CN112818391A - Permission control method based on tangent plane programming - Google Patents
- Publication number
- CN112818391A (application CN202110105104.9A)
- Authority
- CN
- China
- Prior art keywords
- service
- authority
- data
- rule
- interceptor
- Prior art date
- Legal status
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F8/00—Arrangements for software engineering
- G06F8/20—Software design
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a permission control method based on tangent plane programming, which comprises the following steps: step 1: determining the service type, and determining, through a service analysis module, the authority service rule that covers the organization, the service data category and the specific attributes of the service data; step 2: defining an authority field, and limiting the authority field according to the acquired authority service rule; step 3: outputting a data authority rule based on a specific service object to a section interceptor according to the service requirement determined by the service analysis module; step 4: implanting the different service method types into a designated interceptor, and simultaneously transmitting the service method data to the section interceptor; step 5: defining the section interceptor, and realizing service query authority control according to the received service method data and the data authority rules; step 6: outputting the service data that has passed the authority filtering.
Description
Technical Field
The invention relates to sections (tangent planes) in the sense of aspect-oriented programming, and in particular to a permission control method based on section (tangent plane) programming.
Background
In a service management information system, access control over system resources (menus, functions, data, and so on) based on users, roles, and organizations is a basic and important function. Ensuring that authorized users access the system only within their authorized scope is a necessary requirement for such a system. The most common permission model in service management information systems is RBAC (Role-Based Access Control), which must apply permission control to all resources of the system. System resources can be broadly divided into static resources (function operations, data columns) and dynamic resources (data), also called object resources and data resources respectively. The goal of RBAC is to exercise access control over all object resources and data resources in the system; the difficulty lies in access control over dynamic resources (data resources).
Because service data is dynamic, most systems realize data permission control by passing user information (roles, organizations, and the like) through the data access interface and splicing or injecting it into SQL inside the interface method. The main disadvantages are as follows:
1. The permission access control code is complex: every place that needs permission control must have extra code and parameters added that are unrelated to the service itself.
2. The permission access logic is dispersed throughout the whole system, so once a business rule changes the whole system may be affected, which brings a large maintenance workload.
3. Service logic is mixed with permission control code, which increases the complexity of the service module and adds unnecessary overhead to system debugging and maintenance.
Disclosure of Invention
The present invention is directed to a method for controlling authority based on tangent plane programming.
A permission control method based on tangent plane programming comprises the following steps:
step 1: determining the service type, and determining the authority service rule which meets the organization, the service data category and the specific attribute of the service data through a service analysis module;
step 2: defining an authority field, and limiting the authority field according to the acquired authority service rule;
step 3: outputting a data authority rule based on a specific service object to a section interceptor according to the service requirement determined by the service analysis module;
step 4: implanting different service method types into a designated interceptor, and simultaneously transmitting service method data to a section interceptor;
step 5: defining a section interceptor, and realizing service query authority control according to the received service method data and the data authority rules;
step 6: outputting the service data that has passed the authority filtering.
The step 2 comprises the following substeps:
s201: limiting the authority field according to a tree-shaped multilevel organizational structure coding rule;
s202: adding a coding field to the service data that is subject to the organization's authority control.
Preferably, the organization (mechanism) code is the unique attribute of each organization; a subordinate organization's code automatically inherits the superior organization's code as a prefix and extends it with the code of the current level.
Preferably, the conditional rules of the data authority rule in step 3 include: "=", "!=", "include", "left blur" and "right blur" (left and right fuzzy matching).
Step 5 comprises the following substeps:
s501: acquiring the organization (mechanism) to which the logged-in user belongs;
s502: according to the user's query service, injecting the data authority rule as a query condition and querying the service data that meets the condition.
The invention has the following beneficial effects: by using the section (tangent plane) technique, the permission control code is separated from the service code, so that business logic writers can attend to the service logic without attending to the access permission of the service data; dynamic configuration is supported through flexible and simple authority access coding rules, and a user can define rules that control service data access under most conditions; and for specific data access rules, an extended authority control interface is supported, so that special service data control can be realized through secondary development and similar means.
Drawings
FIG. 1 is a flow chart of the operation of the present invention.
Detailed Description
The invention will be further explained with reference to the drawings.
A permission control method based on tangent plane programming comprises the following steps:
step 1: determining the service type, and determining the authority service rule which meets the organization, the service data category and the specific attribute of the service data through a service analysis module;
step 2: defining an authority field, and limiting the authority field according to the acquired authority service rule;
step 3: outputting a data authority rule based on a specific service object to a section interceptor according to the service requirement determined by the service analysis module;
step 4: implanting different service method types into a designated interceptor, and simultaneously transmitting service method data to a section interceptor;
step 5: defining a section interceptor, and realizing service query authority control according to the received service method data and the data authority rules;
step 6: outputting the service data that has passed the authority filtering.
The step 2 comprises the following substeps:
s201: limiting the authority field according to a tree-shaped multilevel organizational structure coding rule;
s202: adding a coding field to the service data that is subject to the organization's authority control.
It is to be understood that the organization code is the unique attribute of each organization, and that a subordinate organization's code automatically inherits the superior organization's code as a prefix and extends it with the code of the present level.
It should be understood that the conditional rules of the data authority rules in step 3 include: "=", "!=", "include", "left blur" and "right blur" (left and right fuzzy matching).
Step 5 comprises the following substeps:
s501: acquiring the organization (mechanism) to which the logged-in user belongs;
s502: according to the user's query service, injecting the data authority rule as a query condition and querying the service data that meets the condition.
It should be noted that, by changing the service data encoding rule and the permission rule, other policies are easily realized, for example: a user can view only their own service data; a user can view only one or several specified types of service data; a user can view only data from a specified time period; and so on. Each requires only a different encoding and comparison rule to be implemented.
It should be noted that the approach to controlling a user's or role's data access rights through the permission rule is to define a service data coding rule according to the level of the organization where the user is located, the department the user belongs to, or the role the user holds, so that the user's access rights are controlled through the rule while the diversity and dynamic nature of the service data are accommodated.
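As an added illustration that is not code from the patent, the following Python sketch models steps 2 to 6 together with claims 3 and 4: tree-shaped organization codes in which a subordinate inherits its superior's code as a prefix, and a decorator standing in for the "section interceptor" that resolves the user's organization (s501) and injects the data authority rule as one more query condition (s502) before the service method runs. The organization codes, order rows and function names are constructed for the example; reading "left blur"/"right blur" as suffix/prefix fuzzy matching (LIKE '%v' / LIKE 'v%') and "include" as substring containment is an interpretation of the patent's terms.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed org tree (s201, claim 3): a subordinate code is its superior's code
# plus its own two-digit level code, so a prefix test selects a whole subtree.
HQ, EAST, EAST_SALES, WEST = "01", "0101", "010101", "0102"

# Constructed service data; each row carries the authority (org code) field (s202).
ORDERS = [
    {"id": 1, "org_code": EAST, "amount": 10},
    {"id": 2, "org_code": EAST_SALES, "amount": 20},
    {"id": 3, "org_code": WEST, "amount": 30},
]

# Claim 4 operators (interpreted): in-memory predicate plus a parameterized SQL form,
# so the user's code is bound as a parameter instead of being spliced into SQL text.
OPERATORS = {
    "=":          (lambda f, v: f == v,          "{f} = ?",    lambda v: v),
    "!=":         (lambda f, v: f != v,          "{f} <> ?",   lambda v: v),
    "include":    (lambda f, v: v in f,          "{f} LIKE ?", lambda v: f"%{v}%"),
    "left blur":  (lambda f, v: f.endswith(v),   "{f} LIKE ?", lambda v: f"%{v}"),
    "right blur": (lambda f, v: f.startswith(v), "{f} LIKE ?", lambda v: f"{v}%"),
}

@dataclass(frozen=True)
class DataAuthorityRule:
    field: str     # authority field on the service object (step 2)
    operator: str  # one of OPERATORS

    def predicate(self, value):
        test = OPERATORS[self.operator][0]
        return lambda row: test(row[self.field], value)

    def sql(self, value):
        _, template, param = OPERATORS[self.operator]
        return template.format(f=self.field), param(value)

def authority_interceptor(rule, current_org_code):
    """The 'section interceptor' (step 5): resolve the user's org (s501), inject
    the rule as one more query condition (s502), return filtered rows (step 6)."""
    def decorator(service_method):
        @wraps(service_method)
        def wrapper(conditions=()):
            return service_method(list(conditions) + [rule.predicate(current_org_code())])
        return wrapper
    return decorator

# Rule emitted by the service analysis module (step 3): the user sees rows whose org
# code starts with their own, i.e. their organization and every subordinate one.
SUBTREE_RULE = DataAuthorityRule(field="org_code", operator="right blur")

def make_order_service(user_org_code):
    """Business method with the aspect applied; the body knows nothing about rights."""
    @authority_interceptor(SUBTREE_RULE, lambda: user_org_code)
    def list_orders(conditions=()):
        return [r for r in ORDERS if all(c(r) for c in conditions)]
    return list_orders

def visible_order_ids(user_org_code):
    return [r["id"] for r in make_order_service(user_org_code)()]
```

Swapping `SUBTREE_RULE` for a rule with operator "=" gives the "a user can only view own service data" policy mentioned above without touching `list_orders`.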
Claims (5)
1. A permission control method based on tangent plane programming is characterized by comprising the following steps:
step 1: determining the service type, and determining the authority service rule which meets the organization, the service data category and the specific attribute of the service data through a service analysis module;
step 2: defining an authority field, and limiting the authority field according to the acquired authority service rule;
step 3: outputting a data authority rule based on a specific service object to a section interceptor according to the service requirement determined by the service analysis module;
step 4: implanting different service method types into a designated interceptor, and simultaneously transmitting service method data to a section interceptor;
step 5: defining a section interceptor, and realizing service query authority control according to the received service method data and the data authority rules;
step 6: outputting the service data that has passed the authority filtering.
2. The privilege control method based on tangent plane programming as claimed in claim 1, wherein the step 2 comprises the following sub-steps:
s201: limiting the authority field according to a tree-shaped multilevel organizational structure coding rule;
s202: adding a coding field to the service data that is subject to the organization's authority control.
3. The method as claimed in claim 2, wherein the organization code is a unique attribute of each organization, and the subordinate organization automatically inherits the superior organization code and extends the current level code.
4. The method as claimed in claim 1, wherein the conditional rule of the data right rule in step 3 comprises: "=", "!=", "include", "left blur" and "right blur".
5. The method as claimed in claim 1, wherein the step 5 comprises the following sub-steps:
s501: acquiring the organization (mechanism) to which the logged-in user belongs;
s502: according to the user's query service, injecting the data authority rule as a query condition and querying the service data that meets the condition.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110105104.9A CN112818391A (en) | 2021-01-26 | 2021-01-26 | Permission control method based on tangent plane programming |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112818391A true CN112818391A (en) | 2021-05-18 |
Family
ID=75859340
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112818391A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113420327A (en) * | 2021-06-23 | 2021-09-21 | 平安国际智慧城市科技股份有限公司 | Data authority control method, system, electronic device and storage medium |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050108257A1 (en) * | 2003-11-19 | 2005-05-19 | Yohsuke Ishii | Emergency access interception according to black list |
CN101276271A (en) * | 2007-03-29 | 2008-10-01 | 北京邮电大学 | Method and interceptor system facing to tangent plane programming |
CN103412766A (en) * | 2013-09-05 | 2013-11-27 | 曙光云计算技术有限公司 | User right-based data access method and device |
CN106529229A (en) * | 2015-09-10 | 2017-03-22 | 北京国双科技有限公司 | Permission data processing method and apparatus |
CN106778341A (en) * | 2016-12-02 | 2017-05-31 | 华北计算技术研究所(中国电子科技集团公司第十五研究所) | data right management system and method |
CN107317826A (en) * | 2017-08-05 | 2017-11-03 | 中山大学 | A kind of method that java network system rights managements are realized based on blocker |
CN109684793A (en) * | 2018-12-29 | 2019-04-26 | 北京神舟航天软件技术有限公司 | A method of data permission management is carried out based on permission domain structure tree |
CN111385264A (en) * | 2018-12-29 | 2020-07-07 | 卓望数码技术(深圳)有限公司 | Communication service data access system and method |
CN111931133A (en) * | 2019-12-26 | 2020-11-13 | 长扬科技(北京)有限公司 | Permission control method based on B/S architecture |
2021
- 2021-01-26: CN CN202110105104.9A patent/CN112818391A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||