CN119720157A - Data access control method, device, equipment, medium and program product - Google Patents

Data access control method, device, equipment, medium and program product Download PDF

Info

Publication number
CN119720157A
CN119720157A CN202411928375.4A CN202411928375A CN119720157A CN 119720157 A CN119720157 A CN 119720157A CN 202411928375 A CN202411928375 A CN 202411928375A CN 119720157 A CN119720157 A CN 119720157A
Authority
CN
China
Prior art keywords
user
data
access
target
data access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411928375.4A
Other languages
Chinese (zh)
Inventor
唐一帆
李湘玲
栾杰
聂冬琴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202411928375.4A priority Critical patent/CN119720157A/en
Publication of CN119720157A publication Critical patent/CN119720157A/en
Pending legal-status Critical Current

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The application discloses a data access control method, a device, equipment, a medium and a program product; the method comprises the steps of receiving a data access request sent by a user, obtaining field-level data access rights of the user according to the data access request, wherein the data access rights comprise one or more target data tables which the user has rights to access and one or more target fields in each target data table, and controlling the user to access each target field in each target data table according to the field-level data access rights. The embodiment of the application can carry out fine control on data access, reduce the risk of data leakage and realize maximized data sharing.

Description

Data access control method, device, equipment, medium and program product
Technical Field
The embodiment of the application relates to the technical field of data security, in particular to a data access control method, a device, equipment, a medium and a program product.
Background
Data access control is an important component in the field of information security, and aims to ensure that information resources can only be accessed by authorized users in an authorized manner. Along with the fact that data become strategic resources and production elements of enterprises, the data security management and control capability becomes one of important indexes for measuring the competitive power of the enterprises. In order to ensure data security and reduce data leakage risk, the scope of access to enterprise data by users needs to be strictly controlled.
The existing data access control scheme is mainly based on the data table access approval records of users and the regional information of the users, and according to the granularity of a physical table, the data which can be queried by the users in the region of the physical table is realized. Because the granularity of the physical table is relatively large, fine control cannot be performed on data access, the risk of data leakage is relatively large, and maximized data sharing cannot be realized.
Disclosure of Invention
The application provides a data access control method, a device, equipment, a medium and a program product, which can carry out fine control on data access, reduce the risk of data leakage and realize maximized data sharing.
In a first aspect, an embodiment of the present application provides a data access control method, where the method includes:
Receiving a data access request sent by a user;
Acquiring field-level data access rights of the user according to the data access request, wherein the data access rights comprise one or more target data tables which the user has rights to access and one or more target fields in each target data table;
and controlling the user to access each target field in each target data table according to the field-level data access authority.
In a second aspect, the embodiment of the application also provides a data access control device, which comprises a request receiving module, a right acquiring module and an access control module, wherein,
The request receiving module is used for receiving a data access request sent by a user;
The permission acquisition module is used for acquiring field-level data access permission of the user according to the data access request, wherein the data access permission comprises one or more target data tables which the user has permission to access and one or more target fields in each target data table;
and the access control module is used for controlling the user to access each target field in each target data table according to the field-level data access authority.
In a third aspect, an embodiment of the present application provides an electronic device, including:
One or more processors;
A memory for storing one or more programs,
The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the data access control method according to any of the embodiments of the present application.
In a fourth aspect, an embodiment of the present application provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the data access control method according to any embodiment of the present application.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the data access control method according to any of the embodiments of the present application.
The embodiment of the application provides a data access control method, a device, equipment, a medium and a program product, which are used for firstly receiving a data access request sent by a user, then acquiring field-level data access rights of the user according to the data access request, wherein the data access rights comprise one or more target data tables which the user has rights to access and one or more target fields in each target data table, and then controlling the user to access each target field in each target data table according to the field-level data access rights. That is, in the technical solution of the present application, the data access authority of the user may be a granularity of a field level, so that the user may access only a part of fields in a certain data table. In the prior art, users can only access the whole data table, and because the granularity of the physical table is larger, the data access cannot be finely controlled, the risk of data leakage is larger, and the maximized data sharing cannot be realized. Compared with the prior art, the data access control method, the device, the equipment, the medium and the program product provided by the embodiment of the application can carry out fine control on data access, reduce the risk of data leakage and realize maximized data sharing, and the technical scheme of the embodiment of the application is simple and convenient to realize, convenient to popularize and wider in application range.
Drawings
FIG. 1 is a flow chart of a data access control method according to an embodiment of the present application;
FIG. 2 is a flow chart of a data access control method according to another embodiment of the present application;
FIG. 3 is a flowchart illustrating a data access control method according to another embodiment of the present application;
fig. 4 is a schematic structural diagram of a data access control device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present application are shown in the drawings.
Fig. 1 is a schematic flow chart of a data access control method according to an embodiment of the present application, where the method may be performed by a data access control device or an electronic device, and the device or the electronic device may be implemented by software and/or hardware, and the device or the electronic device may be integrated into any intelligent device having a network communication function. As shown in fig. 1, the data access control method may include the steps of:
S101, receiving a data access request sent by a user.
In one embodiment, the data query statement submitted by the user may be received directly and then rewritten to the data access request. In this case, the user may directly input an SQL query statement or other structured query language. The system needs to ensure 1) security against security risks such as SQL injection, ensuring that all inputs are properly escaped or parameterized queries are used. 2) Grammar verification, checking whether the query statement meets the expected grammar specification. 3) Rights control, confirming that the user has rights to perform a particular type of query and restricting access to sensitive data. 4) Performance optimization-queries are analyzed and possibly optimized to improve efficiency. Once the query statement passes the above-described checks, it can be sent directly to the database for processing, or modified slightly as needed to accommodate the internal data model and structure.
In another embodiment, the data query statement input by the user can also be received through the intelligent question-answering system, and the data query statement is rewritten into the data access request through the intelligent question-answering system. This process is more complex because it involves natural language processing techniques to understand the user's intent and translate it into an efficient data access request. This step typically includes 1) natural language parsing, which uses natural language processing algorithms to understand the user's query intent. This may involve techniques of word segmentation, part-of-speech tagging, entity identification, syntactic analysis, etc. 2) Intent recognition, determining the type of operation that the user wants to perform, e.g., retrieve, update, delete, etc. 3) Query rewrite, constructing one or more candidate queries based on user intent. This may require mapping to a predefined schema or template to generate the correct SQL or other form of query statement. 4) Context management-maintaining dialog states to handle continuous queries in multiple rounds of interactions, such as when a user progressively refines their needs in a series of related questions.
S102, acquiring field-level data access rights of a user according to a data access request, wherein the data access rights comprise one or more target data tables which the user has rights to access and one or more target fields in each target data table.
In the step, the basic information of the user and the basic information of one or more target data tables which the user has permission to access can be extracted from the data access request, and then the field-level data access permission of the user is generated according to the pre-constructed data registration table, the basic information of the user and the basic information of one or more target data tables which the user has permission to access.
S103, controlling the user to access each target field in each target data table according to the field-level data access authority.
In one embodiment, the user authorization control parameter information can be extracted from the field-level data access authority control, if the information storage form of each target data table is a horizontal table form, each target data table can be associated with the user authorization control parameter information to generate temporary views corresponding to each horizontal table-form target data table, and then the temporary views corresponding to each horizontal table-form target data table are used for controlling the user to access each target field in each target data table.
In another embodiment, the user authorization control parameter information may be extracted from the field-level data access authority control, if the information storage form of each target data table is a vertical table form, each target data table may be associated with the user authorization control parameter information to generate temporary views corresponding to each vertical table form target data table, and then the temporary views corresponding to each vertical table form target data table are used to control the user to access each target field in each target data table.
The data access control method provided by the embodiment of the application firstly receives a data access request sent by a user, then obtains the field-level data access permission of the user according to the data access request, wherein the data access permission comprises one or more target data tables which the user has permission to access and one or more target fields in each target data table, and then controls the user to access each target field in each target data table according to the field-level data access permission. That is, in the technical solution of the present application, the data access authority of the user may be a granularity of a field level, so that the user may access only a part of fields in a certain data table. In the prior art, users can only access the whole data table, and because the granularity of the physical table is larger, the data access cannot be finely controlled, the risk of data leakage is larger, and the maximized data sharing cannot be realized. Compared with the prior art, the data access control method provided by the embodiment of the application can carry out fine control on data access, reduce the risk of data leakage and realize maximized data sharing, and the technical scheme of the embodiment of the application is simple and convenient to realize, convenient to popularize and wider in application range.
Fig. 2 is a flowchart of a data access control method according to another embodiment of the present application. Further optimization and expansion based on the above technical solution can be combined with the above various alternative embodiments. As shown in fig. 2, the data access control method may include the steps of:
S201, receiving a data access request sent by a user.
In one embodiment, the data query statement submitted by the user may be received directly and then rewritten to the data access request. The user may directly express complex query requirements without being limited to predefined query formats or options. For users familiar with SQL or other query languages, the user can write query sentences directly to obtain the required information more quickly, and the interaction process with a question-answering system is avoided. The user can accurately specify query conditions, ordering rules, aggregation functions and the like, and ensure that the obtained data completely meets the expectations.
In another embodiment, the data query statement input by the user can also be received through the intelligent question-answering system, and the data query statement is rewritten into the data access request through the intelligent question-answering system. For non-technical personnel or users unfamiliar with query language, the intelligent question-answering system driven by natural language processing provides a more friendly interface, reduces the use threshold of users, can help users to construct correct query sentences through the functions of contextual understanding, grammar checking and the like, so as to reduce query failures caused by grammar or logic errors, and can gradually guide the users to complete query construction according to user input, and particularly provide useful prompts and suggestions when the users are uncertain how to accurately express query intention. And the intelligent question-answering system can automatically optimize the query, recommend the most commonly used query mode according to the history record and the user behavior, and improve the working efficiency.
S202, acquiring field-level data access rights of a user according to a data access request, wherein the data access rights comprise one or more target data tables which the user has rights to access and one or more target fields in each target data table.
In the step, the basic information of the user and the basic information of one or more target data tables which the user has permission to access can be extracted from the data access request, and then the field-level data access permission of the user is generated according to the pre-constructed data registration table, the basic information of the user and the basic information of one or more target data tables which the user has permission to access. The field level access control allows administrators to provide accurate access rights to different users, ensuring that users can only see the data they should see, thus reducing the risk of sensitive data leakage. For businesses that need to comply with strict regulations, field level rights control helps ensure that businesses only process personal data if allowed by law, thereby helping to meet compliance requirements. And, limiting the user's access to a particular field can also reduce the amount of data returned by database queries, thereby improving the system response speed and efficiency.
Further, the method comprises the steps of acquiring one or more target fields which are authorized to be accessed by a user in each target data table from a data registration table according to the basic information of the user and the basic information of one or more target data tables which are authorized to be accessed by the user, and generating the field-level data access authorization of the user according to the one or more target fields which are authorized to be accessed in each target data table. By severely limiting the minimum range of fields that a user can only access for his work, the risk of sensitive data exposure is minimized. Even if the system is under attack, it is difficult for an attacker to obtain complete information. For data sheets containing personal identity information or other sensitive information, field level permissions ensure that only authorized personnel can access the information, helping to comply with privacy regulations and internal policies. Users with different roles can be given different field access rights, so that the responsibility separation principle is ensured to be implemented, and the possibility of misoperation or malicious behavior is reduced.
S203, extracting user authorization control parameter information from field-level data access authority control.
In field-level data access rights control, extracting user authorization control parameter information is a key step to ensure that the system can perform rights checking correctly. Such parameter information typically includes, but is not limited to, 1) User Identity (User Identity), user ID or User name, user role or User group. 2) Target Resource (Target Resource) data Table Name (Table Name), field Name (FIELD NAMES). 3) Operation Type (Operation Type): read, write, delete. 4) Permission Level (Permission Level) whether an operation (Permission/Deny) is allowed, the scope of Permission (global, specific record, specific time period, etc.). 5) Conditions and constraints (Conditions and Constraints) there may be additional conditions such as time-based validity, certain attribute values of the data line, etc.
S204, if the information storage form of each target data table is a transverse table form, associating each target data table with the user authorization control parameter information, and generating a temporary view corresponding to each transverse table form target data table.
The transverse table in the embodiment of the present application refers to a data table structure in which each record (row) includes a plurality of fields (columns). This structure is suitable for the case where the number of attributes recorded per line is relatively fixed and small. The traverse table generally contains a large number of fields, and the indexes or tag names related to a plurality of business topics are used as field names, and each row of data contains all related attributes and is stored in the same data table. The access authority control of the user field level can be realized by correlating the physical table in the query Sql with the user authorization control parameter information to form a temporary view and replacing the access of the original physical table in the Sql by the temporary view, and the rewritten samples are as follows:
Temporary view corresponding to Database1.M01_AAA_BBB (Cross Table)
Select
CASE WHEN UPPER(T2.ColName)='ASSET_IN'THEN T1.ASSET_IN ELSE'*'END AS ASSET_IN
,CASE WHEN UPPER(T2.ColName)='ASSET_OUT'THEN T1.ASSET_OUT'*'END AS ASSET_OUT
,T1.DATA_DT
From Database1.M01_AAA_BBB T1
inner join
(SELECT
CONCAT_WS('#',COLLECT_SET(ColName))AS ColName
FROM user_ctrl/USER authorization control parameter information table
WHERE DataBaseType='HADOOP'
AND DataBase='Database1'
AND TABLE_NAME='M01_AAA_BBB'
AND UserID = current_user ()/-user ID
)T2
ON 1=1。
S205, using temporary views corresponding to the target data tables in the form of the transverse tables to control the user to access each target field in each target data table.
Through the temporary view, users can be precisely restricted from accessing only the fields and records they are authorized to access. Even if the underlying database structure changes or sensitive data exists, the temporary view ensures that the user sees only a particular data set, thereby enhancing the security of the data. The temporary view may optimize the query logic as needed, reducing unnecessary data processing and transmission. For example, the view may pre-compute some aggregate results or filter out irrelevant rows, thereby speeding up the query and improving system performance. For scenarios where complex queries need to be performed, such as connections involving multiple tables, sub-queries, etc., views may encapsulate these complex logic, making the end-user's query simpler and more transparent. And moreover, the temporary view can be dynamically generated according to the role of the user and only contains the field which the user has permission to access, so that fine-granularity field-level access control is realized, and the safety and privacy protection are further improved.
The data access control method provided by the embodiment of the application firstly receives a data access request sent by a user, then obtains the field-level data access permission of the user according to the data access request, wherein the data access permission comprises one or more target data tables which the user has permission to access and one or more target fields in each target data table, and then controls the user to access each target field in each target data table according to the field-level data access permission. That is, in the technical solution of the present application, the data access authority of the user may be a granularity of a field level, so that the user may access only a part of fields in a certain data table. In the prior art, users can only access the whole data table, and because the granularity of the physical table is larger, the data access cannot be finely controlled, the risk of data leakage is larger, and the maximized data sharing cannot be realized. Compared with the prior art, the data access control method provided by the embodiment of the application can carry out fine control on data access, reduce the risk of data leakage and realize maximized data sharing, and the technical scheme of the embodiment of the application is simple and convenient to realize, convenient to popularize and wider in application range.
Fig. 3 is a flowchart illustrating a data access control method according to still another embodiment of the present application. Further optimization and expansion based on the above technical solution can be combined with the above various alternative embodiments. As shown in fig. 3, the data access control method may include the steps of:
S301, receiving a data access request sent by a user.
In one embodiment, the data query statement submitted by the user may be received directly and then rewritten to the data access request. In another embodiment, the data query statement input by the user can also be received through the intelligent question-answering system, and the data query statement is rewritten into the data access request through the intelligent question-answering system.
S302, acquiring field-level data access rights of a user according to a data access request, wherein the data access rights comprise one or more target data tables which the user has rights to access and one or more target fields in each target data table.
In the step, the basic information of the user and the basic information of one or more target data tables which the user has permission to access can be extracted from the data access request, and then the field-level data access permission of the user is generated according to the pre-constructed data registration table, the basic information of the user and the basic information of one or more target data tables which the user has permission to access.
Further, the method comprises the steps of acquiring one or more target fields which are authorized to be accessed by a user in each target data table from a data registration table according to the basic information of the user and the basic information of one or more target data tables which are authorized to be accessed by the user, and generating the field-level data access authorization of the user according to the one or more target fields which are authorized to be accessed in each target data table.
S303, extracting user authorization control parameter information from field-level data access authority control.
In field-level data access rights control, extracting user authorization control parameter information is a key step to ensure that the system can perform rights checking correctly. Such parameter information typically includes, but is not limited to, 1) User Identity (User Identity), user ID or User name, user role or User group. 2) Target Resource (Target Resource) data Table Name (Table Name), field Name (FIELD NAMES). 3) Operation Type (Operation Type): read, write, delete. 4) Permission Level (Permission Level) whether an operation (Permission/Deny) is allowed, the scope of Permission (global, specific record, specific time period, etc.). 5) Conditions and constraints (Conditions and Constraints) there may be additional conditions such as time-based validity, certain attribute values of the data line, etc.
S304, if the information storage form of each target data table is a vertical table form, associating each target data table with the user authorization control parameter information, and generating a temporary view corresponding to each vertical table form target data table.
The vertical table in the embodiment of the application refers to a data table structure for splitting a plurality of attributes originally in the same row into a plurality of rows for representation. Such structures are common in situations where flexible addition of attributes or very large numbers of attributes are required. Vertical tables are non-conventional table structure designs featuring attributes stored as rows rather than columns, and generally include three fields, entity ID, attribute name, and attribute value. The access authority control of the user field level can be realized by associating the physical table in the query Sql with the user authorization control parameter information to form a temporary view, replacing the access of the original physical table in the Sql with the temporary view, and replacing the access of the original physical table in the Sql with the temporary view, wherein the rewritten sample is as follows:
Temporary view corresponding to database3.m01_ccc_dd (vertical table):
SELECT
index_name/. About.attribute Name
Index_value/attribute Value
,data_dt
FROM Database2.M01_CCC_DDD T1
inner join
(SELECT
ColName
FROM user_ctrl/. About.user authorization control parameter information table
WHERE DataBaseType='HADOOP'
AND DataBase='Database2'
AND Table_Name='M01_CCC_DDD'
AND userid=current_user ()/user ID /) T2
ON T1.Index_Name=T2.ColName。
S305, using temporary views corresponding to the target data tables in the form of vertical tables to control the user to access each target field in each target data table.
The field-level data authorization capability can meet the requirement of most data authorization in the field of big data service, and realize the requirement of service personnel on the fine data control right, on one hand, the agreement of account and reality of data management is practically realized, the data used by a user and the data permitted to be used are ensured to be consistent, on the other hand, under the scene that the user only needs to use a few fields in a physical table in practice, the service is prevented from directly rejecting the data authorization application of the user because of worry about amplifying the data use right through the realization of fine authorization, and the maximized data sharing is facilitated.
The data access control method provided by the embodiment of the application firstly receives a data access request sent by a user, then obtains the field-level data access permission of the user according to the data access request, wherein the data access permission comprises one or more target data tables which the user has permission to access and one or more target fields in each target data table, and then controls the user to access each target field in each target data table according to the field-level data access permission. That is, in the technical solution of the present application, the data access authority of the user may be a granularity of a field level, so that the user may access only a part of fields in a certain data table. In the prior art, users can only access the whole data table, and because the granularity of the physical table is larger, the data access cannot be finely controlled, the risk of data leakage is larger, and the maximized data sharing cannot be realized. Compared with the prior art, the data access control method provided by the embodiment of the application can carry out fine control on data access, reduce the risk of data leakage and realize maximized data sharing, and the technical scheme of the embodiment of the application is simple and convenient to realize, convenient to popularize and wider in application range.
Fig. 4 is a schematic structural diagram of a data access control device according to an embodiment of the present application. As shown in fig. 4, the data access control apparatus includes a request receiving module 401, a right acquiring module 402, and an access control module 403, wherein,
The request receiving module 401 is configured to receive a data access request sent by a user;
the permission acquisition module 402 is configured to acquire field-level data access permission of the user according to the data access request, where the data access permission includes one or more target data tables to which the user has permission to access and one or more target fields in each target data table;
The access control module 403 is configured to control the user to access each target field in each target data table according to the field-level data access right.
The data access control device can execute the method provided by any embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. Technical details not described in detail in this embodiment may be referred to the data access control method provided in any embodiment of the present application.
The embodiment of the invention also provides a computer program product.
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer program products, which may include one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special or general purpose programmable processor, operable to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application, and referring to fig. 5, the electronic device 12 shown in fig. 5 is merely an example, and should not be construed to limit the functions and the application scope of the embodiment of the present application. As shown in fig. 5, the electronic device 12 is in the form of a general purpose computing device. The components of the electronic device 12 may include, but are not limited to, one or more processors or processing units 16, a system memory 28, and a bus 18 that connects the various system components, including the system memory 28 and the processing units 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, micro channel architecture (MAC) bus, enhanced ISA bus, video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 12 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by electronic device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The electronic device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, commonly referred to as a "hard disk drive"). Although not shown in fig. 5, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the application.
Program/utility 40 having a set (at least one) of program modules 46 may be stored in, for example, memory 28, such program modules 46 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 46 generally perform the functions and/or methods of the embodiments described herein.
The electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with the electronic device 12, and/or any devices (e.g., network card, modem, etc.) that enable the electronic device 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Also, the electronic device 12 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through a network adapter 20. As shown, the network adapter 20 communicates with other modules of the electronic device 12 over the bus 18. It should be appreciated that although not shown in FIG. 5, other hardware and/or software modules may be used in connection with electronic device 12, including, but not limited to, microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running a program stored in the system memory 28, for example, to implement a data access control method provided by an embodiment of the present invention, where the data access control method includes receiving a data access request sent by a user, and obtaining a field-level data access right of the user according to the data access request, where the data access right includes one or more target data tables to which the user has permission to access and one or more target fields in each target data table, and controlling the user to access each target field in each target data table according to the field-level data access right.
The embodiment of the invention provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements a data access control method as provided by all the embodiments of the invention, and the method comprises the steps of receiving a data access request sent by a user; the method comprises the steps of acquiring field-level data access rights of a user according to the data access request, wherein the data access rights comprise one or more target data tables which the user has rights to access and one or more target fields in each target data table, and controlling the user to access each target field in each target data table according to the field-level data access rights. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic device, apparatus, or device of electronic, magnetic, optical, electromagnetic, infrared, or semiconductor, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution electronic device, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution electronic device, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (10)

1.一种数据访问控制方法,其特征在于,所述方法包括:1. A data access control method, characterized in that the method comprises: 接收用户发送的数据访问请求;Receive data access requests sent by users; 根据所述数据访问请求获取所述用户的字段级的数据访问权限;其中,所述数据访问权限包括:所述用户有权限访问的一个或者多个目标数据表以及各个目标数据表中的一个或者多个目标字段;Acquire the field-level data access permission of the user according to the data access request; wherein the data access permission includes: one or more target data tables that the user has permission to access and one or more target fields in each target data table; 根据所述字段级的数据访问权限控制所述用户对各个目标数据表中的各个目标字段进行访问。The user's access to each target field in each target data table is controlled according to the field-level data access authority. 2.根据权利要求1所述的方法,其特征在于,根据所述数据访问请求获取所述用户的字段级的数据访问权限,包括:2. The method according to claim 1, characterized in that obtaining the field-level data access permission of the user according to the data access request comprises: 在所述数据访问请求中提取出所述用户的基本信息和所述用户有权限访问的一个或者多个目标数据表的基本信息;Extracting basic information of the user and basic information of one or more target data tables that the user has the authority to access from the data access request; 根据预先构建的数据登记表以及所述用户的基本信息和所述用户有权限访问的一个或者多个目标数据表的基本信息,生成所述用户的字段级的数据访问权限。The field-level data access permission of the user is generated according to the pre-built data registration table, the basic information of the user, and the basic information of one or more target data tables that the user has the permission to access. 3.根据权利要求2所述的方法,其特征在于,根据预先构建的数据登记表以及所述用户的基本信息和所述用户有权限访问的一个或者多个目标数据表的基本信息,生成所述用户的字段级的数据访问权限,包括:3. The method according to claim 2, characterized in that the field-level data access permissions of the user are generated according to the pre-built data registration form and the basic information of the user and the basic information of one or more target data tables that the user has the right to access, comprising: 根据所述用户的基本信息和所述用户有权限访问的一个或者多个目标数据表的基本信息,在所述数据登记表中获取所述用户在各个目标数据表中有权限访问的一个或者多个目标字段;According to the basic information of the user and the basic information of one or more target data tables that the user has the right to access, obtaining one or more target fields that the user has the right to access in each target data table in the data registration table; 根据所述在各个目标数据表中有权限访问的一个或者多个目标字段,生成所述用户的字段级的数据访问权限。The field-level data access permission of the user is generated according to the one or more target fields in each target data table that have access permission. 4.根据权利要求1所述的方法,其特征在于,接收用户发送的数据访问请求,包括:4. The method according to claim 1, wherein receiving a data access request sent by a user comprises: 接收所述用户提交的数据查询语句,将所述数据查询语句改写为所述数据访问请求;或者,通过智能问答系统接收所述用户输入的数据查询语句,通过所述智能问答系统将所述数据查询语句改写为所述数据访问请求。Receive the data query statement submitted by the user, and rewrite the data query statement into the data access request; or, receive the data query statement input by the user through an intelligent question-answering system, and rewrite the data query statement into the data access request through the intelligent question-answering system. 5.根据权利要求1所述的方法,其特征在于,根据所述字段级的数据访问权限控制所述用户对各个目标数据表中的各个目标字段进行访问,包括:5. The method according to claim 1, characterized in that controlling the user's access to each target field in each target data table according to the field-level data access permission comprises: 在所述字段级的数据访问权限控制中提取出用户授权控制参数信息;Extracting user authorization control parameter information from the field-level data access permission control; 若各个目标数据表的信息存储形式为横表形式,则将各个目标数据表与所述用户授权控制参数信息相关联,生成各个横表形式的目标数据表所对应的临时视图;If the information storage form of each target data table is a horizontal table form, then each target data table is associated with the user authorization control parameter information to generate a temporary view corresponding to each target data table in the horizontal table form; 使用各个横表形式的目标数据表所对应的临时视图,控制所述用户对各个目标数据表中的各个目标字段进行访问。The temporary views corresponding to the target data tables in the horizontal table format are used to control the user to access the target fields in the target data tables. 6.根据权利要求1所述的方法,其特征在于,根据所述字段级的数据访问权限控制所述用户对各个目标数据表中的各个目标字段进行访问,包括:6. The method according to claim 1, characterized in that controlling the user's access to each target field in each target data table according to the field-level data access permission comprises: 在所述字段级的数据访问权限控制中提取出用户授权控制参数信息;Extracting user authorization control parameter information from the field-level data access permission control; 若各个目标数据表的信息存储形式为竖表形式,则将各个目标数据表与所述用户授权控制参数信息相关联,生成各个竖表形式的目标数据表所对应的临时视图;If the information storage form of each target data table is a vertical table form, then each target data table is associated with the user authorization control parameter information to generate a temporary view corresponding to each target data table in the vertical table form; 使用各个竖表形式的目标数据表所对应的临时视图,控制所述用户对各个目标数据表中的各个目标字段进行访问。The temporary views corresponding to the target data tables in the form of vertical tables are used to control the user to access the target fields in the target data tables. 7.一种数据访问控制装置,其特征在于,所述装置包括:请求接收模块、权限获取模块和访问控制模块;其中,7. A data access control device, characterized in that the device comprises: a request receiving module, a permission obtaining module and an access control module; wherein, 所述请求接收模块,用于接收用户发送的数据访问请求;The request receiving module is used to receive a data access request sent by a user; 所述权限获取模块,用于根据所述数据访问请求获取所述用户的字段级的数据访问权限;其中,所述数据访问权限包括:所述用户有权限访问的一个或者多个目标数据表以及各个目标数据表中的一个或者多个目标字段;The permission acquisition module is used to acquire the field-level data access permission of the user according to the data access request; wherein the data access permission includes: one or more target data tables that the user has permission to access and one or more target fields in each target data table; 所述访问控制模块,用于根据所述字段级的数据访问权限控制所述用户对各个目标数据表中的各个目标字段进行访问。The access control module is used to control the user's access to each target field in each target data table according to the field-level data access permission. 8.一种电子设备,其特征在于,包括:8. An electronic device, comprising: 一个或多个处理器;one or more processors; 存储器,用于存储一个或多个程序,a memory for storing one or more programs, 当所述一个或多个程序被所述一个或多个处理器执行,使得所述一个或多个处理器实现如权利要求1至6中任一项所述的数据访问控制方法。When the one or more programs are executed by the one or more processors, the one or more processors implement the data access control method according to any one of claims 1 to 6. 9.一种存储介质,其上存储有计算机程序,其特征在于,该程序被处理器执行时实现如权利要求1至6中任一项所述的数据访问控制方法。9. A storage medium having a computer program stored thereon, wherein when the program is executed by a processor, the data access control method according to any one of claims 1 to 6 is implemented. 10.一种计算机程序产品,包括计算机程序,其特征在于,所述计算机程序在被处理器执行时实现如权利要求1至6中任一项所述的数据访问控制方法。10. A computer program product, comprising a computer program, wherein the computer program implements the data access control method according to any one of claims 1 to 6 when executed by a processor.
CN202411928375.4A 2024-12-25 2024-12-25 Data access control method, device, equipment, medium and program product Pending CN119720157A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411928375.4A CN119720157A (en) 2024-12-25 2024-12-25 Data access control method, device, equipment, medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411928375.4A CN119720157A (en) 2024-12-25 2024-12-25 Data access control method, device, equipment, medium and program product

Publications (1)

Publication Number Publication Date
CN119720157A true CN119720157A (en) 2025-03-28

Family

ID=95074758

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411928375.4A Pending CN119720157A (en) 2024-12-25 2024-12-25 Data access control method, device, equipment, medium and program product

Country Status (1)

Country Link
CN (1) CN119720157A (en)

Similar Documents

Publication Publication Date Title
US9811683B2 (en) Context-based security screening for accessing data
KR101976220B1 (en) Recommending data enrichments
US10579619B2 (en) Validation of query plan
US8914323B1 (en) Policy-based data-centric access control in a sorted, distributed key-value data store
US10180984B2 (en) Pivot facets for text mining and search
US9158814B2 (en) Obtaining partial results from a database query
US9875364B2 (en) Multi-focused fine-grained security framework
US8782777B2 (en) Use of synthetic context-based objects to secure data stores
US8214382B1 (en) Database predicate constraints on structured query language statements
US9552411B2 (en) Trending suggestions
US9646048B2 (en) Declarative partitioning for data collection queries
CN110888839A (en) Data storage and data search method and device
CN114580008B (en) Document access control based on document component layout
CN119720157A (en) Data access control method, device, equipment, medium and program product
CN118972403B (en) Data sharing method, device and system
CN117932645B (en) A tenant management method, device and readable storage medium for distributed database
CN114201497B (en) Resource retrieval method, device, electronic device and storage medium
US20250086391A1 (en) Techniques for using generative artificial intelligence to formulate search answers
US11496444B1 (en) Enforcing access control to resources of an indexing system using resource paths
CN119149788A (en) Resource access control method, device, electronic equipment, storage medium and program product
CN116049222A (en) Verification method and device for database access request, electronic equipment and storage medium
CN117332400A (en) User authority checking method, device, electronic equipment and readable storage medium
CN116561803A (en) Security policy information processing method, device, equipment and storage medium
Mátyás et al. A novel data storage logic in the cloud

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
OSZAR »