[go: up one dir, main page]

CN112016116A - Data management and access method, device, electronic equipment and readable storage medium - Google Patents

Data management and access method, device, electronic equipment and readable storage medium Download PDF

Info

Publication number
CN112016116A
CN112016116A CN201910465647.4A CN201910465647A CN112016116A CN 112016116 A CN112016116 A CN 112016116A CN 201910465647 A CN201910465647 A CN 201910465647A CN 112016116 A CN112016116 A CN 112016116A
Authority
CN
China
Prior art keywords
data
tag
user
authorized user
label
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910465647.4A
Other languages
Chinese (zh)
Other versions
CN112016116B (en
Inventor
陈金玉
代伟超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201910465647.4A priority Critical patent/CN112016116B/en
Publication of CN112016116A publication Critical patent/CN112016116A/en
Application granted granted Critical
Publication of CN112016116B publication Critical patent/CN112016116B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

本公开实施例公开了一种数据管理和访问方法、装置、电子设备及可读存储介质,所述数据管理方法包括建立与数据中的预设对象相对应的标签,对允许使用所述标签的用户进行授权,在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。该技术方案能够建立与预设对象相对应的标签,并基于所述标签对用户进行授权,细化了数据管理的粒度级,提高了数据管理的安全性和灵活性。

Figure 201910465647

Embodiments of the present disclosure disclose a data management and access method, apparatus, electronic device, and readable storage medium. The data management method includes establishing a tag corresponding to a preset object in the data, and setting up a tag that is allowed to use the tag. The user performs authorization, and when a data access request using the tag is received from an authorized authorized user, the content of the preset object corresponding to the tag is provided to the authorized user. The technical solution can establish tags corresponding to preset objects, and authorize users based on the tags, refine the granularity level of data management, and improve the security and flexibility of data management.

Figure 201910465647

Description

数据管理和访问方法、装置、电子设备及可读存储介质Data management and access method, apparatus, electronic device and readable storage medium

技术领域technical field

本公开涉及计算机技术领域,具体涉及一种数据管理和访问方法、装置、电子设备及可读存储介质。The present disclosure relates to the field of computer technologies, and in particular, to a data management and access method, apparatus, electronic device, and readable storage medium.

背景技术Background technique

在当前的大数据环境下,数据量迅速增长,用户对数据的访问需求也日益增多。一方面,数据的共享有利于提高数据利用率,避免重复劳动,例如,科研人员之间的数据共享有利于促进学科发展,企业之间的数据共享有利于行业的进步,交叉领域之间的数据共享有利于各领域的突破等,另一方面,数据常常与个人隐私、行业机密甚至国家安全息息相关,而这些数据的泄露通常会严重影响对社会稳定,这对数据的管理和使用提出了很大的挑战。In the current big data environment, the amount of data is growing rapidly, and users' demand for data access is also increasing. On the one hand, data sharing is conducive to improving data utilization and avoiding duplication of work. For example, data sharing between researchers is conducive to promoting the development of disciplines, data sharing between enterprises is conducive to the progress of the industry, and data sharing between cross-fields Sharing is conducive to breakthroughs in various fields. On the other hand, data is often closely related to personal privacy, industry secrets and even national security, and the leakage of these data usually seriously affects social stability, which poses great challenges to the management and use of data. challenge.

发明内容SUMMARY OF THE INVENTION

为了解决相关技术中的问题,本公开实施例提供一种数据管理和访问方法、装置、电子设备及可读存储介质。In order to solve the problems in the related art, the embodiments of the present disclosure provide a data management and access method, an apparatus, an electronic device, and a readable storage medium.

第一方面,本公开实施例提供了一种数据管理方法。In a first aspect, an embodiment of the present disclosure provides a data management method.

具体地,所述数据管理方法包括:Specifically, the data management method includes:

建立与数据中的预设对象相对应的标签;Create labels corresponding to preset objects in the data;

对允许使用所述标签的用户进行授权;Authorize users who are allowed to use the tags;

在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。When a data access request using the tag is received from an authorized authorized user, the authorized user is provided with the content of the preset object corresponding to the tag.

结合第一方面,本公开在第一方面的第一种实现方式中,所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,针对所述预设对象生成相应标签;和/或With reference to the first aspect, in a first implementation manner of the first aspect of the present disclosure, the establishing a label corresponding to the preset object includes, according to an instruction of a user who generates the user set of the data, for the Preset objects generate corresponding labels; and/or

所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,建立所述预设对象与相应标签之间的对应关系;和/或The establishing a label corresponding to the preset object includes establishing a corresponding relationship between the preset object and the corresponding label according to an instruction of a user who generated the user set of the data; and/or

所述数据管理方法还包括:接收用户对使用所述标签的申请;或从其他用户集合的用户接收对使用所述标签的申请。The data management method further includes: receiving an application for using the tag from a user; or receiving an application for using the tag from users of other user sets.

结合第一方面的第一种实现方式,本公开在第一方面的第二种实现方式中,所述标签初始为仅对生成所述数据的用户集合可见的私有标签,所述数据管理方法还包括:With reference to the first implementation manner of the first aspect, in the second implementation manner of the first aspect of the present disclosure, the tag is initially a private tag visible only to the set of users who generate the data, and the data management method further include:

将所述私有标签转换为公共标签,所述公共标签对所述其他用户集合可见;或者converting the private label to a public label that is visible to the other set of users; or

将所述私有标签转换为公共标签,所述公共标签的公开范围设置为以下任意一种或多种:生成所述数据的用户集合的所有下级用户集合、生成所述数据的用户集合的选定下级用户集合、与生成所述数据的用户集合隶属于同一上级的兄弟用户集合。Converting the private label into a public label, and the disclosure scope of the public label is set to any one or more of the following: a set of all subordinate users of the user set that generated the data, a selected set of users that generated the data The lower-level user set and the user set that generated the data belong to the same upper-level sibling user set.

结合第一方面,本公开在第一方面的第三种实现方式中,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;With reference to the first aspect, in a third implementation manner of the first aspect of the present disclosure, the label corresponds to multiple preset objects, and the multiple preset objects have the same attribute and belong to different data resources;

所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示;the application for using the tag contains an indication of a specific data resource among the different data resources and/or the data access request contains an indication of the specific data resource;

所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括向所述授权用户提供所述特定数据资源中与所述标签相对应的所述预设对象的内容。The providing the authorized user with the content of the preset object corresponding to the tag includes providing the authorized user with the content of the preset object corresponding to the tag in the specific data resource .

结合第一方面,本公开在第一方面的第四种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the first aspect, in a fourth implementation manner of the first aspect of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

向所述授权用户提供允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容。The authorized user is provided with the content of the preset object corresponding to the tag in a record that the authorized user is allowed to access.

结合第一方面,本公开在第一方面的第五种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the first aspect, in a fifth implementation manner of the first aspect of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理与所述标签相对应的所述预设对象的内容,得到第一脱敏数据;Process the content of the preset object corresponding to the label according to the desensitization rule to obtain first desensitization data;

向所述授权用户提供所述第一脱敏数据。The first desensitized data is provided to the authorized user.

结合第一方面,本公开在第一方面的第六种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the first aspect, in a sixth implementation manner of the first aspect of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容,得到第二脱敏数据;Process the content of the preset object corresponding to the label in the record allowing the authorized user to access according to the desensitization rule, to obtain second desensitization data;

向所述授权用户提供所述第二脱敏数据。The second masked data is provided to the authorized user.

结合第一方面的第四种实现方式或第六种实现方式,本公开在第一方面的第七种实现方式中,所述确定允许所述授权用户访问的记录,包括:With reference to the fourth implementation manner or the sixth implementation manner of the first aspect, in a seventh implementation manner of the first aspect of the present disclosure, the determining of the records that the authorized user is allowed to access includes:

根据所述授权用户的属性值确定允许所述授权用户访问的记录;或者Determine the records that the authorized user is allowed to access based on the attribute value of the authorized user; or

根据所述标签的类别和所述授权用户的属性值确定允许所述授权用户访问的记录。The records that the authorized user is allowed to access are determined according to the category of the tag and the attribute value of the authorized user.

结合第一方面的第五种实现方式或第六种实现方式,本公开在第一方面的第八种实现方式中,所述确定所述相应的脱敏规则,包括:With reference to the fifth implementation manner or the sixth implementation manner of the first aspect, in the eighth implementation manner of the first aspect of the present disclosure, the determining the corresponding desensitization rule includes:

根据所述标签的等级和/或所述授权用户的属性值确定所述相应的脱敏规则;和/或determining the corresponding desensitization rule according to the level of the tag and/or the attribute value of the authorized user; and/or

在所述授权用户属于白名单用户集合的情况下,不进行脱敏处理。In the case that the authorized user belongs to the whitelist user set, no desensitization processing is performed.

结合第一方面,本公开在第一方面的第九种实现方式中,所述数据包括物理表;和/或In conjunction with the first aspect, in a ninth implementation manner of the first aspect, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。第二方面,本公开实施例提供了一种数据访问方法。The preset object is a field. In a second aspect, an embodiment of the present disclosure provides a data access method.

具体地,所述数据访问方法包括:Specifically, the data access method includes:

展示与数据中的预设对象相对应的标签;Display labels corresponding to preset objects in the data;

在用户获得使用所述标签的授权而成为授权用户之后,发送所述授权用户使用所述标签的数据访问请求;After the user obtains the authorization to use the tag and becomes an authorized user, sending a data access request for the authorized user to use the tag;

接收与所述标签相对应的所述预设对象的内容。The content of the preset object corresponding to the tag is received.

结合第二方面,本公开在第二方面的第一种实现方式中,所述用户不属于生成所述数据的用户集合。In conjunction with the second aspect, in a first implementation manner of the second aspect of the present disclosure, the user does not belong to the user set that generated the data.

结合第二方面,本公开在第二方面的第二种实现方式中,所述标签对应于多个字段,所述多个字段具有相同属性且属于不同数据资源;In conjunction with the second aspect, in a second implementation manner of the second aspect of the present disclosure, the tag corresponds to multiple fields, and the multiple fields have the same attribute and belong to different data resources;

所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示;the application for using the tag contains an indication of a specific data resource among the different data resources and/or the data access request contains an indication of the specific data resource;

所述接收与所述标签相对应的所述预设对象的内容,包括接收所述特定数据资源中与所述标签相对应的所述预设对象的内容。The receiving the content of the preset object corresponding to the tag includes receiving the content of the preset object corresponding to the tag in the specific data resource.

结合第二方面,本公开在第二方面的第三种实现方式中,所述接收与所述标签相对应的所述预设对象的内容,包括接收以下任意之一:With reference to the second aspect, in a third implementation manner of the second aspect of the present disclosure, the receiving the content of the preset object corresponding to the tag includes receiving any one of the following:

允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容;the content of the preset object corresponding to the tag in the record allowing the authorized user to access;

根据脱敏规则处理与所述标签相对应的所述预设对象的内容而得到的第一脱敏数据;first desensitization data obtained by processing the content of the preset object corresponding to the label according to the desensitization rule;

根据脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容而得到的第二脱敏数据。The second desensitization data obtained by processing the content of the preset object corresponding to the tag in the record that is allowed to be accessed by the authorized user according to the desensitization rule.

结合第二方面的第三种实现方式,本公开在第二方面的第四种实现方式中,所述允许所述授权用户访问的记录是根据所述授权用户的属性值确定的,或者是根据所述标签的类别和所述授权用户的属性值确定的;With reference to the third implementation manner of the second aspect, in a fourth implementation manner of the second aspect of the present disclosure, the record allowing the authorized user to access is determined according to the attribute value of the authorized user, or according to The category of the label and the attribute value of the authorized user are determined;

所述脱敏规则是根据所述标签的等级和/或所述授权用户的属性值确定的。The desensitization rule is determined according to the level of the tag and/or the attribute value of the authorized user.

结合第二方面,本公开在第二方面的第五种实现方式中,所述数据包括物理表;和/或In conjunction with the second aspect, in a fifth implementation manner of the second aspect, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

结合第二方面,本公开在第二方面的第六种实现方式中,所述数据访问方法还包括:In conjunction with the second aspect, in a sixth implementation manner of the second aspect, the data access method further includes:

发送用户对使用所述标签的申请。A user request to use the tag is sent.

第三方面,本公开实施例提供一种数据管理装置。In a third aspect, an embodiment of the present disclosure provides a data management apparatus.

具体地,所述数据管理装置包括:Specifically, the data management device includes:

建立模块,被配置为建立与数据中的预设对象相对应的标签;an establishment module configured to establish a label corresponding to a preset object in the data;

授权模块,被配置为对允许使用所述标签的用户进行授权;an authorization module configured to authorize users allowed to use the tag;

提供模块,被配置为在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。A providing module is configured to provide the authorized user with the content of the preset object corresponding to the tag when a data access request using the tag is received from an authorized authorized user.

结合第三方面,本公开在第三方面的第一种实现方式中,所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,针对所述预设对象生成相应标签;和/或With reference to the third aspect, in a first implementation manner of the third aspect of the present disclosure, the establishing a label corresponding to the preset object includes, according to an instruction of a user who generates the user set of the data, for the Preset objects generate corresponding labels; and/or

所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,建立所述预设对象与相应标签之间的对应关系;和/或The establishing a label corresponding to the preset object includes establishing a corresponding relationship between the preset object and the corresponding label according to an instruction of a user who generated the user set of the data; and/or

所述数据管理装置还包括:接收申请模块,被配置为接收用户对使用所述标签的申请;或从其他用户集合的用户接收对使用所述标签的申请。The data management apparatus further includes: an application receiving module configured to receive an application for using the tag from a user; or receiving an application for using the tag from a user group of other users.

结合第三方面的第一种实现方式,本公开在第三方面的第二种实现方式中,所述标签初始为仅对生成所述数据的用户集合可见的私有标签,所述装置还包括转换模块,被配置为:With reference to the first implementation manner of the third aspect, in the second implementation manner of the third aspect of the present disclosure, the tag is initially a private tag visible only to the set of users who generate the data, and the apparatus further includes a conversion module, configured as:

将所述私有标签转换为公共标签,所述公共标签对所述其他用户集合可见;或者converting the private label to a public label that is visible to the other set of users; or

将所述私有标签转换为公共标签,所述公共标签的公开范围设置为以下任意一种或多种:生成所述数据的用户集合的所有下级用户集合、生成所述数据的用户集合的选定下级用户集合、与生成所述数据的用户集合隶属于同一上级的兄弟用户集合。Converting the private label into a public label, and the disclosure scope of the public label is set to any one or more of the following: a set of all subordinate users of the user set that generated the data, a selected set of users that generated the data The lower-level user set and the user set that generated the data belong to the same upper-level sibling user set.

结合第三方面,本公开在第三方面的第三种实现方式中,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;With reference to the third aspect, in a third implementation manner of the third aspect of the present disclosure, the tags correspond to multiple preset objects, and the multiple preset objects have the same attribute and belong to different data resources;

所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示;the application for using the tag contains an indication of a specific data resource among the different data resources and/or the data access request contains an indication of the specific data resource;

所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括向所述授权用户提供所述特定数据资源中与所述标签相对应的所述预设对象的内容。The providing the authorized user with the content of the preset object corresponding to the tag includes providing the authorized user with the content of the preset object corresponding to the tag in the specific data resource .

结合第三方面,本公开在第三方面的第四种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the third aspect, in a fourth implementation manner of the third aspect of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

向所述授权用户提供允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容。The authorized user is provided with the content of the preset object corresponding to the tag in a record that the authorized user is allowed to access.

结合第三方面,本公开在第三方面的第五种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the third aspect, in a fifth implementation manner of the third aspect of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理与所述标签相对应的所述预设对象的内容,得到第一脱敏数据;Process the content of the preset object corresponding to the label according to the desensitization rule to obtain first desensitization data;

向所述授权用户提供所述第一脱敏数据。The first desensitized data is provided to the authorized user.

结合第三方面,本公开在第三方面的第六种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the third aspect, in a sixth implementation manner of the third aspect of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的字段的内容,得到第二脱敏数据;Process the content of the field corresponding to the label in the record that the authorized user is allowed to access according to the desensitization rule, to obtain second desensitization data;

向所述授权用户提供所述第二脱敏数据。The second masked data is provided to the authorized user.

结合第三方面的第四种实现方式或第六种实现方式,本公开在第三方面的第七种实现方式中,所述确定允许所述授权用户访问的记录,包括:With reference to the fourth implementation manner or the sixth implementation manner of the third aspect, in a seventh implementation manner of the third aspect of the present disclosure, the determining of the records that the authorized user is allowed to access includes:

根据所述授权用户的属性值确定允许所述授权用户访问的记录;或者Determine the records that the authorized user is allowed to access based on the attribute value of the authorized user; or

根据所述标签的类别和所述授权用户的属性值确定允许所述授权用户访问的记录。The records that the authorized user is allowed to access are determined according to the category of the tag and the attribute value of the authorized user.

结合第三方面的第五种实现方式或第六种实现方式,本公开在第三方面的第八种实现方式中,所述确定所述相应的脱敏规则,包括:With reference to the fifth implementation manner or the sixth implementation manner of the third aspect, in the eighth implementation manner of the third aspect of the present disclosure, the determining the corresponding desensitization rule includes:

根据所述标签的等级和/或所述授权用户的属性值确定所述相应的脱敏规则;和/或determining the corresponding desensitization rule according to the level of the tag and/or the attribute value of the authorized user; and/or

在所述授权用户属于白名单用户集合的情况下,不进行脱敏处理。In the case that the authorized user belongs to the whitelist user set, no desensitization processing is performed.

结合第三方面,本公开在第三方面的第种九实现方式中,所述数据包括物理表;和/或In conjunction with the third aspect, in a ninth implementation manner of the third aspect, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

第四方面,本公开实施例提供一种数据访问装置。In a fourth aspect, an embodiment of the present disclosure provides a data access device.

具体地,所述数据访问装置包括:Specifically, the data access device includes:

展示模块,被配置为展示与数据中的预设对象相对应的标签;a display module, configured to display labels corresponding to preset objects in the data;

第一发送模块,被配置为在用户获得使用所述标签的授权而成为授权用户之后,发送所述授权用户使用所述标签的数据访问请求;a first sending module, configured to send a data access request for using the label by the authorized user after the user obtains the authorization to use the label and becomes an authorized user;

接收模块,被配置为接收与所述标签相对应的所述预设对象的内容。The receiving module is configured to receive the content of the preset object corresponding to the tag.

结合第四方面,本公开在第四方面的第一种实现方式中,所述用户不属于生成所述数据的用户集合。With reference to the fourth aspect, in a first implementation manner of the fourth aspect of the present disclosure, the user does not belong to the user set that generated the data.

结合第四方面,本公开在第四方面的第二种实现方式中,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;With reference to the fourth aspect, in a second implementation manner of the fourth aspect of the present disclosure, the tags correspond to multiple preset objects, and the multiple preset objects have the same attribute and belong to different data resources;

所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示;the application for using the tag contains an indication of a specific data resource among the different data resources and/or the data access request contains an indication of the specific data resource;

所述接收与所述标签相对应的所述预设对象的内容,包括接收所述特定数据资源中与所述标签相对应的字段的内容。The receiving the content of the preset object corresponding to the tag includes receiving the content of the field corresponding to the tag in the specific data resource.

结合第四方面,本公开在第四方面的第三种实现方式中,所述接收与所述标签相对应的所述预设对象的内容,包括接收以下任意之一:With reference to the fourth aspect, in a third implementation manner of the fourth aspect of the present disclosure, the receiving the content of the preset object corresponding to the tag includes receiving any one of the following:

允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容;the content of the preset object corresponding to the tag in the record allowing the authorized user to access;

根据脱敏规则处理与所述标签相对应的所述预设对象的内容而得到的第一脱敏数据;first desensitization data obtained by processing the content of the preset object corresponding to the label according to the desensitization rule;

根据脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容而得到的第二脱敏数据。The second desensitization data obtained by processing the content of the preset object corresponding to the tag in the record that is allowed to be accessed by the authorized user according to the desensitization rule.

结合第四方面的第三种实现方式,本公开在第四方面的第四种实现方式中,所述允许所述授权用户访问的记录是根据所述授权用户的属性值确定的,或者是根据所述标签的类别和所述授权用户的属性值确定的;With reference to the third implementation manner of the fourth aspect, in the fourth implementation manner of the present disclosure, the record allowing the authorized user to access is determined according to the attribute value of the authorized user, or according to The category of the label and the attribute value of the authorized user are determined;

所述授权用户的脱敏规则是根据所述标签的等级和/或所述授权用户的属性值确定的。The desensitization rule of the authorized user is determined according to the level of the tag and/or the attribute value of the authorized user.

结合第四方面,本公开在第四方面的第五种实现方式中,所述数据包括物理表;和/或In conjunction with the fourth aspect, in a fifth implementation manner of the fourth aspect, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

结合第四方面,本公开在第四方面的第六种实现方式中,所述数据访问装置还包括:In conjunction with the fourth aspect, in a sixth implementation manner of the fourth aspect, the data access device further includes:

第二发送模块,被配置为发送用户对使用所述标签的申请。The second sending module is configured to send the user's application for using the tag.

第五方面,本公开实施例提供了一种电子设备,包括存储器和处理器;其中,所述存储器用于存储一条或多条计算机指令,其中,所述一条或多条计算机指令被所述处理器执行以实现以下方法步骤:In a fifth aspect, embodiments of the present disclosure provide an electronic device, including a memory and a processor; wherein the memory is used to store one or more computer instructions, wherein the one or more computer instructions are processed by the The controller executes to implement the following method steps:

建立与数据中的预设对象相对应的标签;Create labels corresponding to preset objects in the data;

对允许使用所述标签的用户进行授权;Authorize users who are allowed to use the tags;

在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。When a data access request using the tag is received from an authorized authorized user, the authorized user is provided with the content of the preset object corresponding to the tag.

结合第五方面,本公开在第五方面的第一种实现方式中,所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,针对所述预设对象生成相应标签;和/或With reference to the fifth aspect, in a first implementation manner of the fifth aspect of the present disclosure, the establishing a label corresponding to the preset object includes, according to an instruction of a user who generates the data set of users, for the Preset objects generate corresponding labels; and/or

所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,建立所述预设对象与相应标签之间的对应关系;和/或The establishing a label corresponding to the preset object includes establishing a corresponding relationship between the preset object and the corresponding label according to an instruction of a user who generated the user set of the data; and/or

所述一条或多条计算机指令还被所述处理器执行以实现以下方法步骤:接收用户对使用所述标签的申请;或从其他用户集合的用户接收对使用所述标签的申请。The one or more computer instructions are also executed by the processor to implement the method steps of: receiving a user application to use the tag; or receiving an application to use the tag from a user of another set of users.

结合第五方面的第一种实现方式,本公开在第五方面的第二种实现方式中,所述标签初始为仅对生成所述数据的用户集合可见的私有标签,所述一条或多条计算机指令被所述处理器执行以实现以下方法步骤:With reference to the first implementation manner of the fifth aspect, in the second implementation manner of the fifth aspect of the present disclosure, the tag is initially a private tag visible only to the set of users who generate the data, and the one or more Computer instructions are executed by the processor to implement the following method steps:

将所述私有标签转换为公共标签,所述公共标签对所述其他用户集合可见;或者converting the private label to a public label that is visible to the other set of users; or

将所述私有标签转换为公共标签,所述公共标签的公开范围设置为以下任意一种或多种:生成所述数据的用户集合的所有下级用户集合、生成所述数据的用户集合的选定下级用户集合、与生成所述数据的用户集合隶属于同一上级的兄弟用户集合。Converting the private label into a public label, and the disclosure scope of the public label is set to any one or more of the following: a set of all subordinate users of the user set that generated the data, a selected set of users that generated the data The lower-level user set and the user set that generated the data belong to the same upper-level sibling user set.

结合第五方面,本公开在第五方面的第三种实现方式中,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;With reference to the fifth aspect, in a third implementation manner of the fifth aspect of the present disclosure, the tags correspond to multiple preset objects, and the multiple preset objects have the same attribute and belong to different data resources;

所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示;the application for using the tag contains an indication of a specific data resource among the different data resources and/or the data access request contains an indication of the specific data resource;

所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括向所述授权用户提供所述特定数据资源中与所述标签相对应的所述预设对象内容。The providing the authorized user with the content of the preset object corresponding to the tag includes providing the authorized user with the preset object content corresponding to the tag in the specific data resource.

结合第五方面,本公开在第五方面的第四种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the fifth aspect, in a fourth implementation manner of the fifth aspect, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

向所述授权用户提供允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容。The authorized user is provided with the content of the preset object corresponding to the tag in a record that the authorized user is allowed to access.

结合第五方面,本公开在第五方面的第五种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the fifth aspect, in a fifth implementation manner of the fifth aspect, the providing the authorized user with the content of the preset object corresponding to the tag includes:

在所述标签属于敏感标签的情况下,确定相应的脱敏规则,根据所述脱敏规则处理与所述标签相对应的所述预设对象的内容,得到第一脱敏数据;If the label is a sensitive label, determine a corresponding desensitization rule, process the content of the preset object corresponding to the label according to the desensitization rule, and obtain first desensitization data;

向所述授权用户提供所述第一脱敏数据。The first desensitized data is provided to the authorized user.

结合第五方面,本公开在第五方面的第六种实现方式中,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:With reference to the fifth aspect, in a sixth implementation manner of the fifth aspect, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容,得到第二脱敏数据;Process the content of the preset object corresponding to the label in the record allowing the authorized user to access according to the desensitization rule, to obtain second desensitization data;

向所述授权用户提供所述第二脱敏数据。The second masked data is provided to the authorized user.

结合第五方面的第四种实现方式或第六种实现方式,本公开在第五方面的第七种实现方式中,所述确定允许所述授权用户访问的记录,包括:With reference to the fourth implementation manner or the sixth implementation manner of the fifth aspect, in a seventh implementation manner of the fifth aspect of the present disclosure, the determining of the records that the authorized user is allowed to access includes:

根据所述授权用户的属性值确定允许所述授权用户访问的记录;或者Determine the records that the authorized user is allowed to access based on the attribute value of the authorized user; or

根据所述标签的类别和所述授权用户的属性值确定允许所述授权用户访问的记录。The records that the authorized user is allowed to access are determined according to the category of the tag and the attribute value of the authorized user.

结合第五方面的第五种实现方式或第六种实现方式,本公开在第五方面的第八种实现方式中,所述确定所述相应的脱敏规则,包括:With reference to the fifth implementation manner or the sixth implementation manner of the fifth aspect, in the eighth implementation manner of the fifth aspect of the present disclosure, the determining the corresponding desensitization rule includes:

根据所述标签的等级和/或所述授权用户的属性值确定所述相应的脱敏规则;和/或determining the corresponding desensitization rule according to the level of the tag and/or the attribute value of the authorized user; and/or

在所述授权用户属于白名单用户集合的情况下,不进行脱敏处理。In the case that the authorized user belongs to the whitelist user set, no desensitization processing is performed.

结合第五方面,本公开在第五方面的第九种实现方式中,所述数据包括物理表;和/或In conjunction with the fifth aspect, in a ninth implementation manner of the fifth aspect, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

第六方面,本公开实施例提供了一种电子设备,包括存储器和处理器;其中,所述存储器用于存储一条或多条计算机指令,其中,所述一条或多条计算机指令被所述处理器执行以实现以下方法步骤:In a sixth aspect, embodiments of the present disclosure provide an electronic device, including a memory and a processor; wherein the memory is used to store one or more computer instructions, wherein the one or more computer instructions are processed by the The controller executes to implement the following method steps:

展示与数据中的预设对象相对应的标签;Display labels corresponding to preset objects in the data;

在用户获得使用所述标签的授权而成为授权用户之后,发送所述授权用户使用所述标签的数据访问请求;After the user obtains the authorization to use the tag and becomes an authorized user, sending a data access request for the authorized user to use the tag;

接收与所述标签相对应的所述预设对象的内容。The content of the preset object corresponding to the tag is received.

结合第六方面,本公开在第六方面的第一种实现方式中,所述用户不属于生成所述数据的用户集合。With reference to the sixth aspect, in a first implementation manner of the sixth aspect of the present disclosure, the user does not belong to the user set that generated the data.

结合第六方面,本公开在第六方面的第二种实现方式中,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;With reference to the sixth aspect, in a second implementation manner of the sixth aspect of the present disclosure, the tags correspond to multiple preset objects, and the multiple preset objects have the same attribute and belong to different data resources;

所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示;the application for using the tag contains an indication of a specific data resource among the different data resources and/or the data access request contains an indication of the specific data resource;

所述接收与所述标签相对应的所述预设对象的内容,包括接收所述特定数据资源中与所述标签相对应的所述预设对象的内容。The receiving the content of the preset object corresponding to the tag includes receiving the content of the preset object corresponding to the tag in the specific data resource.

结合第六方面,本公开在第六方面的第三种实现方式中,所述接收与所述标签相对应的所述预设对象的内容,包括接收以下任意之一:With reference to the sixth aspect, in a third implementation manner of the sixth aspect of the present disclosure, the receiving the content of the preset object corresponding to the tag includes receiving any one of the following:

允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容;the content of the preset object corresponding to the tag in the record allowing the authorized user to access;

根据脱敏规则处理与所述标签相对应的所述预设对象的内容而得到的第一脱敏数据;first desensitization data obtained by processing the content of the preset object corresponding to the label according to the desensitization rule;

根据脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容而得到的第二脱敏数据。The second desensitization data obtained by processing the content of the preset object corresponding to the tag in the record that is allowed to be accessed by the authorized user according to the desensitization rule.

结合第六方面的第三种实现方式,本公开在第六方面的第四种实现方式中,所述允许所述授权用户访问的记录是根据所述授权用户的属性值确定的,或者是根据所述标签的类别和所述授权用户的属性值确定的;With reference to the third implementation manner of the sixth aspect, in a fourth implementation manner of the sixth aspect of the present disclosure, the record allowing the authorized user to access is determined according to the attribute value of the authorized user, or according to The category of the label and the attribute value of the authorized user are determined;

所述脱敏规则是根据所述标签的等级和/或所述授权用户的属性值确定的。The desensitization rule is determined according to the level of the tag and/or the attribute value of the authorized user.

结合第六方面,本公开在第六方面的第五种实现方式中,所述数据包括物理表;和/或In conjunction with the sixth aspect, in a fifth implementation manner of the sixth aspect, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

结合第六方面,本公开在第六方面的第六种实现方式中,所述一条或多条计算机指令还被所述处理器执行以实现以下方法步骤:In conjunction with the sixth aspect, in a sixth implementation manner of the sixth aspect, the one or more computer instructions are further executed by the processor to implement the following method steps:

发送用户对使用所述标签的申请。A user request to use the tag is sent.

第七方面,本公开实施例中提供了一种可读存储介质,其上存储有计算机指令,该计算机指令被处理器执行时实现如第一方面、第一方面的第一种实现方式至第九种实现方式任一项所述的方法。In a seventh aspect, an embodiment of the present disclosure provides a readable storage medium on which computer instructions are stored, and when the computer instructions are executed by a processor, implement the first aspect, the first implementation manner of the first aspect to the sixth aspect The method described in any one of the nine implementation manners.

第八方面,本公开实施例中提供了一种可读存储介质,其上存储有计算机指令,该计算机指令被处理器执行时实现如第二方面、第二方面的第一种实现方式至第五种实现方式任一项所述的方法。In an eighth aspect, an embodiment of the present disclosure provides a readable storage medium on which computer instructions are stored, and when the computer instructions are executed by a processor, implement the second aspect, the first implementation manner of the second aspect to the sixth aspect The method described in any one of the five implementation manners.

本公开实施例提供的技术方案可以包括以下有益效果:The technical solutions provided by the embodiments of the present disclosure may include the following beneficial effects:

根据本公开实施例提供的技术方案,能够建立与预设对象相对应的标签,并基于所述标签对用户进行授权,使得用户能够获取预设对象粒度级的授权,通过细化数据管理的粒度级提高了数据管理的安全性和灵活性。According to the technical solutions provided by the embodiments of the present disclosure, a tag corresponding to a preset object can be established, and a user can be authorized based on the tag, so that the user can obtain the authorization at the granularity level of the preset object, and by refining the granularity of data management This level increases the security and flexibility of data management.

应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本公开。It is to be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present disclosure.

附图说明Description of drawings

结合附图,通过以下非限制性实施方式的详细描述,本公开的其它标签、目的和优点将变得更加明显。在附图中:Other labels, objects and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments, taken in conjunction with the accompanying drawings. In the attached image:

图1A示出根据本公开实施例的数据管理方法的流程图;1A shows a flowchart of a data management method according to an embodiment of the present disclosure;

图1B示出了根据本公开实施例的数据的示例;FIG. 1B shows an example of data according to an embodiment of the present disclosure;

图2A示出了根据本公开实施例建立、公开和撤回标签的过程;Figure 2A illustrates the process of creating, publishing and withdrawing tags according to embodiments of the present disclosure;

图2B示出了根据本公开实施例申请、使用标签的流程图;FIG. 2B shows a flowchart of applying and using a label according to an embodiment of the present disclosure;

图2C示出了根据本公开实施例在两个用户集合G1和G2之间通过标签来共享预设对象的示意图;2C shows a schematic diagram of sharing preset objects through tags between two user sets G1 and G2 according to an embodiment of the present disclosure;

图3示出了根据本公开实施例跨数据资源申请使用标签的用户界面示意图;FIG. 3 shows a schematic diagram of a user interface for applying tags across data resources according to an embodiment of the present disclosure;

图4A示出根据本公开实施例向授权用户提供与标签相对应的预设对象的流程图;4A shows a flowchart of providing a preset object corresponding to a tag to an authorized user according to an embodiment of the present disclosure;

图4B示出根据本公开实施例在通过标签实现预设对象访问控制的基础上,进一步对允许用户访问的记录进行控制的示意图;4B shows a schematic diagram of further controlling the records that users are allowed to access on the basis of implementing preset object access control through tags according to an embodiment of the present disclosure;

图5A示出根据本公开实施例向授权用户提供与标签相对应的预设对象的流程图;5A shows a flowchart of providing a preset object corresponding to a tag to an authorized user according to an embodiment of the present disclosure;

图5B-5D示出了分别使用假名、掩盖和hash化来对预设对象的内容进行脱敏的示意图;5B-5D show schematic diagrams of desensitizing the content of preset objects using pseudonymization, masking, and hashing, respectively;

图6示出根据本公开实施例设置脱敏规则的流程示意图;6 shows a schematic flowchart of setting a desensitization rule according to an embodiment of the present disclosure;

图7示出根据本公开实施例向授权用户提供与标签相对应的预设对象的流程图;7 shows a flowchart of providing a preset object corresponding to a tag to an authorized user according to an embodiment of the present disclosure;

图8示出根据本公开实施例的数据访问方法的流程图;8 shows a flowchart of a data access method according to an embodiment of the present disclosure;

图9示出根据本公开的实施例的数据管理装置的结构框图;9 shows a structural block diagram of a data management apparatus according to an embodiment of the present disclosure;

图10示出根据本公开的实施例的数据访问装置的结构框图;FIG. 10 shows a structural block diagram of a data access apparatus according to an embodiment of the present disclosure;

图11示出根据本公开的实施例的电子设备的结构框图;11 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure;

图12示出适于用来实现根据本公开实施例的数据管理方法和/或数据访问方法的计算机系统的结构示意图。FIG. 12 shows a schematic structural diagram of a computer system suitable for implementing the data management method and/or the data access method according to an embodiment of the present disclosure.

具体实施方式Detailed ways

下文中,将参考附图详细描述本公开的示例性实施例,以使本领域技术人员可容易地实现它们。此外,为了清楚起见,在附图中省略了与描述示例性实施例无关的部分。Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily implement them. Also, for the sake of clarity, parts unrelated to describing the exemplary embodiments are omitted from the drawings.

在本公开中,应理解,诸如“包括”或“具有”等的术语旨在指示本说明书中所公开的特征、数字、步骤、行为、部件、部分或其组合的存在,并且不欲排除一个或多个其他特征、数字、步骤、行为、部件、部分或其组合存在或被添加的可能性。In the present disclosure, it should be understood that terms such as "comprising" or "having" are intended to indicate the presence of features, numbers, steps, acts, components, parts, or combinations thereof disclosed in this specification, and are not intended to exclude a or multiple other features, numbers, steps, acts, components, parts, or combinations thereof may exist or be added.

另外还需要说明的是,在不冲突的情况下,本公开中的实施例及实施例中的特征可以相互组合。下面将参考附图并结合实施例来详细说明本公开。In addition, it should be noted that the embodiments of the present disclosure and the features of the embodiments may be combined with each other under the condition of no conflict. The present disclosure will be described in detail below with reference to the accompanying drawings and in conjunction with embodiments.

本公开实施例提供了一种数据管理方法,所述数据管理方法包括建立与数据中的预设对象相对应的标签,对允许使用所述标签的用户进行授权,在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。An embodiment of the present disclosure provides a data management method, the data management method includes establishing a label corresponding to a preset object in the data, authorizing a user who is allowed to use the label, and receiving an authorization from the authorized authorized user. When a data access request using the tag is made, the authorized user is provided with the content of the preset object corresponding to the tag.

本公开的实施例能够基于与预设对象相对应的标签对用户进行授权,实现了预设对象粒度的数据管理,方便用户访问其所需的预设对象,禁止用户访问其未获得授权的预设对象,从而提高了数据管理的安全性和灵活性。The embodiments of the present disclosure can authorize users based on tags corresponding to preset objects, realize data management of preset object granularity, facilitate users to access preset objects they need, and prohibit users from accessing unauthorized preset objects. Set objects, thereby improving the security and flexibility of data management.

图1A示出根据本公开实施例的数据管理方法的流程图。FIG. 1A shows a flowchart of a data management method according to an embodiment of the present disclosure.

如图1A所示,所述数据管理方法包括以下步骤S101-S103。As shown in FIG. 1A, the data management method includes the following steps S101-S103.

在步骤S101中,建立与数据中的预设对象相对应的标签。In step S101, a label corresponding to a preset object in the data is established.

在步骤S102中,对允许使用所述标签的用户进行授权。In step S102, the user who is allowed to use the tag is authorized.

在步骤S103中,在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。In step S103, when a data access request using the tag is received from an authorized authorized user, the content of the preset object corresponding to the tag is provided to the authorized user.

根据本公开的实施例,所述数据包括物理表。根据本公开的实施例,所述预设对象的内容是物理表内容的真子集。According to an embodiment of the present disclosure, the data includes physical tables. According to an embodiment of the present disclosure, the content of the preset object is a proper subset of the content of the physical table.

根据本公开的实施例,所述预设对象的内容是物理表内容的真子集是指所述物理表内容包含所述预设对象的全部内容,但所述预设对象的内容不等于所述物理表内容。例如,假设所述物理表包括M行N列的内容,M和N均为正整数,则所述预设对象的内容可以是物理表中m行n列的内容,其中,m取不大于M的任意一个正整数,n取不大于N的任意一个整数,但所述预设对象的内容不能是所述物理表的全部内容,即m=M和n=N不能同时成立。According to an embodiment of the present disclosure, the fact that the content of the preset object is a proper subset of the content of the physical table means that the content of the physical table includes all the content of the preset object, but the content of the preset object is not equal to the content of the preset object. Physical table content. For example, assuming that the physical table includes contents of M rows and N columns, and both M and N are positive integers, the contents of the preset object may be contents of m rows and n columns in the physical table, where m is not greater than M Any positive integer of , n takes any integer not greater than N, but the content of the preset object cannot be the entire content of the physical table, that is, m=M and n=N cannot be established at the same time.

所述根据本公开的实施例,所述预设对象是字段,其中,所述字段为列数据。接下来以所述预设对象为字段为例,对本公开进行进一步解释和说明。According to the embodiment of the present disclosure, the preset object is a field, wherein the field is column data. Next, the present disclosure will be further explained and illustrated by taking the preset object as a field as an example.

图1B示出了根据本公开实施例的数据的示例。FIG. 1B shows an example of data according to an embodiment of the present disclosure.

本领域技术人员可以理解,虽然图1B是以三行四列的物理表为例来对数据进行说明,但本公开实施例并不限于此,而是也可以应用于其他行列数的物理表,或者具有包括预设对象的其他数据。Those skilled in the art can understand that although FIG. 1B uses a physical table with three rows and four columns as an example to describe data, the embodiment of the present disclosure is not limited to this, but can also be applied to physical tables with other rows and columns. Or have other data including preset objects.

如图1B所示,所述数据(例如物理表Data_s1)包括记录R1-R3和字段C1-C4。根据本公开的实施例,可以建立与字段C1-C4相对应的四个标签c1、c2、c3、c4,其中标签c1对应于字段C1,标签c2对应于字段C2,标签c3对应于字段C3,标签c4对应于字段C4。根据本公开的实施例,也可以仅针对部分字段而不是全部四个字段建立对应的标签。As shown in FIG. 1B , the data (eg, the physical table Data_s1 ) includes records R1-R3 and fields C1-C4. According to an embodiment of the present disclosure, four labels c1, c2, c3, and c4 corresponding to fields C1-C4 may be established, wherein label c1 corresponds to field C1, label c2 corresponds to field C2, and label c3 corresponds to field C3, Label c4 corresponds to field C4. According to an embodiment of the present disclosure, corresponding tags may also be established only for some fields instead of all four fields.

可以对允许使用所述标签c1-c4中的任意一个或多个标签的用户进行授权,例如,可以对允许使用标签c1的用户进行授权,使得所述用户成为标签c1的授权用户。在获得使用标签c1的授权而成为授权用户之后,授权用户就可以使用标签c1来访问数据的字段C1的内容,如图1B中阴影部分所示。例如,可以在数据访问请求中包含与标签c1有关的信息,根据该信息可以访问标签c1相对应的字段。根据本公开的实施例,与标签c1有关的信息例如为以下任意一种或多种的组合:数据资源名称或存储位置、字段名称或存储位置、到数据资源和/或字段的链接,等等,本公开对此不作具体限定。根据本公开的实施例,所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,针对所述预设对象生成相应标签。A user who is allowed to use any one or more of the tags c1-c4 can be authorized, for example, a user who is allowed to use the tag c1 can be authorized so that the user becomes an authorized user of the tag c1. After being authorized to use the label c1 to become an authorized user, the authorized user can use the label c1 to access the content of the field C1 of the data, as shown by the shaded part in FIG. 1B . For example, the data access request may include information related to the tag c1, and according to the information, the field corresponding to the tag c1 may be accessed. According to an embodiment of the present disclosure, the information related to the tag c1 is, for example, any one or a combination of the following: data resource name or storage location, field name or storage location, link to data resource and/or field, etc. , which is not specifically limited in the present disclosure. According to an embodiment of the present disclosure, the establishing a label corresponding to the preset object includes generating a corresponding label for the preset object according to an instruction of a user who generates the user set of the data.

根据本公开的实施例,物理表Data_s1可以是由用户集合G1生成的,相应地,用户集合G1具有物理表Data_s1的管理权限,用户集合G1中的用户可以分别生成物理表Data_s1中的字段C1-C4中的任意一个或多个字段相对应的一个或多个标签。According to an embodiment of the present disclosure, the physical table Data_s1 may be generated by the user set G1, correspondingly, the user set G1 has the management authority of the physical table Data_s1, and the users in the user set G1 can respectively generate the fields C1- One or more tags corresponding to any one or more fields in C4.

根据本公开的实施例,所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,建立所述预设对象与相应标签之间的对应关系。According to an embodiment of the present disclosure, the establishing the label corresponding to the preset object includes establishing a corresponding relationship between the preset object and the corresponding label according to an instruction of a user who generates the user set of the data.

根据本公开的实施例,标签可以是针对所述预设对象新生成的,也可以是已有的,通过建立对应关系,使得所述预设对象与所述标签相对应。例如,用户集合G1在生成物理表Data_s1后,可以针对字段C1生成一个新的标签c1,也可以是通过建立已有标签c1与所述字段C1之间的对应关系,使得所述标签c1对应于所述字段C1。According to an embodiment of the present disclosure, the label may be newly generated for the preset object, or it may be an existing one, and by establishing a corresponding relationship, the preset object is made to correspond to the label. For example, after the user set G1 generates the physical table Data_s1, a new label c1 may be generated for the field C1, or a corresponding relationship between the existing label c1 and the field C1 may be established, so that the label c1 corresponds to the field C1.

根据本公开的实施例,所述数据管理方法还包括:接收用户对使用所述标签的申请,或从其他用户集合的用户接收对使用所述标签的申请。According to an embodiment of the present disclosure, the data management method further includes: receiving an application for using the tag from a user, or receiving an application for using the tag from users of other user sets.

根据本公开的实施例,用户可以对使用标签c1-c4中的任意一个或多个标签提出申请,例如对使用标签c1提出申请。图2A示出了根据本公开实施例建立、公开和撤回标签的过程。According to an embodiment of the present disclosure, a user may apply for using any one or more of the tags c1-c4, for example, apply for using the tag c1. Figure 2A illustrates the process of creating, publishing, and withdrawing tags in accordance with an embodiment of the present disclosure.

根据本公开的实施例,所述标签初始为仅对生成所述数据的用户集合可见的私有标签,所述数据管理方法还包括将所述私有标签转换为公共标签,所述公共标签对所述其他用户集合可见。例如,用户集合G1中的用户U1针对数据中的预设对象建立标签。该标签初始为仅对生成所述数据的用户集合G1可见的私有标签。用户U1向用户集合G1的管理员申请公开该私有标签。该公开申请被管理员批准后,该私有标签被转换为公共标签,从而对其他用户集合可见。或者,根据本公开的实施例,所述公共标签的公开范围也可以不是对所有其他用户集合可见,而是设置为以下任意一种或多种:生成所述数据的用户集合的所有下级用户集合、生成所述数据的用户集合的选定下级用户集合、与生成所述数据的用户集合隶属于同一上级的兄弟用户集合。According to an embodiment of the present disclosure, the label is initially a private label visible only to a set of users who generate the data, and the data management method further includes converting the private label into a public label, the public label being Other user collections are visible. For example, the user U1 in the user set G1 establishes tags for preset objects in the data. This tag is initially a private tag visible only to the set of users G1 that generated the data. The user U1 applies to the administrator of the user set G1 to disclose the private label. After the public application is approved by the administrator, the private label is converted to a public label and thus visible to other user collections. Alternatively, according to an embodiment of the present disclosure, the disclosure scope of the public label may not be visible to all other user sets, but may be set to any one or more of the following: all lower-level user sets of the user set that generated the data , a selected subordinate user set of the user set that generates the data, and a brother user set that belongs to the same superior as the user set that generated the data.

根据本公开的实施例,当用户U1不想再公开该公共标签时,用户U1向用户集合G1的管理员申请撤回该公共标签。该撤回申请被管理员批准后,该公共标签被转换为私有标签,从而对其他用户集合不可见,其他用户集合也不能再使用该标签来访问对应预设对象。According to an embodiment of the present disclosure, when the user U1 no longer wants to disclose the public label, the user U1 applies to the administrator of the user set G1 to withdraw the public label. After the withdrawal application is approved by the administrator, the public label is converted into a private label, so that it is invisible to other user sets, and other user sets can no longer use the label to access the corresponding preset object.

根据本公开的实施例,如果标签是由用户集合G1的管理员建立的,则管理员可以决定是否公开该标签,而省略上述申请公开、批准公开、申请撤回和批准撤回的过程。According to an embodiment of the present disclosure, if a tag is established by the administrator of the user set G1, the administrator can decide whether to publish the tag, omitting the above-mentioned processes of application disclosure, approval disclosure, application withdrawal, and approval withdrawal.

根据本公开的实施例,所述接收用户对使用所述标签的申请,包括从与用户集合G1不同的其他用户集合的用户接收对使用所述标签的申请,例如,从可以看到标签的其他用户集合的用户接收对使用所述标签的申请,不能看到所述标签的用户集合的用户不能申请使用所述标签。例如,与用户集合G1不同的其他用户集合G2中的用户可以申请使用用户集合G1建立的标签。According to an embodiment of the present disclosure, the receiving an application for using the tag from the user includes receiving an application for using the tag from a user in a user set different from the user set G1, for example, from other users who can see the tag. A user of the user set receives an application for using the tag, and a user of the user set who cannot see the tag cannot apply for using the tag. For example, users in another user set G2 different from the user set G1 can apply for using the tags established by the user set G1.

图2B示出了根据本公开实施例申请、使用标签的流程图。FIG. 2B shows a flowchart of applying and using tags according to an embodiment of the present disclosure.

如图2B所示,用户集合G2中的用户U2在公共标签库中选择标签,然后针对所选择的标签提出使用申请,生成申请单/审批单并在用户U2的个人中心中记录。如果该使用申请被批准通过,则用户U2获得标签的使用授权,接下来可以使用该标签来访问相应预设对象的内容。如果该使用申请未被批准通过,则在个人中心中记录“申请未通过”,并且用户U2不能使用该标签来访问相应预设对象的内容。根据本公开的实施例,在用户U2得到标签的使用授权后,用户集合G2的其他成员也同时获得标签的使用授权并接收到标签授权通知,实现一人申请,全组授权,简化了用户操作。As shown in FIG. 2B , user U2 in the user set G2 selects a tag in the public tag library, then applies for the selected tag, generates an application form/approval form and records it in the personal center of user U2. If the application for use is approved, the user U2 obtains the authorization to use the tag, and then can use the tag to access the content of the corresponding preset object. If the application for use is not approved, "application failed" is recorded in the personal center, and the user U2 cannot use this tag to access the content of the corresponding preset object. According to the embodiment of the present disclosure, after user U2 obtains the authorization to use the tag, other members of the user set G2 also obtain the authorization to use the tag and receive the notification of tag authorization, realizing one-person application and whole-group authorization, which simplifies user operations.

图2C示出了根据本公开实施例在两个用户集合G1和G2之间通过标签来共享预设对象的示意图。FIG. 2C shows a schematic diagram of sharing preset objects through tags between two user sets G1 and G2 according to an embodiment of the present disclosure.

如图2C所示,用户集合G1建立对应于其自身生成的数据的预设对象的标签,所述标签初始为仅对用户集合G1中的用户可见的私有标签。在用户集合G1的管理员批准之后,私有标签转换为公共标签,并且对其他用户集合可见。用户集合G2的用户可以对公共标签提出使用申请,在得到授权之后,该标签可以加入用户集合G2的授权标签库,用户集合G2可以使用该标签来访问相应的预设对象。As shown in FIG. 2C , the user set G1 establishes a label corresponding to a preset object of data generated by itself, and the label is initially a private label visible only to users in the user set G1 . After approval by the administrator of the user set G1, the private label is converted to a public label and is visible to other user sets. Users of the user set G2 can apply for the use of the public label, and after obtaining authorization, the label can be added to the authorized label library of the user set G2, and the user set G2 can use the label to access corresponding preset objects.

另一方面,用户集合G2建立对应于其自身生成的数据的预设对象的标签,这些标签初始为仅对用户集合G2中的用户可见的私有标签。在用户集合G2的管理员批准之后,私有标签转换为公共标签,并且对其他用户集合可见。用户集合G1的用户可以对公共标签提出使用申请,在得到授权之后,该标签可以加入用户集合G1的授权标签库,用户集合G1可以使用该标签来访问相应的预设对象。On the other hand, the user set G2 establishes tags corresponding to preset objects of its own generated data, which are initially private tags only visible to the users in the user set G2. After approval by the administrator of user set G2, private labels are converted to public labels and are visible to other user sets. Users of the user set G1 can apply for the use of the public label, and after obtaining authorization, the label can be added to the authorized label library of the user set G1, and the user set G1 can use the label to access corresponding preset objects.

根据本公开的实施例,一个所述标签可以对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源,例如属于不同的物理表,所述物理表可以是相同数据资源类型的不同物理表,也可以是不同数据资源类型的不同物理表。根据本公开的实施例,所述数据资源可以是任意一种资源类型,例如,大数据计算服务(MaxCompute)、关系型数据库服务(Relational Database Service,RDS)、分析型数据库服务(AnalyticDatabase Service,ADS)等,本公开对此不作具体限定。例如,标签c1可以对应于物理表Data_s1中的字段C1、物理表Data_s2中的字段C1’、物理表Data_s3中的字段C1”,字段C1、字段C1’、字段C1”具有相同属性,例如具有相同的物理或逻辑含义。例如,字段C1、字段C1’、字段C1”都是“身高”,或者都是“所属社团”。According to an embodiment of the present disclosure, one of the tags may correspond to multiple preset objects, and the multiple preset objects have the same attribute and belong to different data resources, for example, belong to different physical tables, and the physical tables may be the same Different physical tables of different data resource types may also be different physical tables of different data resource types. According to an embodiment of the present disclosure, the data resource may be any resource type, for example, a big data computing service (MaxCompute), a relational database service (Relational Database Service, RDS), an analytical database service (AnalyticDatabase Service, ADS) ), etc., which are not specifically limited in the present disclosure. For example, label c1 may correspond to field C1 in physical table Data_s1, field C1' in physical table Data_s2, field C1" in physical table Data_s3, and field C1, field C1', field C1" have the same attributes, for example, have the same physical or logical meaning. For example, field C1, field C1', field C1" are all "height", or all are "belonging to the community".

根据本公开的实施例,所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示,所述向所述授权用户提供与所述标签相对应的预设对象的内容,包括向所述授权用户提供所述特定数据资源中与所述标签相对应的预设对象的内容。例如,用户集合G2中的用户U2可以在申请使用标签时指定任意一个或多个数据资源,或者针对该标签申请对全部数据资源的授权,实现跨数据资源的标签使用授权。这样,用户不需要为具有相同属性但存储在不同数据资源中的数据重复申请授权,简化了用户操作,提高了数据管理和访问的灵活性和便捷性。相应地,用户U2可以在使用标签访问预设对象的内容时指示其所要访问的数据资源。如果用户U2仅申请了一种数据资源的标签使用授权,则在使用标签访问预设对象的内容时,也可以不指示其所要访问的数据资源,此时默认用户U2访问已获得授权的数据资源。According to an embodiment of the present disclosure, the application for using the tag includes an indication of a specific data resource among the different data resources and/or the data access request includes an indication of the specific data resource, the Providing the authorized user with the content of the preset object corresponding to the tag includes providing the authorized user with the content of the preset object corresponding to the tag in the specific data resource. For example, the user U2 in the user set G2 can designate any one or more data resources when applying for a tag, or apply for authorization of all data resources for the tag, so as to implement tag use authorization across data resources. In this way, users do not need to apply for authorization repeatedly for data with the same attributes but stored in different data resources, which simplifies user operations and improves the flexibility and convenience of data management and access. Correspondingly, the user U2 can indicate the data resource to be accessed when using the tag to access the content of the preset object. If the user U2 only applies for the label use authorization of one data resource, when using the label to access the content of the preset object, it is not necessary to indicate the data resource to be accessed. At this time, the default user U2 accesses the authorized data resource. .

图3示出了根据本公开实施例跨数据资源申请使用标签的用户界面示意图。FIG. 3 shows a schematic diagram of a user interface for applying tags across data resources according to an embodiment of the present disclosure.

如图3所示,标签c1可以对应于物理表Data_s1中的字段C1、物理表Data_s2中的字段C1’、物理表Data_s3中的字段C1”,在用户U2提出对标签c1的使用申请时,可以选择要使用的数据资源。在图3中,用户U2选择了数据资源Data_s1、Data_s2。这样,在获得授权之后,用户U2可以使用标签c1访问数字资源Data_s1和Data_s2中的相应字段C1和C1’,而不能使用标签c1访问数字资源Data_s3中的相应字段C1”。As shown in FIG. 3, the tag c1 may correspond to the field C1 in the physical table Data_s1, the field C1' in the physical table Data_s2, and the field C1" in the physical table Data_s3. When the user U2 applies for the use of the tag c1, it can Select the data resource to be used.In Figure 3, the user U2 has selected the data resource Data_s1, Data_s2.In this way, after obtaining authorization, the user U2 can use the label c1 to access the corresponding fields C1 and C1' in the digital resources Data_s1 and Data_s2, Instead, the corresponding field C1" in the digital resource Data_s3 cannot be accessed using the tag c1.

在用户U2获得了使用标签c1访问数字资源Data_s1和Data_s2的授权之后,可以在数据访问请求中包含对要访问的数据资源的指示,例如在数据访问请求中指示访问数据资源Data_s1中标签c1的相应字段。After the user U2 obtains the authorization to use the tag c1 to access the digital resources Data_s1 and Data_s2, the data access request may include an indication of the data resources to be accessed, for example, the data access request may indicate to access the corresponding data of the tag c1 in the data resource Data_s1 field.

或者,如果用户U2在图3所示的界面中仅申请使用数据资源Data_s1,则可以不在数据访问请求中指示访问数据资源Data_s1,此时默认用户U2要访问数据资源Data_s1。Alternatively, if the user U2 only applies to use the data resource Data_s1 in the interface shown in FIG. 3 , the user U2 may not indicate access to the data resource Data_s1 in the data access request, and the user U2 wants to access the data resource Data_s1 by default.

根据本公开的实施例,数据(例如,物理表)包括至少一个记录,所述记录包括至少一个预设对象(例如,字段),其中,所述记录为行数据。例如,继续参考图1B,所述物理表Data_s1包括记录R1-R3,每条记录包括字段C1-C4。According to an embodiment of the present disclosure, data (eg, a physical table) includes at least one record including at least one preset object (eg, a field), wherein the record is row data. For example, with continued reference to FIG. 1B, the physical table Data_s1 includes records R1-R3, each record including fields C1-C4.

图4A示出根据本公开实施例向授权用户提供与标签相对应的预设对象的流程图。FIG. 4A shows a flowchart of providing a preset object corresponding to a tag to an authorized user according to an embodiment of the present disclosure.

如图4A所示,根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括步骤S201-步骤S202。As shown in FIG. 4A , according to an embodiment of the present disclosure, providing the authorized user with the content of the preset object corresponding to the tag includes steps S201 to S202 .

在步骤S201中,确定允许所述授权用户访问的记录。In step S201, the records that are allowed to be accessed by the authorized user are determined.

在步骤S202中,向所述授权用户提供允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容。In step S202, the authorized user is provided with the content of the preset object corresponding to the tag in the record that the authorized user is allowed to access.

根据本公开的实施例,在通过标签实现预设对象访问控制的基础上,进一步实现了对允许用户访问的记录进行控制。According to the embodiments of the present disclosure, on the basis of implementing the preset object access control through the tag, the control of the records that the user is allowed to access is further realized.

图4B示出根据本公开实施例在通过标签实现预设对象访问控制的基础上,进一步对允许用户访问的记录进行控制的示意图。FIG. 4B shows a schematic diagram of further controlling the records that the user is allowed to access on the basis of implementing preset object access control through tags according to an embodiment of the present disclosure.

例如,对于图1B所示的物理表Data_s1,用户U2通过得到使用标签c1的授权而被允许访问字段C1的数据。但是,用户U2的权限只能够访问记录R1和R2,而不能访问记录R3。于是,在接收到用户U2使用标签c1的数据访问请求时,向用户U2提供记录R1和R2中与标签c1相对应的字段C1的内容,如图4B中阴影部分所示。For example, for the physical table Data_s1 shown in FIG. 1B, user U2 is allowed to access the data of field C1 by being authorized to use tag c1. However, the authority of user U2 can only access records R1 and R2, but cannot access record R3. Therefore, when receiving a data access request from user U2 using tag c1, the content of field C1 corresponding to tag c1 in records R1 and R2 is provided to user U2, as shown by the shaded part in FIG. 4B .

在通过标签实现预设对象访问控制的基础上,对允许用户访问的记录进行控制,本公开实施例实现了数据管理的进一步细化,实现了更加灵活和有针对性的数据管理。On the basis of implementing preset object access control through tags, and controlling the records that users are allowed to access, the embodiments of the present disclosure realize further refinement of data management, and realize more flexible and targeted data management.

根据本公开的实施例,所述确定允许所述授权用户访问的记录,包括根据所述授权用户的属性值确定允许所述授权用户访问的记录。According to an embodiment of the present disclosure, the determining the records that are allowed to be accessed by the authorized user includes determining the records that are allowed to be accessed by the authorized user according to an attribute value of the authorized user.

根据本公开的实施例,所述授权用户的属性值可以包括以下任意一项或多项:所属用户集合、行政区划、数据来源标志、税务机关代码、工作编号、部门代号等,本公开对此不作具体限定。According to an embodiment of the present disclosure, the attribute value of the authorized user may include any one or more of the following: user set to which he belongs, administrative division, data source identifier, tax authority code, job number, department code, etc. There is no specific limitation.

根据本公开的实施例,可以根据授权用户的属性值来确定允许其访问的记录。例如,如果根据授权用户的属性值确定其是A省用户,则授权用户可以查看A省的记录,而不能查看其他省的记录。According to an embodiment of the present disclosure, records to which an authorized user is allowed to access may be determined according to attribute values of an authorized user. For example, if an authorized user is determined to be a user in province A based on the attribute value of the authorized user, the authorized user can view records in province A but cannot view records in other provinces.

根据本公开的实施例,所述确定允许所述授权用户访问的记录,包括根据所述标签的类别和所述授权用户的属性值确定允许所述授权用户访问的记录。According to an embodiment of the present disclosure, the determining the records that are allowed to be accessed by the authorized user includes determining the records that are allowed to be accessed by the authorized user according to the category of the tag and the attribute value of the authorized user.

根据本公开的实施例,标签可以分为多个类别,对于同一授权用户,不同类别的访问权限可以是不同的。例如,标签可以分为记录访问受限程度递增的“非受限标签”、“I类受限标签”、“II类受限标签”。如果标签是非受限标签,则允许授权用户查看该标签对应预设对象的所有记录。如果标签是I类受限标签,A省a市用户可以查看A省所有记录,不能看其他省记录。如果标签是II类受限标签,则A省a市用户只能查看A省a市记录,不能看A省的其他市记录,也不能看其他省记录。According to an embodiment of the present disclosure, tags may be classified into multiple categories, and for the same authorized user, access rights of different categories may be different. For example, tags can be classified into "unrestricted tags", "type I restricted tags", and "type II restricted tags" with increasing record access restrictions. If the tag is an unrestricted tag, it allows authorized users to view all records of the preset object corresponding to the tag. If the tag is a Class I restricted tag, users in city a in province A can view all records in province A, but cannot view records in other provinces. If the tag is a Class II restricted tag, users in city a in province A can only view records in city a in province A, but cannot view records in other cities in province A, nor can they view records in other provinces.

根据本公开的实施例,对于受限标签,可以先定义其记录访问权限,例如“允许本省本市用户查看”、“允许本省用户查看”、“允许本省税务机关用户查看”,等等。然后,对于该标签的记录访问权限,确定用于确定权限的用户属性值。例如,对于“允许本省本市用户查看”这一访问权限,用于确定权限的用户属性值为其所属省市。对于“允许本省用户查看”这一访问权限,用于确定权限的用户属性值为其所属省。对于“允许本省税务机关用户查看”这一访问权限,用于确定权限的用户属性值为其所属省和所在单位。According to an embodiment of the present disclosure, for a restricted label, its record access authority can be defined first, such as "allow users in this province and city to view", "allow users in this province to view", "allow users in tax authorities in this province to view", and so on. Then, for the record access rights for that tag, determine the user attribute value used to determine the rights. For example, for the access permission of "allow users in this province and city to view", the user attribute value used to determine the permission is the province and city to which they belong. For the access permission "Allow users in this province to view", the user attribute value used to determine the permission is the province to which it belongs. For the access permission "Allow users from the tax authority of this province to view", the user attribute values used to determine the permission are their province and unit.

根据本公开的实施例,用于确定权限的用户属性值可以在标签对应预设对象所在的数据资源(例如,物理表)中具有对应预设对象,也可以在标签对应预设对象所在的数据资源中没有对应预设对象。当用于确定权限的用户属性值在标签对应预设对象所在的数据资源中没有对应预设对象时,需要将标签对应预设对象所在的数据资源与另一数据资源相关联,其中,用于确定权限的用户属性值在所述另一数据资源中具有对应预设对象。然后,可以使用该关联的数据资源来确定允许用户访问的记录。例如,表1包含预设对象“企业名称”、“税务信息”、“企业编号”,表2包含预设对象“企业编号”、“所属省份”,如果要访问的预设对象是“税务信息”,用于确定权限的用户属性值为其所属省份,则需要通过“企业编号”将表1和表2相关联,通过表2的预设对象“所属省份”确定允许用户访问的企业编号,再用企业编号确定表1中允许访问的记录。According to an embodiment of the present disclosure, the user attribute value used to determine the authority may have a corresponding preset object in the data resource (for example, a physical table) where the tag corresponds to the preset object, or may have a corresponding preset object in the data where the tag corresponds to the preset object There is no corresponding preset object in the resource. When the user attribute value used to determine the authority does not have a corresponding preset object in the data resource where the preset object corresponding to the label is located, the data resource where the preset object corresponding to the label is located needs to be associated with another data resource, wherein the The user attribute value that determines the authority has a corresponding preset object in the other data resource. This associated data resource can then be used to determine which records the user is allowed to access. For example, Table 1 contains preset objects "Enterprise Name", "Tax Information", "Enterprise ID", and Table 2 contains preset objects "Enterprise ID", "Province", if the preset object to be accessed is "Tax Information" ", the user attribute value used to determine the authority is the province to which it belongs, then it is necessary to associate Table 1 with Table 2 through "Enterprise ID", and determine the enterprise ID that the user is allowed to access through the preset object "Belonging to Province" in Table 2, Then use the enterprise number to identify the records in Table 1 that are allowed to be accessed.

在设置记录访问权限时,可以通过选择数据资源中的标签来生成过滤条件,也可以通过手动添加来生成过滤条件,过滤条件可以包括一个或多个条件。使用用户属性值和过滤条件,可以确定允许用户访问的记录。例如,对于“允许本省本市用户查看”这一访问权限,过滤条件包括记录所属的省市,可以通过选择标签“所属省份”和“所属城市”生成该过滤条件。在A省a市用户进行数据访问时,使用该过滤条件,得到该用户允许访问的记录为A省a市的记录。或者,对于“允许本省税务机关用户查看”这一访问权限,可以手动添加过滤条件“所属省份”(这个条件也可以通过选择标签来添加)和“所在单位”,在A省税务机关用户进行数据访问时,使用该过滤条件,得到该用户允许访问的记录为A省的记录。When setting record access permissions, you can generate filter conditions by selecting tags in the data resource, or you can generate filter conditions by adding them manually. Filter conditions can include one or more conditions. Using user attribute values and filter criteria, you can determine which records the user is allowed to access. For example, for the access permission "Allow users in this province and city to view", the filter condition includes the province and city to which the record belongs, which can be generated by selecting the labels "belonging province" and "belonging city". When a user in city a, province A, accesses data, the filter condition is used to obtain the records that the user is allowed to access as the records of city a, province A. Or, for the access right of "Allow users of the tax authority of this province to view", you can manually add the filter conditions "province" (this condition can also be added by selecting the label) and "unit", and the users of the tax authority in province A can perform data processing. When accessing, use this filter condition to obtain the records that the user is allowed to access as records in province A.

图5A示出根据本公开实施例向授权用户提供与标签相对应的预设对象的流程图。FIG. 5A shows a flowchart of providing a preset object corresponding to a tag to an authorized user according to an embodiment of the present disclosure.

如图5A所示,根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的预设对象的内容,包括步骤S301-步骤S303。As shown in FIG. 5A , according to an embodiment of the present disclosure, providing the authorized user with the content of the preset object corresponding to the tag includes steps S301 to S303 .

在步骤S301中,在所述标签属于敏感标签的情况下,确定相应的脱敏规则。In step S301, when the label belongs to a sensitive label, a corresponding desensitization rule is determined.

在步骤S302中,根据所述脱敏规则处理与所述标签相对应的所述预设对象的内容,得到第一脱敏数据。In step S302, the content of the preset object corresponding to the label is processed according to the desensitization rule to obtain first desensitization data.

在步骤S303中,向所述授权用户提供所述第一脱敏数据。In step S303, the first desensitization data is provided to the authorized user.

根据本公开的实施例,如果标签属于非敏感标签,则不对与所述标签相对应的预设对象的内容进行脱敏;如果标签属于敏感标签,则根据脱敏规则来对与所述标签相对应的预设对象的内容进行脱敏处理后提供给用户。According to the embodiment of the present disclosure, if the label belongs to a non-sensitive label, the content of the preset object corresponding to the label is not desensitized; if the label belongs to a sensitive label, the content of the label corresponding to the label is desensitized according to the desensitization rule. The content of the corresponding preset object is desensitized and provided to the user.

根据本公开的实施例,所述脱敏规则可以根据实际需要进行设置,例如包括假名、掩盖、哈希化(hash化)、自定义规则等,本公开对此不做具体限定。According to an embodiment of the present disclosure, the desensitization rules can be set according to actual needs, for example, including pseudonymization, masking, hashing, custom rules, etc., which are not specifically limited in the present disclosure.

图5B-5D示出了分别使用假名、掩盖和hash化来对预设对象的内容进行脱敏的示意图。5B-5D show schematic diagrams of desensitizing the content of preset objects using pseudonymization, masking, and hashing, respectively.

假设记录R1-R3的字段C1的原始数据为企业名称“猫猫食品公司”、“狗狗服装公司”、“兔兔玩具公司”。如图5B所示,假名脱敏后的字段C1的内容可以分别为“A公司”、“B公司”和“C公司”。如图5C所示,掩盖脱敏后的字段C1的内容可以分别为“**食品公司”、“**服装公司”、“**文具公司”。Assume that the original data of the field C1 of records R1-R3 is the company name "Cat Cat Food Company", "Dog Clothing Company", and "Tutu Toy Company". As shown in FIG. 5B , the contents of the field C1 after pseudonym desensitization may be “Company A”, “Company B” and “Company C” respectively. As shown in FIG. 5C , the contents of the field C1 after masking and desensitization can be "**food company", "**clothing company", and "**stationery company" respectively.

根据本公开的实施例,hash化包括根据哈希方程(Hash Function)处理与所述标签相对应的预设对象的内容,哈希方程可以将任意长度的预设对象的内容映射成为一个长度较短且长度固定的值(哈希值)。由于哈希方程是一种单向密码体制,即一个从明文到密文的不可逆映射,只有加密过程,没有解密过程,因此可以对预设对象的内容进行有效的脱敏处理。如图5C所示,hash化后的字段C1的内容为三个hash值,将hash值代替字段的原始数据提供给用户。According to an embodiment of the present disclosure, hashing includes processing the content of a preset object corresponding to the tag according to a hash function, and the hash function can map the content of a preset object of arbitrary length into a A short, fixed-length value (hash). Since the hash equation is a one-way cryptosystem, that is, an irreversible mapping from plaintext to ciphertext, there is only an encryption process and no decryption process, so the content of the preset object can be effectively desensitized. As shown in FIG. 5C , the content of the hashed field C1 is three hash values, and the hash values are provided to the user in place of the original data of the field.

根据本公开的实施例,通过对敏感数据进行脱敏处理,可以实现敏感数据的“可用不可见”,使敏感预设对象可被更多用户、应用和场景使用,在保证敏感数据的安全性的同时,显著增加了可供用户使用的数据量,提高了数据利用效率。According to the embodiments of the present disclosure, by performing desensitization processing on sensitive data, "available and invisible" of sensitive data can be realized, so that sensitive preset objects can be used by more users, applications and scenarios, while ensuring the security of sensitive data. At the same time, the amount of data available to users is significantly increased, and the efficiency of data utilization is improved.

根据本公开的实施例,所述确定所述相应的脱敏规则,包括根据所述标签的等级和/或所述授权用户的属性值确定所述相应的脱敏规则。According to an embodiment of the present disclosure, the determining the corresponding desensitization rule includes determining the corresponding desensitization rule according to the level of the tag and/or the attribute value of the authorized user.

根据本公开的实施例,可以根据标签的等级确定授权用户的脱敏规则。例如,标签可以被分为敏感程度不同的多个等级,不同等级的脱敏规则可以是不同的。例如,如果标签是1级标签,则进行掩盖脱敏处理,如果标签是2级标签,则进行假名脱敏,如果标签是3级标签,则进行hash化脱敏处理。According to the embodiment of the present disclosure, the desensitization rule of the authorized user may be determined according to the level of the tag. For example, tags can be divided into multiple levels with different degrees of sensitivity, and the desensitization rules of different levels can be different. For example, if the label is a level 1 label, mask desensitization is performed, if the label is a level 2 label, pseudonym desensitization is performed, and if the label is a level 3 label, hash desensitization is performed.

根据本公开的实施例,可以根据授权用户的属性值确定授权用户的脱敏规则。例如,对于属于白名单用户集合的用户可以不进行脱敏处理,对于其他用户则进行脱敏处理。According to the embodiment of the present disclosure, the desensitization rule of the authorized user can be determined according to the attribute value of the authorized user. For example, desensitization processing may not be performed for users belonging to the whitelist user set, and desensitization processing is performed for other users.

根据本公开的实施例,可以根据标签等级和授权用户的属性值确定授权用户的脱敏规则。例如,如果标签是一级标签,则对高级用户不进行脱敏处理,对普通用户进行掩盖脱敏处理,如果标签是二级标签,则对高级用户进行掩盖脱敏处理,对普通用户进行hash化脱敏处理,等等。According to the embodiment of the present disclosure, the desensitization rule of the authorized user can be determined according to the tag level and the attribute value of the authorized user. For example, if the tag is a first-level tag, no desensitization processing is performed for advanced users, and masking and desensitization processing is performed for ordinary users. If the tag is a second-level tag, advanced users are masked and desensitized, and ordinary users are hashed. chemical desensitization treatment, etc.

图6示出根据本公开实施例设置脱敏规则的流程示意图。FIG. 6 shows a schematic flowchart of setting a desensitization rule according to an embodiment of the present disclosure.

如图6示,根据本公开的实施例,在设置脱敏规则时,可以定义多个敏感等级,例如1级、2级、3级,等等。还可以定义多个脱敏规则,例如假名脱敏、掩盖脱敏、hash化脱敏,等等。针对敏感标签,可以先定义其为1级、2级、或3级敏感标签,然后,可以选择该标签对应的脱敏规则,例如对于1级标签进行假名脱敏,对于2级标签进行掩盖脱敏,对于3级标签进行hash化脱敏,等等。还可以针对该敏感标签设置白名单用户集合,对于该白名单用户集合中的用户不进行脱敏处理。As shown in FIG. 6 , according to an embodiment of the present disclosure, when setting a desensitization rule, multiple sensitivity levels can be defined, such as level 1, level 2, level 3, and so on. You can also define multiple desensitization rules, such as pseudonym desensitization, mask desensitization, hash desensitization, and so on. For sensitive labels, you can first define them as level 1, level 2, or level 3 sensitive labels, and then you can select the desensitization rule corresponding to the label, such as pseudonym desensitization for level 1 labels, and mask desensitization for level 2 labels. Sensitization, hash desensitization for level 3 labels, etc. A whitelist user set may also be set for the sensitive label, and no desensitization processing is performed on the users in the whitelist user set.

根据本公开的实施例,可以对标签应用预设的脱敏模板,例如对标签“姓名”应用掩盖模板,则预设对象内容“猫猫服装公司”可以被脱敏处理为“**服装公司”。脱敏模板的脱敏规则和方法是预先设置好的,可以直接使用,免除了重新设置脱敏规则和编写脱敏方法的麻烦。According to an embodiment of the present disclosure, a preset desensitization template may be applied to the label, for example, a mask template may be applied to the label "name", and the preset object content "cat clothing company" may be desensitized as "** clothing company" ". The desensitization rules and methods of the desensitization template are preset and can be used directly, eliminating the trouble of resetting desensitization rules and writing desensitization methods.

根据本公开的实施例,对于不同等级的标签采用相应的脱敏规则,可以在预设对象粒度级别上实现针对不同用户集合或用户的区别化数据加密,提高了数据管理的灵活性和安全性。According to the embodiments of the present disclosure, by adopting corresponding desensitization rules for tags of different levels, differentiated data encryption for different user sets or users can be realized at the preset object granularity level, which improves the flexibility and security of data management. .

图7示出根据本公开实施例向授权用户提供与标签相对应的预设对象的流程图。FIG. 7 shows a flowchart of providing a preset object corresponding to a tag to an authorized user according to an embodiment of the present disclosure.

如图7所示,根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括步骤S401-步骤S404。As shown in FIG. 7 , according to an embodiment of the present disclosure, providing the authorized user with the content of the preset object corresponding to the tag includes steps S401 to S404 .

在步骤S401中,确定允许所述授权用户访问的记录;In step S401, determine the record that the authorized user is allowed to access;

在步骤S402中,在所述标签属于敏感标签的情况下,确定相应的脱敏规则;In step S402, in the case that the label belongs to a sensitive label, a corresponding desensitization rule is determined;

在步骤S403中,根据所述脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容,得到第二脱敏数据;In step S403, processing the content of the preset object corresponding to the label in the record allowing the authorized user to access according to the desensitization rule, to obtain second desensitization data;

在步骤S404中,向所述授权用户提供所述第二脱敏数据。In step S404, the second desensitization data is provided to the authorized user.

参考图4B,假设用户U2使用标签c1访问字段C1,用户U2的权限为允许访问记录R1和记录R2,用户U2的脱敏规则为假名脱敏,于是向用户U2提供假名脱敏后的记录R1和R2的字段C1的内容,例如图5B所示的“A公司”和“B公司”。Referring to FIG. 4B, it is assumed that the user U2 uses the label c1 to access the field C1, the authority of the user U2 is to allow access to the record R1 and the record R2, and the desensitization rule of the user U2 is pseudonym desensitization, so the pseudonym desensitized record R1 is provided to the user U2. and the content of the field C1 of R2, such as "Company A" and "Company B" shown in FIG. 5B .

根据本公开的实施例,在通过标签实现预设对象粒度的数据访问控制的基础上,进一步进行记录访问权限和脱敏控制,控制手段组合更加多样化和灵活,适应于更多应用和场景的需要。According to the embodiments of the present disclosure, on the basis of realizing data access control with preset object granularity through tags, recording access authority and desensitization control are further performed, and the combination of control means is more diverse and flexible, and is suitable for more applications and scenarios. need.

图8示出根据本公开实施例的数据访问方法的流程图。FIG. 8 shows a flowchart of a data access method according to an embodiment of the present disclosure.

如图8所示,所述数据访问方法包括步骤S501-S503。As shown in FIG. 8 , the data access method includes steps S501-S503.

在步骤S501中,展示与数据中的预设对象相对应的标签;In step S501, the label corresponding to the preset object in the data is displayed;

在步骤S502中,在用户获得使用所述标签的授权而成为授权用户之后,发送所述授权用户使用所述标签的数据访问请求;In step S502, after the user obtains the authorization to use the tag and becomes an authorized user, send a data access request for the authorized user to use the tag;

在步骤S503中,接收与所述标签相对应的所述预设对象的内容。In step S503, the content of the preset object corresponding to the tag is received.

根据本公开的实施例,所述数据包括物理表。According to an embodiment of the present disclosure, the data includes physical tables.

根据本公开的实施例,所述预设对象的内容是物理表内容的真子集。According to an embodiment of the present disclosure, the content of the preset object is a proper subset of the content of the physical table.

根据本公开的实施例,所述预设对象是字段。According to an embodiment of the present disclosure, the preset object is a field.

根据本公开的实施例,所述数据访问方法还包括发送用户对使用所述标签的申请。According to an embodiment of the present disclosure, the data access method further includes sending a user's application for using the tag.

根据本公开的实施例,所述用户不属于生成所述数据的用户集合。According to an embodiment of the present disclosure, the user does not belong to the set of users that generated the data.

参照上文对图2C的描述,用户集合G1的公共标签对于用户集合G2的用户U2可见。用户U2可以发送对使用公共标签(例如,标签c1)的申请,在获得授权后,用户U2可以发送使用标签c1的数据访问请求,并接收与标签c1相对应的字段的内容。Referring to the description of FIG. 2C above, the public label of user set G1 is visible to user U2 of user set G2. User U2 can send an application for using a public label (eg, label c1), and after obtaining authorization, user U2 can send a data access request using label c1, and receive the content of the field corresponding to label c1.

根据本公开的实施例,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源。According to an embodiment of the present disclosure, the tags correspond to multiple preset objects, and the multiple preset objects have the same attribute and belong to different data resources.

根据本公开的实施例,所述对使用所述标签的申请包含对所述不同数据资源中的特定数据资源的指示和/或所述数据访问请求包含对所述特定数据资源的指示。According to an embodiment of the present disclosure, the application for using the tag includes an indication of a specific data resource among the different data resources and/or the data access request includes an indication of the specific data resource.

参照上文对图3的描述,标签c1可以对应于物理表Data_s1中的字段C1、物理表Data_s2中的字段C1’、物理表Data_s3中的字段C1”,在用户U2提出对标签c1的使用申请时,可以选择要使用的数据资源。在图3中,用户U2选择了数据资源Data_s1、Data_s2。这样,在获得授权之后,用户U2可以使用标签c1访问数字资源Data_s1和Data_s2中的相应字段C1和C1’,而不能使用标签c1访问数字资源Data_s3中的相应字段C1”。Referring to the description of FIG. 3 above, the tag c1 may correspond to the field C1 in the physical table Data_s1, the field C1' in the physical table Data_s2, and the field C1" in the physical table Data_s3, and the user U2 applies for the use of the tag c1 When, can choose the data resource to be used.In Fig. 3, user U2 has selected data resource Data_s1, Data_s2.In this way, after obtaining authorization, user U2 can use label c1 to visit corresponding field C1 and in Data_s2 in digital resource Data_s1 and Data_s2 C1', while the corresponding field C1" in the digital resource Data_s3 cannot be accessed using the label c1.

在用户U2获得了使用标签c1访问数字资源Data_s1和Data_s2的授权之后,可以在数据访问请求中包含对要访问的数据资源的指示,例如在数据访问请求中指示访问数据资源Data_s1中标签c1的相应字段。After the user U2 obtains the authorization to use the tag c1 to access the digital resources Data_s1 and Data_s2, the data access request may include an indication of the data resources to be accessed, for example, the data access request may indicate to access the corresponding data of the tag c1 in the data resource Data_s1 field.

或者,如果用户U2在图3所示的界面中仅申请使用数据资源Data_s1,则可以不在数据访问请求中指示访问数据资源Data_s1,此时默认用户U2要访问数据资源Data_s1。Alternatively, if the user U2 only applies to use the data resource Data_s1 in the interface shown in FIG. 3 , the user U2 may not indicate access to the data resource Data_s1 in the data access request, and the user U2 wants to access the data resource Data_s1 by default.

根据本公开的实施例,所述接收与所述标签相对应的所述预设对象的内容,包括接收所述特定数据资源中与所述标签相对应的所述预设对象的内容。According to an embodiment of the present disclosure, the receiving the content of the preset object corresponding to the tag includes receiving the content of the preset object corresponding to the tag in the specific data resource.

根据本公开的实施例,所述接收与所述标签相对应的所述预设对象的内容,包括接收以下任意之一:According to an embodiment of the present disclosure, the receiving the content of the preset object corresponding to the tag includes receiving any one of the following:

允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容;the content of the preset object corresponding to the tag in the record allowing the authorized user to access;

根据脱敏规则处理与所述标签相对应的所述预设对象的内容而得到的第一脱敏数据;first desensitization data obtained by processing the content of the preset object corresponding to the label according to the desensitization rule;

根据脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容而得到的第二脱敏数据。The second desensitization data obtained by processing the content of the preset object corresponding to the tag in the record that is allowed to be accessed by the authorized user according to the desensitization rule.

根据本公开的实施例,所述允许所述授权用户访问的记录是根据所述授权用户的属性值确定的,或者是根据所述标签的类别和所述授权用户的属性值确定的。According to an embodiment of the present disclosure, the record allowing the authorized user to access is determined according to the attribute value of the authorized user, or is determined according to the category of the tag and the attribute value of the authorized user.

根据本公开的实施例,所述授权用户的脱敏规则是根据所述标签的等级和/或所述授权用户的属性值确定的。According to an embodiment of the present disclosure, the desensitization rule of the authorized user is determined according to the level of the tag and/or the attribute value of the authorized user.

根据本公开的实施例,在授权用户使用授权标签进行数据访问时,可以根据授权用户的属性值、或根据标签类别和授权用户的属性值,提供允许授权用户访问的记录中与所述标签相对应的所述预设对象的内容。相应地,授权用户可以接收允许所述授权用户访问的记录中与所述标签相对应的预设对象的内容。在通过标签实现预设对象访问控制的基础上,对允许用户访问的记录进行控制,本公开实施例实现了数据管理和访问的进一步细化,实现了更加灵活和有针对性的数据管理。According to an embodiment of the present disclosure, when an authorized user uses an authorized tag to access data, a record corresponding to the tag in the record allowing the authorized user to access may be provided according to the attribute value of the authorized user, or according to the tag category and the attribute value of the authorized user. content of the corresponding preset object. Accordingly, the authorized user may receive the content of the preset object corresponding to the tag in the record that the authorized user is allowed to access. On the basis of implementing preset object access control through tags, the records that users are allowed to access are controlled, the embodiments of the present disclosure realize further refinement of data management and access, and realize more flexible and targeted data management.

根据本公开的实施例,对于敏感标签,在授权用户使用授权标签进行数据访问时,可以根据所述标签的等级和/或所述授权用户的属性值确定所述授权用户的脱敏规则,提供根据脱敏规则处理与所述标签相对应的预设对象的内容而得到的第一脱敏数据。相应地,授权用户可以接收根据脱敏规则处理与所述标签相对应的预设对象的内容而得到的第一脱敏数据。根据本公开的实施例,通过对敏感数据进行脱敏处理,可以实现敏感数据的“可用不可见”,使敏感预设对象可被更多用户、应用和场景使用,在保证敏感数据的安全性的同时,显著增加了可供用户使用的数据量,提高了数据利用效率。根据本公开的实施例,对于不同等级的标签采用相应的脱敏规则,可以在预设对象粒度级别上实现针对不同用户集合或用户的区别化数据加密,提高了数据管理和访问的灵活性和安全性。According to an embodiment of the present disclosure, for a sensitive tag, when an authorized user uses an authorized tag to access data, the desensitization rule of the authorized user can be determined according to the level of the tag and/or the attribute value of the authorized user, providing The first desensitization data obtained by processing the content of the preset object corresponding to the label according to the desensitization rule. Correspondingly, the authorized user may receive the first desensitization data obtained by processing the content of the preset object corresponding to the tag according to the desensitization rule. According to the embodiments of the present disclosure, by performing desensitization processing on sensitive data, "available and invisible" of sensitive data can be realized, so that sensitive preset objects can be used by more users, applications and scenarios, while ensuring the security of sensitive data. At the same time, the amount of data available to users is significantly increased, and the efficiency of data utilization is improved. According to the embodiments of the present disclosure, by adopting corresponding desensitization rules for tags of different levels, differentiated data encryption for different user sets or users can be realized at the preset object granularity level, which improves the flexibility and flexibility of data management and access. safety.

根据本公开的实施例,在授权用户使用授权标签进行数据访问时,可以根据授权用户的属性值、或根据标签类别和授权用户的属性值,确定允许授权用户访问的记录中与所述标签相对应的预设对象的内容,并且对于敏感标签,可以根据所述标签的等级和/或所述授权用户的属性值确定所述授权用户的脱敏规则。然后,可以提供根据脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的预设对象的内容而得到的第二脱敏数据。根据本公开的实施例,在通过标签实现预设对象粒度的数据访问控制的基础上,进一步进行记录访问权限和脱敏控制,控制手段组合更加多样化和灵活,适应于更多应用和场景的需要。According to an embodiment of the present disclosure, when an authorized user uses an authorized tag to access data, it can be determined according to the attribute value of the authorized user, or according to the tag category and the attribute value of the authorized user, in the records that are allowed to access the authorized user and the tag is determined. The content of the corresponding preset object, and for a sensitive tag, the desensitization rule of the authorized user may be determined according to the level of the tag and/or the attribute value of the authorized user. Then, second desensitization data obtained by processing the content of the preset object corresponding to the tag in the record that is allowed to be accessed by the authorized user according to the desensitization rule may be provided. According to the embodiments of the present disclosure, on the basis of realizing data access control with preset object granularity through tags, recording access authority and desensitization control are further performed, and the combination of control means is more diverse and flexible, and is suitable for more applications and scenarios. need.

图9示出根据本公开的实施例的数据管理装置600的结构框图。其中,该装置可以通过软件、硬件或者两者的结合实现成为电子设备的部分或者全部。FIG. 9 shows a structural block diagram of a data management apparatus 600 according to an embodiment of the present disclosure. Wherein, the apparatus may be realized by software, hardware or a combination of the two to become part or all of the electronic device.

如图9所示,所述数据管理装置600包括建立模块601、授权模块602和提供模块603。As shown in FIG. 9 , the data management apparatus 600 includes an establishment module 601 , an authorization module 602 and a provision module 603 .

所述建立模块601被配置为建立与数据中的预设对象相对应的标签;The establishment module 601 is configured to establish a label corresponding to a preset object in the data;

所述授权模块602被配置为对允许使用所述标签的用户进行授权;The authorization module 602 is configured to authorize the user allowed to use the tag;

所述提供模块603被配置为在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。根据本公开的实施例,所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,针对所述预设对象生成相应标签;和/或The providing module 603 is configured to provide the authorized user with the content of the preset object corresponding to the tag when receiving a data access request using the tag from an authorized authorized user. According to an embodiment of the present disclosure, the establishing a label corresponding to the preset object includes generating a corresponding label for the preset object according to an instruction of a user who generates the user set of the data; and/or

所述数据管理装置还包括接收申请模块604,所述接收申请模块604被配置为接收用户对使用所述标签的申请;或从其他用户集合的用户接收对使用所述标签的申请。The data management apparatus further includes an application receiving module 604, which is configured to receive an application for using the tag from a user; or receive an application for using the tag from a user set of other users.

根据本公开的实施例,所述标签初始为仅对生成所述数据的用户集合可见的私有标签,所述装置还包括转换模块605。According to an embodiment of the present disclosure, the tag is initially a private tag visible only to the set of users who generate the data, and the apparatus further includes a conversion module 605 .

所述转换模块605被配置为:将所述私有标签转换为公共标签,所述公共标签对所述其他用户集合可见;或者将所述私有标签转换为公共标签,所述公共标签的公开范围设置为以下任意一种或多种:生成所述数据的用户集合的所有下级用户集合、生成所述数据的用户集合的选定下级用户集合、与生成所述数据的用户集合隶属于同一上级的兄弟用户集合。The conversion module 605 is configured to: convert the private tag into a public tag, and the public tag is visible to the other user sets; or convert the private tag into a public tag, and the public tag's disclosure scope is set be any one or more of the following: all subordinate user sets of the user set that generated the data, selected subordinate user sets of the user set that generated the data, brothers who belong to the same superior as the user set that generated the data User collection.

根据本公开的实施例,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;According to an embodiment of the present disclosure, the label corresponds to a plurality of preset objects, and the plurality of preset objects have the same attribute and belong to different data resources;

所述数据访问请求包含对要访问的特定数据资源的指示;the data access request contains an indication of a particular data resource to be accessed;

所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括向所述授权用户提供所述特定数据资源中与所述标签相对应的所述预设对象的内容。The providing the authorized user with the content of the preset object corresponding to the tag includes providing the authorized user with the content of the preset object corresponding to the tag in the specific data resource .

根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:According to an embodiment of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

向所述授权用户提供允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容。The authorized user is provided with the content of the preset object corresponding to the tag in a record that the authorized user is allowed to access.

根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:According to an embodiment of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理与所述标签相对应的所述预设对象的内容,得到第一脱敏数据;Process the content of the preset object corresponding to the label according to the desensitization rule to obtain first desensitization data;

向所述授权用户提供所述第一脱敏数据。The first desensitized data is provided to the authorized user.

根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:According to an embodiment of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容,得到第二脱敏数据;Process the content of the preset object corresponding to the label in the record allowing the authorized user to access according to the desensitization rule, to obtain second desensitization data;

向所述授权用户提供所述第二脱敏数据。The second masked data is provided to the authorized user.

根据本公开的实施例,所述确定允许所述授权用户访问的记录,包括:According to an embodiment of the present disclosure, the determining the records that the authorized user is allowed to access includes:

根据所述授权用户的属性值确定允许所述授权用户访问的记录;或者Determine the records that the authorized user is allowed to access based on the attribute value of the authorized user; or

根据所述标签的类别和所述授权用户的属性值确定允许所述授权用户访问的记录。The records that the authorized user is allowed to access are determined according to the category of the tag and the attribute value of the authorized user.

根据本公开的实施例,确定所述相应的脱敏规则,包括:According to an embodiment of the present disclosure, determining the corresponding desensitization rule includes:

根据所述标签的等级和/或所述授权用户的属性值确定所述相应的脱敏规则;和/或determining the corresponding desensitization rule according to the level of the tag and/or the attribute value of the authorized user; and/or

在所述授权用户属于白名单用户集合的情况下,不进行脱敏处理。In the case that the authorized user belongs to the whitelist user set, no desensitization processing is performed.

根据本公开的实施例,所述数据包括物理表;和/或According to an embodiment of the present disclosure, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

图10示出根据本公开的实施例的数据访问装置700的结构框图。其中,该装置可以通过软件、硬件或者两者的结合实现成为电子设备的部分或者全部。FIG. 10 shows a structural block diagram of a data access apparatus 700 according to an embodiment of the present disclosure. Wherein, the apparatus may be realized by software, hardware or a combination of the two to become part or all of the electronic device.

如图10所示,所述数据访问装置700包括展示模块701、第一发送模块702和接收模块703。As shown in FIG. 10 , the data access apparatus 700 includes a presentation module 701 , a first sending module 702 and a receiving module 703 .

所述展示模块701被配置为展示与数据中的预设对象相对应的标签;The display module 701 is configured to display tags corresponding to preset objects in the data;

所述第一发送模块702被配置为在用户获得使用所述标签的授权而成为授权用户之后,发送所述授权用户使用所述标签的数据访问请求;The first sending module 702 is configured to send a data access request for using the tag by the authorized user after the user obtains the authorization to use the tag and becomes an authorized user;

所述接收模块703被配置为接收与所述标签相对应的所述预设对象的内容。The receiving module 703 is configured to receive the content of the preset object corresponding to the tag.

根据本公开的实施例,所述用户不属于生成所述数据的用户集合。According to an embodiment of the present disclosure, the user does not belong to the set of users that generated the data.

根据本公开的实施例,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;According to an embodiment of the present disclosure, the label corresponds to a plurality of preset objects, and the plurality of preset objects have the same attribute and belong to different data resources;

所述数据访问请求包含对要访问的特定数据资源的指示;the data access request contains an indication of a particular data resource to be accessed;

所述接收与所述标签相对应的所述预设对象的内容,包括接收所述特定数据资源中与所述标签相对应的所述预设对象的内容。The receiving the content of the preset object corresponding to the tag includes receiving the content of the preset object corresponding to the tag in the specific data resource.

根据本公开的实施例,所述接收与所述标签相对应的所述预设对象的内容,包括接收以下任意之一:According to an embodiment of the present disclosure, the receiving the content of the preset object corresponding to the tag includes receiving any one of the following:

允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容;the content of the preset object corresponding to the tag in the record allowing the authorized user to access;

根据脱敏规则处理与所述标签相对应的所述预设对象的内容而得到的第一脱敏数据;first desensitization data obtained by processing the content of the preset object corresponding to the label according to the desensitization rule;

根据脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容而得到的第二脱敏数据。The second desensitization data obtained by processing the content of the preset object corresponding to the tag in the record that is allowed to be accessed by the authorized user according to the desensitization rule.

根据本公开的实施例,所述允许所述授权用户访问的记录是根据所述授权用户的属性值确定的,或者是根据所述标签的类别和所述授权用户的属性值确定的;According to an embodiment of the present disclosure, the record allowing the authorized user to access is determined according to the attribute value of the authorized user, or is determined according to the category of the tag and the attribute value of the authorized user;

所述授权用户的脱敏规则是根据所述标签的等级和/或所述授权用户的属性值确定的。The desensitization rule of the authorized user is determined according to the level of the tag and/or the attribute value of the authorized user.

根据本公开的实施例,所述数据包括物理表;和/或According to an embodiment of the present disclosure, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

根据本公开的实施例,所述数据访问装置还包括第二发送模块704,所述第二发送模块704被配置为发送用户对使用所述标签的申请。According to an embodiment of the present disclosure, the data access apparatus further includes a second sending module 704, and the second sending module 704 is configured to send a user's application for using the tag.

图11示出根据本公开的实施例的电子设备800的结构框图。FIG. 11 shows a structural block diagram of an electronic device 800 according to an embodiment of the present disclosure.

如图11所示,所述电子设备800包括存储器801和处理器802。所述存储器801用于存储一条或多条计算机指令,其中,所述一条或多条计算机指令被所述处理器802执行以实现以下方法步骤:As shown in FIG. 11 , the electronic device 800 includes a memory 801 and a processor 802 . The memory 801 is used to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor 802 to implement the following method steps:

建立与数据中的预设对象相对应的标签;Create labels corresponding to preset objects in the data;

对允许使用所述标签的用户进行授权;Authorize users who are allowed to use the tags;

在从获得授权的授权用户接收到使用所述标签的数据访问请求时,向所述授权用户提供与所述标签相对应的所述预设对象的内容。When a data access request using the tag is received from an authorized authorized user, the authorized user is provided with the content of the preset object corresponding to the tag.

根据本公开的实施例,所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,针对所述预设对象生成相应标签;和/或According to an embodiment of the present disclosure, the establishing a label corresponding to the preset object includes generating a corresponding label for the preset object according to an instruction of a user who generates the user set of the data; and/or

所述建立与所述预设对象相对应的标签,包括根据生成所述数据的用户集合的用户的指示,建立所述预设对象与相应标签之间的对应关系;和/或The establishing a label corresponding to the preset object includes establishing a corresponding relationship between the preset object and the corresponding label according to an instruction of a user who generated the user set of the data; and/or

所述一条或多条计算机指令还被所述处理器802执行以实现以下方法步骤:The one or more computer instructions are also executed by the processor 802 to implement the following method steps:

接收用户对使用所述标签的申请;或从其他用户集合的用户接收对使用所述标签的申请。Receive an application for using the tag from a user; or receive an application for using the tag from a user of another set of users.

根据本公开的实施例,所述标签初始为仅对生成所述数据的用户集合可见的私有标签,所述一条或多条计算机指令还被所述处理器802执行以实现以下方法步骤:According to an embodiment of the present disclosure, the tag is initially a private tag visible only to the set of users that generated the data, and the one or more computer instructions are further executed by the processor 802 to implement the following method steps:

将所述私有标签转换为公共标签,所述公共标签对所述其他用户集合可见;或者converting the private label to a public label that is visible to the other set of users; or

将所述私有标签转换为公共标签,所述公共标签的公开范围设置为以下任意一种或多种:生成所述数据的用户集合的所有下级用户集合、生成所述数据的用户集合的选定下级用户集合、与生成所述数据的用户集合隶属于同一上级的兄弟用户集合。Converting the private label into a public label, and the disclosure scope of the public label is set to any one or more of the following: a set of all subordinate users of the user set that generated the data, a selected set of users that generated the data The lower-level user set and the user set that generated the data belong to the same upper-level sibling user set.

根据本公开的实施例,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;According to an embodiment of the present disclosure, the label corresponds to a plurality of preset objects, and the plurality of preset objects have the same attribute and belong to different data resources;

所述数据访问请求包含对要访问的特定数据资源的指示;the data access request contains an indication of a particular data resource to be accessed;

所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括向所述授权用户提供所述特定数据资源中与所述标签相对应的所述预设对象的内容。The providing the authorized user with the content of the preset object corresponding to the tag includes providing the authorized user with the content of the preset object corresponding to the tag in the specific data resource .

根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:According to an embodiment of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

向所述授权用户提供允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容。The authorized user is provided with the content of the preset object corresponding to the tag in a record that the authorized user is allowed to access.

根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:According to an embodiment of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理与所述标签相对应的所述预设对象的内容,得到第一脱敏数据;Process the content of the preset object corresponding to the label according to the desensitization rule to obtain first desensitization data;

向所述授权用户提供所述第一脱敏数据。The first desensitized data is provided to the authorized user.

根据本公开的实施例,所述向所述授权用户提供与所述标签相对应的所述预设对象的内容,包括:According to an embodiment of the present disclosure, the providing the authorized user with the content of the preset object corresponding to the tag includes:

确定允许所述授权用户访问的记录;determine the records that the authorized user is allowed to access;

在所述标签属于敏感标签的情况下,确定相应的脱敏规则;If the label is a sensitive label, determine the corresponding desensitization rule;

根据所述脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容,得到第二脱敏数据;Process the content of the preset object corresponding to the label in the record allowing the authorized user to access according to the desensitization rule, to obtain second desensitization data;

向所述授权用户提供所述第二脱敏数据。The second masked data is provided to the authorized user.

根据本公开的实施例,所述确定允许所述授权用户访问的记录,包括:According to an embodiment of the present disclosure, the determining the records that the authorized user is allowed to access includes:

根据所述授权用户的属性值确定允许所述授权用户访问的记录;或者Determine the records that the authorized user is allowed to access based on the attribute value of the authorized user; or

根据所述标签的类别和所述授权用户的属性值确定允许所述授权用户访问的记录。The records that the authorized user is allowed to access are determined according to the category of the tag and the attribute value of the authorized user.

根据本公开的实施例,所述确定所述相应的脱敏规则,包括:According to an embodiment of the present disclosure, the determining the corresponding desensitization rule includes:

根据所述标签的等级和/或所述授权用户的属性值确定所述相应的脱敏规则;和/或determining the corresponding desensitization rule according to the level of the tag and/or the attribute value of the authorized user; and/or

在所述授权用户属于白名单用户集合的情况下,不进行脱敏处理。In the case that the authorized user belongs to the whitelist user set, no desensitization processing is performed.

根据本公开的实施例,所述数据包括物理表;和/或According to an embodiment of the present disclosure, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

根据本公开的实施例,所述一条或多条计算机指令被所述处理器802执行以实现以下方法步骤:According to an embodiment of the present disclosure, the one or more computer instructions are executed by the processor 802 to implement the following method steps:

展示与数据中的预设对象相对应的标签;Display labels corresponding to preset objects in the data;

在用户获得使用所述标签的授权而成为授权用户之后,发送所述授权用户使用所述标签的数据访问请求;After the user obtains the authorization to use the tag and becomes an authorized user, sending a data access request for the authorized user to use the tag;

接收与所述标签相对应的所述预设对象的内容。The content of the preset object corresponding to the tag is received.

根据本公开的实施例,所述用户不属于生成所述数据的用户集合。According to an embodiment of the present disclosure, the user does not belong to the set of users that generated the data.

根据本公开的实施例,所述标签对应于多个预设对象,所述多个预设对象具有相同属性且属于不同数据资源;According to an embodiment of the present disclosure, the label corresponds to a plurality of preset objects, and the plurality of preset objects have the same attribute and belong to different data resources;

所述数据访问请求包含对要访问的特定数据资源的指示;the data access request contains an indication of a particular data resource to be accessed;

所述接收与所述标签相对应的所述预设对象的内容,包括接收所述特定数据资源中与所述标签相对应的所述预设对象的内容。The receiving the content of the preset object corresponding to the tag includes receiving the content of the preset object corresponding to the tag in the specific data resource.

根据本公开的实施例,所述接收与所述标签相对应的所述预设对象的内容,包括接收以下任意之一:According to an embodiment of the present disclosure, the receiving the content of the preset object corresponding to the tag includes receiving any one of the following:

允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容;the content of the preset object corresponding to the tag in the record allowing the authorized user to access;

根据脱敏规则处理与所述标签相对应的所述预设对象的内容而得到的第一脱敏数据;first desensitization data obtained by processing the content of the preset object corresponding to the label according to the desensitization rule;

根据脱敏规则处理允许所述授权用户访问的记录中与所述标签相对应的所述预设对象的内容而得到的第二脱敏数据。The second desensitization data obtained by processing the content of the preset object corresponding to the tag in the record that is allowed to be accessed by the authorized user according to the desensitization rule.

根据本公开的实施例,所述允许所述授权用户访问的记录是根据所述授权用户的属性值确定的,或者是根据所述标签的类别和所述授权用户的属性值确定的;According to an embodiment of the present disclosure, the record allowing the authorized user to access is determined according to the attribute value of the authorized user, or is determined according to the category of the tag and the attribute value of the authorized user;

所述脱敏规则是根据所述标签的等级和/或所述授权用户的属性值确定的。The desensitization rule is determined according to the level of the tag and/or the attribute value of the authorized user.

根据本公开的实施例,所述数据包括物理表;和/或According to an embodiment of the present disclosure, the data includes a physical table; and/or

所述预设对象的内容是物理表内容的真子集;和/或the content of the preset object is a proper subset of the content of the physical table; and/or

所述预设对象是字段。The preset object is a field.

根据本公开的实施例,所述一条或多条计算机指令被所述处理器802执行以实现以下方法步骤:According to an embodiment of the present disclosure, the one or more computer instructions are executed by the processor 802 to implement the following method steps:

发送用户对使用所述标签的申请。A user request to use the tag is sent.

图12示出适于用来实现根据本公开实施例的数据管理方法和/或数据访问方法的计算机系统900的结构示意图。FIG. 12 shows a schematic structural diagram of a computer system 900 suitable for implementing a data management method and/or a data access method according to an embodiment of the present disclosure.

如图12所示,计算机系统900包括中央处理单元(CPU)901,其可以根据存储在只读存储器(ROM)902中的程序或者从存储部分909加载到随机访问存储器(RAM)903中的程序而执行上述实施例中的各种处理。在RAM903中,还存储有系统900操作所需的各种程序和数据。CPU901、ROM902以及RAM903通过总线904彼此相连。输入/输出(I/O)接口905也连接至总线904。As shown in FIG. 12, a computer system 900 includes a central processing unit (CPU) 901, which can be loaded into a random access memory (RAM) 903 according to a program stored in a read only memory (ROM) 902 or a program from a storage section 909 Instead, various processes in the above-described embodiments are performed. In the RAM 903, various programs and data necessary for the operation of the system 900 are also stored. The CPU 901 , the ROM 902 and the RAM 903 are connected to each other through a bus 904 . An input/output (I/O) interface 905 is also connected to bus 904 .

以下部件连接至I/O接口905:包括键盘、鼠标等的输入部分906;包括诸如阴极射线管(CRT)、液晶显示器(LCD)等以及扬声器等的输出部分907;包括硬盘等的存储部分908;以及包括诸如LAN卡、调制解调器等的网络接口卡的通信部分909。通信部分909经由诸如因特网的网络执行通信处理。驱动器910也根据需要连接至I/O接口905。可拆卸介质911,诸如磁盘、光盘、磁光盘、半导体存储器等等,根据需要安装在驱动器910上,以便于从其上读出的计算机程序根据需要被安装入存储部分908。The following components are connected to the I/O interface 905: an input section 906 including a keyboard, a mouse, etc.; an output section 907 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 908 including a hard disk, etc. ; and a communication section 909 including a network interface card such as a LAN card, a modem, and the like. The communication section 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is mounted on the drive 910 as needed so that a computer program read therefrom is installed into the storage section 908 as needed.

特别地,根据本公开的实施例,上文描述的方法可以被实现为计算机软件程序。例如,本公开的实施例包括一种计算机程序产品,其包括有形地包含在其可读介质上的计算机程序,所述计算机程序包含用于执行上述数据管理和/或访问方法的程序代码。在这样的实施例中,该计算机程序可以通过通信部分909从网络上被下载和安装,和/或从可拆卸介质911被安装。In particular, according to embodiments of the present disclosure, the methods described above may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a readable medium thereof, the computer program containing program code for performing the data management and/or access methods described above. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909, and/or installed from the removable medium 911.

附图中的流程图和框图,图示了按照本公开各种实施例的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,路程图或框图中的每个方框可以代表一个模块、程序段或代码的一部分,所述模块、程序段或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个接连地表示的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或操作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the diagram or block diagram may represent a module, segment, or portion of code that contains one or more functions for implementing the specified logical function. executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It is also noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented in dedicated hardware-based systems that perform the specified functions or operations , or can be implemented in a combination of dedicated hardware and computer instructions.

描述于本公开实施例中所涉及到的单元或模块可以通过软件的方式实现,也可以通过可编程硬件的方式来实现。所描述的单元或模块也可以设置在处理器中,这些单元或模块的名称在某种情况下并不构成对该单元或模块本身的限定。The units or modules involved in the embodiments of the present disclosure may be implemented in a software manner, or may be implemented in a programmable hardware manner. The described units or modules may also be provided in the processor, and the names of these units or modules do not constitute a limitation on the units or modules themselves in certain circumstances.

作为另一方面,本公开还提供了一种可读存储介质,该可读存储介质可以是上述实施例中电子设备或计算机系统中所包含的可读存储介质;也可以是单独存在,未装配入设备中的可读存储介质。可读存储介质存储有一个或者一个以上程序,所述程序被一个或者一个以上的处理器用来执行描述于本公开的方法。As another aspect, the present disclosure also provides a readable storage medium. The readable storage medium may be the readable storage medium included in the electronic device or computer system in the above-mentioned embodiments; readable storage medium in the device. The readable storage medium stores one or more programs used by one or more processors to perform the methods described in the present disclosure.

以上描述仅为本公开的较佳实施例以及对所运用技术原理的说明。本领域开发人员应当理解,本公开中所涉及的发明范围,并不限于上述技术特征的特定组合而成的技术方案,同时也应涵盖在不脱离所述发明构思的情况下,由上述技术特征或其等同特征进行任意组合而形成的其它技术方案。例如上述特征与本公开中公开的(但不限于)具有类似功能的技术特征进行互相替换而形成的技术方案。The above description is merely a preferred embodiment of the present disclosure and an illustration of the technical principles employed. Developers in the art should understand that the scope of the invention involved in the present disclosure is not limited to the technical solutions formed by the specific combination of the above technical features, and should also cover the above technical features without departing from the inventive concept. Other technical solutions formed by any combination of its equivalent features. For example, a technical solution is formed by replacing the above features with the technical features disclosed in the present disclosure (but not limited to) with similar functions.

Claims (36)

1. A method for managing data, comprising:
establishing a label corresponding to a preset object in the data;
authorizing a user allowed to use the tag;
providing the contents of the preset object corresponding to the tag to an authorized user upon receiving a data access request using the tag from the authorized user.
2. The data management method according to claim 1, wherein:
the establishing of the label corresponding to the preset object comprises generating a corresponding label aiming at the preset object according to the indication of the user generating the user set of the data; and/or
The establishing of the label corresponding to the preset object comprises establishing a corresponding relation between the preset object and the corresponding label according to the indication of the user generating the user set of the data; and/or
The data management method further comprises: receiving a user application for using the label; or receiving an application for using the tag from a user of the other user set.
3. The data management method of claim 2, wherein the tag is initially a private tag that is visible only to a set of users that generated the data, the data management method further comprising:
converting the private label to a public label, the public label being visible to the set of other users; or
Converting the private label into a public label, wherein the public range of the public label is set as any one or more of the following: generating all subordinate user sets of the user set of the data, generating a selected subordinate user set of the data, and generating a sibling user set which belongs to the same upper level as the user set of the data.
4. The data management method according to claim 1, wherein:
the tags correspond to a plurality of preset objects, and the preset objects have the same attribute and belong to different data resources;
the application for using the tag comprises an indication of a particular data resource of the different data resources and/or the data access request comprises an indication of the particular data resource;
the providing the content of the preset object corresponding to the tag to the authorized user comprises providing the content of the preset object corresponding to the tag in the specific data resource to the authorized user.
5. The data management method of claim 1, wherein the providing the content of the preset object corresponding to the tag to the authorized user comprises:
determining a record allowing access by the authorized user;
and providing the content of the preset object corresponding to the label in the record allowing the authorized user to access to the authorized user.
6. The data management method of claim 1, wherein the providing the content of the preset object corresponding to the tag to the authorized user comprises:
under the condition that the label belongs to a sensitive label, determining a corresponding desensitization rule, and processing the content of the preset object corresponding to the label according to the desensitization rule to obtain first desensitization data;
providing the first desensitization data to the authorized user.
7. The data management method of claim 1, wherein the providing the content of the preset object corresponding to the tag to the authorized user comprises:
determining a record allowing access by the authorized user;
in the case that the tag belongs to a sensitive tag, determining a corresponding desensitization rule;
processing the content of the preset object corresponding to the label in the record which is allowed to be accessed by the authorized user according to the desensitization rule to obtain second desensitization data;
providing the second desensitization data to the authorized user.
8. The data management method of claim 5 or 7, wherein the determining the record that the authorized user is allowed to access comprises:
determining a record allowing the authorized user to access according to the attribute value of the authorized user; or
And determining a record allowing the authorized user to access according to the category of the label and the attribute value of the authorized user.
9. The data management method of claim 6 or 7, wherein the determining the corresponding desensitization rule comprises:
determining the corresponding desensitization rule according to the grade of the label and/or the attribute value of the authorized user; and/or
And in the case that the authorized user belongs to the white list user set, performing no desensitization treatment.
10. The data management method according to claim 1, wherein:
the data comprises a physical table; and/or
The content of the preset object is a proper subset of the content of the physical table; and/or
The preset object is a field.
11. A method of data access, comprising:
displaying a label corresponding to a preset object in the data;
after a user obtains authorization to use the tag and becomes an authorized user, sending a data access request of the authorized user for using the tag;
and receiving the content of the preset object corresponding to the label.
12. The data access method of claim 11, wherein the user does not belong to a set of users that generated the data.
13. The data access method of claim 11, wherein:
the tags correspond to a plurality of preset objects, and the preset objects have the same attribute and belong to different data resources;
the application for using the tag comprises an indication of a particular data resource of the different data resources and/or the data access request comprises an indication of the particular data resource;
the receiving the content of the preset object corresponding to the tag comprises receiving the content of the preset object corresponding to the tag in the specific data resource.
14. The data access method of claim 11, wherein the receiving the content of the preset object corresponding to the tag comprises receiving any one of:
allowing the content of the preset object corresponding to the label in the record accessed by the authorized user;
processing the content of the preset object corresponding to the label according to a desensitization rule to obtain first desensitization data;
and processing second desensitization data obtained by allowing the content of the preset object corresponding to the label in the record accessed by the authorized user according to desensitization rules.
15. The data access method of claim 14, wherein:
the record allowing the authorized user to access is determined according to the attribute value of the authorized user or the category of the tag and the attribute value of the authorized user;
the desensitization rule is determined based on the rating of the tag and/or the attribute value of the authorized user.
16. The data access method of claim 11, wherein:
the data comprises a physical table; and/or
The content of the preset object is a proper subset of the content of the physical table; and/or
The preset object is a field.
17. The data access method of claim 11, further comprising:
and sending a user application for using the label.
18. A data management apparatus, comprising:
the establishing module is configured to establish a label corresponding to a preset object in the data;
an authorization module configured to authorize a user allowed to use the tag;
a providing module configured to provide the content of the preset object corresponding to the tag to an authorized user when a data access request using the tag is received from the authorized user who obtains authorization.
19. The data management device of claim 18, wherein:
the establishing of the label corresponding to the preset object comprises generating a corresponding label aiming at the preset object according to the indication of the user generating the user set of the data; and/or
The establishing of the label corresponding to the preset object comprises establishing a corresponding relation between the preset object and the corresponding label according to the indication of the user generating the user set of the data; and/or
The data management apparatus further includes: a receiving application module configured to receive a user application for using the tag; or receiving an application for using the tag from a user of the other user set.
20. The data management apparatus of claim 19, wherein the tag is initially a private tag that is visible only to a set of users that generated the data, the apparatus further comprising a conversion module configured to:
converting the private label to a public label, the public label being visible to the set of other users; or
Converting the private label into a public label, wherein the public range of the public label is set as any one or more of the following: generating all subordinate user sets of the user set of the data, generating a selected subordinate user set of the data, and generating a sibling user set which belongs to the same upper level as the user set of the data.
21. The data management device of claim 18, wherein:
the tags correspond to a plurality of preset objects, and the preset objects have the same attribute and belong to different data resources;
the application for using the tag comprises an indication of a particular data resource of the different data resources and/or the data access request comprises an indication of the particular data resource;
the providing the content of the preset object corresponding to the tag to the authorized user comprises providing the content of the preset object corresponding to the tag in the specific data resource to the authorized user.
22. The data management device of claim 18, wherein the providing the content of the preset object corresponding to the tag to the authorized user comprises:
determining a record allowing access by the authorized user;
and providing the content of the preset object corresponding to the label in the record allowing the authorized user to access to the authorized user.
23. The data management device of claim 18, wherein the providing the content of the preset object corresponding to the tag to the authorized user comprises:
in the case that the tag belongs to a sensitive tag, determining a corresponding desensitization rule;
processing the content of the preset object corresponding to the label according to the desensitization rule to obtain first desensitization data;
providing the first desensitization data to the authorized user.
24. The data management device of claim 18, wherein the providing the content of the preset object corresponding to the tag to the authorized user comprises:
determining a record allowing access by the authorized user;
in the case that the tag belongs to a sensitive tag, determining a corresponding desensitization rule;
processing the content of the preset object corresponding to the label in the record which is allowed to be accessed by the authorized user according to the desensitization rule to obtain second desensitization data;
providing the second desensitization data to the authorized user.
25. The data management device of claim 22 or 24, wherein the determining the record that the authorized user is allowed to access comprises:
determining a record allowing the authorized user to access according to the attribute value of the authorized user; or
And determining a record allowing the authorized user to access according to the category of the label and the attribute value of the authorized user.
26. The data management device of claim 23 or 24, wherein the determining the corresponding desensitization rule comprises:
determining the corresponding desensitization rule according to the grade of the label and/or the attribute value of the authorized user; and/or
And in the case that the authorized user belongs to the white list user set, performing no desensitization treatment.
27. The data management device of claim 18, wherein:
the data comprises a physical table; and/or
The content of the preset object is a proper subset of the content of the physical table; and/or
The preset object is a field.
28. A data access device, comprising:
a presentation module configured to present a tag corresponding to a preset object in data;
a first transmitting module configured to transmit a data access request of an authorized user using the tag after the user obtains authorization to use the tag to become an authorized user;
a receiving module configured to receive the content of the preset object corresponding to the tag.
29. The data access device of claim 28, wherein the user does not belong to a set of users that generated the data.
30. The data access device of claim 28, wherein:
the tags correspond to a plurality of preset objects, and the preset objects have the same attribute and belong to different data resources;
the application for using the tag comprises an indication of a particular data resource of the different data resources and/or the data access request comprises an indication of the particular data resource;
the receiving the content of the preset object corresponding to the tag comprises receiving the content of the preset object corresponding to the tag in the specific data resource.
31. The data access device of claim 28, wherein receiving the content of the preset object corresponding to the tag comprises receiving any one of:
allowing the content of the preset object corresponding to the label in the record accessed by the authorized user;
processing the content of the preset object corresponding to the label according to a desensitization rule to obtain first desensitization data;
and processing second desensitization data obtained by allowing the content of the preset object corresponding to the label in the record accessed by the authorized user according to desensitization rules.
32. The data access device of claim 31, wherein:
the record allowing the authorized user to access is determined according to the attribute value of the authorized user or the category of the tag and the attribute value of the authorized user;
the desensitization rules of the authorized user are determined based on the rating of the tag and/or the attribute values of the authorized user.
33. The data access device of claim 28, wherein;
the data comprises a physical table; and/or
The content of the preset object is a proper subset of the content of the physical table; and/or
The preset object is a field.
34. The data access device of claim 28, further comprising:
a second sending module configured to send a user application for using the tag.
35. An electronic device comprising a memory and a processor; wherein the memory is to store one or more computer instructions, wherein the one or more computer instructions are to be executed by the processor to implement the method steps of any of claims 1-17.
36. A readable storage medium having stored thereon computer instructions, characterized in that the computer instructions, when executed by a processor, carry out the method steps of any of claims 1-17.
CN201910465647.4A 2019-05-30 2019-05-30 Data management and access method, device, electronic equipment and readable storage medium Active CN112016116B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910465647.4A CN112016116B (en) 2019-05-30 2019-05-30 Data management and access method, device, electronic equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910465647.4A CN112016116B (en) 2019-05-30 2019-05-30 Data management and access method, device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN112016116A true CN112016116A (en) 2020-12-01
CN112016116B CN112016116B (en) 2025-08-19

Family

ID=73501976

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910465647.4A Active CN112016116B (en) 2019-05-30 2019-05-30 Data management and access method, device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN112016116B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113094560A (en) * 2021-05-07 2021-07-09 国家电网有限公司大数据中心 Data label library construction method, device, equipment and medium based on data middlebox

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1960313A (en) * 2005-11-03 2007-05-09 中兴通讯股份有限公司 Periphery devices of service provider of combining network address conversion, and method of application
US8463815B1 (en) * 2007-11-13 2013-06-11 Storediq, Inc. System and method for access controls
CN106295388A (en) * 2015-06-04 2017-01-04 中国移动通信集团山东有限公司 A kind of data desensitization method and device
CN106506521A (en) * 2016-11-28 2017-03-15 腾讯科技(深圳)有限公司 resource access control method and device
CN106789972A (en) * 2016-12-06 2017-05-31 郑州云海信息技术有限公司 Secret protection and secure access implementation based on distributed heterogeneous mass data
CN107342992A (en) * 2017-06-27 2017-11-10 努比亚技术有限公司 A kind of System right management method, apparatus and computer-readable recording medium
US10049317B1 (en) * 2010-02-01 2018-08-14 Impinj, Inc. RFID tags with public and private inventory states
CN108632032A (en) * 2018-02-22 2018-10-09 福州大学 The safe multi-key word sequence searching system of no key escrow
CN109033882A (en) * 2018-08-20 2018-12-18 北京广成同泰科技有限公司 A kind of safe dissemination method of retrospective big data and system
CN109063511A (en) * 2018-08-16 2018-12-21 深圳云安宝科技有限公司 Data access control method, device, proxy server and medium based on Web API
CN109150815A (en) * 2017-06-28 2019-01-04 阿里巴巴集团控股有限公司 Method for processing resource, device and machine readable media
CN109241358A (en) * 2018-08-14 2019-01-18 中国平安财产保险股份有限公司 Metadata management method, device, computer equipment and storage medium

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1960313A (en) * 2005-11-03 2007-05-09 中兴通讯股份有限公司 Periphery devices of service provider of combining network address conversion, and method of application
US8463815B1 (en) * 2007-11-13 2013-06-11 Storediq, Inc. System and method for access controls
US10049317B1 (en) * 2010-02-01 2018-08-14 Impinj, Inc. RFID tags with public and private inventory states
CN106295388A (en) * 2015-06-04 2017-01-04 中国移动通信集团山东有限公司 A kind of data desensitization method and device
CN106506521A (en) * 2016-11-28 2017-03-15 腾讯科技(深圳)有限公司 resource access control method and device
CN106789972A (en) * 2016-12-06 2017-05-31 郑州云海信息技术有限公司 Secret protection and secure access implementation based on distributed heterogeneous mass data
CN107342992A (en) * 2017-06-27 2017-11-10 努比亚技术有限公司 A kind of System right management method, apparatus and computer-readable recording medium
CN109150815A (en) * 2017-06-28 2019-01-04 阿里巴巴集团控股有限公司 Method for processing resource, device and machine readable media
CN108632032A (en) * 2018-02-22 2018-10-09 福州大学 The safe multi-key word sequence searching system of no key escrow
CN109241358A (en) * 2018-08-14 2019-01-18 中国平安财产保险股份有限公司 Metadata management method, device, computer equipment and storage medium
CN109063511A (en) * 2018-08-16 2018-12-21 深圳云安宝科技有限公司 Data access control method, device, proxy server and medium based on Web API
CN109033882A (en) * 2018-08-20 2018-12-18 北京广成同泰科技有限公司 A kind of safe dissemination method of retrospective big data and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
曹进;李培峰;朱巧明;钱培德;: "基于安全标签的多域安全访问控制模型", 计算机应用与软件, no. 01, 15 January 2015 (2015-01-15) *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113094560A (en) * 2021-05-07 2021-07-09 国家电网有限公司大数据中心 Data label library construction method, device, equipment and medium based on data middlebox

Also Published As

Publication number Publication date
CN112016116B (en) 2025-08-19

Similar Documents

Publication Publication Date Title
US11870882B2 (en) Data processing permits system with keys
Xu et al. An efficient privacy‐enhanced attribute‐based access control mechanism
Subbiah et al. A novel approach to view and modify data in cloud environment using attribute-based encryption
JP2012504274A (en) Technology for managing access to entity information of entities
JP2022544484A (en) Encrypted Knowledge Graph
JP2020064688A (en) Access management method, information processing device, program, and recording medium
JP4728610B2 (en) Access control list attachment system, original content creator terminal, policy server, original content data management server, program, and recording medium
JP2020528602A (en) Approval method to get form data based on role
Ali et al. SeSPHR: a methodology for secure sharing of personal health records in the cloud
US11909861B2 (en) Privately querying a database with private set membership using succinct filters
Aftab et al. Role-based ABAC model for implementing least privileges
Ikuomola et al. Securing patient privacy in e-health cloud using homomorphic encryption and access control
CN112016116A (en) Data management and access method, device, electronic equipment and readable storage medium
US7383576B2 (en) Method and system for displaying and managing security information
US9973339B1 (en) Anonymous cloud data storage and anonymizing non-anonymous storage
Yao et al. Online/offline attribute-based boolean keyword search for Internet of Things
US11824896B2 (en) Cross-service rulebook management in a dynamic and adversarial environment
Pervez et al. Privacy-aware relevant data access with semantically enriched search queries for untrusted cloud storage services
Balamurugan et al. Common cloud architecture for cloud interoperability
JP7399364B1 (en) Information management control device, information management control system, information management control method, and program
US20250148064A1 (en) Method and Device for Dynamic Access Control
US9613222B2 (en) Assigning access rights in enterprise digital rights management systems
Müldner et al. Parameterized role-based access control policies for XML documents
He et al. Fine-grained Access Control Scheme Supporting Cloud-assisted Write Permission Control in Cloud-aided E-Health System
Li et al. A New Transparent File Encryption Method Based on SM4 for Android Platform

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant