CN113836500B - Data authority control method, system, terminal and storage medium - Google Patents


Publication number
CN113836500B
Authority
CN
China
Prior art keywords
role
template
resource
user
operation resource
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010582484.0A
Other languages
Chinese (zh)
Other versions
CN113836500A (en
Inventor
薛颜波
沈邗
罗大地
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Synyi Medical Technology Co ltd
Original Assignee
Shanghai Synyi Medical Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Synyi Medical Technology Co ltd filed Critical Shanghai Synyi Medical Technology Co ltd
Priority to CN202010582484.0A priority Critical patent/CN113836500B/en
Publication of CN113836500A publication Critical patent/CN113836500A/en
Application granted granted Critical
Publication of CN113836500B publication Critical patent/CN113836500B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/10 Text processing
    • G06F40/166 Editing, e.g. inserting or deleting
    • G06F40/186 Templates

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The data authority control method, the system, the terminal and the storage medium respectively render one or more authority control template strategies based on metadata of one or more users or roles so as to obtain one or more authority control strategies for controlling data operation authorities of each user or role. The method and the device are used for solving the problems that a data authority management mechanism in the prior art can cause an access control list to become huge and difficult to maintain, or can cause a strategy to become extremely complex during the control of multi-level data authority, and is difficult to write and maintain, so that the working efficiency of data authority control is greatly reduced. According to the application, metadata of the user or the role is utilized to render one or more authority control template strategies so as to perform central control on complex data authorities in a private cloud environment, and further, the work efficiency of data authority control is improved.

Description

Data authority control method, system, terminal and storage medium
Technical Field
The present application relates to the field of data information processing technologies, and in particular, to a method, a system, a terminal, and a storage medium for controlling data authority.
Background
In the age of cloud computing and cloud services, a unified and centralized data authority management mechanism is indispensable for ensuring data security. Existing central permission control mechanisms include access control lists, role-based access control, and Amazon permission policies. An access control list can precisely define specific data items, but as the data volume increases and different users hold the same authority, the access control list becomes huge and difficult to maintain.
Role-based access control, in turn, has difficulty controlling data rights down to the individual person. Amazon's permission policy is powerful, but when controlling multi-level data rights the policies become extremely complex and difficult to write and maintain.
Disclosure of Invention
In view of the above-mentioned drawbacks of the prior art, an object of the present application is to provide a data authority control method, system, terminal and storage medium, for solving the problem that in the prior art, a data authority management mechanism causes an access control list to become very huge and difficult to maintain, or a policy to become extremely complex and difficult to write and maintain when controlling multi-level data authority, so that the working efficiency of data authority control is greatly reduced.
To achieve the above and other related objects, the present application provides a data authority control method, including: rendering the one or more rights control template policies based on metadata of the one or more users or roles, respectively, to obtain one or more rights control policies for controlling data manipulation rights of the respective users or roles.
In one embodiment of the present application, the rights control template policy includes: an operation resource template part, an operation definition part and an operation decision part; wherein the operation resource template section includes: a placeholder template having a fixed format for determining operational resource information, wherein the operational resource information comprises: an operation resource path, an operation object and an operation resource body; the operation definition part is used for defining operation content based on the operation resource information; the operation decision section is used for determining whether the operation content is allowed.
In one embodiment of the present application, the rights control policy template includes: an operation resource part, an operation part and a decision part; wherein the operation resource part defines, based on the operation resource template part, the operation resource information of each user or role; the operation part defines, based on the operation definition part, the operation content of each user or role on the corresponding operation resource information; and the decision part determines, based on the operation decision part, whether the defined operation content of each user or role is allowed.
In an embodiment of the present application, the metadata includes: the name of each user or role, the operation resource path and the operation resource body on the operation resource path.
In an embodiment of the application, the method further comprises: rendering, based on the metadata of each sub-class role having an inheritance relationship within a role, the authority control policy of the role or sub-class role one level above that sub-class role, so as to obtain the authority control policy for controlling the data operation authority of each sub-class role.
In one embodiment of the present application, the placeholder template comprises: an operation resource path, an operation object, and an operation resource body placeholder.
To achieve the above and other related objects, the present application provides a data right control system, including: a processing module configured to render the one or more right control template policies based on the metadata of the one or more users or roles, respectively, so as to obtain one or more right control policies for controlling the data operation rights of each user or role.
In one embodiment of the present application, the rights control template policy includes: an operation resource template part, an operation definition part and an operation decision part; wherein the operation resource template section includes: a placeholder template having a fixed format for determining operational resource information, wherein the operational resource information comprises: an operation resource path, an operation object and an operation resource body; the operation definition part is used for defining operation content based on the operation resource information; the operation decision section is used for determining whether the operation content is allowed.
To achieve the above and other related objects, the present application provides a data right control terminal, comprising: a memory for storing a computer program; and a processor for executing the data authority control method.
To achieve the above and other related objects, the present application provides a computer storage medium storing a computer program implementing the data right control method when the computer program is run.
As described above, the data authority control method, system, terminal and storage medium of the present application have the following beneficial effects: according to the application, metadata of the user or the role is utilized to render one or more authority control template strategies so as to perform central control on complex data authorities in a private cloud environment, and further, the work efficiency of data authority control is improved.
Drawings
Fig. 1 is a flow chart of a data authority control method according to an embodiment of the application.
Fig. 2 is a schematic diagram of a data authority control system according to an embodiment of the application.
Fig. 3 is a schematic diagram of a data authority control terminal according to an embodiment of the present application.
Detailed Description
Other advantages and effects of the present application will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present application with reference to specific examples. The application may also be practiced or carried out in other embodiments, and the details of the present description may be modified or varied without departing from the spirit and scope of the present application. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict.
In the following description, reference is made to the accompanying drawings, which illustrate several embodiments of the application. It is to be understood that other embodiments may be utilized and that mechanical, structural, electrical, and operational changes may be made without departing from the spirit and scope of the present application. The following detailed description is not to be taken in a limiting sense, and the scope of embodiments of the present application is defined only by the claims of the issued patent. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. Spatially relative terms, such as "upper," "lower," "left," "right," "below," "above," and the like, may be used herein to facilitate a description of one element or feature as illustrated in the figures relative to another element or feature.
Throughout the specification, when a portion is said to be "connected" to another portion, this includes not only the case of "direct connection" but also the case of "indirect connection" with other elements interposed therebetween. In addition, when a certain component is said to be "included" in a certain section, unless otherwise stated, other components are not excluded, but it is meant that other components may be included.
Terms such as "first", "second" and "third" are used herein to describe various portions, components, regions, layers and/or sections, but are not limited thereto. These terms are only used to distinguish one portion, component, region, layer or section from another portion, component, region, layer or section. Thus, a first portion, component, region, layer or section discussed below could be termed a second portion, component, region, layer or section without departing from the scope of the present application.
Furthermore, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes," and/or "including" specify the presence of stated features, operations, elements, components, items, categories, and/or groups, but do not preclude the presence, occurrence or addition of one or more other features, operations, elements, components, items, categories, and/or groups. The terms "or" and "and/or" as used herein are to be construed as inclusive, meaning any one or any combination. Thus, "A, B or C" or "A, B and/or C" means "any of the following: A; B; C; A and B; A and C; B and C; A, B and C". An exception to this definition will occur only when a combination of elements, functions or operations is in some way inherently mutually exclusive.
Therefore, the embodiment of the application provides a data authority control method, which is used for solving the problems that a data authority management mechanism in the prior art can cause an access control list to become huge and difficult to maintain, or a strategy becomes extremely complex and difficult to write and maintain when multi-level data authority is controlled, so that the working efficiency of data authority control is greatly reduced. According to the application, metadata of the user or the role is utilized to render one or more authority control template strategies so as to perform central control on complex data authorities in a private cloud environment, and further, the work efficiency of data authority control is improved.
The embodiments of the present application will be described in detail below with reference to the attached drawings so that those skilled in the art to which the present application pertains can easily implement the present application. This application may be embodied in many different forms and is not limited to the embodiments described herein.
As shown in fig. 1, a flow chart of a data authority control method in an embodiment of the application is shown.
The method comprises the following steps:
step S11: rendering the one or more rights control template policies based on metadata of the one or more users or roles, respectively, to obtain one or more rights control policies for controlling data manipulation rights of the respective users or roles.
Optionally, the one or more rights control template policies are respectively rendered based on metadata of the one or more users to obtain a rights control policy for controlling data operation rights of each user.
Or,
rendering the one or more rights control template policies based on metadata of the one or more roles, respectively, to obtain a rights control policy for controlling data operation rights of each role.
Optionally, each user or role corresponds to one or more rights control template policies, where each rights control template policy includes: an operation resource template part, an operation definition part and an operation decision part.
The operation resource template section includes: a placeholder template having a fixed format for determining operational resource information, wherein the operational resource information comprises: an operation resource path, an operation object and an operation resource body;
the operation definition part is used for defining operation content based on the operation resource information;
the operation decision section is used for determining whether the operation content is allowed.
For example, a rights control template policy for "in a blog application, a user can edit the articles with specific IDs that belong to that user" includes:
(operation resource template section) Resource: blog:article/{user ID}/{blog:article ID}
(operation definition section) Operation: edit
(operation decision section) Whether to allow: yes.
Optionally, the authority control policy template includes: an operation resource part, an operation part and a decision part; wherein the operation resource part defines, based on the operation resource template part, the operation resource information of each user or role; the operation part defines, based on the operation definition part, the operation content of each user or role on the corresponding operation resource information; and the decision part determines, based on the operation decision part, whether the defined operation content of each user or role is allowed.
For example, the metadata of user Zhang San includes: [user ID: Zhang San], [blog:article ID: 11], [blog:article ID: 15]. Rendering the rights control template policy:
Resource: blog:article/{user ID}/{blog:article ID}
Operation: edit
Whether to allow: yes.
yields two rights control policies corresponding to Zhang San:
Resource: blog:article/Zhang San/11
Operation: edit
Whether to allow: yes
and
Resource: blog:article/Zhang San/15
Operation: edit
Whether to allow: yes.
Optionally, the operation resource template part is combined with the metadata of each user or role to obtain the operation resource part in the authority control policy of that role or user, which is used for determining the operation resources of each user or role. Specifically, the metadata is used to fill the placeholder template, yielding the operation resource part in the authority control policy of the role or user.
Optionally, the operation part defines, based on the operation definition part, the operation content of each user or role on the operation resource path. Note that, given the operation resource information determined by the operation resource template, the operation definition section defines the operation content of each user or role on the operation resource path. For example, the operation content includes editing, reading, and so on, and is not limited in the present application.
Optionally, the decision section is configured to determine, based on the operation decision section, whether the defined operation content of each user or role is allowed. Preferably, the operation decision section determines whether the operation content is permitted once the operation resource template has determined an operation path and the operation definition section has determined the operation content under that path. If the operation decision section is "allowed", the decision section likewise carries over as "allowed".
Optionally, the placeholder template includes: an operation resource path, an operation object, and an operation resource body placeholder. The placeholder template follows the rule [resource path: resource entity name/definition screening conditions].
For example, the operation resource template portion for "the user can edit an article in a blog", obtained from the above placeholder template, is:
blog:article/{user ID}/{blog:article ID}.
Optionally, the operation resource template based on the placeholder template is combined with metadata of each user or role to obtain an operation resource part in the authority control policy, and the operation resource part is used for determining the operation resources of each user or role.
Optionally, the metadata includes any information about the user, the role, and the sub-role, according to which the rights control template policy may be rendered. The content of the metadata is not limited in the present application.
Optionally, the metadata includes: the name of each user or role, the operation resource path and the operation resource body on the operation resource path.
Optionally, if the metadata has a plurality of pieces of data conforming to the condition corresponding to one authority control template policy, the metadata is rendered once, so that time is saved and efficiency is greatly improved.
Optionally, the metadata renders the operation resource template, which is based on the placeholder template in the authority control template policy, to obtain the operation resource part in the authority control policy. The name of each user or role fills the user or role name placeholder of the placeholder template in the operation resource template; likewise, the operation resource paths allowed to each user or role, and the operation objects on each of those paths, fill the resource path and operation object placeholders of the placeholder template. The operation resource part of each user's or role's authority control policy is obtained through this filling.
For example, for user Zhang San, the metadata includes: [user ID: Zhang San], [blog:article ID: 11]; the operation resource template part based on the placeholder template in the authority control template policy is: blog:article/{user ID}/{blog:article ID}. The operation resource part of the resulting right control policy for controlling the data operation rights of the user is: blog:article/Zhang San/11.
Optionally, if the metadata allows a user or role multiple operation objects on the operation resource paths: when the operation objects are on the same operation path, the operation resource template based on the placeholder template for that operation path in the authority control template policy is rendered; when the operation objects are on different operation paths, the operation resource templates based on the placeholder templates for the corresponding operation paths in the authority control template policy are rendered respectively.
For example, for user Zhang San, the metadata includes: [user ID: Zhang San], [blog:article ID: 11], [blog:article ID: 15]. Rendering the operation resource template part blog:article/{user ID}/{blog:article ID} yields the operation resource parts of the authority control policies: blog:article/Zhang San/11 and blog:article/Zhang San/15.
Optionally, if each role includes sub-class roles having inheritance relationships, the sub-class roles forming a tree structure with hierarchical relationships, the data authority control method further comprises: rendering one or more authority control policies based on the metadata of each sub-class role at each level of the inheritance relationship within each role, so as to obtain the authority control policy for controlling the data operation authority of each sub-class role.
Specifically, rendering one or more authority control template strategies based on metadata of one or more roles respectively to obtain an authority control strategy for controlling data operation authorities of each role;
and rendering, based on the metadata of each sub-class role having an inheritance relationship within a role, the authority control policy of the role or sub-class role one level above that sub-class role, so as to obtain the authority control policy for controlling the data operation authority of each sub-class role.
It follows that rendering of multiple inheritance-based role trees and metadata-based template policies is supported.
For example, the role is the personnel department, and its sub-roles include the personnel department intern. To obtain the authority control policy of the personnel department intern, rendering is first performed based on one or more authority control template policies to obtain the authority control policy of the personnel department; the obtained authority control policy of the personnel department is then rendered based on the metadata of the personnel department intern to obtain the authority control policy for controlling the data authority of the personnel department intern. Because the sub-role is rendered by inheriting the authority control policy of the role, the control authority is restricted again on the basis of the role's control authority, yielding an authority control policy for the sub-role with fewer rights.
It should be noted that the sub-roles may have one or more levels. Specifically, a first-level child role inherits the authority control policy of the role that is its parent role to obtain the authority control policy of the first-level child role; a second-level child role inherits the authority control policy of the first-level child role that is its parent role to obtain the authority control policy of the second-level child role; and by the same rule a child role at any higher level inherits the authority control policy of its parent role to obtain its own authority control policy.
Optionally, if rendering of a rights control template policy based on the metadata of one or more users or roles fails, specifically, if the metadata of the user or role contains no fill data for the operation resource template portion of that rights control template policy, the rights control template policy is discarded.
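The rendering step, the discard rule and the role inheritance described above can be sketched as follows. This is an added example, not code from the patent: all function and class names are hypothetical, and the value validation, the narrowing rule for child roles (a child can only remove values its parent already has) and the deny-by-default check are assumptions the page does not specify.

```python
import itertools
import re
from dataclasses import dataclass

PLACEHOLDER = re.compile(r"\{([^{}]+)\}")
# Assumption (not in the patent): a metadata value may not contain "/", "*",
# "{" or "}", so it cannot add path segments, wildcards or new placeholders.
SAFE_VALUE = re.compile(r"[^/*{}]+")


@dataclass(frozen=True)
class TemplatePolicy:
    resource_template: str  # operation resource template part
    operation: str          # operation definition part
    allow: bool             # operation decision part


@dataclass(frozen=True)
class Policy:
    resource: str   # operation resource part
    operation: str  # operation part
    allow: bool     # decision part


def render(template, metadata):
    """Fill every placeholder from metadata; one policy per value combination."""
    found = PLACEHOLDER.findall(template.resource_template)
    keys = list(dict.fromkeys(k.strip() for k in found))
    value_lists = []
    for key in keys:
        values = [str(v) for v in metadata.get(key, [])]
        if not values:
            return []  # no fill data for this placeholder: discard the template
        for value in values:
            if not SAFE_VALUE.fullmatch(value):
                raise ValueError(f"unsafe metadata value for {key!r}: {value!r}")
        value_lists.append(values)
    policies = []
    for combo in itertools.product(*value_lists):
        binding = dict(zip(keys, combo))
        resource = PLACEHOLDER.sub(
            lambda m: binding[m.group(1).strip()], template.resource_template)
        policies.append(Policy(resource, template.operation, template.allow))
    return policies


def render_all(templates, metadata):
    """Render every template; templates without fill data contribute nothing."""
    return [p for t in templates for p in render(t, metadata)]


def narrow(parent_metadata, child_metadata):
    """Assumed inheritance rule: a child role can only remove parent values."""
    return {key: [v for v in values if v in child_metadata.get(key, values)]
            for key, values in parent_metadata.items()}


def is_allowed(policies, resource, operation):
    """Deny by default; an explicit deny wins (both are assumptions)."""
    hits = [p for p in policies
            if p.resource == resource and p.operation == operation]
    return bool(hits) and all(p.allow for p in hits)


# Constructed sample data. The first template and Zhang San's metadata follow
# the page's example; everything else is made up for illustration.
ARTICLE_EDIT = TemplatePolicy("blog:article/{user ID}/{blog:article ID}", "edit", True)
COMMENT_DELETE = TemplatePolicy("blog:comment/{user ID}/{blog:comment ID}", "delete", True)
ZHANG_SAN = {"user ID": ["Zhang San"], "blog:article ID": [11, 15]}

RECORD_READ = TemplatePolicy("hr:record/{department}/{record type}", "read", True)
PERSONNEL = {"department": ["personnel"], "record type": ["attendance", "salary"]}
INTERN = {"record type": ["attendance"]}

if __name__ == "__main__":
    for policy in render_all([ARTICLE_EDIT, COMMENT_DELETE], ZHANG_SAN):
        print(policy)
    print(render_all([RECORD_READ], PERSONNEL))
    print(render_all([RECORD_READ], narrow(PERSONNEL, INTERN)))
```

With the constructed data, the comment template is discarded because Zhang San's metadata has no comment IDs, and the intern role ends up with a strict subset of the personnel department's policies.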
Similar to the principles of the embodiments described above, the present application provides a data rights control system.
Specific embodiments are provided below with reference to the accompanying drawings:
fig. 2 shows a schematic diagram of a data authority control system according to an embodiment of the present application.
The system comprises:
the processing module 21 is configured to render the one or more rights control template policies based on metadata of the one or more users or roles, so as to obtain one or more rights control policies for controlling data operation rights of each user or role.
Optionally, based on metadata of one or more users, the processing module 21 renders one or more rights control template policies respectively to obtain a rights control policy for controlling data operation rights of each user.
Or,
rendering the one or more rights control template policies based on metadata of the one or more roles, respectively, to obtain a rights control policy for controlling data operation rights of each role.
Optionally, each user or role corresponds to one or more rights control template policies, where each rights control template policy includes: an operation resource template part, an operation definition part and an operation decision part.
The operation resource template section includes: a placeholder template having a fixed format for determining operational resource information, wherein the operational resource information comprises: an operation resource path, an operation object and an operation resource body;
the operation definition part is used for defining operation content based on the operation resource information;
the operation decision section is used for determining whether the operation content is allowed.
Optionally, the authority control policy template includes: an operation resource part, an operation part and a decision part; wherein the operation resource part defines, based on the operation resource template part, the operation resource information of each user or role; the operation part defines, based on the operation definition part, the operation content of each user or role on the corresponding operation resource information; and the decision part determines, based on the operation decision part, whether the defined operation content of each user or role is allowed.
Optionally, the processing module 21 combines the operation resource template part with the metadata of each user or role to obtain the operation resource part in the authority control policy of that role or user, which is used for determining the operation resources of each user or role. Specifically, the metadata is used to fill the placeholder template, yielding the operation resource part in the authority control policy of the role or user.
Optionally, for the operation section, the processing module 21 defines, based on the operation definition section, the operation content of each user or role on the operation resource path. Note that, given the operation resource information determined by the operation resource template, the operation definition section defines the operation content of each user or role on the operation resource path. For example, the operation content includes editing, reading, and so on, and is not limited in the present application.
Optionally, for the decision section, the processing module 21 determines, based on the operation decision section, whether the defined operation content of each user or role is allowed. Preferably, the operation decision section determines whether the operation content is permitted once the operation resource template has determined an operation path and the operation definition section has determined the operation content under that path. If the operation decision section is "allowed", the decision section likewise carries over as "allowed".
Optionally, the placeholder template includes: an operation resource path, an operation object, and an operation resource body placeholder. The placeholder template follows the rule [resource path: resource entity name/definition screening conditions].
Optionally, the processing module 21 combines the operation resource template based on the placeholder template with metadata of each user or role to obtain an operation resource part in the authority control policy, and the operation resource part is used for determining the operation resource of each user or role.
Optionally, the metadata includes any information about the user, the role, and the sub-role, according to which the rights control template policy may be rendered. The content of the metadata is not limited in the present application.
Optionally, the metadata includes: the name of each user or role, the operation resource path and the operation resource body on the operation resource path.
Optionally, if the metadata has a plurality of pieces of data conforming to the condition corresponding to one authority control template policy, the metadata is rendered once, so that time is saved and efficiency is greatly improved.
Optionally, the metadata is used to render the operation resource template based on the placeholder template in the authority control template policy, to obtain the operation resource part of the authority control policy. The name of each user or role fills the user or role name placeholder of the placeholder template in the operation resource template; likewise, the operation resource paths allowed for each user or role, and the operation objects on each of those paths, fill the resource path placeholders and the operation object placeholders of the placeholder template. The operation resource part of each user's or role's authority control policy is obtained through this filling.
Optionally, if the metadata allows a user or role multiple operation objects: when the operation objects are on one operation path, the operation resource template based on the placeholder template corresponding to that operation path in the authority control template policy is rendered; when the operation objects are on different operation paths, the operation resource templates based on the placeholder templates for the corresponding operation paths in the authority control template policy are rendered respectively.
Optionally, each role includes sub-class roles having inheritance relationships, wherein the sub-class roles form a tree structure with hierarchical relationships. In that case the data authority control method further comprises: rendering one or more authority control policies based on the metadata of each sub-class role at each level having an inheritance relationship in each role, so as to obtain the authority control policy for controlling the data operation authority of each sub-class role.
Specifically, based on metadata of one or more roles, the processing module 21 renders one or more rights control template policies respectively, so as to obtain a rights control policy for controlling data operation rights of each role;
based on the metadata of each sub-class role at each level having an inheritance relationship in each role, the processing module 21 renders the authority control policy of the role or sub-class role one level above each sub-class role, respectively, to obtain the authority control policy for controlling the data operation authority of each sub-class role.
It follows that the processing module 21 supports rendering of multiple inherited role trees and metadata-based template policies.
It should be noted that there may be one or more levels of child roles. Specifically, a first-level child role inherits the authority control policy of the role that is its parent to obtain the authority control policy of the first-level child role; a second-level child role inherits the authority control policy of the first-level role that is its parent to obtain the authority control policy of the second-level child role; by the same rule, child roles at each further level inherit the authority control policy of their parent role to obtain their own authority control policy.
Optionally, if rendering a rights control template policy based on the metadata of one or more users or roles fails, specifically because the metadata of the user or role has no data to fill the operation resource template portion of that rights control template policy, the rights control template policy is discarded.
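The rendering described above (placeholder filling, one rendering per allowed resource path, inheritance down the role tree, and discarding a template that cannot be filled) can be sketched as follows. This is an added illustration, not code from the patent: the `{placeholder}` syntax, the allowlist applied to metadata values, the dictionary layout and the sample roles are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

PLACEHOLDER = re.compile(r"\{(\w+)\}")
# Assumed allowlist: slash-separated segments only, so metadata cannot inject
# ':' or '*' and silently widen the rendered resource.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*")

class RenderError(Exception):
    """A placeholder has no metadata value, or the value is not allowlisted."""

@dataclass(frozen=True)
class TemplatePolicy:
    resource_template: str  # operation resource template part
    operations: tuple       # operation definition part
    decision: str           # operation decision part

def fill(template, values):
    def substitute(match):
        value = values.get(match.group(1))
        if value is None or not SAFE_VALUE.fullmatch(value):
            raise RenderError(match.group(1))
        return value
    return PLACEHOLDER.sub(substitute, template)

def templates_for(role, roles):
    """Templates of every ancestor (root first), then the role's own."""
    chain, seen = [], set()
    while role is not None:
        if role in seen:
            raise ValueError("cycle in role tree")
        seen.add(role)
        chain.append(role)
        role = roles[role].get("parent")
    return [t for r in reversed(chain) for t in roles[r].get("templates", [])]

def render_role(role, roles):
    """Render inherited and own templates with this role's metadata only."""
    meta = roles[role]["metadata"]
    policies = []
    for tpl in templates_for(role, roles):
        try:
            resources = [
                fill(tpl.resource_template,
                     {**meta.get("attrs", {}), "name": meta["name"],
                      "path": path, "body": body})
                for path, body in meta["resources"]
            ]
        except RenderError:
            continue  # fail closed: the whole template is discarded for this role
        policies += [(meta["name"], r, tpl.operations, tpl.decision) for r in resources]
    return policies

# Constructed sample data.
READ = TemplatePolicy("{path}:{body}/owner={name}", ("read",), "allow")
EDIT_DEPT = TemplatePolicy("{path}:{body}/dept={dept}", ("read", "edit"), "allow")
ROLES = {
    "clinician": {"parent": None, "templates": [READ], "metadata": {
        "name": "clinician", "resources": [("emr/records", "patient")]}},
    "cardiologist": {"parent": "clinician", "templates": [EDIT_DEPT], "metadata": {
        "name": "cardiologist", "attrs": {"dept": "cardiology"},
        "resources": [("emr/records", "patient"), ("emr/orders", "prescription")]}},
    "intern": {"parent": "cardiologist", "metadata": {   # no dept attribute
        "name": "intern", "resources": [("emr/records", "patient")]}},
    "contractor": {"parent": "clinician", "metadata": {  # wildcard in metadata
        "name": "contractor", "resources": [("emr/records", "patient/*")]}},
}
```

Here `intern` inherits `EDIT_DEPT` but has no `dept` value, so that template is discarded rather than rendered with an empty condition, and `contractor` ends up with no policy at all because its metadata carries a wildcard.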
Fig. 3 shows a schematic structural diagram of the data authority control terminal 30 in an embodiment of the present application.
The data right control terminal 30 includes: a memory 31 and a processor 32. The memory 31 is for storing a computer program; the processor 32 runs the computer program to implement the data right control method as described in fig. 1.
Alternatively, the number of the memories 31 may be one or more, and the number of the processors 32 may be one or more, and one is taken as an example in fig. 3.
Optionally, the processor 32 in the data authority control terminal 30 loads one or more instructions corresponding to the process of the application program into the memory 31 according to the steps as described in fig. 1, and the processor 32 executes the application program stored in the memory 31, thereby implementing various functions in the data authority control method as described in fig. 1.
Optionally, the memory 31 may include, but is not limited to, high speed random access memory and nonvolatile memory, such as one or more disk storage devices, flash memory devices, or other non-volatile solid-state storage devices; the processor 32 may include, but is not limited to, a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), etc.; it may also be a digital signal processor (Digital Signal Processing, DSP for short), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), a field-programmable gate array (Field-Programmable Gate Array, FPGA for short) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Alternatively, the processor 32 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), etc.; it may also be a digital signal processor (Digital Signal Processing, DSP for short), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), a field-programmable gate array (Field-Programmable Gate Array, FPGA for short) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The present application also provides a computer readable storage medium storing a computer program which, when run, implements the data rights control method as shown in fig. 1. The computer-readable storage medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs (compact disk-read only memories), magneto-optical disks, ROMs (read-only memories), RAMs (random access memories), EPROMs (erasable programmable read only memories), EEPROMs (electrically erasable programmable read only memories), magnetic or optical cards, flash memory, or other types of media/machine-readable medium suitable for storing machine-executable instructions. The computer readable storage medium may be a product that is not connected to a computer device, or a component used by a computer device to which it is connected.
In summary, the data authority control method, system, terminal and medium solve the problems that the access control list becomes huge and difficult to maintain due to the data authority management mechanism in the prior art, or the strategy becomes extremely complex and difficult to write and maintain due to the control of the multi-level data authority, and further the working efficiency of the data authority control is greatly reduced. According to the application, metadata of the user or the role is utilized to render one or more authority control template strategies so as to perform central control on complex data authorities in a private cloud environment, and further, the work efficiency of data authority control is improved. Therefore, the application effectively overcomes various defects in the prior art and has high industrial utilization value.
The above embodiments are merely illustrative of the principles of the present application and its effectiveness, and are not intended to limit the application. Modifications and variations may be made to the above-described embodiments by those skilled in the art without departing from the spirit and scope of the application. It is therefore intended that all equivalent modifications and changes made by those skilled in the art without departing from the spirit and technical spirit of the present application shall be covered by the appended claims.

Claims (6)

1. A data authority control method, characterized by comprising:
rendering the one or more rights control template policies based on metadata of the one or more users or roles, respectively, to obtain one or more rights control policies for controlling data operation rights of each user or role;
wherein,
the authority control template policy comprises: an operation resource template part, an operation definition part and an operation decision part; wherein the operation resource template section includes: a placeholder template having a fixed format for determining operational resource information, wherein the operational resource information comprises: an operation resource path, an operation object and an operation resource body; the operation definition part is used for defining operation content based on the operation resource information; the operation decision part is used for determining whether the operation content is allowed or not;
the rights control policy includes: an operation resource part, an operation part and a decision part; wherein the operation resource part is used for defining the operation resource information of each user or role based on the operation resource template part; the operation part is used for defining the operation content of the information of each user or role on the basis of the corresponding operation resource information based on the operation definition part; the decision section is used for determining whether the operation content of each defined user or role is allowed or not based on the operation decision section;
the metadata includes: the name of each user or role, an operation resource path and an operation resource body on the operation resource path;
and combining the operation resource template part with metadata of each user or role to obtain an operation resource part in the authority control policy of the role or user, wherein the operation resource part is used for determining operation resources of each user or role; wherein the way of combining the operation resource template part with the metadata of each user or role comprises: filling a placeholder template of the operation resource template part by using the metadata.
2. The data rights control method of claim 1, further comprising:
and rendering the authority control strategy of the role or the sub-class role at the upper layer of each sub-class role based on the metadata of each sub-class role with inheritance relationship in each role, so as to obtain the authority control strategy for controlling the data operation authority of each sub-class role.
3. The data rights control method of claim 1, wherein the placeholder template comprises: an operation resource path, an operation object, and an operation resource body placeholder.
4. A data rights control system, the system comprising:
the processing module is used for respectively rendering one or more authority control template strategies based on metadata of one or more users or roles so as to obtain one or more authority control strategies for controlling data operation authorities of each user or role;
wherein,
the authority control template policy comprises: an operation resource template part, an operation definition part and an operation decision part; wherein the operation resource template section includes: a placeholder template having a fixed format for determining operational resource information, wherein the operational resource information comprises: an operation resource path, an operation object and an operation resource body; the operation definition part is used for defining operation content based on the operation resource information; the operation decision part is used for determining whether the operation content is allowed or not;
the rights control policy includes: an operation resource part, an operation part and a decision part; wherein the operation resource part is used for defining the operation resource information of each user or role based on the operation resource template part; the operation part is used for defining the operation content of the information of each user or role on the basis of the corresponding operation resource information based on the operation definition part; the decision section is used for determining whether the operation content of each defined user or role is allowed or not based on the operation decision section;
the metadata includes: the name of each user or role, an operation resource path and an operation resource body on the operation resource path;
and the processing module is further used for combining the operation resource template part with metadata of each user or role to obtain an operation resource part in the authority control policy of the role or user, and determining the operation resource of each user or role; wherein the way of combining the operation resource template part with the metadata of each user or role comprises: filling a placeholder template of the operation resource template part by using the metadata.
5. A data right control terminal, characterized by comprising:
a memory for storing a computer program;
a processor for performing the data rights control method of any one of claims 1 to 3.
6. A computer storage medium, characterized in that a computer program is stored, which computer program, when run, implements the data right control method according to any one of claims 1 to 3.
CN202010582484.0A 2020-06-23 2020-06-23 Data authority control method, system, terminal and storage medium Active CN113836500B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010582484.0A CN113836500B (en) 2020-06-23 2020-06-23 Data authority control method, system, terminal and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010582484.0A CN113836500B (en) 2020-06-23 2020-06-23 Data authority control method, system, terminal and storage medium

Publications (2)

Publication Number Publication Date
CN113836500A CN113836500A (en) 2021-12-24
CN113836500B true CN113836500B (en) 2023-11-07

Family

ID=78964209

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010582484.0A Active CN113836500B (en) 2020-06-23 2020-06-23 Data authority control method, system, terminal and storage medium

Country Status (1)

Country Link
CN (1) CN113836500B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant