CN108416230B - Data access method based on data isolation model - Google Patents
Data access method based on data isolation model
Publication number: CN108416230B (application CN201810246186.7A)
Authority: CN (China)
Prior art keywords: data, access, role, business, data access
Legal status: Active (an assumption, not a legal conclusion)
Classifications
- G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/105: Network architectures or network communication protocols for network security, for controlling access to devices or network resources; multiple levels of security
Abstract
The invention provides a data access method based on a data isolation model. The data isolation model partitions and isolates the business database scopes of organizations at different levels of the hierarchy; an access role with the corresponding data access rights is established for each data service, a sub-role with the corresponding data access rights is established for each operation task, and the rights of each sub-role are built from its membership relationship with an access role. This meets the differing data service management needs of organizations at different levels of a multi-level organizational hierarchy while ensuring both data isolation between the business database scopes of those organizations and the security of access authorization between those scopes, thereby reconciling simplified access-rights design with the security requirements of access control and providing better security for the execution of operation tasks under different data services.
Description
Technical field
The invention relates to the technical field of big data information security management, and in particular to a data access method based on a data isolation model.
Background
At present, the deep integration of new-generation information technology with manufacturing is triggering a new round of industrial transformation. China's manufacturing industry should take intelligent manufacturing based on "Internet + manufacturing" as its main direction, raise its level of comprehensive integration, and follow a path of ecological development. The rapid development of Internet-based information technology has greatly accelerated the informatization of manufacturing enterprises. Construction waste recycling aims to convert construction waste and other discarded resources into renewable resources through targeted, harmless disposal and to process them further into a variety of end products, creating a new circular-economy model. It involves the entire construction industry chain, supply chain and value chain, and likewise needs "Internet +" to raise the level of intelligence in resource regeneration and recycling, which provides an important opportunity and room for growth for construction waste recycling projects. By implementing a group-wide ERP system, the whole industry chain, from the generation, transport, disposal and recycling of construction waste to quality supervision of the final recycled products, can be managed digitally; the quantity of construction waste resources in a region can be forecast, dispatched and monitored in real time, so that the state of the industry is judged accurately, resources are allocated precisely and managed dynamically, and the overall competitiveness of the chain improves.
With the accelerating intelligent development of the construction waste recycling industry and the growth of Internet technology, Web-based information management systems have become the mainstream of enterprise information system development, and their information security has become a focus of attention; managing user permissions is an important means of securing such systems. Access control is a defensive measure against unauthorized use of system resources: by restricting the behavior and operations of users within the system, it ensures that resources are used in a controlled and legitimate way, and is a key technology for safeguarding enterprise information security.
The Role-Based Access Control (RBAC) model is a security access control method that has matured in large commercial systems. User permissions are granted and withdrawn by assigning and removing roles, and rules for role assignment are provided. Security administrators define roles as required and set suitable access rights for them, and users are then assigned to roles according to their responsibilities and seniority. Because RBAC's authorization method and the maintenance of its authorization model are convenient and efficient, it has become the ideal choice for permission management in open environments.
However, the existing role-based access control model (the RBAC model) is not well suited to the data service management needs of group companies. A group company usually has a multi-level organizational hierarchy in which organizations at different levels not only stand in superior/subordinate membership relationships but also emphasize both independence and interrelation. The business database scopes of organizations at different levels therefore also have membership and overlap relationships, yet must still satisfy independent, isolated access restrictions, which makes permission management in the ERP (Enterprise Resource Planning) system both complex and dynamic. In the existing RBAC model, however, access control is static: each role's access rights over the business database scope are fixed when the role is defined. Applying the existing RBAC model directly to a group company's ERP system therefore makes it hard for statically controlled roles to fit the access requirements of the business database scopes of organizations at different levels, so the access mechanism becomes rigid or the permission granularity is too coarse (that is, the minimum extent of an access right is not small enough). Conversely, meeting the differing data service management needs of the various levels under the existing RBAC model requires building a large number of roles, many of whose data access rights overlap. This not only makes role creation laborious but also makes role assignment error-prone because of the overlaps between roles, leading to improper allocation of data access rights and undermining effective control of data isolation and authorization security.
How to provide a suitable data access control scheme for the data service management needs of group companies, while ensuring data isolation and access authorization security between the business database scopes of organizations at different levels, is therefore a problem that remains to be solved.
Summary of the invention
In view of the above deficiencies of the prior art, the object of the invention is to provide a data access method based on a data isolation model, which solves the problem of meeting the differing data service management needs of organizations at different levels of a multi-level organizational hierarchy while ensuring data isolation and access authorization security between the business database scopes of those organizations.
To achieve this object, the invention adopts the following technical scheme:
A data access method based on a data isolation model, comprising:
According to the restrictions on the business database scope of each organization at each level of the organizational hierarchy used for data service management, constructing a data isolation model that partitions and isolates the different business database scopes, so that the data isolation model partitions and isolates the business database scopes of organizations at different levels;
According to the restrictions that the different data services in data service management place on data access rights in the business database, constructing for each data service an access role having the corresponding data access rights; further, according to the restrictions that the different operation tasks within each data service place on data access rights in the business database, constructing, for each access role in each data service that is entitled to perform a given operation task, a sub-role belonging to that access role and having the data access rights needed to perform that operation task; and constructing role permission labels for each access role and its sub-roles;
At data access time, using the data isolation model to restrict the accessed business database scope according to the level organization to which the accessing user belongs, configuring for the accessing user the role permission label corresponding to the data service and/or operation task being accessed, and then controlling the user's data access rights according to the access role and/or sub-role that corresponds to the configured role permission label.
In the above data access method, as a preferred solution, the organizational hierarchy used for data service management is a tree structure;
The root-node organization of the hierarchy corresponds to the data access scope of all data services and of all operation tasks. Each other organization selects, from the data services corresponding to its parent-node organization, the data access scope of the data services it is permitted to access, and determines the data access scope corresponding to each operation task within each of those data services; this determines, for that organization, the restrictions on the data access scope of each data service and of each operation task within each data service.
In the above data access method, as a preferred solution, the data access rights held by each access role are the data access rights of the minimum data access scope necessary for that access role to access its corresponding data service.
In the above data access method, as a preferred solution, each sub-role holds all the data access rights of the access role to which it belongs, and additionally holds at least one data access right that its parent access role does not have.
In the above data access method, as a preferred solution, at data access time, after the accessed business database scope has been restricted by the isolation model, the accessing user is first granted the data access rights of the access role corresponding to the data service being accessed, according to that role's role permission label, and access is controlled on that basis. Only when an operation task within the data service is being performed and that task has been activated is the role permission label of the corresponding sub-role configured for the accessing user, granting the sub-role's data access rights and controlling access on that basis. As soon as the operation task is completed, the sub-role's role permission label is withdrawn, the user's data access rights for that sub-role are revoked, and access is again controlled by the data access rights of the access role to which the sub-role belongs.
Compared with the prior art, the invention has the following beneficial effects:
1. The data access method based on a data isolation model uses the data isolation model to partition and isolate the business database scopes of organizations at different levels, establishes access roles with corresponding data access rights for each data service and sub-roles with corresponding data access rights for each operation task, and builds the rights of each sub-role from its membership relationship with an access role. While meeting the differing data service management needs of organizations at different levels of a multi-level hierarchy, it ensures data isolation between the business database scopes of those organizations, and, by avoiding the construction of many access roles with duplicated data access rights and of many sub-roles with overlapping rights, also ensures the security of access authorization between those scopes, thereby reconciling simplified access-rights design with the security requirements of access control.
2. The method also allows flexible allocation and control of the data access rights of access roles and sub-roles while operation tasks are performed within a data service, so that fraud arising from the expansion of a user's access rights is prevented both during system management configuration and during operation task execution, providing better security for the execution of operation tasks under different data services.
Brief description of the drawings
Figure 1 is a schematic diagram of the architecture of the data access method based on a data isolation model according to the invention.
Detailed description of the embodiments
To address the data service management needs of group companies, in which organizations at different levels of a multi-level hierarchy have different requirements, the invention provides a data access method based on a data isolation model. The method comprises the following steps:
Step A: According to the restrictions on the business database scope of each organization at each level of the organizational hierarchy used for data service management, construct a data isolation model that partitions and isolates the different business database scopes, so that the data isolation model partitions and isolates the business database scopes of organizations at different levels;
Step B: According to the restrictions that the different data services in data service management place on data access rights in the business database, construct for each data service an access role having the corresponding data access rights; further, according to the restrictions that the different operation tasks within each data service place on data access rights in the business database, construct, for each access role in each data service that is entitled to perform a given operation task, a sub-role belonging to that access role and having the data access rights needed to perform that operation task; and construct role permission labels for each access role and its sub-roles;
Step C: At data access time, use the data isolation model to restrict the accessed business database scope according to the level organization to which the accessing user belongs, configure for the accessing user the role permission label corresponding to the data service and/or operation task being accessed, and then control the user's data access rights according to the access role and/or sub-role that corresponds to the configured role permission label.
In this method, because the data isolation model partitions and isolates the business database scopes of organizations at different levels, and at data access time the accessed scope is restricted by that model according to the level organization to which the accessing user belongs, data isolation between the business database scopes of organizations at different levels is guaranteed. With isolation guaranteed, consider the data service management needs of a group company: organizations at different levels usually run the same data services, differing only in the business database scope each organization corresponds to. The same data service therefore touches different business database objects in the data service management of different organizations, which makes it feasible to use the same access role to perform independent access control for the same data service in organizations at different levels. Consequently, when access roles are established there is no need to distinguish between the business database scopes of different organizations; only the restrictions that the different data services place on data access rights in the business database need be considered in constructing an access role with the corresponding rights for each data service. In other words, even across the business database scopes of different organizations, if an access role with the data access rights of a given data service already exists, it need not be built again, which avoids building a large number of access roles with duplicated data access rights for the data service management of the different organizations.
Moreover, according to the restrictions that the different operation tasks within each data service place on data access rights in the business database, the method constructs, for each access role entitled to perform a given operation task, a sub-role belonging to that access role with the data access rights needed to perform the task. In a specific implementation, each sub-role may be designed to hold all the data access rights of its parent access role plus at least one data access right the parent does not have; naturally, those additional rights should be the ones the sub-role needs to perform its operation task. This makes the allocation of the data access rights for the different operation tasks of a data service among the sub-roles easier to distinguish, and, given that a proliferation of access roles with duplicated rights has already been avoided, building each sub-role's rights from its membership relationship with an access role largely avoids the problem of building many sub-roles with overlapping data access rights for the data service management of the different organizations.
Thus at data access time, after the accessed business database scope has been restricted by the data isolation model according to the user's organization, the role permission label corresponding to the data service and/or operation task being accessed is configured for the user, and the user's data access rights are controlled according to the corresponding access role and/or sub-role. While meeting the differing data service management needs of organizations at different levels, this ensures data isolation between their business database scopes and, having avoided a large number of access roles with duplicated rights and of sub-roles with overlapping rights, also ensures the security of access authorization between those scopes, thereby reconciling simplified access-rights design with the security requirements of access control.
In this method there is no restriction on the order of steps A and B, which may be interchanged; step C depends on steps A and B and can only be carried out after them.
In a group company, organizations at different levels of the hierarchy usually stand in superior/subordinate membership relationships, so the organizational hierarchy for data service management should be designed as a tree. The root-node organization is usually the group's head office, so it should correspond to the data access scope of all data services and of all operation tasks. Each remaining organization has a membership relationship with its parent-node organization, so every organization other than the root should be designed to select, from the data services corresponding to its parent, the data access scope of the data services it may access, determine the data access scope of each operation task within each of those data services, and thereby determine, for that organization, the restrictions on the data access scope of each data service and of each operation task within each data service. This way of partitioning and isolating data access scopes better satisfies the data isolation requirements of a group company's data service management.
In a specific implementation, if better security is required for task execution in certain cases, such as the handling of confidential information, then when the data access rights of each access role are designed, the access role can be given only the data access rights of the minimum data access scope necessary for accessing its corresponding data business, while the remaining data access rights that are needed are provided through the sub-roles that belong to it. On the other hand, to strengthen data security protection during task execution, once the scope of business databases that may be accessed has been distinguished and isolated, data access can be controlled as follows. First, the access user is granted the data access rights of the access role corresponding to the data business being accessed, according to that access role's role permission label, and access control is performed on that basis. If and only if an operation task within the data business is being executed and that operation task has been activated for execution, the access user is additionally granted the data access rights of the corresponding sub-role, according to the role permission label of the sub-role configured for that operation task, and access control is performed on that basis. When the operation task within the data business finishes executing, the role permission label of the sub-role corresponding to that operation task is withdrawn immediately, the access user's data access rights for that sub-role are revoked, and access control reverts to the data access rights of the access role to which the sub-role belongs.
In this way, before an operation task is executed, the access user cannot obtain the actual data access rights even if qualified to execute that task; the data access rights of the corresponding sub-role are truly granted to the access user only after the operation task has been activated. After the operation task ends, the data access rights of the corresponding sub-role are withdrawn immediately, so that the access user no longer holds the data access rights required to execute that task and holds only the data access rights of the access role corresponding to the current data business, i.e. the rights of the minimum data access scope necessary for that data business.
Thus, during both the system management configuration stage and the operation task execution stage, expansion of the access user's rights, and the fraudulent behaviour it could enable, is prevented, providing better security for the execution of operation tasks under different data businesses.
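The grant-on-activation, revoke-on-completion sequence described above, as an added example in Python that is not the patent's own code. A session starts with only the access role's label; a task's sub-role label is active only inside `run_task`, and every grant and revoke is recorded. The role labels, table names and user are constructed sample data, and revoking in a `finally` clause, so that a task that aborts also loses its sub-role, is a choice made here rather than something the text specifies.

```python
"""Least-privilege access role with task-scoped sub-roles.

Added illustration of the grant/revoke sequence described above; it is not the
patent's own code.  Role labels, table names and the user are constructed
sample data, and revoking inside `finally` (so an aborted task also loses its
sub-role) is a choice made here, not something the text specifies.
"""
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Role:
    label: str               # the role permission label handed to a user
    tables: FrozenSet[str]   # business-database tables the label unlocks


@dataclass
class AccessRole:
    base: Role                    # minimum scope needed for the business itself
    sub_roles: Dict[str, Role]    # operation task name -> sub-role


@dataclass
class Session:
    """One access user working inside one data business."""
    user: str
    business: str
    access_role: AccessRole
    active_labels: Set[str] = field(default_factory=set)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Entering the business grants only the access role's own label.
        self._grant(self.access_role.base.label)

    def _grant(self, label: str) -> None:
        self.active_labels.add(label)
        self.audit.append(("grant", self.user, label))

    def _revoke(self, label: str) -> None:
        self.active_labels.discard(label)
        self.audit.append(("revoke", self.user, label))

    def _roles_by_label(self) -> Dict[str, Role]:
        roles = {self.access_role.base.label: self.access_role.base}
        roles.update({r.label: r for r in self.access_role.sub_roles.values()})
        return roles

    def effective_tables(self) -> FrozenSet[str]:
        """Union of the tables unlocked by every label currently active."""
        roles = self._roles_by_label()
        tables: Set[str] = set()
        for label in self.active_labels:
            tables |= roles[label].tables
        return frozenset(tables)

    def can_read(self, table: str) -> bool:
        return table in self.effective_tables()

    @contextmanager
    def run_task(self, task: str) -> Iterator[None]:
        """Activate a task: grant its sub-role label for the task's duration only."""
        sub = self.access_role.sub_roles.get(task)
        if sub is None:
            raise PermissionError(f"{self.user} has no sub-role for task {task!r} in {self.business}")
        self._grant(sub.label)
        try:
            yield
        finally:
            # Task finished (normally or not): withdraw the label at once so the
            # user falls back to the access role's minimum scope.
            self._revoke(sub.label)


def build_demo_session() -> Session:
    base = Role("finance:base", frozenset({"ledger_summary"}))
    access_role = AccessRole(base, {
        "monthly_close": Role("finance:monthly_close", frozenset({"ledger_detail", "journal"})),
        "audit": Role("finance:audit", frozenset({"ledger_detail", "audit_trail"})),
    })
    return Session("alice", "finance", access_role)


def demo() -> Dict[str, object]:
    """Show that `journal` is reachable only while `monthly_close` is active."""
    s = build_demo_session()
    before = s.can_read("journal")
    with s.run_task("monthly_close"):
        during = s.can_read("journal")
    after = s.can_read("journal")
    return {"before": before, "during": during, "after": after, "audit": s.audit}


if __name__ == "__main__":
    print(demo())
```

The `audit` list is what a reviewer would check in a real deployment: every sub-role label should appear in a matching grant/revoke pair, and any label that is still active outside a task window indicates that the revoke step was skipped.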
To sum up, the data access method based on a data isolation model of the present invention uses the data isolation model to distinguish and isolate the business database scopes of organizations at different levels, establishes access roles with corresponding data access rights for different data businesses and sub-roles with corresponding data access rights for different operation tasks, and uses the affiliation relationship between sub-roles and access roles to construct the data access rights held by the sub-roles. While meeting the differing data business management requirements of the organizations at different levels of a multi-level organizational hierarchy, it not only ensures data isolation between the business database scopes of organizations at different levels, but also, without constructing a large number of different access roles with duplicated data access rights and without constructing a large number of sub-roles with overlapping data access rights, ensures the security of access-right authorization between the business database scopes of organizations at different levels, thereby reconciling a simplified access-right design with the security requirements of access control.
Moreover, through flexible allocation and control of the data access rights of access roles and sub-roles while operation tasks are executed within a data business, the method prevents expansion of access user rights, and the fraudulent behaviour it could enable, during both the system management configuration stage and the operation task execution stage, providing better security for the execution of operation tasks under different data businesses.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the spirit and scope of the technical solution of the present invention, and all such modifications and replacements fall within the scope of the claims of the present invention.
Claims (4)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810246186.7A CN108416230B (en) | 2018-03-23 | 2018-03-23 | Data access method based on data isolation model |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108416230A CN108416230A (en) | 2018-08-17 |
| CN108416230B true CN108416230B (en) | 2019-12-20 |
Family
ID=63132343
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810246186.7A Active CN108416230B (en) | 2018-03-23 | 2018-03-23 | Data access method based on data isolation model |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108416230B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109460675A (en) * | 2018-10-26 | 2019-03-12 | 温州博盈科技有限公司 | A kind of enterprise information security management method |
| CN110188517B (en) * | 2018-12-14 | 2021-12-28 | 浙江宇视科技有限公司 | User account login method and device based on role mode |
| CN109829331B (en) * | 2018-12-28 | 2021-06-22 | 金螳螂家装电子商务(苏州)有限公司 | Data management method based on decoration chain enterprise employee unified authority |
| CN110175437A (en) * | 2019-04-11 | 2019-08-27 | 全球能源互联网研究院有限公司 | It is a kind of for access terminal authorization control method, apparatus and host terminal |
| CN110516450B (en) * | 2019-07-23 | 2023-06-20 | 平安科技(深圳)有限公司 | Data acquisition authority management and control method, electronic device and computer readable storage medium |
| CN110569657B (en) * | 2019-09-10 | 2021-10-29 | 北京字节跳动网络技术有限公司 | Data access method, device, equipment and storage medium |
| CN111079182B (en) * | 2019-12-18 | 2022-11-29 | 北京百度网讯科技有限公司 | Data processing method, device, equipment and storage medium |
| CN113407929A (en) * | 2021-02-05 | 2021-09-17 | 北京理工大学 | Access authorization method and system for research and development design resources |
| CN114567504B (en) * | 2022-03-07 | 2023-08-25 | 福建天晴在线互动科技有限公司 | Dynamic authority cross management method and system based on web architecture |
| CN115659395A (en) * | 2022-10-19 | 2023-01-31 | 安徽生命港湾信息技术有限公司 | A complex authority automatic authorization control method for chip factories |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8181230B2 (en) * | 2008-06-30 | 2012-05-15 | International Business Machines Corporation | System and method for adaptive approximating of a user for role authorization in a hierarchical inter-organizational model |
| CN104331776A (en) * | 2014-11-18 | 2015-02-04 | 国家电网公司 | Electric power data application management platform |
| CN104537488A (en) * | 2014-12-29 | 2015-04-22 | 中国南方电网有限责任公司 | Enterprise-level information system function authority unified management method |
| CN106407823A (en) * | 2016-09-26 | 2017-02-15 | 中国科学院计算技术研究所 | A multi-granularity and multi-intensity access control method and system |
| CN107506655A (en) * | 2017-08-08 | 2017-12-22 | 北京盛华安信息技术有限公司 | Data permission distributes the method with access control |
- 2018-03-23: application CN201810246186.7A filed in CN; granted as CN108416230B, status Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN108416230A (en) | 2018-08-17 |
Similar Documents
| Publication | Title |
|---|---|
| CN108416230B (en) | Data access method based on data isolation model |
| US8402514B1 (en) | Hierarchy-aware role-based access control |
| US7284000B2 (en) | Automatic policy generation based on role entitlements and identity attributes |
| US6141778A (en) | Method and apparatus for automating security functions in a computer system |
| US8490152B2 (en) | Entitlement lifecycle management in a resource management system |
| CN111475784B (en) | Authority management method and device |
| CN109981552B (en) | A method and device for assigning rights |
| CN110363012B (en) | Method for configuring authority of authority resource, authority system and storage medium |
| CN104090770A (en) | Method based on function of user right configuration system in software development |
| CN109033861B (en) | Method for authorizing authorized operator in system |
| CN105184144A (en) | Multi-system privilege management method |
| CN101478398A (en) | Authorization management system oriented to resource management and establishing method |
| WO2016026320A1 (en) | Access control method and apparatus |
| CN104715341A (en) | Permission assigning method and device |
| CN113067871A (en) | Digital file management method based on block chain technology |
| CN111611220A (en) | File sharing method and system based on hierarchical nodes |
| CN104424530A (en) | Method for realizing layering management of multilevel departments through permission setting |
| Fuchs et al. | Minimizing insider misuse through secure Identity Management |
| CN113541959A (en) | Construction project management system and method |
| Tamilarasi et al. | Machine learning challenges of e-government models of cloud computing in developing countries |
| CN113347202A (en) | Account identification management system of centralized account management and control platform |
| CN106056270A (en) | Data safety design method of textile production management system based on improved RBAC |
| Wang et al. | Multi-source data sharing of electrical equipment based on handle system identity resolution technology for Internet of things in electric industry |
| Sun et al. | Design of authority control service for the two-level comprehensive management system |
| CN112597518B (en) | Rights management method, device and equipment based on graph database |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |