CN117407893A - Data authority management method, device, equipment and medium based on API configuration - Google Patents
- Publication number
- CN117407893A
- Authority
- CN
- China
- Prior art keywords
- data
- authority
- rights
- user
- department
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Bioethics (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a data authority management method based on API configuration, and relates to the technical field of data authority management. The method comprises steps S1 to S5. S1, acquiring a user set and an enterprise department architecture tree. S2, attributing the user to a specific department in the enterprise department architecture tree, and acquiring a department and member set. S3, acquiring a data set to be protected and business logic of the data to be protected of each enterprise department. S4, constructing a mapping relation between departments, member sets and data to be protected according to the business logic. S5, configuring corresponding authorities through the authority control model according to the mapping relation. The authority control model controls the authority in an API configuration mode. The method simplifies the data authority configuration process, simplifies the complex data authority authorization process aiming at the real production environment of enterprises, and enables the authority manager to manage the user data authority more efficiently.
Description
Technical Field
The invention relates to the technical field of data authority management, in particular to a data authority management method based on API configuration.
Background
With the continuous improvement of social informatization, the digitized construction of enterprises is also fully developed. Data is an important source of financial creation and competitive advantage, and is undoubtedly the most important enterprise asset for each enterprise. However, for these data assets, most enterprises cannot guarantee the security and availability of the data assets because of the problems of insufficient data granularity and configuration flexibility in the aspect of authority control.
Existing data authority control is implemented either by establishing a static view for each user in the database and authorizing the view to the user to limit access to a data table, or by embedding the access control logic into the application system and performing data authority control in a hard-coded manner such as branch judgment.
However, when the number of users is large and authorities change frequently, the first approach requires managing and maintaining a large number of views, which places an unnecessary burden on the administrator. With the second approach, a large amount of program code must be modified whenever the access strategy changes, and the control code cannot be reused across application systems of the same type; code with the same function has to be developed again, which wastes resources.
In view of this, the applicant has studied the prior art and has made the present application.
Disclosure of Invention
The present invention provides a data rights management method based on API configuration to improve at least one of the above technical problems.
A first aspect,
The embodiment of the invention provides a data authority management method based on API configuration, which comprises steps S1 to S5.
S1, acquiring a user set and an enterprise department architecture tree.
S2, attributing the user to a specific department in the enterprise department architecture tree, and acquiring a department and member set.
S3, acquiring a data set to be protected and business logic of the data to be protected of each enterprise department.
S4, constructing a mapping relation between departments, member sets and data to be protected according to the business logic.
S5, configuring corresponding authorities through the authority control model according to the mapping relation. The authority control model controls the authority in an API configuration mode.
A second aspect,
The embodiment of the invention provides a data authority management device based on API configuration, which comprises:
The first data acquisition module is used for acquiring the user set and the enterprise department architecture tree.
The user attribution module is used for attributing the user to a specific department in the enterprise department architecture tree and acquiring a department and member set.
The second data acquisition module is used for acquiring the data set to be protected and the business logic of the data to be protected of each enterprise department.
The mapping module is used for constructing a mapping relation between departments, member sets and data to be protected according to the business logic.
The permission configuration module is used for configuring corresponding permissions through the permission control model according to the mapping relation. The authority control model controls the authority in an API configuration mode.
A third aspect,
The embodiment of the invention provides a data authority management device based on API configuration, which comprises a processor, a memory and a computer program stored in the memory. The computer program is executable by a processor to implement the data rights management method based on API configuration as described in any of the paragraphs of the first aspect.
A fourth aspect,
Embodiments of the present invention provide a computer-readable storage medium. The computer readable storage medium comprises a stored computer program, wherein the computer program is controlled to execute the data rights management method based on the API configuration as described in any one of the paragraphs of the first aspect when the computer program is run.
By adopting the technical scheme, the invention can obtain the following technical effects:
The data authority management method based on API configuration maps the organization structure to the data objects in the enterprise production environment. This simplifies the data authority configuration process and the otherwise complex data authority authorization process in a real enterprise production environment, so that the authority manager can manage user data authority more efficiently.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow diagram of a data rights management method based on API configuration.
FIG. 2 is a schematic diagram of a department architecture membership tree.
FIG. 3 is a diagram of a rights map of a rights control model.
Fig. 4 is a control flow of data rights authorization.
Fig. 5 is a schematic diagram of a syntax tree generation process.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Embodiment 1,
Referring to fig. 1 to 5, a first embodiment of the present invention provides a data rights management method based on API configuration, which can be performed by a data rights management device based on API configuration (hereinafter referred to as a rights management device). In particular, steps S1 to S5 are implemented by one or more processors in the rights management device.
S1, acquiring a user set and an enterprise department architecture tree.
S2, attributing the user to a specific department in the enterprise department architecture tree, and acquiring a department and member set.
Specifically, as shown in fig. 2 and 3, a registered user in the application system is attributed to a certain department, and an enterprise department and member collection object D is constructed.
It is understood that the rights management device may be an electronic device with computing capabilities, such as a portable notebook computer, desktop computer, server, smart phone, or tablet computer.
S3, acquiring a data set to be protected and business logic of the data to be protected of each enterprise department.
S4, constructing a mapping relation between departments, member sets and data to be protected according to the business logic.
As shown in fig. 3, the back-end server maps the data object to be protected and the enterprise department architecture according to the department organization architecture of the enterprise, and maps the data object and the enterprise department architecture into environment variables with different granularities.
In this embodiment, the organization structure and the data object under the enterprise production environment are mapped, so that the data authority configuration process is simplified, and the complex data authority authorization process is simplified for the enterprise real production environment, so that the authority manager can manage the user data authority more efficiently.
Specifically, a mapping relation from the data objects in the data set to the enterprise department architecture is established, and the data objects and the enterprise department architecture are mapped into environment variables with different granularities. The set of functional rights FP (function permission) and the set of data rights DP (data permission) are constructed at the same time. In an enterprise application environment, data rights are often associated with the department structure. A mapping fn: FP → D from the business rights in the rights collection to the department structure and its members is built, thereby forming data rights for different service ranges. The mapping rules depend on the business logic corresponding to the different business data. Similarly, the objects in the system whose data access authority needs to be controlled can be associated with departments or staff in the business field by the same mapping method, dn: DP → FP.
When a certain department or role authority is allocated, a mapping relation is established for the function authority to which the authority belongs, so that the data authority range corresponding to the function authority can be set. When the rights are allocated, only a right set P is allocated to a certain department or role, and the rights set P is collected
According to the common department architecture of enterprises, the embodiment of the invention divides the data authority into 5 types. The 5 types are: all data rights, department data rights, departments and the following data rights, principal data rights and custom data rights.
S5, configuring corresponding authorities through the authority control model according to the mapping relation. The authority control model controls the authority in an API configuration mode.
According to the data authority management method based on the API configuration, the data authority control method based on the API configuration is realized in the Web environment, the data authority configuration process is simplified, the authority data control granularity is refined, and the data configuration flexibility is improved through the organization structure and the data object mapping in the enterprise production environment. And the API configuration mode is utilized to realize data authority control, code multiplexing is realized, and the production cost of the system is reduced.
In an alternative embodiment of the present invention, based on the above embodiment, the rights control model has two constraints. Constraint one: roles have corresponding inheritance relations. When a role R1 inherits another role R2, R1 automatically has the access rights of R2. Constraint two: when a defined authority is specified, a user can independently access their own resources, and cannot define the resources used by other users.
According to the data authority management method based on the API configuration, the data authority configuration process is simplified through the organization structure and the data object mapping in the enterprise production environment, and the complex data authority authorization process is simplified aiming at the enterprise actual production environment, so that the authority manager can manage the user data authority more efficiently.
Based on the above embodiment, in an optional embodiment of the present invention, the rights control model uses the service data interface of the functional rights as the protected data resource, adjusts the original SQL expression of the data object in the database, and uses the unique database interface identification id as the relevant record rights and field rights configuration of the resource interface.
Specifically, the rights manager inputs configured SQL sentences through the front-end interface, the back-end server takes the service data interface of the functional rights as protected data resources, adjusts the original SQL expression of the data object in the database, and configures the data rights of the corresponding resource interfaces based on the unique database interface identification id.
In this embodiment, the current user id, the department code and the department association set are converted into parameters, and the original business SQL expression is parameterized in the form of environment variables. Preferably, the environment variable form includes: setting the current user id as a variable parameter @USER, filtering the data of the original SQL expression with a WHERE condition, and performing the condition filtering in the parameterized form WHERE opening=:@USER, which simplifies the data authority configuration process.
When the authority control range is a query operation, the data authority is configured by restricting the filtering conditions: additional limiting query conditions, such as where and in conditions, are added on top of the original filtering conditions.
When the authority control range is an insert (add) or update (modify) operation, write restrictions are applied to non-required fields in the data insertion interface of the original function authority; when the original database table field is a required item, the field is given a system default value for its type. Specifically, the additional limiting query conditions added to the original filtering conditions include: a where condition, an in condition, etc. in the select statement.
When the authority control range is a delete operation, the delete condition is restricted in the data deletion interface of the original function authority, which includes narrowing the deletion scope (bulk deletion) or the current record authority (single deletion).
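The scope restriction described above, as an added example that is not code from the patent: each data authority type becomes a predicate over environment variables, which is AND-ed onto the interface's original filter and bound as query parameters. The variable names `@DEPT` and `@DEPT_SET`, the columns `creator_id` and `dept_code`, the interface ids and the department tree are assumptions constructed for the illustration.

```python
import re
import sqlite3

# Constructed department tree (child -> parent); names are illustrative.
DEPT_PARENT = {"HQ": None, "SALES": "HQ", "SALES_EAST": "SALES", "RND": "HQ"}

# Data authority type -> predicate over environment variables. @USER is the
# page's variable; @DEPT, @DEPT_SET and the column names are assumptions.
SCOPE_PREDICATE = {
    "ALL": None,
    "DEPT": "dept_code = @DEPT",
    "DEPT_AND_BELOW": "dept_code IN (@DEPT_SET)",
    "SELF": "creator_id = @USER",
}

# Protected interfaces keyed by a hypothetical interface id:
# (statement head, original business filter).
INTERFACES = {
    "orders.query": ("SELECT id FROM orders", "status = :s1 OR status = :s2"),
    "orders.delete": ("DELETE FROM orders", "status = :s1"),
}

ENV_VAR = re.compile(r"@([A-Z_]+)")


def dept_and_below(root):
    """Return the department plus every descendant in the tree."""
    found, frontier = [root], [root]
    while frontier:
        current = frontier.pop()
        children = [d for d, parent in DEPT_PARENT.items() if parent == current]
        found.extend(children)
        frontier.extend(children)
    return sorted(found)


def environment(user):
    """Resolve the environment variables for the authenticated user."""
    return {"USER": user["id"], "DEPT": user["dept"],
            "DEPT_SET": dept_and_below(user["dept"])}


def bind(predicate, env):
    """Turn @VAR references into named placeholders; values never enter the SQL."""
    params = {}

    def replace(match):
        name = match.group(1)
        if name not in env:
            raise ValueError(f"unknown environment variable @{name}")
        values = env[name] if isinstance(env[name], list) else [env[name]]
        keys = [f"env_{name.lower()}_{i}" for i in range(len(values))]
        params.update(zip(keys, values))
        return ", ".join(":" + key for key in keys)

    return ENV_VAR.sub(replace, predicate), params


def scoped_statement(interface_id, scope, user, params):
    head, where = INTERFACES[interface_id]
    predicate = SCOPE_PREDICATE[scope]  # unknown scope raises KeyError: fail closed
    # Parenthesise the original filter: a bare "a OR b AND scope" would let
    # rows matching "a" escape the scope, because AND binds tighter than OR.
    sql, bound = f"{head} WHERE ({where})", dict(params)
    if predicate is not None:
        clause, scope_params = bind(predicate, environment(user))
        sql += f" AND ({clause})"
        bound.update(scope_params)
    return sql, bound


def demo_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, "
                 "creator_id TEXT, dept_code TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "u1", "SALES", "open"), (2, "u2", "SALES_EAST", "open"),
        (3, "u3", "RND", "open"), (4, "u1", "SALES", "closed"),
        (5, "u4", "SALES", "open")])
    return conn


def call(conn, interface_id, scope, user, params):
    """Run a protected interface; return row ids (query) or affected rows."""
    sql, bound = scoped_statement(interface_id, scope, user, params)
    cursor = conn.execute(sql, bound)
    if sql.startswith("SELECT"):
        return sorted(row[0] for row in cursor.fetchall())
    return cursor.rowcount
```

The same `scoped_statement` call narrows a bulk delete: a user holding only the principal scope cannot remove another user's rows even when the interface's own filter matches them.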
On the basis of the above embodiment, in an alternative embodiment of the present invention, when the custom rights are set by the rights control model, steps A1 to A5 are included.
A1, acquiring a custom SQL statement of the custom authority.
A2, analyzing the custom SQL statement through a lexical analyzer to obtain a one-dimensional array grammar token list.
A3, converting the grammar tree through a grammar parser according to the one-dimensional array grammar token table to obtain a grammar tree. Wherein the parser can check if the SQL statement complies with the grammar specification. If there is a grammar error, an error message is reported.
A4, checking whether the SQL statement accords with the semantic specification or not through a semantic analyzer according to the grammar tree, and acquiring semantic information.
And A5, executing the SQL sentence according to the semantic information.
In this embodiment, the front-end rights manager selects the appropriate environment variable through API rights configuration. The back-end server uses SQL AST (abstract syntax tree) to check the user data authority, so that the safety and usability of the data authority are further ensured. When the rights are configured, the scope of the rights of the existing data is modified according to preset environment variables or input custom SQL statement information selected by the rights management terminal.
When the data rights are customized, the rights manager adjusts the original SQL statement through the SQL configuration interface, and the custom data rights control scope and the SQL statement are checked. After receiving the custom SQL statement information, the back-end server uses SQL AST (abstract syntax tree) to verify the data authority statement, checking the correctness and safety of the SQL statement. After the inspection is finished, the inspection result is returned to the front-end interface and stored in the database. After the correctness of the SQL statement is verified, the Spring Security framework is used for authorizing the verified data authority.
Specifically, the rights manager performs CRUD control on the data rights through a front-end interface (rights management terminal). After the required SQL statement is input, the filled-in SQL expression is checked for correctness and safety through an SQL parser.
When the environment variable is the custom data right, the back-end server firstly analyzes the original sentence by using AST (abstract syntax tree), and the input SQL sentence is decomposed into a one-dimensional array grammar token table by a lexical analyzer (Lexer) comprising: keywords, table names, column names, operators, etc. Typically, we set a space as a separator so that it automatically breaks the syntax element.
Then, the back-end server converts the decomposed one-dimensional unstructured token table into a Tree structure through a syntax analyzer (Parser), and combines the Tree structure into a syntax Tree (Parse Tree) according to rules. The parser will check if the SQL statement complies with the grammar specification and if there is a grammar error, report error information. Taking query operations as an example: after reading the select word, it is changed to a token. The parser encounters select and matches the select syntax. And then reading the characters to generate a token. If the character read in the first step does not accord with the grammar rule, the system can report errors directly, and the verification fails at the moment, and the configuration information is not stored.
The back-end server then uses a semantic analyzer (Semantic Analyzer) to semantically analyze the syntax tree to check whether the SQL statement meets the semantic specification. The semantic analyzer checks whether the object (e.g., table, column, function, etc.) referenced in the SQL statement exists, whether there is a right of use, etc.
Finally, the back-end server optimizes the SQL sentence through an Optimizer, and executes the SQL sentence by using an Executor (Executor), acquires data, updates the data and the like, and returns a query result.
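The lexer, parser and semantic analyzer stages of steps A2 to A4, as an added example that is not code from the patent: it narrows the custom SQL statement to a custom WHERE condition, and uses a regular-expression lexer instead of a plain space separator. The column whitelist, the environment variable names other than `@USER`, and the sample conditions are assumptions constructed for the illustration.

```python
import re

KEYWORDS = {"AND", "OR", "IN"}
TOKEN = re.compile(r"""\s*(?:(?P<VAR>@[A-Z_]+)|(?P<NUM>\d+)|(?P<STR>'[^']*')
    |(?P<OP><=|>=|<>|!=|=|<|>)|(?P<PUNCT>[(),])|(?P<WORD>[A-Za-z_]\w*))""", re.X)
# Assumed schema and variables for the protected interface.
ORDERS_COLUMNS = {"id", "creator_id", "dept_code", "status"}
ENV_VARS = {"@USER", "@DEPT", "@DEPT_SET"}


class SqlRejected(Exception):
    def __init__(self, stage, detail):
        super().__init__(f"{stage}: {detail}")
        self.stage = stage


def lex(text):
    """A2: flat token list; ';', comment markers and other symbols are illegal."""
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise SqlRejected("lexical", f"illegal input at offset {pos}")
        kind, value = match.lastgroup, match.group(match.lastgroup)
        if kind == "WORD" and value.upper() in KEYWORDS:
            kind, value = "KW", value.upper()
        tokens.append((kind, value))
        pos = match.end()
    return tokens


class Parser:
    """A3: expr := term (OR term)*, term := factor (AND factor)*,
    factor := '(' expr ')' | column op value | column IN '(' value, ... ')'"""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else ("EOF", "")

    def take(self, kind, text=None):
        got_kind, got_text = self.peek()
        if got_kind != kind or (text is not None and got_text != text):
            raise SqlRejected("syntax", f"unexpected {got_text or 'end of input'!r}")
        self.i += 1
        return got_text

    def expr(self):
        node = self.term()
        while self.peek() == ("KW", "OR"):
            self.take("KW")
            node = ("OR", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("KW", "AND"):
            self.take("KW")
            node = ("AND", node, self.factor())
        return node

    def factor(self):
        if self.peek() == ("PUNCT", "("):
            self.take("PUNCT")
            node = self.expr()
            self.take("PUNCT", ")")
            return node
        column = self.take("WORD")  # left side must be a column, never a literal
        if self.peek() == ("KW", "IN"):
            self.take("KW")
            self.take("PUNCT", "(")
            values = [self.value()]
            while self.peek() == ("PUNCT", ","):
                self.take("PUNCT")
                values.append(self.value())
            self.take("PUNCT", ")")
            return ("IN", column, values)
        return ("CMP", self.take("OP"), column, self.value())

    def value(self):
        kind, text = self.peek()
        if kind not in ("VAR", "NUM", "STR"):  # no subqueries or column refs
            raise SqlRejected("syntax", f"expected a value, got {text!r}")
        self.i += 1
        return (kind, text)


def check(tree, columns, env_vars):
    """A4: every referenced column and environment variable must be known."""
    if tree[0] in ("AND", "OR"):
        check(tree[1], columns, env_vars)
        check(tree[2], columns, env_vars)
        return
    column = tree[1] if tree[0] == "IN" else tree[2]
    values = tree[2] if tree[0] == "IN" else [tree[3]]
    if column.lower() not in columns:
        raise SqlRejected("semantic", f"unknown column {column!r}")
    for kind, text in values:
        if kind == "VAR" and text not in env_vars:
            raise SqlRejected("semantic", f"unknown variable {text!r}")


def validate(condition, columns=ORDERS_COLUMNS, env_vars=ENV_VARS):
    parser = Parser(lex(condition))
    tree = parser.expr()
    parser.take("EOF")  # reject trailing tokens
    check(tree, columns, env_vars)
    return tree


def verdict(condition):
    """Return 'ok' or the stage that rejected the condition."""
    try:
        validate(condition)
        return "ok"
    except SqlRejected as exc:
        return exc.stage
```

A condition is stored only when `verdict` returns "ok"; on any rejection the configuration is not saved, matching the failure behaviour described for the parser above.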
As shown in fig. 4, in an alternative embodiment of the present invention, the authorization process of the rights control model includes steps B1 to B6 based on the above embodiment.
B1, intercepting that a user initiates an access request to an application program.
And B2, verifying the identity of the user through an authentication manager according to the access request.
And B3, if the authentication is successful, creating an authentication token for the user, and then authorizing the user through an authorization manager.
And B4, if the authorization is successful, judging the operation behavior of the user.
And B5, when judging that the user operation behavior is the added data, writing the newly added data into a database according to the information of the current data creator and the service requirement.
And B6, when the user operation behavior is deleted, modified or inquired, matching the user information with the department architecture allowing access and the member tree node, and judging whether the user operation behavior has access rights. And if the access right exists, executing corresponding actions.
Specifically, the workflow of the rights authorization process is as follows:
(1) Identity authentication: the user initiates an access request to the application, Spring Security intercepts the request, and the authentication manager (Authentication Manager) is used to verify the user's identity. If authentication is successful, Spring Security creates an authentication token (Authentication Token) for the user.
(2) Authorization decision: Spring Security uses the authorization manager (Authorization Manager) to authorize the user. If the authorization is successful, the current resource and the department set which the role is allowed to access are queried, and the user is allowed to access the protected resource. If the rights are insufficient, access to the requested resource is not allowed.
(3) Data control: before data is read from or written to the database, data authority control is carried out by judging the current operation behavior of the user. If the data creation interface is called, the new data is written into the database according to the information of the current data creator and the service requirement. If the current operation calls the query, deletion or modification interface, the current user information is matched against the department architecture and member tree nodes that are allowed access, to judge whether the access authority exists.
Based on the above embodiments, in an alternative embodiment of the present invention, the authorization module of the rights control model is implemented through the Spring Security framework.
Preferably, the authority control model converts the user id, the department code and the department association set into parameters, and parameterizes and configures the business original SQL expression in the form of environment variables.
Preferably, the rights control of the data rights control model includes a function right and a data right. Functional rights include add, delete, modify, and query. The data authority includes: all data rights, department data rights, departments and the following data rights, principal data rights and custom data rights. The mapping relation between the data authority and the function authority is many-to-many. The mapping relationship between the functional rights and departments and the member sets is many-to-many.
As shown in fig. 2 and 3, the keywords used in the API configuration-based data rights management method are defined as follows.
Rights (permissions): access capability of different users to data resources.
Functional rights (functional permissions): the set of operations that a user is able to perform on the application system.
Data rights (data permissions): the collection of data that a user can view while the application system is running.
Department and user tree (departments and users): users in an application system must be attributed to a certain department in the enterprise department structure tree. The tree structure based on this relationship is called the department architecture and member tree (as shown in fig. 2).
Specifically, the authorization function of the data authority management method based on API configuration is realized on the basis of a Spring Security framework. The Spring Security framework is a mature framework aiming at authority Security, has good expansibility, can well match the authorization process defined by the invention, and provides omnibearing Security guarantee for application programs.
The data authority management method based on the API configuration increases authority data control granularity, improves data configuration flexibility, can realize access control of function level and data level, reduces complexity of authorization management, lightens burden of system safety, ensures safety and usability of data, and makes up for the defect of enterprises in fine granularity data authority control.
With the data authority management method based on API configuration, an authority manager can realize finer-grained data authority control and data management is more convenient. Special authority requirements no longer require secondary code development as in the past, which effectively reduces development cost.
According to the data authority management method based on the API configuration, the authority manager is given a certain degree of freedom to the data authority, the limitation to the data authority rule is reduced, and through the multiple data authority modes of authority mapping, not only can the daily production requirements of enterprises be met, but also the special authority requirements of the enterprises under specific environments can be met.
According to the data authority management method based on the API configuration, through the SQL AST (abstract syntax tree) verification technology, on the premise that the authority manager is given fine-granularity data authority operation authority, the correctness and the safety of the input SQL sentences can be guaranteed, error problems and malicious attacks caused by wrong or malicious SQL sentences are prevented, and the reliability and the safety of the data authority management are greatly improved.
Embodiment II,
The embodiment of the invention provides a data authority management device based on API configuration, which comprises:
The first data acquisition module is used for acquiring the user set and the enterprise department architecture tree.
The user attribution module is used for attributing the user to a specific department in the enterprise department architecture tree and acquiring a department and member set.
The second data acquisition module is used for acquiring the data set to be protected and the business logic of the data to be protected of each enterprise department.
The mapping module is used for constructing a mapping relation between departments, member sets and data to be protected according to the business logic.
The permission configuration module is used for configuring corresponding permissions through the permission control model according to the mapping relation. The authority control model controls the authority in an API configuration mode.
Third embodiment,
The embodiment of the invention provides a data authority management device based on API configuration, which comprises a processor, a memory and a computer program stored in the memory. The computer program is capable of being executed by a processor to implement the data rights management method based on an API configuration as described in any of the embodiments.
Embodiment IV
Embodiments of the present invention provide a computer-readable storage medium. The computer readable storage medium includes a stored computer program, wherein the computer program when run controls a device in which the computer readable storage medium resides to perform the API configuration-based data rights management method as described in any of the embodiments.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus and method embodiments described above are merely illustrative; for example, the flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present invention may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, an electronic device, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein merely describes an association between associated objects, meaning that three relationships may exist; e.g., A and/or B may represent: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
Depending on the context, the word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to detection". Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event)", depending on the context.
References to "first\second" in the embodiments are merely to distinguish similar objects and do not represent a particular ordering for the objects, it being understood that "first\second" may interchange a particular order or precedence where allowed. It is to be understood that the "first\second" distinguishing aspects may be interchanged where appropriate, such that the embodiments described herein may be implemented in sequences other than those illustrated or described herein.
The above description covers only the preferred embodiments of the present invention and is not intended to limit the present invention; various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (9)
1. A method for managing data rights based on API configuration, comprising:
acquiring a user set and an enterprise department architecture tree;
attributing the user to a specific department in the enterprise department architecture tree, and acquiring a department and member set;
acquiring a data set to be protected and business logic of the data to be protected of each enterprise department;
according to the business logic, constructing a mapping relation between the departments, the member sets and the data to be protected;
configuring corresponding rights through a rights control model according to the mapping relation; and the authority control model controls the authority in an API configuration mode.
2. The API configuration-based data rights management method of claim 1, wherein the rights control model has the following constraints:
constraint one: roles have corresponding inheritance relations; when one role R1 inherits another role R2, R1 automatically has the access rights of R2;
constraint two: when a defined authority is specified, a user can access their own resources independently, and cannot define the resources used by other users.
3. The API configuration-based data rights management method of claim 1, wherein said rights control model uses a service data interface of a functional right as a protected data resource, adjusts by an original SQL expression for a data object in a database, and uses a unique database interface identification id as a related record right and field right configuration of a resource interface.
4. The API configuration-based data rights management method as recited in claim 1, wherein when the custom rights are set by the rights control model:
acquiring a custom SQL statement of a custom authority;
analyzing the custom SQL statement through a lexical analyzer to obtain a one-dimensional array grammar token list;
converting the one-dimensional array grammar token list through a grammar parser to obtain a grammar tree; wherein the grammar parser checks whether the SQL statement conforms to the grammar specification, and if grammar errors exist, reports error information;
according to the grammar tree, checking through a semantic analyzer whether the SQL statement conforms to the semantic specification, and acquiring semantic information;
and executing the SQL statement according to the semantic information.
5. The API configuration-based data rights management method of any of claims 1-4, wherein said rights control model is implemented by the Spring Security framework;
the authority control model converts user id, department codes and department association sets into parameters, and parameterizes and configures the original SQL expression of the service in the form of environment variables;
the authority control of the data authority control model comprises a function authority and a data authority; the functional rights include addition, deletion, modification and query; the data authority includes: all data rights, department data rights, department-and-below data rights, own data rights and custom data rights; the mapping relation between the data authority and the function authority is many-to-many; the mapping relation between the functional authority and the departments and the member set is many-to-many.
6. The API configuration-based data rights management method of claim 5, wherein the rights control model authorization process is:
intercepting an access request initiated by a user to an application program;
verifying the identity of the user through an authentication manager according to the access request;
if the authentication is successful, an authentication token is created for the user, and then the user is authorized through an authorization manager;
if the authorization is successful, judging the operation behavior of the user;
when the user operation behavior is adding data, writing the newly added data into a database according to the information of the current data creator and the service requirement;
when the user operation behavior is deletion, modification or query, matching the user information against the department architecture and member tree nodes that are allowed access, and judging whether the user operation behavior has access rights; and if the access right exists, executing the corresponding action.
7. A data rights management apparatus based on API configuration, comprising:
the first data acquisition module is used for acquiring a user set and an enterprise department architecture tree;
the user attribution module is used for attributing the user to a specific department in the enterprise department architecture tree and acquiring a department and member set;
the second data acquisition module is used for acquiring a data set to be protected and business logic of the data to be protected of each enterprise department;
the mapping module is used for constructing a mapping relation between the departments, the member sets and the data to be protected according to the business logic;
the permission configuration module is used for configuring corresponding permissions through a permission control model according to the mapping relation; and the authority control model controls the authority in an API configuration mode.
8. A data rights management device based on API configuration, comprising a processor, a memory, and a computer program stored in the memory; the computer program is executable by the processor to implement the API configuration-based data rights management method of any one of claims 1 to 6.
9. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored computer program, wherein the computer program when run controls a device in which the computer readable storage medium is located to perform the API configuration-based data rights management method according to any of claims 1 to 6.
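The check that claim 4 and the SQL AST verification paragraph describe (lexical analyzer, then grammar parser, then semantic analyzer) can be sketched as follows. This is an added Python example, not code from the patent; the restricted predicate grammar, the column names and the `:user_id` / `:dept_code` bind parameters are assumptions.

```python
import re

ALLOWED_COLUMNS = {"creator_id", "dept_code", "status"}  # assumed table columns
ALLOWED_PARAMS = {":user_id", ":dept_code"}  # assumed binds set by the rights model
TOKEN_RE = re.compile(r"""\s*(?:(?P<PARAM>:\w+)|(?P<NUM>\d+)|(?P<STR>'[^'\\]*')|(?P<LP>\()|(?P<RP>\))
    |(?P<OP><=|>=|<>|!=|[=<>])|(?P<AND>(?i:and)\b)|(?P<OR>(?i:or)\b)|(?P<WORD>[A-Za-z_]\w*))""", re.X)

def tokenize(sql):
    """Lexer: flat list of (kind, text); any character outside the grammar is rejected."""
    tokens, pos, sql = [], 0, sql.rstrip()
    while pos < len(sql):
        if not (m := TOKEN_RE.match(sql, pos)):
            raise ValueError(f"illegal input at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens + [("EOF", "")]

def parse(tokens):
    """Parser: consumes tokens, returns ('AND'|'OR', left, right) / (op, column, value) nodes."""
    def take(*kinds):
        if tokens[0][0] not in kinds:
            raise ValueError(f"syntax error near {tokens[0][1]!r}: expected {' or '.join(kinds)}")
        return tokens.pop(0)[1]
    def comparison():
        if tokens[0][0] == "LP":
            take("LP")
            node = boolean("OR")
            take("RP")
            return node
        column = take("WORD")
        return (take("OP"), column, take("PARAM", "NUM", "STR"))
    def boolean(op):
        operand = comparison if op == "AND" else (lambda: boolean("AND"))
        node = operand()
        while tokens[0][0] == op:
            take(op)
            node = (op, node, operand())
        return node
    tree = boolean("OR")
    take("EOF")  # leftover tokens (a second statement, UNION ...) are a syntax error
    return tree

def validate_rule(sql):
    """Run all three stages; return the predicate re-rendered from the checked AST."""
    def render(node):
        if node[0] in ("AND", "OR"):
            return f"({render(node[1])} {node[0]} {render(node[2])})"
        op, column, value = node
        if column.lower() not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted: {column}")
        if value.startswith(":") and value not in ALLOWED_PARAMS:
            raise ValueError(f"unknown bind parameter: {value}")
        return f"{column.lower()} {op} {value}"
    return render(parse(tokenize(sql)))
```

Only the string returned by `validate_rule` is meant to be appended to a WHERE clause; the administrator's raw input is never executed, and the bind parameters are filled in by the database driver.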
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310873140.9A CN117407893A (en) | 2023-07-13 | 2023-07-13 | Data authority management method, device, equipment and medium based on API configuration |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310873140.9A CN117407893A (en) | 2023-07-13 | 2023-07-13 | Data authority management method, device, equipment and medium based on API configuration |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117407893A (en) | 2024-01-16 |
Family
ID=89487736
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310873140.9A Pending CN117407893A (en) | 2023-07-13 | 2023-07-13 | Data authority management method, device, equipment and medium based on API configuration |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117407893A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118133267A (en) * | 2024-03-19 | 2024-06-04 | 临沂大学 | Author management method, device and medium based on Ranger |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220308942A1 (en) | Systems and methods for censoring text inline | |
US11178182B2 (en) | Automated access control management for computing systems | |
US9430662B2 (en) | Provisioning authorization claims using attribute-based access-control policies | |
EP3133507A1 (en) | Context-based data classification | |
US7891003B2 (en) | Enterprise threat modeling | |
US20170154188A1 (en) | Context-sensitive copy and paste block | |
US10986131B1 (en) | Access control policy warnings and suggestions | |
US20170068409A1 (en) | Computer implemented system and method for dynamically modeling relationships between entities | |
WO2018051233A1 (en) | Electronic document management using classification taxonomy | |
US20040117371A1 (en) | Event-based database access execution | |
JP2001184264A (en) | Access control system, access control method, storage medium, and program transmitting device | |
EP3196798A1 (en) | Context-sensitive copy and paste block | |
US20130227639A1 (en) | Provisioning access control using sddl on the basis of a xacml policy | |
US11968214B2 (en) | Efficient retrieval and rendering of access-controlled computer resources | |
US20230281249A1 (en) | Computer-implemented methods, systems comprising computer-readable media, and electronic devices for enabled intervention into a network computing environment | |
US20230273959A1 (en) | Computer-implemented methods, systems comprising computer-readable media, and electronic devices for narrative representation of a network computing environment | |
US12105756B2 (en) | Computer-implemented methods, systems comprising computer-readable media, and electronic devices for narrative representation of a network computing environment | |
WO2019244036A1 (en) | Method and server for access verification in an identity and access management system | |
CN117407893A (en) | Data authority management method, device, equipment and medium based on API configuration | |
US8132261B1 (en) | Distributed dynamic security capabilities with access controls | |
US20220366056A1 (en) | Computer security using zero-trust principles and artificial intelligence for source code | |
CN106020923A (en) | SELinux strategy compiling method and system | |
Ge et al. | Secure databases: an analysis of Clark-Wilson model in a database environment | |
Singh et al. | Evaluation of approaches for designing secure data warehouse | |
CN113454662A (en) | Finite state machine for implementing workflow of data objects managed by data processing system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||