CN110889142B

CN110889142B - Data authority management method, device, system and equipment

Info

Publication number: CN110889142B
Application number: CN201911323593.4A
Authority: CN
Inventors: 张雨
Original assignee: Bank of China Ltd
Current assignee: Bank of China Ltd
Priority date: 2019-12-20
Filing date: 2019-12-20
Publication date: 2022-08-26
Anticipated expiration: 2039-12-20
Also published as: CN110889142A

Abstract

The specification provides a data authority management method, a device, a system and equipment, wherein the method comprises the following steps: after receiving a data access request of a user, the identity of the requesting user can be obtained, and then the data access authority mechanism identity of the accessing user of the data access type corresponding to the data to be processed is obtained according to the pre-configured data access authority configuration information. And matching the acquired identity of the user with the data access authority identity, wherein when the matching is successful, the data access request is legal, and corresponding data processing can be performed on the data to be processed according to the specific request content of the data access request. Developers only need to configure a small amount of data, control of data access authority of different data can be achieved, and development efficiency of the system is improved. Meanwhile, unified management of authority can be carried out on all data in the system, and the safety of system access is improved.

Description

Data authority management method, device, system and equipment

Technical Field

The present specification belongs to the field of computer technologies, and in particular, to a method, an apparatus, a system, and a device for managing data permissions.

Background

With the development of computer internet technology, the data volume is also greatly increased, and different data may have different management authorities. The authority management is concerned with the security and confidentiality of each application system, and is more important for financial related systems with higher requirements on security and confidentiality.

Usually, an application system includes several functional modules, and each functional module has different requirements for authority control. Generally, the authority management of data is to implement respective authority control on each data or each function module, and each function module needs to develop its own authority control module, resulting in low code reuse rate, lack of macro control over authority control of all function modules, and low security.

Disclosure of Invention

An embodiment of the present specification aims to provide a method, an apparatus, a system, and a device for managing data access permissions, which improve the security and efficiency of data access permissions management.

In one aspect, an embodiment of the present specification provides a data right management method, including:

receiving a data access request, wherein the data access request comprises a data access request type and pending data requested to be accessed, and the data access request type comprises at least one of the following types: data query, data addition, data modification and data deletion;

acquiring the identity of the user who initiates the data access request;

acquiring a data access authority mechanism identifier corresponding to the data access request type corresponding to the data to be processed based on pre-configured data access authority configuration information;

and if the identity identification is matched with the data access authority identification, performing data processing on the data to be processed according to the data access request.

In another aspect, the present specification provides a data right management apparatus comprising:

an access request receiving module, configured to receive a data access request, where the data access request includes a data access request type and pending data that is requested to be accessed, and the data access request type includes at least one of the following: data query, data addition, data modification and data deletion;

the identity identification acquisition module is used for acquiring the identity identification of the user initiating the data access request;

the authority mechanism identification acquisition module is used for acquiring a data access authority identification corresponding to the data access request type corresponding to the data to be processed based on pre-configured data access authority configuration information;

and the data access processing module is used for processing the data to be processed according to the data access request when the identity identifier is matched with the data access authority identifier.

In yet another aspect, the present specification provides a data rights management system comprising: the data processing system comprises a data query module, a newly added data module, a data modification module and a data deletion module, wherein:

the query data module is used for determining whether the user has query authority on the data to be processed based on the identity of the user initiating the data access request and the data query authority identity corresponding to the data to be processed in the data access request when receiving the data access request of a data query type, and if so, sending a data query request for querying the data to be processed to a server;

the newly-added data module is used for determining whether the user has newly-added authority for the data to be processed according to the identity of the user initiating the data access request and a newly-added authority identity corresponding to the data to be processed in the data access request when receiving a data access request of a data newly-added type, and if so, sending a data newly-added request for newly-added data of the data to be processed to a server;

when a data access request of a data modification type is received by a data modification module user, determining whether the user has modification permission on the data to be processed according to an identity of the user initiating the data access request and a modification permission mechanism identity corresponding to the data to be processed in the data access request, and if so, sending a data modification request for modifying the data to be processed to a server;

the data deleting module is used for determining whether the user has deleting authority for the data to be processed according to the identity of the user initiating the data access request and the newly added authority identity corresponding to the data to be processed in the data access request when receiving the data access request of the newly added type of data, and if so, sending a data deleting request for deleting the data to be processed to the server.

In another aspect, the present specification provides a data right management apparatus, including: at least one processor and a memory for storing processor-executable instructions, the processor implementing the above-described data rights management method when executing the instructions.

In yet another aspect, the present specification provides a computer-readable storage medium, on which computer instructions are stored, and when executed, the instructions implement the above-mentioned data right management method.

The data right management method, device, system, processing device and storage medium provided by this specification can pre-configure data access right configuration information for each data, and after receiving a data access request from a user, can obtain an identity of the requesting user, and then obtain a data access right mechanism identifier of an accessing user who can perform a corresponding data access type on the data to be processed according to the pre-configured data access right configuration information. And matching the identity of the user initiating the data access request with a data access authority identity of an access user which is configured in advance and can carry out corresponding data access types on the data to be processed, wherein when the matching is successful, the data access request is legal, and the corresponding data processing can be carried out on the data to be processed according to the specific request content of the data access request. Developers only need to configure a small amount of data, control of data access authority of different data can be achieved, and development efficiency of the system is improved. Meanwhile, unified management of authority can be carried out on all data in the system, and the safety of system access is improved.

Drawings

In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.

FIG. 1 is a flow diagram illustrating a method for data rights management in one embodiment of the present disclosure;

FIG. 2 is a flow chart illustrating a method for managing data query permissions in one embodiment of the present disclosure;

FIG. 3 is a flow chart of a method for managing data new-adding authority in one embodiment of the present disclosure;

FIG. 4 is a flow chart illustrating a method for managing data modification rights in one embodiment of the present disclosure;

FIG. 5 is a flowchart illustrating a method for managing data deletion permissions in one embodiment of the present disclosure;

FIG. 6 is a block diagram of an embodiment of a data rights management device provided in this specification;

FIG. 7 is a block diagram illustrating an exemplary data rights management system provided herein;

fig. 8 is a block diagram showing a hardware configuration of the data right management server in one embodiment of the present specification.

Detailed Description

In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.

Generally, the access rights of different data in an application system are different, and the access rights of different users to the application system are also different. For example: for data a, user 1 has query authority, and user 2 does not have query authority.

The embodiment of the specification provides a data authority management method, which is characterized in that data access authority configuration information of different data in a system is configured in advance, when a data access request is received, an identity of a user requesting access in the data access request is acquired, and meanwhile, a data access authority identity corresponding to the type of the data access request in the data access request is acquired. And matching the identity identification with the data access authority identification, and if the matching is successful, considering that the user is allowed to perform corresponding data access on the data, namely the data access request is legal. The method has the advantages that all data in the system are subjected to unified data access authority control, the efficiency of data access security management is improved, whether a user requesting access has data access of a corresponding data access request type is judged based on the identity of an access user and the pre-configured data access authority configuration information, and the security of data access is improved.

The data authority management method in the specification can be applied to a client or a server, and the client can be an electronic device such as a smart phone, a tablet computer, a smart wearable device (a smart watch and the like), a smart vehicle-mounted device and the like.

Fig. 1 is a schematic flow chart of a data right management method in an embodiment of the present specification, and as shown in fig. 1, the data right management method provided in an embodiment of the present specification may include:

102, receiving a data access request, where the data access request includes a data access request type and pending data requested to be accessed, where the data access request type includes at least one of: data query, data addition, data modification and data deletion.

In a specific implementation process, the data authority management method provided in the embodiment of the present specification may be applied to a system that needs to perform authority management on data access, for example: some financial systems, payment systems, etc. A user may submit a data access request to the system through its own client, where the data access request may include data access request types such as: the data access request can also comprise data to be processed which is requested to be accessed. For example: the user can submit the balance information of a certain account to the mobile banking system through the client.

And step 104, acquiring the identity of the user initiating the data access request.

In a specific implementation process, after a data access request sent by a user is received, an identity of the user initiating the data access request may be obtained, where the identity may be a character string or other information uniquely identifying the user identity. The user id may be an id of a single user, or an id of a group of users, such as an identity of a unit where the user is located. For example: in the bank system, the identity of the user can be represented by an organization number, after a data access request initiated by the user through a front end is received, the organization number of the bank system where the user initiating the data access request is located can be obtained, and the organization number can represent the unique identity of each unit in the bank system.

And 106, acquiring a data access authority identification corresponding to the data access request type corresponding to the data to be processed based on the pre-configured data access authority configuration information.

In a specific implementation process, development or maintenance staff of the system can pre-configure data access authority configuration information for different data according to use requirements, and the data access authority configuration information can represent data access authority of each data, namely, which users are allowed by each data to perform what data access. The data orientation configuration information may include a correspondence between each data and the access-allowed user corresponding to different data access request types, such as: the data a is allowed to be inquired by users, the data a is allowed to be newly added by users, and the data a is allowed to be modified and deleted by users respectively. The data access authority mechanism identifier corresponding to the data access request type corresponding to the data to be processed in the data access request can be obtained based on the pre-configured data access authority configuration information. For example: the user requests to perform data query on the data a, and can acquire the data access authority identifier of the data query type of the data a according to the pre-configured data access authority configuration information, that is, the data access authority identifier of the user capable of performing data query on the data a.

And 108, if the identity identification is matched with the data access authority identification, performing data processing on the data to be processed according to the data access request.

In a specific implementation process, after acquiring the data access authority identification of the data to be processed and the identification of the user initiating the data access request, the acquired identifications and the data access authority identifications can be compared one by one, if the identification is matched with at least one data access authority identification, the data access request initiated by the user can be considered to be legal, and the corresponding data processing can be performed on the data to be processed according to the data access request.

For example: the user 1 initiates a data access request to the bank system through the front end, and requests to inquire data a. After receiving the data access request sent by the user 1, the organization number corresponding to the user 1 may be obtained as the identity of the user 1. Then, according to the data access right configuration information configured for each data in the bank system in advance, querying the data access right configuration information corresponding to the data a, and acquiring the user information capable of querying the data a, such as: suppose that there are 3 users who can query data a, and obtain the organization numbers of the 3 users. Comparing the organization number corresponding to the user 1 with the organization numbers of 3 users who can perform data query on the data a one by one, and if the organization numbers of the user 1 and 1 of the organization numbers of 3 users who can perform data query on the data a are the same, the user 1 can be considered to be capable of querying the data a. The data a can be queried according to the data access request sent by the user 1, and the queried data a is returned to the user 1.

The data right management method provided in the embodiments of the present specification may pre-configure data access right configuration information for each data, may acquire an identity of a requesting user after receiving a data access request from a user, and then acquire, according to the pre-configured data access right configuration information, a data access right mechanism identity of an accessing user that is capable of performing a corresponding data access type on data to be processed. And matching the identity of the user initiating the data access request with a pre-configured data access authority identity of an accessing user capable of performing corresponding data access types on the data to be processed, wherein when the matching is successful, the data access request is legal, and the corresponding data processing can be performed on the data to be processed according to the specific request content of the data access request. Developers only need to configure a small amount of data, control of data access authority of different data can be achieved, and development efficiency of the system is improved. Meanwhile, unified management of authority can be carried out on all data in the system, and safety of system access is improved.

On the basis of the foregoing embodiments, in some embodiments of this specification, if a data access request type in the received data access request is a data query, the obtaining a data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data includes: acquiring a data query authority identifier corresponding to the data to be processed from pre-stored data query authority information of the data to be processed, and taking the data query authority identifier as the data access authority identifier;

correspondingly, if the identity is matched with the data access authority identity, performing data processing on the data to be processed according to the data access request, including:

and if the identity identification is matched with the data query authority identification, sending a data query request for querying the data to be processed to a server according to the data access request so that the server queries the data to be processed.

In a specific implementation process, in some embodiments of the present specification, when data is stored, the data query authority information of the data may be stored in the data, such as: a field of the organization number of the user who can perform data query on the data a may be stored in the data when the data a is stored. Because of the large number of query class requests, each piece of data in the database stores its query authority field, and this field is transparent to the front end. When the data access request type in the data access request initiated by the user is data query, that is, when the user requests to query a certain data, the data query authority mechanism identifier of the user allowed to query the data to be processed can be obtained according to the data query authority information stored in the data to be processed requested to query. And matching the identity of the initiating user with the data query authority identity of the data to be processed, and if the matching is successful, querying the data to be processed and returning the data to the user. The data query authority information may be understood as data access authority configuration information, which may include information of a user allowed to perform data query corresponding to different data.

For example: when saving the data a, the data query authority identification of the user who can perform data query on the data a may be stored in the data a. When the user 1 initiates a data access request to the bank system through the front end and requests to query the data a, the organization number corresponding to the user 1 may be obtained first as the identity of the user 1. And then, according to the data query authority information stored in the data a, acquiring a data query authority identifier corresponding to the data a, such as: it is assumed that 3 data query authority mechanisms capable of performing data query on data a are stored in data a. And comparing the mechanism number corresponding to the user 1 with 3 data query right mechanism identifications capable of performing data query on the data a one by one, and if the mechanism number of the user 1 is the same as 1 of the 3 data query right mechanism identifications, considering that the user 1 can query the data a. The data a can be queried according to the data access request sent by the user 1, and the queried data a is returned to the user 1.

In the embodiment of the present specification, by storing the data query authority identifier of the data in advance, when a data query request of a user is received, it may be determined whether the data query request is allowed according to a matching result of the identity identifier of the user requesting the query and the data query authority identifier stored in the data, and if the matching is successful, the data is queried. Developers only need to configure the data query mechanism for each data, so that the automatic control of the data query authority can be realized, and the efficiency of processing the data access authority is improved.

On the basis of the foregoing embodiments, in some embodiments of the present specification, if a data access request type in the received data access request is data addition, the acquiring a data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data includes:

inquiring newly added authority control information corresponding to the data to be processed according to a pre-configured authority control configuration table, wherein the authority control configuration table comprises data access mechanisms corresponding to different data;

inquiring a pre-configured authority mechanism information table according to the newly-added type authority control information to acquire a newly-added authority mechanism identifier of the data to be processed, wherein the authority mechanism information table comprises incidence relations among different authority mechanisms and mechanism information of different authority mechanisms;

and taking the newly added authority identification as the data access authority identification.

In a specific implementation process, in some embodiments of this specification, access authority management of data in a system may be configured in advance as an authority control configuration table, and the authority control configuration table may be understood as a type of data access authority configuration information. The authority control configuration table may include information about types of users or types of organizations that different data access request types corresponding to all or part of data in the system allow access, that is, the authority control configuration table may include a correspondence between organizations with data access authority and each data, such as data query, data addition, data modification, data deletion, and the like. Table 1 is a schematic diagram of an authority control configuration table of data in a banking system in an example of this specification, and as shown in table 1, a developer may integrate situations of all authority management mechanisms that may occur in the banking system according to a usage requirement of business management and the like of the banking system, and configure information of the authority management mechanism of each data in the banking system. When the management authority of data changes, a developer can directly modify, delete or add authority information in the authority control configuration table.

Table 1: permission control configuration table

In addition, in some embodiments of the present specification, an authority information table may be further configured in advance, and the authority information table may include association relationships between different authorities and authority information of different authorities. The information of the authorities in all situations can be integrated daily or regularly in a batch manner, such as: the bank system can integrate the information of business relationship, superior and subordinate relationship, and grade of each bank among all branches. From the development perspective, the design of the authority control configuration table and the arrangement of the authority information table need to be adjusted according to different application systems, and all possible authority situations can be covered, and the authority management table can be configured specifically according to actual needs, and the embodiment of the present specification is not limited specifically.

When the type of the data access request initiated by the user through the front end is data addition, such as: the new data is requested to be inserted into the data a, the identity of the user 1 initiating the data access request can be obtained first, and then the newly added type authority control information corresponding to the data a is obtained according to the pre-configured authority control configuration table. And acquiring the newly added authority identification of the data a based on the newly added authority control information corresponding to the data a and a preconfigured authority information table. For example: and acquiring newly-added type authority control information corresponding to the data a based on the authority control configuration table, wherein the data can only be newly added by an account opening row of the account, and the authority mechanism information table can be used for acquiring the mechanism number of the account opening row of the account corresponding to the data a, namely the mechanism identification of the newly-added authority corresponding to the data a.

In the embodiment of the present specification, by pre-configuring the authority control configuration table of the data management authority and the authority organization information table of the relationship between the organizations, when a data access request for newly adding data submitted by a user is received, an identifier of a newly added authority organization corresponding to the data to be processed can be accurately obtained based on the authority control configuration table and the authority organization information table. The automatic management of the newly-added access authority of the data can be realized only by simply configuring in the system in advance, and the data processing efficiency and the data access safety are improved.

On the basis of the foregoing embodiments, in some embodiments of the present specification, during processing a data access request of a data add-on class, the method may further include:

if the identity identification is matched with the newly-added authority identification, inquiring inquiry type authority control information corresponding to the data to be processed according to the authority control configuration table;

acquiring an inquiry authority identification of the data to be processed according to the inquiry type authority control information;

and adding the inquiry authority identification into the data to be processed, and sending a data adding request for adding the data to be processed to a server according to the data access request so as to enable the server to add the data to be processed.

In a specific implementation process, after the identity of the access user and a newly added authority identity corresponding to the data to be processed are obtained, the identity and the newly added authority identity are matched. When the identity identifier is the same as at least one of the newly added authority identifiers of the data to be processed, the query type authority control information corresponding to the data to be processed can be queried according to a pre-configured authority control configuration table, and the query authority identifier of the data to be processed is obtained. After the obtained inquiry authority identification of the data to be processed is added to the data to be processed, a data addition request for adding the data to be processed is sent to the server, and after the server receives the request, the data to be processed can be subjected to addition operation in the system, and data specified by a user is added.

For example: the user 1 requests to insert new data into the data a, and may first obtain the identity of the user 1 initiating the data access request, and then obtain the newly added type authorization control information corresponding to the data a according to a pre-configured authorization control configuration table. And acquiring the newly added authority identification of the data a based on the newly added authority control information corresponding to the data a and a preconfigured authority information table. Such as: if the newly added type authority control information corresponding to the acquired data a based on the authority control configuration table is that the data can only be newly added by the account opening row of the account, the authority mechanism information table can be used for acquiring the mechanism number of the account opening row corresponding to the data a, namely the newly added authority mechanism identification corresponding to the data a. And matching the newly added authority identification corresponding to the data a with the identity identification of the user 1, and if the matching is successful, acquiring inquiry type authority control information corresponding to the data a according to a pre-configured authority control configuration table, and further acquiring the inquiry authority identification corresponding to the data a. And after the acquired inquiry authority identification corresponding to the data a is added to the data a, sending a request for newly adding data to the data a to the server, and inserting the corresponding data into the data a by the server according to the received newly added request.

In the processing process of the data addition request, after the identity identification of the access user is successfully matched with the newly added authority identification of the data to be processed, the inquiry authority identification of the data to be processed is obtained, the obtained inquiry authority identification is added into the data to be processed, a foundation is laid for subsequent data inquiry and access, and the influence on data authority management due to the change of the inquiry authority after the data is newly added is avoided.

On the basis of the foregoing embodiments, in some embodiments of this specification, if a data access request type in the received data access request is data modification, the acquiring a data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data includes:

inquiring modification type authority control information corresponding to the data to be processed according to a pre-configured authority control configuration table, wherein the authority control configuration table comprises data access mechanisms corresponding to different data;

inquiring a pre-configured authority mechanism information table according to the modification type authority control information to acquire a modification authority mechanism identifier of the data to be processed, wherein the authority mechanism information table comprises incidence relations among different authority mechanisms and mechanism information of different authority mechanisms;

and taking the modification authority identification as the data access authority identification.

In a specific implementation process, the access right management of data in the system may be configured in advance as a right control configuration table, and the configuration method and meaning of the right control configuration table may refer to the description of the above embodiments, which is not described herein again. In addition, in some embodiments of the present specification, an authority information table may be configured in advance, and the meaning and the configuration method of the authority information table may refer to the description of the above embodiments, which is not described herein again.

When the type of the data access request initiated by the user through the front end is data modification, such as: the data a can be requested to be modified by first acquiring the identity of the user 1 initiating the data access request, and then acquiring the modification type permission control information corresponding to the data a according to a pre-configured permission control configuration table. And acquiring the modification authority identification of the data a based on the modification authority control information corresponding to the data a and a pre-configured authority information table. For example: and acquiring modification type authority control information corresponding to the data a based on the authority control configuration table, wherein the data can only be modified by the account opening row, and the authority mechanism information table can be utilized to acquire the mechanism number of the account opening row corresponding to the data a, namely the modification authority mechanism identification corresponding to the data a.

In the embodiment of the present specification, by pre-configuring the authority control configuration table of the data management authority and the authority organization information table of the relationship between the authorities, when a data access request for data modification submitted by a user is received, the modification authority organization identifier corresponding to the data to be processed can be accurately obtained based on the authority control configuration table and the authority organization information table. Only simple configuration needs to be carried out in the system in advance, automatic management of data modification access authority can be achieved, and data processing efficiency and data access safety are improved.

On the basis of the foregoing embodiments, in some embodiments of this specification, if the identity identifier matches the data access authority identifier, performing data processing on the data to be processed according to the data access request includes:

if the identity identification is matched with the modification authority identification, inquiring inquiry type authority control information corresponding to the data to be processed according to the authority control configuration table;

and adding the inquiry authority identification into the data to be processed, and sending a data modification request for modifying the data to be processed to a server according to the data access request so as to enable the server to modify the data to be processed.

In a specific implementation process, after acquiring an identity of an access user and a modification authority identity corresponding to data to be processed, matching the identity with the modification authority identity, and when the identity is the same as at least one of the modification authority identities of the data to be processed, querying type authority control information corresponding to the data to be processed according to a pre-configured authority control configuration table, so as to acquire a querying authority identity of the data to be processed. After the obtained inquiry authority mechanism identification of the data to be processed is added to the data to be processed, a data modification request for modifying the data to be processed is sent to the server, and after the server receives the request, corresponding modification operation can be carried out on the data to be processed in the system.

For example: the user 1 requests to modify the data a, and may first obtain the identity of the user 1 initiating the data access request, and then obtain the modification type permission control information corresponding to the data a according to a pre-configured permission control configuration table. And acquiring the modification authority identification of the data a based on the modification authority control information corresponding to the data a and a pre-configured authority information table. Such as: if the modification type authority control information corresponding to the data a is obtained based on the authority control configuration table, the data can only be modified by the account opening row, and the authority mechanism information table can be used for obtaining the mechanism number of the account opening row corresponding to the data a, namely the modification authority mechanism identification corresponding to the data a. And matching the modification authority identification corresponding to the data a with the identity identification of the user 1, if the matching is successful, acquiring inquiry type authority control information corresponding to the data a according to a pre-configured authority control configuration table, and further acquiring the inquiry authority identification corresponding to the data a. After the inquiry authority identification corresponding to the acquired data a is added to the data a, a request for modifying the data a to the data a is sent to the server, and the server performs corresponding modification operation on the data a according to the received modification request.

In the processing process of the data modification request, after the identity identification of the access user is successfully matched with the modification authority identification of the data to be processed requested, the query authority identification of the data to be processed is obtained, and the obtained query authority identification is added into the data to be processed, so that the foundation is laid for subsequent data query access, and the influence on data authority management due to the change of the query authority after the data is modified is avoided.

On the basis of the foregoing embodiments, in some embodiments of this specification, if a data access request type in the received data access request is data deletion, the acquiring a data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data includes:

inquiring deletion type authority control information corresponding to the data to be processed according to a pre-configured authority control configuration table, wherein the authority control configuration table comprises data access mechanisms corresponding to different data;

inquiring a pre-configured authority mechanism information table according to the deletion type authority control information to acquire a deletion authority mechanism identifier of the data to be processed, wherein the authority mechanism information table comprises incidence relations among different authority mechanisms and mechanism information of different authority mechanisms;

taking the deletion authority identification as the data access authority identification;

correspondingly, if the identity identifier is matched with the data access authority identifier, performing data processing on the data to be processed according to the data access request, including:

and if the identity identification is matched with the deletion authority identification, sending a data deletion request for deleting the to-be-processed data to a server according to the data access request so as to enable the server to delete the to-be-processed data.

In a specific implementation process, the access right management of data in the system may be configured in advance as a right control configuration table, and the configuration method and meaning of the right control configuration table may refer to the description of the above embodiments, which is not described herein again. In addition, in some embodiments of the present specification, an authority information table may be configured in advance, and the meaning and the configuration method of the authority information table may refer to the description of the above embodiments, which is not described herein again. When the type of the data access request initiated by the user through the front end is data deletion, such as: the data a can be requested to be deleted, the identity of the user 1 initiating the data access request can be obtained first, and then the deletion-type permission control information corresponding to the data a can be obtained according to a pre-configured permission control configuration table. And acquiring the deletion authority identification of the data a based on the deletion authority control information corresponding to the data a and a pre-configured authority information table. For example: and acquiring the deletion-type authority control information corresponding to the data a based on the authority control configuration table, wherein the data can only be deleted by the account opening row, and the authority mechanism information table can be utilized to acquire the mechanism number of the account opening row corresponding to the data a, namely the deletion authority mechanism identification corresponding to the data a. Matching the identity of the user 1 with the deletion authority identity of the data a, if the identity of the user 1 is the same as at least one deletion authority identity, sending a data access request for deleting the data a to the server, and after receiving the request, the server can directly delete the data a.

In the embodiment of the present specification, by configuring the authority control configuration table and the authority information table in advance, when a data deletion request of a user is received, the deletion authority identifier of the data requested to be deleted can be acquired according to the configured authority control configuration table and the authority information table. And matching the identity of the user initiating the deletion request with the deletion authority identity, and determining that the users all have the deletion authority for the data. Developers only need to carry out authority management on each data and simple configuration of authority information, automatic control of data deletion authority can be achieved, and efficiency of data access authority processing is improved.

The data access request in the embodiment of the present specification mainly includes data query, data addition, data modification, and data deletion, and there may be other data access types according to actual needs, for example: data downloading, data forwarding, and the like, and the embodiments of the present specification are not particularly limited. According to the actual data access requirement, the access authority management processes of different data access types can be set based on the pre-configured data access authority configuration information, and the embodiment of the present specification is not particularly limited. The following specifically introduces the access authority management of 4 data access types provided in the embodiments of the present specification:

fig. 2 is a schematic flow chart of a method for managing data query permission in an embodiment of the present specification, and as shown in fig. 2, a process for managing access permission of a data query may include:

and S22, acquiring the organization number of the login teller. I.e. obtaining the identity of the user initiating the data query request.

And S24, automatically supplementing the organization number of the login teller in the query parameters transmitted from the front end to the background.

S26, sending an inquiry request to the background after the inquiry parameters are reassembled, and inquiring the data only when the inquiry authority number of the data (i.e. the data inquiry authority identifier described in the above embodiment) is consistent with the authority number in the inquiry parameters (i.e. the acquired authority number of the login teller), thereby implementing management of data access authority.

In a specific implementation, in this embodiment of the present specification, a query authority field may be added to all data stores. Because of the large number of query class requests, each piece of data in the database stores its query authority field, and this field is transparent to the front end. The number of the institution to which the teller initiating the inquiry request belongs is required to be consistent with the number of the authority for inquiring the data, and the teller can have inquiry authority on the data. To save space, the database may not store authority storage for additions, modifications, and deletions of data.

Fig. 3 is a flowchart illustrating a method for managing data adding permission in one embodiment of the present specification, and as shown in fig. 3, a process for managing access permission of data adding may include:

and S31, acquiring the organization number of the login teller.

S32, querying the authority control configuration table, and reading the new class transaction authority control configuration of the function module (i.e. the data to be processed), i.e. the new class authority control information in the above embodiment.

S33, according to the function module new class trade authority control configuration, inquiring authority information table, obtaining the new operation authority of the data, namely obtaining the new authority identification of the data to be processed.

And S34, checking whether the teller login mechanism is consistent with the newly-added operation authority mechanism inquired in S33, if the check fails, jumping to S35, and if the check succeeds, jumping to S36.

S35, return to front end directly operation failure.

S36, query right control configuration table, and read the query type transaction right control configuration of the function module, i.e. the query type right control information described in the above embodiments.

S37, inquiring authority information table according to the function module inquiry type transaction authority control configuration, and acquiring the inquiry operation authority of the data, namely acquiring the inquiry authority identification of the data to be processed.

And S38, filling the mechanism number inquired in S37, namely the inquiry authority identification, into the piece of data, and initiating a new addition request to the background.

Fig. 4 is a flowchart illustrating a method for managing data modification rights in an embodiment of the present disclosure, and as shown in fig. 4, an access right management process for data modification may include:

s41: the organization number of the login teller is acquired.

S42: and inquiring an authority control configuration table, and reading the modification type transaction authority control configuration of the functional module (namely the data to be processed), namely modification type authority control information.

S43: and inquiring an authority information table according to the modified transaction authority control configuration of the functional module, and acquiring a modified operation authority of the data, namely acquiring a modified authority identifier of the data to be processed.

S44: and checking whether the teller login mechanism is consistent with the operation authority modification mechanism inquired in the step S43, if the check fails, jumping to the step S45, and if the check succeeds, jumping to the step S46.

S45: returning the operation failure directly to the front end.

S46: in order to prevent the inquiry authority from changing due to the modification, the authority control configuration table is inquired again, and the function module inquiry type transaction authority control configuration, namely inquiry type authority control information, is read.

S47: and inquiring an authority information table according to the inquiry type transaction authority control configuration of the functional module, and acquiring an inquiry operation authority, namely an inquiry authority identifier of the data.

S48: the organization number queried in S47 (i.e. the identifier of the authority to be queried) is filled in the piece of data, and a modification request is initiated to the background.

Fig. 5 is a flowchart illustrating a method for managing data deletion permissions in an embodiment of this specification, and as shown in fig. 5, an access permission management process for data deletion may include:

s51: the organization number of the login teller is acquired.

S52: and inquiring an authority control configuration table, and reading the deletion type transaction authority control configuration of the functional module (namely the data to be processed), namely the deletion type authority control information.

S53: and inquiring an authority information table according to the deletion type transaction authority control configuration of the functional module, and acquiring a deletion operation authority of the data, namely acquiring a deletion authority identifier of the data to be processed.

S54: and (6) checking whether the teller login mechanism is consistent with the deletion operation authority mechanism inquired in the step S53, if the check is failed, jumping to the step S55, and if the check is successful, jumping to the step S56.

S55: returning the operation failure directly to the front end.

S56: and initiating a data deletion request to the background.

The embodiments of the present specification provide a data access permission management method, where a user initiates a data operation request (including query, addition, modification, and deletion) to a background through a front end (such as a browser), and a permission management mechanism in the embodiments of the present specification may perform permission verification on the request, determine whether the data access request is legal, and implement permission management on data access. The developer can realize the authority control of each functional module only by a small amount of configuration, thereby improving the development efficiency; and the authority control of all the functional modules is managed uniformly, so that the access security of the system is improved.

In the present specification, each embodiment of the method is described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. The relevant points can be obtained by referring to the partial description of the method embodiment.

Based on the data authority management method, one or more embodiments of the present specification further provide a data authority management device. The apparatus may include systems (including distributed systems), software (applications), modules, components, servers, clients, etc. that use the methods described in the embodiments of the present specification in conjunction with any necessary apparatus to implement the hardware. Based on the same innovative conception, embodiments of the present specification provide an apparatus as described in the following embodiments. Since the implementation scheme of the apparatus for solving the problem is similar to that of the method, reference may be made to the implementation of the foregoing method for the specific apparatus in the embodiment of the present specification, and repeated descriptions are omitted. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware or a combination of software and hardware is also possible and contemplated.

Specifically, fig. 6 is a schematic block diagram of an embodiment of a data right management device provided in this specification, and as shown in fig. 6, the data right management device provided in this specification may include: an access request receiving module 61, an identity obtaining module 62, an authority identity obtaining module 63, and a data access processing module 64, wherein:

the access request receiving module 61 may be configured to receive a data access request, where the data access request includes a data access request type and pending data that is requested to be accessed, where the data access request type includes at least one of the following: data query, data addition, data modification and data deletion;

an identity obtaining module 62, configured to obtain an identity of a user initiating the data access request;

an authority identifier obtaining module 63, configured to obtain, based on pre-configured data access authority configuration information, a data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data;

and the data access processing module 64 may be configured to perform data processing on the data to be processed according to the data access request when the identity identifier matches the data access authority identifier.

The data right management device provided in the embodiments of the present specification may pre-configure data access right configuration information for each data, and after receiving a data access request from a user, may obtain an identity of the requesting user, and then obtain, according to the pre-configured data access right configuration information, a data access right mechanism identifier of an access user that is capable of performing a corresponding data access type on the data to be processed. And matching the identity of the user initiating the data access request with a data access authority identity of an access user which is configured in advance and can carry out corresponding data access types on the data to be processed, wherein when the matching is successful, the data access request is legal, and the corresponding data processing can be carried out on the data to be processed according to the specific request content of the data access request. Developers only need to configure a small amount of data, control of data access authority of different data can be achieved, and development efficiency of the system is improved. Meanwhile, unified management of authority can be carried out on all data in the system, and the safety of system access is improved.

It should be noted that the above-described apparatus may also include other embodiments according to the description of the method embodiment. The specific implementation manner may refer to the description of the above corresponding method embodiment, and is not described in detail herein.

Fig. 7 is a schematic block diagram of an embodiment of a data rights management system provided in this specification, and as shown in fig. 7, the data rights management system provided in this specification may include: the system comprises a data query module, a newly added data module, a data modification module and a data deletion module, wherein an authority management mechanism can be configured in the data query module, the newly added data module, the data modification module and the data deletion module, wherein:

the query data module is used for determining whether the user has query authority on the data to be processed based on the identity of the user initiating the data access request and the data query authority identity corresponding to the data to be processed in the data access request when receiving the data access request of the data query type, and if so, sending the data query request for querying the data to be processed to a server. That is, when the front end initiates a data query request to the background, the data query module can transmit query parameters to the background, automatically supplement query right related parameters in the query parameters based on a right management mechanism, and initiate the query request to the background after the query parameters are reassembled.

The newly-added data module is used for determining whether the user has newly-added authority for the data to be processed according to the identity of the user initiating the data access request and a newly-added authority identity corresponding to the data to be processed in the data access request when receiving a data access request of a data newly-added type, and if so, sending a data newly-added request for newly-added data to be processed to a server. The newly-added data module is further used for: and after determining that the user has a new authority for the data to be processed, acquiring an inquiry authority identification corresponding to the data to be processed, adding the inquiry authority identification into the data to be processed, and sending a data adding request for adding the new data to be processed to a server according to the data access request.

Namely: when the front end initiates a new data request to the background, the new data module can be used for checking whether the user has an insertion authority for the data according to a set authority management mechanism, and directly rejecting the request if the checking fails; if the verification is successful, the authority management mechanism acquires the inquiry authority of the piece of data and fills the inquiry authority into the piece of data, and then a new adding request is sent to a background.

When a data access request of a data modification type is received by a data modification module user, determining whether the user has modification permission on the data to be processed according to an identity of the user initiating the data access request and a modification permission mechanism identity corresponding to the data to be processed in the data access request, and if so, sending a data modification request for modifying the data to be processed to a server; the modify data module is further to: after determining that the user has modification authority on the data to be processed, acquiring a query authority mechanism identifier corresponding to the data to be processed, adding the query authority mechanism identifier to the data to be processed, and sending a data modification request for modifying the data to be processed to a server according to the data access request.

Namely: when the front end initiates a request for modifying data to the background, the data modification module can check whether the user has the right to modify the data based on the right management mechanism, and if the check fails, the request is directly rejected; if the verification is successful, the authority management mechanism judges whether the modification influences the inquiry authority of the data, if so, the inquiry authority of the data is obtained again and filled in the data, and then a modification request is sent to a background.

An embodiment of the present specification further provides a data right management device, including: at least one processor and a memory for storing processor-executable instructions, wherein the processor, when executing the instructions, implements the data right management method in the above embodiments, such as:

acquiring the identity of the user who initiates the data access request;

It should be noted that the system and the processing device described above may also include other implementations according to the description of the method embodiment. The specific implementation manner may refer to the description of the above corresponding method embodiment, and details are not described herein.

The data right management device or the processing device provided by the specification can also be applied to various data analysis and processing systems. The system or apparatus or processing device may comprise any of the data rights management apparatus of the above embodiments. The described system or apparatus or processing device may be a single server, or may include a server cluster, a system (including distributed system), software (application), actual operation device, logic gate device, quantum computer, etc. using one or more of the described methods or apparatus of one or more embodiments of the present disclosure, and terminal devices incorporating the necessary hardware for implementation. The detection system for collating difference data may comprise at least one processor and a memory storing computer executable instructions which when executed by the processor implement the steps of the method of any one or more of the embodiments described above.

The method embodiments provided by the embodiments of the present specification can be executed in a mobile terminal, a computer terminal, a server or a similar computing device. Taking an example of the server running on the server, fig. 8 is a block diagram of a hardware structure of a data right management server in an embodiment of the present specification, where the server may be a data right management device or system in the above embodiment. As shown in fig. 8, the server 10 may include one or more (only one shown) processors 100 (the processors 100 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 200 for storing data, and a transmission module 300 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 8 is merely an illustration and is not intended to limit the structure of the electronic device. For example, the server 10 may also include more or fewer components than shown in FIG. 8, and may also include other processing hardware, such as a database or multi-level cache, a GPU, or have a different configuration than shown in FIG. 8, for example.

The memory 200 may be used to store software programs and modules of application software, such as program instructions/modules corresponding to the data authority management method in the embodiment of the present specification, and the processor 100 executes various functional applications and resource data updates by running the software programs and modules stored in the memory 200. Memory 200 may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 200 may further include memory located remotely from processor 100, which may be connected to a computer terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The transmission module 300 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal. In one example, the transmission module 300 includes a Network adapter (NIC) that can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission module 300 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.

The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.

The method or apparatus provided by the present specification and described in the foregoing embodiments may implement the service logic through a computer program and record the service logic on a storage medium, where the storage medium may be read and executed by a computer, so as to implement the effect of the solution described in the embodiments of the present specification.

The embodiment of the present application further provides a computer storage medium of a data authority management method, where the computer storage medium stores computer program instructions, and when the computer program instructions are executed, the computer storage medium may implement:

acquiring the identity of the user who initiates the data access request;

The storage medium may include a physical device for storing information, and typically, the information is digitized and then stored using an electrical, magnetic, or optical media. The storage medium may include: devices that store information using electrical energy, such as various types of memory, e.g., RAM, ROM, etc.; devices that store information using magnetic energy, such as hard disks, floppy disks, tapes, core memories, bubble memories, and usb disks; devices that store information optically, such as CDs or DVDs. Of course, there are other ways of storing media that can be read, such as quantum memory, graphene memory, and so forth.

The data right management method or apparatus provided in the embodiment of the present specification may be implemented by a processor executing corresponding program instructions in a computer, for example, implemented by using a c + + language of a windows operating system on a PC side, implemented by using a linux system, or implemented by using android and iOS system programming languages on an intelligent terminal, and implemented by using processing logic based on a quantum computer.

It should be noted that descriptions of the apparatus, the computer storage medium, and the system described above according to the related method embodiments may also include other embodiments, and specific implementations may refer to descriptions of corresponding method embodiments, which are not described in detail herein.

The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the hardware + program class embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to only the partial description of the method embodiment.

The embodiments of the present description are not limited to what must be consistent with industry communications standards, standard computer resource data updating and data storage rules, or what is described in one or more embodiments of the present description. Certain industry standards or implementations modified slightly from those described using custom modes or examples can also achieve the same, equivalent or similar, or other expected implementation results after being modified. The embodiments using the modified or transformed data acquisition, storage, judgment, processing and the like can still fall within the scope of the alternative embodiments of the embodiments in this specification.

In the 90 s of the 20 th century, improvements in a technology could clearly distinguish between improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing an Integrated Circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to the software compiler used in program development, but the original code before compiling is also written in a specific Programming Language, which is called Hardware Description Language (HDL), and the HDL is not only one kind but many kinds, such as abel (advanced boot Expression Language), ahdl (alternate Language Description Language), communication, CUPL (computer universal Programming Language), HDCal (Java Hardware Description Language), langa, Lola, mylar, HDL, PALASM, rhydl (runtime Description Language), vhjhdul (Hardware Description Language), and vhygl-Language, which are currently used commonly. It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.

The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in purely computer readable program code means, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.

The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

Although one or more embodiments of the present description provide method operational steps as described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive approaches. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When the device or the end product in practice executes, it can execute sequentially or in parallel according to the method shown in the embodiment or the figures (for example, in the environment of parallel processors or multi-thread processing, even in the environment of distributed resource data update). The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. The terms first, second, etc. are used to denote names, but not any particular order.

For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, when implementing one or more of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, etc. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable resource data updating apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable resource data updating apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable resource data update apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable resource data update apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.

As will be appreciated by one skilled in the art, one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system embodiments are substantially similar to the method embodiments, so that the description is simple, and the relevant points can be referred to the partial description of the method embodiments. In the description of the specification, reference to the description of "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the specification. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.

The above description is intended to be illustrative of one or more embodiments of the disclosure, and is not intended to limit the scope of one or more embodiments of the disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement made within the spirit and principle of the present specification shall be included in the scope of the claims.

Claims

1. A method for data rights management, the method comprising:

acquiring the identity of a user initiating the data access request;

acquiring a data access authority mechanism identifier corresponding to the data access request type corresponding to the to-be-processed data based on pre-configured data access authority configuration information;

if the identity identification is matched with the data access authority identification, performing data processing on the data to be processed according to the data access request;

the method for acquiring the data access authority identifier corresponding to the data access request type corresponding to the data to be processed includes the following steps that: acquiring a data query authority identification corresponding to the data to be processed from pre-stored data query authority information of the data to be processed, and taking the data query authority identification as the data access authority identification;

2. The method of claim 1, wherein if a data access request type in the received data access request is data addition, the obtaining a data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data comprises:

inquiring newly added type authority control information corresponding to the data to be processed according to a pre-configured authority control configuration table, wherein the authority control configuration table comprises data access mechanisms corresponding to different data;

inquiring a pre-configured authority mechanism information table according to the newly-added authority control information to acquire a newly-added authority mechanism identifier of the data to be processed, wherein the authority mechanism information table comprises association relations between different authority mechanisms and mechanism information of different authority mechanisms;

3. The method of claim 2, wherein the performing data processing on the data to be processed according to the data access request if the identity identifier matches the data access authority identifier comprises:

4. The method of claim 1, wherein if a data access request type in the received data access request is data modification, the obtaining a data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data includes:

5. The method as claimed in claim 4, wherein the step of performing data processing on the data to be processed according to the data access request if the identity matches the data access authority identity comprises:

6. The method of claim 1, wherein if a data access request type in the received data access request is data deletion, the obtaining of the data access authority identifier corresponding to the data access request type corresponding to the to-be-processed data includes:

7. A data rights management apparatus, characterized in that the apparatus comprises:

the authority mechanism identifier acquisition module is used for acquiring a data access authority identifier corresponding to the data access request type corresponding to the data to be processed based on pre-configured data access authority configuration information;

the data access processing module is used for processing the data to be processed according to the data access request when the identity identification is matched with the data access authority identification;

the authority identification acquisition module is specifically configured to store a data query authority identification of data in the data, and if a data access request type in the received data access request is data query, the authority identification acquisition module is configured to: acquiring a data query authority identifier corresponding to the data to be processed from pre-stored data query authority information of the data to be processed, and taking the data query authority identifier as the data access authority identifier;

correspondingly, the data access processing module is specifically configured to:

8. A data rights management system, comprising: the data processing system comprises a data query module, a newly added data module, a data modification module and a data deletion module, wherein:

the query data module is used for determining whether the user has query authority on the data to be processed based on the identity of the user initiating the data access request and the data query authority identity corresponding to the data to be processed in the data access request when receiving the data access request of a data query type, and if so, sending a data query request for querying the data to be processed to a server; the method comprises the steps that data inquiry authority identification of data is stored in the data, and when a data access request of a data inquiry type is received, the data inquiry authority identification corresponding to the data to be processed is obtained from pre-stored data inquiry authority information of the data to be processed;

the data deleting module is used for determining whether the user has deleting authority for the data to be processed according to the identity of the user initiating the data access request and the newly added authority identification corresponding to the data to be processed in the data access request when receiving the data access request of the newly added type of the data, and if so, sending a data deleting request for deleting the data to be processed to a server.

9. The system of claim 8, wherein the add data module is further to: after determining that the user has a new authority for the data to be processed, acquiring an inquiry authority identification corresponding to the data to be processed, adding the inquiry authority identification to the data to be processed, and sending a data adding request for adding the new data to be processed to a server according to the data access request;

the modify data module is further to: after determining that the user has modification authority on the data to be processed, acquiring a query authority identification corresponding to the data to be processed, adding the query authority identification to the data to be processed, and sending a data modification request for modifying the data to be processed to a server according to the data access request.

10. A data rights management device, comprising: at least one processor and a memory for storing processor-executable instructions, the processor implementing the method of any one of claims 1-6 when executing the instructions.

11. A computer-readable storage medium having stored thereon computer instructions which, when executed, implement the steps of the method of any one of claims 1 to 6.