security level of Zhang San and of the mobile column in user information table 1, and determine whether the security level of Zhang San is lower than the security level of the mobile column. Since Zhang San's security level is lower than that of the mobile column, Zhang San has no right to perform query operations on the mobile column. At this time, the authentication failure information is returned, and Zhang San is refused permission to perform the query operation on the mobile column.
  • When Zhang San initiates a data operation request to perform a query operation on the birthday column or the credit_card column, since the security level of the birthday column or the credit_card column is higher than the security level of Zhang San, the authentication process is the same as that of the mobile column and will not be described in detail again.
  • Zhang San cannot perform operations on column data in user information table 1 with a higher security level than his own. If Zhang San wants to perform certain operations on column data with a higher security level than his own, he needs to apply in advance for permission to perform this type of operation on the column. It can be seen that this method of combining authority management and security level to comprehensively authenticate users can not only accurately control data security, but also ensure that authorization for one column of data does not affect the authority control of other columns, thereby avoiding over-authorization and ensuring the effectiveness of data security management and control.
  • Fig. 5 is a schematic flowchart of a data authority management device according to an embodiment of the present specification. As shown in Fig. 5, the device includes:
  • The receiving module 510 receives a data operation request sent by a user; the data operation request is used to request that a first operation be performed on the first column of data in the target data set; the target data set includes multiple column data; each of the column data corresponds to its own security level;
  • The obtaining module 520, based on the data operation request, obtains the data operation authority information corresponding to the user and/or the security level of the first column of data;
  • The authentication module 530 authenticates the user's authority to perform the first operation on the first column of data, and obtains an authentication result;
  • The determining module 540 determines whether the user is allowed to perform the first operation on the first column of data according to the authentication result.
  • The data operation authority information includes first authority information corresponding to the various operations that the user is authorized to perform on the target data set and/or second authority information corresponding to the various operations that the user is authorized to perform on the first column of data.
  • The authentication module 530 includes: a judging unit, which judges whether the second permission information contains the permission information corresponding to the first operation; a first determining unit, which, if the second permission information contains the authority information corresponding to the first operation, determines that the user has the authority to perform the first operation on the first column of data; and a first authentication unit, which, if the second authority information does not include the authority information corresponding to the first operation, authenticates the authority of the user to perform the first operation on the first column of data according to the first authority information and/or the security level.
  • The first authentication unit judges whether the first permission information includes the permission information corresponding to the first operation; if so, it compares the security level of the user with the security level of the first column of data, and authenticates the authority of the user to perform the first operation on the first column of data according to the comparison result; if not, it determines that the user does not have the authority to perform the first operation on the first column of data.
  • The first authentication unit, if the comparison result is that the security level of the user is lower than the security level of the first column of data, determines that the user does not have the authority to perform the first operation on the first column of data; if the comparison result is that the security level of the user is not lower than the security level of the first column of data, it determines that the user has the authority to perform the first operation on the first column of data.
  • The device further includes: a second receiving module, which, before the data operation request sent by the user is received, receives a first permission application sent by the user for performing the first operation on the target data set; a second determination module, which determines the first review result of reviewing the first permission application; and a first recording module, which, if the first review result is approved, records in the first permission information the authority information corresponding to the first operation.
  • The device further includes: a third receiving module, which, before the data operation request sent by the user is received, receives a second permission application sent by the user for performing the first operation on the first column of data; a third determination module, which determines the second review result of reviewing the second permission application; and a second recording module, which, if the second review result is approved, records in the second permission information the authority information corresponding to the first operation.
  • the data operation authority information corresponding to the user and/or the security level of the first column of data are obtained, the user is authenticated based on the acquired data operation authority information and/or the security level of the first column of data, and it is then determined, according to the authentication result, whether the user is allowed to perform the first operation on the first column of data.
  • the data authority and the security level of the column data are combined to manage the data comprehensively, thereby improving the accuracy of user authentication.
  • the device does not need to adjust the data security level, thereby avoiding over-authorization problems caused by adjusting the data security level, and ensuring data security management and control effects to a greater extent.
  • the data rights management device may differ considerably depending on its configuration or performance, and may include one or more processors 601 and a memory 602, and the memory 602 may store one or more stored applications or data. The memory 602 may be short-term storage or persistent storage.
  • the application program stored in the memory 602 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for the data rights management device.
  • the processor 601 may be configured to communicate with the memory 602, and execute a series of computer-executable instructions in the memory 602 on the data rights management device.
  • the data rights management device may also include one or more power supplies 603, one or more wired or wireless network interfaces 604, one or more input and output interfaces 605, and one or more keyboards 606.
  • the data rights management device includes a memory and one or more programs.
  • One or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the data rights management device, and is configured to be executed by one or more processors.
  • the one or more programs include computer-executable instructions for performing the following: receiving a data operation request sent by a user;
  • the data operation request is used to request the first operation to be performed on the first column of data in the target data set; the target data set includes multiple column data; each of the column data corresponds to its own security level;
  • According to the data operation request, obtain the data operation authority information corresponding to the user and/or the security level of the first column of data; according to the data operation authority information and/or the security level, authenticate the user's authority to perform the first operation on the first column of data, and obtain the authentication result; according to the authentication result, determine whether the user is allowed to perform the first operation on the first column of data.
  • the data operation authority information includes first permission information corresponding to the various operations that the user is authorized to perform on the target data set and/or second permission information corresponding to the various operations that the user is authorized to perform on the first column of data.
  • the computer-executable instructions, when executed, may also cause the processor to: determine whether the second permission information contains the permission information corresponding to the first operation; if so, determine that the user has the authority to perform the first operation on the first column of data; if not, authenticate, according to the first permission information and/or the security level, the user's authority to perform the first operation on the first column of data.
  • the computer-executable instructions, when executed, may also cause the processor to: determine whether the first permission information contains the permission information corresponding to the first operation; if so, compare the user's security level with the security level of the first column of data, and authenticate the user's authority to perform the first operation on the first column of data according to the comparison result; if not, determine that the user does not have the authority to perform the first operation on the first column of data.
  • the computer-executable instructions, when executed, may also cause the processor to: if the comparison result is that the security level of the user is lower than the security level of the first column of data, determine that the user does not have the authority to perform the first operation on the first column of data; if the comparison result is that the security level of the user is not lower than the security level of the first column of data, determine that the user has the authority to perform the first operation on the first column of data.
  • the computer-executable instructions, when executed, may also cause the processor to: receive a first permission application sent by the user to perform the first operation on the target data set; determine a first review result of reviewing the first permission application; if the first review result is approved, record the permission information corresponding to the first operation in the first permission information.
  • the computer-executable instructions, when executed, may also cause the processor to: receive a second permission application sent by the user to perform the first operation on the first column of data; determine a second review result of reviewing the second permission application; if the second review result is approved, record the permission information corresponding to the first operation in the second permission information.
  • One or more embodiments of this specification also propose a computer-readable storage medium that stores one or more programs, and the one or more programs include instructions.
  • the electronic device can execute the above-mentioned data authority management method, and is specifically used to execute: receiving a data operation request sent by a user; the data operation request is used to request execution of the first operation on the first column of data in the target data set; the target data set includes a plurality of column data; each of the column data corresponds to its own security level; based on the data operation request, obtain the data operation authority information corresponding to the user and/or the security level of the first column of data; according to the data operation authority information and/or the security level, authenticate the user's authority to perform the first operation on the first column of data to obtain the authentication result; according to the authentication result, determine whether the user is allowed to perform the first operation on the first column of data.
  • a typical implementation device is a computer.
  • the computer may be, for example, a personal computer, a laptop computer, a cell phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or any combination of these devices.
  • one or more embodiments of this specification can be provided as a method, a system, or a computer program product. Therefore, one or more embodiments of this specification may adopt the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, one or more embodiments of this specification may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device that realizes the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission media that can be used to store information that can be accessed by computing devices. According to the definition in this specification, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
  • program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types.
  • This application can also be practiced in distributed computing environments. In these distributed computing environments, tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in local and remote computer storage media including storage devices.
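The authentication order described in the embodiments above (column-level "second permission information" first, then data-set-level "first permission information" combined with the security-level comparison) can be sketched as follows. This is an added illustration, not code from the patent; the class and function names, the integer levels and the sample table are assumptions, as is refusing requests for unknown columns.

```python
from dataclasses import dataclass, field


@dataclass
class DataSet:
    name: str
    column_levels: dict  # column name -> security level (higher = more sensitive)


@dataclass
class User:
    name: str
    level: int  # the user's own security level
    # "first permission information": (data set, operation) approved for the whole set
    dataset_grants: set = field(default_factory=set)
    # "second permission information": (data set, column, operation) approved per column
    column_grants: set = field(default_factory=set)


def record_grant(user, ds, op, approved, column=None):
    """Record a reviewed permission application; a rejected one leaves no grant."""
    if not approved:
        return False
    if column is None:
        user.dataset_grants.add((ds.name, op))
    elif column in ds.column_levels:
        user.column_grants.add((ds.name, column, op))
    else:
        return False  # never record a grant for a column that does not exist
    return True


def authorize(user, ds, column, op):
    """Return (allowed, reason) for one operation on one column."""
    if column not in ds.column_levels:
        return False, "unknown column"  # fail closed (assumption, not in the text)
    # 1. An explicit column-level grant decides on its own.
    if (ds.name, column, op) in user.column_grants:
        return True, "column grant"
    # 2. Otherwise a data-set grant for this operation is required ...
    if (ds.name, op) not in user.dataset_grants:
        return False, "no grant for operation"
    # 3. ... and the user's level must not be lower than the column's level.
    if user.level < ds.column_levels[column]:
        return False, "security level too low"
    return True, "data-set grant and sufficient level"


def authorized_columns(user, ds, columns, op):
    """Split a multi-column request into permitted columns and refusal reasons."""
    allowed, refused = [], {}
    for col in columns:
        ok, reason = authorize(user, ds, col, op)
        if ok:
            allowed.append(col)
        else:
            refused[col] = reason
    return allowed, refused


# Constructed sample data: one table with three columns.
CUSTOMERS = DataSet("customers", {"city": 1, "phone": 3, "id_number": 3})


def demo():
    analyst = User("analyst", level=2)
    record_grant(analyst, CUSTOMERS, "read", approved=True)                  # data-set application
    record_grant(analyst, CUSTOMERS, "read", approved=True, column="phone")  # column application
    return authorized_columns(analyst, CUSTOMERS, ["city", "phone", "id_number"], "read")
```

The column grant opens only `phone`; `id_number`, at the same security level, stays refused because no level was adjusted, which is the over-authorization case the description says the scheme avoids.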

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

One or more embodiments of the present invention relate to a data permission management method and apparatus, for use in solving the prior-art problem of imprecise data security control. The method comprises the following steps: receiving a data operation request sent by a user, the data operation request being used to request that a first operation be performed on a first column of data in a target data set, the target data set comprising a plurality of columns of data and the columns of data corresponding to respective security levels; obtaining, on the basis of the data operation request, data operation permission information corresponding to the user and/or the security level of the first column of data; identifying, according to the data operation permission information and/or the security level, the user's permission to perform the first operation on the first column of data so as to obtain an authentication result; and determining, according to the authentication result, whether the user has permission to perform the first operation on the first column of data.
PCT/CN2021/085189 2020-04-15 2021-04-02 Data permission management WO2021208758A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010296131.4A CN111523098A (zh) 2020-04-15 2020-04-15 Data authority management method and device
CN202010296131.4 2020-04-15

Publications (1)

Publication Number Publication Date
WO2021208758A1 true WO2021208758A1 (fr) 2021-10-21

Family

ID=71903126

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/085189 WO2021208758A1 (fr) 2020-04-15 2021-04-02 Data permission management

Country Status (2)

Country Link
CN (1) CN111523098A (fr)
WO (1) WO2021208758A1 (fr)

Also Published As

Publication number Publication date
CN111523098A (zh) 2020-08-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21788799

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21788799

Country of ref document: EP

Kind code of ref document: A1