
CN102063479A - Method and system for controlling data access right - Google Patents


Info

Publication number
CN102063479A

Authority
CN (China)

Prior art keywords
data, user, association relationship, resource type, records

Legal status
Pending (the status shown by Google Patents is an assumption, not a legal conclusion)

Application number
CN2010106013469A

Other languages
Chinese (zh)

Inventors
罗华永, 张敏杰, 李莹

Current assignee
State Grid Corp of China SGCC; Beijing China Power Information Technology Co Ltd (the listed assignees may be inaccurate)

Original assignee
Beijing China Power Information Technology Co Ltd

Priority date
2010-12-22 (the priority date shown is an assumption, not a legal conclusion)

Filing date
2010-12-22

Publication date
2011-05-18

Timeline: application filed by Beijing China Power Information Technology Co Ltd; priority to CN2010106013469A (2010-12-22); publication of CN102063479A (2011-05-18); legal status pending.

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and system for controlling data access rights. The method includes: establishing in advance a data resource type table for a database table and setting, in that table, filter conditions on specified fields; screening out, according to the data resource type table, the data records that satisfy the field filter conditions, establishing an association between those data records and a user, and saving the association in the user's access permission table; on receiving the user's request to access the data table, querying the user's access permission table and obtaining, from the association, the access rights the user holds; and filtering the database table according to those access rights so that the user is shown only the records under the specified field that satisfy the filter conditions. The invention achieves access control at a finer granularity than field-level permissions.

Description

A method and system for controlling data access rights

Technical field

The invention relates to database management technology, and more specifically to a method and system for controlling data access rights.

Background

With the development of information and network technology, information security has become a general concern. No enterprise or institution wants the data resources it stores on an information system to be seen by its competitors, nor does it want its own internal users to access that information beyond their authority or to alter the data in the database at will. Almost every enterprise therefore has to set up permission management for the data resources in its systems. Permission management means that, according to the security rules or security policies configured in the system, a user can access the resources for which they are authorized, and only those resources.

Existing permission control over data resources reaches field level, that is, it can control whether a given field is hidden or visible. Taking a company's employee table as an example, the "job title" field of the employee table can be set hidden or visible and users authorized accordingly: a user granted access to the "job title" field can see the job title of every employee in the table, while an unauthorized user sees no employee's job title when accessing the table.

In practice, however, finer-grained permission control over data resources is often required, and existing field-level control cannot meet that requirement. Continuing with the employee table, it may be necessary for certain users to have access to the "job title" field but only to the information of employees whose job title is "professor". Such a permission cannot be expressed with field-level control; existing field-level permission methods cannot provide finer-grained access control.

Summary of the invention

In view of this, the invention provides a method and system for controlling data access rights, through which finer-grained permission control can be achieved.

To achieve the above object, the invention provides the following technical solutions:

A method for controlling data access rights, including:

establishing in advance a data resource type table for a database table, and setting filter conditions for specified fields in the data resource type table;

screening out, according to the data resource type table, the data records that satisfy the field filter conditions, establishing an association between those data records and a user, and saving the association in the user's access permission table;

receiving the user's request to access the data table, querying the user's access permission table, and obtaining from the association the access rights the user holds;

filtering the database table according to those access rights, and showing the user the records under the specified field that satisfy the filter conditions.

Preferably, setting the filter conditions for specified fields in the data resource type table includes:

setting, according to the data resource types present in a specified field of the database table, a condition that selects a designated data resource type in that field.

Preferably, setting the filter conditions for specified fields in the data resource type table includes:

setting filter conditions for several fields in the data resource type table;

and/or setting several filter conditions for the same specified field.

Preferably, establishing the association between the data records and the user includes:

adding the screened records that satisfy the conditions to the user permission table, thereby establishing the association between the user and those data records.

Preferably, establishing the association between the data records and the user includes:

establishing an association between the user and all of the screened data records;

or establishing an association between the user and only some of the screened data records.

A system for controlling data access rights, including:

a type table establishment unit, for establishing a data resource type table for a database table and setting filter conditions for specified fields in the data resource type table;

a permission management unit, for screening out, according to the data resource type table, the data records that satisfy the field filter conditions, establishing an association between those data records and a user, and saving the association in the user's access permission table;

a permission judgment unit, for receiving the user's request to access the data table, querying the user's access permission table, and obtaining from the association in that table the access rights the user holds;

a data presentation unit, for filtering the database table according to those access rights and showing the user the records under the specified field that satisfy the filter conditions.

Preferably, the type table establishment unit sets the filter conditions as follows:

according to the data resource types present in a specified field of the database table, it sets a condition that selects a designated data resource type in that field.

Preferably, the type table establishment unit includes:

a condition setting unit, for setting filter conditions for several fields in the data resource type table;

and/or setting several filter conditions for the same specified field.

Preferably, the permission management unit sets permissions as follows:

according to the data resource type table, it screens out the data records that satisfy the conditions and adds them to the user permission table, thereby establishing the association between the user and those data records.

Preferably, the permission management unit includes:

a first permission management unit, for establishing an association between the user and all of the screened data records;

a second permission management unit, for establishing an association between the user and only some of the screened data records.

As the above technical solutions show, compared with the prior art the invention provides a method and system for controlling data access rights in which a data resource type table is established in advance for a given database table, filter conditions for specified fields are set in that table, and an association is established between a user and the data records that satisfy those field filter conditions. When the user accesses the data table, the user's access rights are obtained from the association, the database table is filtered accordingly, and the user is shown the records under the specified field that satisfy the filter conditions. This achieves permission control at a finer granularity than field-level control.

Brief description of the drawings

To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flow chart of an embodiment of the method for controlling data access rights according to the invention;

Fig. 2 is a schematic structural diagram of an embodiment of the system for controlling data access rights according to the invention.

Detailed description

The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.

Referring to Fig. 1, a flow chart of an embodiment of the method of the invention, the method includes:

Step S101: establish in advance a data resource type table for a database table, and set filter conditions for specified fields in the data resource type table.

The data resource type table records the source of the database table, which identifies where the specified database table is located, and may also hold descriptive information about that table. When finer-grained permissions are needed on the fields of a given database table, its source is entered in the resource type table so that its fields can be filtered at that finer granularity.

For a field of that database table, the corresponding permission can be configured by setting a filter condition on the field, which yields the records under the field that satisfy the condition. Concretely, setting the filter condition for a specified field in the data resource type table may be: according to the data resource types present in the specified field of the database table, setting a condition that selects a designated data resource type in that field.

Here the data resource type of a field means the characteristic information that distinguishes different records under the same field. For example, in an organization's employee table the "employee position" field may contain values such as workshop supervisor, department manager and operator; these different values are different data resource types. To grant the right to access the data records whose "employee position" is "operator", the filter condition is set to: the data resource type "operator" in "employee position".

Filter conditions on data resource types can be set separately for several fields, and several filter conditions can also be set for a single field of the database table. Continuing with the employee table, a filter condition can be set on "employee position" and at the same time on "years of service"; and for the "employee position" field, a filter condition on the data resource type "workshop supervisor" can be set alongside the one on "operator".

The data resource type of a field may also be user-defined, with filtering then applied to that custom type, and other forms of filter condition may be set on a field as required.

Step S102: according to the data resource type table, screen out the data records that satisfy the field filter conditions, establish an association between those data records and a user, and save the association in the user's access permission table.

Once the data resource type table has been established for the database table, user access rights can be configured. To authorize a user, an access right is added to or removed from the user by modifying the user's access permission table.

During authorization, the resource type table is queried, the data records that satisfy the field filter conditions are screened out, and an association is established between the user and those records, so that the user gains the right to access the records under that field that satisfy the filter conditions. For example, suppose a resource type table is established for the employee table above and the filter condition on "job title" is set to select the records whose "job title" field is "department director". When a user is authorized, the records whose "job title" is "department director" are screened out of the employee table according to the resource type table and an association is established between them and the user; that user can then access the "department director" records in the employee table, while a user for whom no such association exists cannot.

Establishing the association between the data records and the user may consist of adding the screened records that satisfy the conditions to the user permission table, thereby establishing the association between the user and those records.

Further, the association may be established between the user and all of the screened data records, or between the user and only some of them.

Among the records that satisfy the field's filter conditions, a subset may be selected as needed when authorizing a user, so the scope of rights granted to different users may differ.

Step S103: receive the user's request to access the data table, query the user's access permission table, and obtain from the association the access rights the user holds.

When a user accesses the database table, the user's access permission table is queried first, and the user's access rights are determined from the associations in that table.

Step S104: according to those access rights, filter the database table and show the user the records under the specified field that satisfy the filter conditions.

Once the user's access rights are known, the database table the user wants to access is filtered according to them: the data records under the specified field that satisfy the filter conditions and fall within the user's rights are selected and presented to the user for access.

In the method of the invention, a data resource type table is established in advance for a given database table, filter conditions for specified fields are set in it, and an association is established between a user and the data records that satisfy those field filter conditions. When the user accesses the data table, the user's access rights are obtained from the association, the database table is filtered accordingly, and the user is shown the records under the specified field that satisfy the filter conditions. This achieves finer-grained access control than field-level permission control can provide.

Corresponding to the method, the invention also provides a system for controlling data access rights. Referring to Fig. 2, the system includes:

a type table establishment unit 201, for establishing a data resource type table for a given database table and setting filter conditions for specified fields in the data resource type table;

a permission management unit 202, for screening out, according to the data resource type table, the data records that satisfy the field filter conditions, establishing an association between those data records and a user, and saving the association in the user's access permission table;

a permission judgment unit 203, for receiving the user's request to access the data table, querying the user's access permission table, and obtaining from the association in that table the access rights the user holds;

a data presentation unit 204, for filtering the database table according to those access rights and showing the user the records under the specified field that satisfy the filter conditions.

The filter conditions can take many forms. They may be set according to the data resource types a field holds; correspondingly, the type table establishment unit may set a filter condition as follows: according to the data resource types present in a specified field of the database table, it sets a condition that selects a designated data resource type in that field.

Further, several filter conditions may be set, and the way they are set can be chosen as needed. The type table establishment unit therefore includes:

a condition setting unit, for setting filter conditions for several fields in the data resource type table; and/or setting several filter conditions for the same specified field.

When managing user permissions there are many ways to grant access rights. Preferably, the permission management unit sets permissions as follows: according to the data resource type table, it screens out the data records that satisfy the conditions and adds them to the user permission table, thereby establishing the association between the user and those records.

The extent of the rights granted to a user may of course differ. Preferably, the permission management unit includes:

a first permission management unit, for establishing an association between the user and all of the screened data records;

a second permission management unit, for establishing an association between the user and only some of the screened data records.
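The procedure of steps S101 to S104 above, and the four units 201 to 204 of the system, carried through end to end on SQLite as an added example for this page (illustrative code, not an implementation from the patent or its assignee). The table names employee, resource_type and user_permission, the column layout, the operator allow-list, the constructed sample rows and the rule that conditions on the same field are OR-ed while conditions on different fields are AND-ed are all assumptions of the example; the description says only that several conditions may be set, not how they combine. The demo also shows two consequences of materialising the user-record association: a record that matches the conditions but is inserted after the grant stays invisible until the grant is re-run, and a grant restricted to a subset of ids never reaches a record the conditions did not select.

```python
"""Record-level access control on SQLite, following steps S101-S104 above.
Added example; table/column names, the operator allow-list and the
condition-combination rule are assumptions, not taken from the patent."""
import sqlite3
from collections import defaultdict

# Operators a filter condition may use. A condition is stored as (field, op, value)
# and the value is always bound as a parameter, never spliced into the SQL text.
ALLOWED_OPS = {"=", "!=", "<", "<=", ">", ">="}


def open_db():
    """Create the protected table, the data resource type table (one row per
    filter condition) and the user access permission table; load constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employee (
            id INTEGER PRIMARY KEY, name TEXT, position TEXT, years INTEGER);
        CREATE TABLE resource_type (
            id INTEGER PRIMARY KEY, source_table TEXT NOT NULL,
            field TEXT NOT NULL, op TEXT NOT NULL, cond_value NOT NULL);
        CREATE TABLE user_permission (
            user_name TEXT NOT NULL, source_table TEXT NOT NULL, record_id INTEGER NOT NULL,
            PRIMARY KEY (user_name, source_table, record_id));
    """)
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", [  # constructed sample data
        (1, "Zhang", "operator", 3),
        (2, "Li", "workshop supervisor", 12),
        (3, "Wang", "department manager", 8),
        (4, "Zhao", "operator", 15),
    ])
    return db


def _columns_of(db, table):
    """Table and column names cannot be bound as parameters, so they are checked
    against the catalogue before being quoted into SQL."""
    if not db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                      (table,)).fetchone():
        raise ValueError(f"unknown table: {table}")
    return {row[1] for row in db.execute(f'PRAGMA table_info("{table}")')}


def add_filter(db, table, field, op, value):
    """Step S101: record one filter condition in the data resource type table."""
    if field not in _columns_of(db, table) or op not in ALLOWED_OPS:
        raise ValueError(f"rejected condition: {field!r} {op!r}")
    db.execute("INSERT INTO resource_type (source_table, field, op, cond_value) "
               "VALUES (?, ?, ?, ?)", (table, field, op, value))


def matching_record_ids(db, table):
    """Step S102, screening: ids of the records selected by the conditions for
    `table`. Assumed rule: conditions on the same field are OR-ed, different
    fields are AND-ed. No conditions selects nothing (fail closed)."""
    columns = _columns_of(db, table)
    by_field = defaultdict(list)
    for field, op, value in db.execute(
            "SELECT field, op, cond_value FROM resource_type WHERE source_table = ?", (table,)):
        if field not in columns or op not in ALLOWED_OPS:  # re-check: table may be edited directly
            raise ValueError(f"tampered condition: {field!r} {op!r}")
        by_field[field].append((op, value))
    if not by_field:
        return set()
    clauses, params = [], []
    for field, conds in by_field.items():
        clauses.append("(" + " OR ".join(f'"{field}" {op} ?' for op, _ in conds) + ")")
        params.extend(value for _, value in conds)
    sql = f'SELECT id FROM "{table}" WHERE ' + " AND ".join(clauses)
    return {row[0] for row in db.execute(sql, params)}


def grant(db, user, table, record_ids=None):
    """Step S102, association: write user<->record links into the permission
    table. record_ids=None grants every screened record; a subset grants only
    those of them that were screened (an id the conditions did not select is dropped)."""
    chosen = matching_record_ids(db, table)
    if record_ids is not None:
        chosen &= set(record_ids)
    db.executemany("INSERT OR IGNORE INTO user_permission VALUES (?, ?, ?)",
                   [(user, table, rid) for rid in sorted(chosen)])
    return chosen


def visible_records(db, user, table):
    """Steps S103 and S104: the access decision is a join against the user's
    permission table, so the user sees only the records associated with them."""
    _columns_of(db, table)
    sql = (f'SELECT t.* FROM "{table}" t JOIN user_permission p ON p.record_id = t.id '
           "WHERE p.user_name = ? AND p.source_table = ? ORDER BY t.id")
    return db.execute(sql, (user, table)).fetchall()


def demo():
    """Grant two users, then show the materialisation caveat: a record inserted
    after the grant matches the conditions but stays invisible until grant() is re-run."""
    db = open_db()
    add_filter(db, "employee", "position", "=", "operator")
    add_filter(db, "employee", "position", "=", "workshop supervisor")
    add_filter(db, "employee", "years", ">=", 10)
    alice_granted = grant(db, "alice", "employee")                  # all screened records
    bob_granted = grant(db, "bob", "employee", record_ids=[4, 1])   # id 1 was not screened
    db.execute("INSERT INTO employee VALUES (5, 'Sun', 'operator', 20)")
    alice_before = [r[0] for r in visible_records(db, "alice", "employee")]
    grant(db, "alice", "employee")                                  # refresh the association
    alice_after = [r[0] for r in visible_records(db, "alice", "employee")]
    return {
        "alice_granted": sorted(alice_granted), "bob_granted": sorted(bob_granted),
        "alice_before": alice_before, "alice_after": alice_after,
        "bob": [r[0] for r in visible_records(db, "bob", "employee")],
        "carol": visible_records(db, "carol", "employee"),          # no grant, sees nothing
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Storing each condition as a (field, operator, value) triple, binding the value as a parameter and checking field and table names against the catalogue is a choice of this example: the description treats the filter condition only abstractly, and a resource type table that held free-form predicate text would let anyone with write access to it inject arbitrary SQL into every authorization and every access check.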

The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to each other. Since the apparatus disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief; for the relevant details, refer to the description of the method.

The above description of the disclosed embodiments enables a person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. The invention is therefore not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for controlling data access rights, characterized in that it includes: establishing in advance a data resource type table for a database table, and setting filter conditions for specified fields in the data resource type table; screening out, according to the data resource type table, the data records that satisfy the field filter conditions, establishing an association between those data records and a user, and saving the association in the user's access permission table; receiving the user's request to access the data table, querying the user's access permission table, and obtaining from the association the access rights the user holds; and filtering the database table according to those access rights and showing the user the records under the specified field that satisfy the filter conditions.

2. The method according to claim 1, characterized in that setting the filter conditions for specified fields in the data resource type table includes: setting, according to the data resource types present in a specified field of the database table, a condition that selects a designated data resource type in that field.

3. The method according to claim 1, characterized in that setting the filter conditions for specified fields in the data resource type table includes: setting filter conditions for several fields in the data resource type table; and/or setting several filter conditions for the same specified field.

4. The method according to claim 1, characterized in that establishing the association between the data records and the user includes: adding the screened records that satisfy the conditions to the user permission table, thereby establishing the association between the user and those data records.

5. The method according to claim 1, characterized in that establishing the association between the data records and the user includes: establishing an association between the user and all of the screened data records; or establishing an association between the user and only some of the screened data records.

6. A system for controlling data access rights, characterized in that it includes: a type table establishment unit, for establishing a data resource type table for a database table and setting filter conditions for specified fields in the data resource type table; a permission management unit, for screening out, according to the data resource type table, the data records that satisfy the field filter conditions, establishing an association between those data records and a user, and saving the association in the user's access permission table; a permission judgment unit, for receiving the user's request to access the data table, querying the user's access permission table, and obtaining from the association in that table the access rights the user holds; and a data presentation unit, for filtering the database table according to those access rights and showing the user the records under the specified field that satisfy the filter conditions.

7. The system according to claim 6, characterized in that the type table establishment unit sets the filter conditions as follows: according to the data resource types present in a specified field of the database table, it sets a condition that selects a designated data resource type in that field.

8. The system according to claim 6, characterized in that the type table establishment unit includes: a condition setting unit, for setting filter conditions for several fields in the data resource type table; and/or setting several filter conditions for the same specified field.

9. The system according to claim 6, characterized in that the permission management unit sets permissions as follows: according to the data resource type table, it screens out the data records that satisfy the conditions and adds them to the user permission table, thereby establishing the association between the user and those data records.

10. The system according to claim 6, characterized in that the permission management unit includes: a first permission management unit, for establishing an association between the user and all of the screened data records; and a second permission management unit, for establishing an association between the user and only some of the screened data records.
CN2010106013469A 2010-12-22 2010-12-22 Method and system for controlling data access right Pending CN102063479A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010106013469A CN102063479A (en) 2010-12-22 2010-12-22 Method and system for controlling data access right

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010106013469A CN102063479A (en) 2010-12-22 2010-12-22 Method and system for controlling data access right

Publications (1)

Publication Number Publication Date
CN102063479A true CN102063479A (en) 2011-05-18

Family

ID=43998755

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010106013469A Pending CN102063479A (en) 2010-12-22 2010-12-22 Method and system for controlling data access right

Country Status (1)

Country Link
CN (1) CN102063479A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6081893A (en) * 1997-05-28 2000-06-27 Symantec Corporation System for supporting secured log-in of multiple users into a plurality of computers using combined presentation of memorized password and transportable passport record
CN1960252A (en) * 2006-06-30 2007-05-09 南京联创科技股份有限公司 Multidimension object access control method based on roles
CN101478536A (en) * 2008-12-08 2009-07-08 山东浪潮齐鲁软件产业股份有限公司 Method for solving access control in authority management
CN101729403A (en) * 2009-12-10 2010-06-09 上海电机学院 Access control method based on attribute and rule

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Journal of Yanshan University, 2006-07-31, Han Yanni et al., "Fine-grained access control technology at the database layer", pp. 345-348, Vol. 30, No. 4, relevant to claims 1-10, category 2 *
Computer Systems & Applications, 2010-07-31, Wang Chengliang et al., "A fine-grained permission management model for B/S application systems", pp. 79-82, Vol. 19, No. 7, relevant to claims 1-10, category 2 *

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663044A (en) * 2012-03-28 2012-09-12 福建榕基软件股份有限公司 Method and device for creating search base and method and device for full-text search with authorities
CN104679792A (en) * 2013-12-03 2015-06-03 航天信息软件技术有限公司 Data permission achievement method
US10572645B2 (en) 2014-06-02 2020-02-25 Schlage Lock Company Llc Systems and methods for a credential including multiple access privileges
CN106687950B (en) * 2014-06-02 2020-06-02 施拉奇锁有限责任公司 System and method for a certificate comprising multiple access rights
CN106687950A (en) * 2014-06-02 2017-05-17 施拉奇锁有限责任公司 Systems and methods for a credential including multiple access privileges
CN104717206A (en) * 2015-02-04 2015-06-17 中国科学院信息工程研究所 Internet of things resource access authority control method and system
CN104717206B (en) * 2015-02-04 2018-01-05 中国科学院信息工程研究所 A kind of Internet of Things resource access right control method and system
CN106845174A (en) * 2015-12-03 2017-06-13 福州瑞芯微电子股份有限公司 A kind of application rights management method and system under security system
CN107533546A (en) * 2015-12-18 2018-01-02 慧与发展有限责任合伙企业 Data type management
CN105653976A (en) * 2015-12-28 2016-06-08 湖南蚁坊软件有限公司 Implementation method of universal right model used for user authorization
CN107239711A (en) * 2016-03-29 2017-10-10 北京明略软件系统有限公司 A kind of database row authority control method and system
CN107426134A (en) * 2016-05-23 2017-12-01 上海神计信息系统工程有限公司 A kind of access control method based on relation
CN107733714A (en) * 2017-10-19 2018-02-23 山东浪潮通软信息科技有限公司 A kind of blog management method and device
CN108304732A (en) * 2017-12-22 2018-07-20 石化盈科信息技术有限责任公司 A kind of method and system for refining data library permission
CN108304581A (en) * 2018-03-05 2018-07-20 贵州工程应用技术学院 A kind of self-service fetching engine and access method based on data permission control
CN110740292A (en) * 2018-07-20 2020-01-31 视联动力信息技术股份有限公司 Data processing method and device for video networks
CN109542870A (en) * 2018-10-23 2019-03-29 高新兴科技集团股份有限公司 Database data management method and system
CN109840250A (en) * 2018-12-14 2019-06-04 平安科技(深圳)有限公司 Access authority management method, device, equipment and the storage medium of middle field
CN109840250B (en) * 2018-12-14 2024-02-13 平安科技(深圳)有限公司 Method, device, equipment and storage medium for managing access authority of intermediate field
CN111740770A (en) * 2019-03-25 2020-10-02 北京京东尚科信息技术有限公司 Communication method and system
CN110618990A (en) * 2019-08-15 2019-12-27 中国平安财产保险股份有限公司 List report setting method, system and list report acquisition method
CN110618990B (en) * 2019-08-15 2024-04-30 中国平安财产保险股份有限公司 List report setting method, system and list report acquisition method
CN110955662A (en) * 2019-11-29 2020-04-03 车智互联(北京)科技有限公司 Method, computing device and storage medium for maintaining data table association relation
CN113378217A (en) * 2021-06-02 2021-09-10 浪潮软件股份有限公司 Data authority control module, data access system and data access method
CN114254165A (en) * 2021-12-20 2022-03-29 徐工汉云技术股份有限公司 A system and method for managing user data rights related to Internet of Vehicles business
CN114218256A (en) * 2022-02-21 2022-03-22 恒生电子股份有限公司 Access statement processing method, device, equipment and storage medium
CN114218256B (en) * 2022-02-21 2022-05-27 恒生电子股份有限公司 Access statement processing method, device, equipment and storage medium
CN114969811A (en) * 2022-05-16 2022-08-30 贵州领航视讯信息技术有限公司 Data authority control method based on data segmentation
CN114969811B (en) * 2022-05-16 2023-04-07 贵州领航视讯信息技术有限公司 Data authority control method based on data segmentation

Similar Documents

Publication Publication Date Title
CN102063479A (en) Method and system for controlling data access right
US8799227B2 (en) Presenting metadata from multiple perimeters
US7716242B2 (en) Method and apparatus for controlling access to personally identifiable information
US8539575B2 (en) Techniques to manage access to organizational information of an entity
US7950049B2 (en) Hybrid meta-directory
US7707623B2 (en) Self-service resource provisioning having collaborative compliance enforcement
US9313207B2 (en) Apparatus and method for access validation
US9804747B2 (en) Techniques to manage access to organizational information of an entity
US11516251B2 (en) File resharing management
AU2011202736B2 (en) Policy creation using dynamic access controls
CN107688753A (en) A kind of method and apparatus of ACL controls of authority
US20040010591A1 (en) Employing wrapper profiles
US20040010665A1 (en) Employing local data stores to maintain data during workflows
US20120240194A1 (en) Systems and Methods for Controlling Access to Electronic Data
CN101448002A (en) Method and device for accessing digital resources
US8555333B2 (en) Identifying and resolving separation of duties conflicts in a multi-application environment
WO2014099383A1 (en) Multi-tenant content provider
US11328254B2 (en) Automatic group creation based on organization hierarchy
US20150154417A1 (en) Securing access to business information
US20170103231A1 (en) System and method for distributed, policy-based confidentiality management
WO2002067173A9 (en) A hierarchy model
JP4932291B2 (en) Access right control system
Wu et al. HipStream: A privacy-preserving system for managing mobility data streams

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: STATE ELECTRIC NET CROP.

Free format text: FORMER OWNER: BEIJING ZHONGDIAN PUHUA INFORMATION TECHNOLOGY CO., LTD.

Effective date: 20120801

Owner name: BEIJING ZHONGDIAN PUHUA INFORMATION TECHNOLOGY CO.

Effective date: 20120801

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100192 HAIDIAN, BEIJING TO: 100031 XICHENG, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20120801

Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant after: State Grid Corporation of China

Co-applicant after: Beijing China Power Information Technology Co., Ltd.

Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15 building 710 room research

Applicant before: Beijing China Power Information Technology Co., Ltd.

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110518