技术领域technical field
本申请涉及数据管理技术领域,特别涉及一种存储数据的访问管理方法及系统。The present application relates to the technical field of data management, in particular to a storage data access management method and system.
背景技术Background technique
随着数据量的日益增长,怎样对存储的数据进行管理和保护逐渐越发被人们重视。With the increasing amount of data, how to manage and protect the stored data has been paid more and more attention.
在传统的分布式存储数据访问管理系统中,一般是通过基于角色的访问控制来限制用户使用权限的,即,在设定伊始,就赋予不同的用户以不同的访问权限,但是在大规模的分布式存储系统中,在完成用户、角色和权限的指派过程中需要很大的工作量,会降低访问控制的效率,同时会耗费大量的时间,人工操作的过程中还存在着遗漏或者出错的风险。In traditional distributed storage data access management systems, user access rights are generally limited through role-based access control, that is, different users are given different access rights at the beginning of setting, but in large-scale In a distributed storage system, a large amount of work is required to complete the assignment of users, roles, and permissions, which will reduce the efficiency of access control and consume a lot of time. There are still omissions or errors in the manual operation process. risk.
所以,如何提供一种无需手动指派、更加科学、更加准确以及更小的工作量的存储数据访问管理机制是本领域技术人员亟待解决的问题。Therefore, how to provide a storage data access management mechanism that does not require manual assignment, is more scientific, more accurate, and requires less workload is an urgent problem to be solved by those skilled in the art.
发明内容Contents of the invention
本申请的目的是提供一种存储数据的访问管理方法及系统,其无需管理人员手动为每位用户进行权限的分配,能够自动判别用户的权限范围,更加准确的对用户权限进行管理,降低了手动操作的出错几率,提高了工作效率。The purpose of this application is to provide a method and system for access management of stored data, which does not require managers to manually assign permissions to each user, can automatically determine the scope of user permissions, manage user permissions more accurately, and reduce The probability of error in manual operation improves work efficiency.
为解决上述技术问题,本申请提供一种存储数据的访问管理方法,该访问管理方法包括:In order to solve the above technical problems, this application provides an access management method for stored data, the access management method includes:
根据用户的登陆信息获取所述用户的权限信息;Obtain permission information of the user according to the login information of the user;
利用所述权限信息判断所述用户是否拥有数据读写权限;Using the authority information to determine whether the user has data read and write authority;
若所述用户拥有读写权限,则利用所述权限信息对所述用户上传的数据进行加密、对下载的数据进行解密。If the user has read and write permissions, the permission information is used to encrypt the data uploaded by the user and decrypt the downloaded data.
可选的,根据用户的登陆信息获取所述用户的权限信息,包括:Optionally, acquire permission information of the user according to the login information of the user, including:
获取所述用户的所述权限信息,并将所述权限信息与所述用户的特征信息的对应关系保存在数据库中;Obtaining the authority information of the user, and storing the corresponding relationship between the authority information and the characteristic information of the user in a database;
从所述用户的所述登陆信息中提取得到所述特征信息;extracting the characteristic information from the login information of the user;
利用所述特征信息以及所述对应关系在所述数据库中查得所述权限信息。The permission information is searched in the database by using the characteristic information and the corresponding relationship.
可选的,利用所述权限信息对所述用户上传的数据进行加密、对下载的数据进行解密,包括:Optionally, using the permission information to encrypt the data uploaded by the user and decrypt the downloaded data includes:
将所述权限信息按预设方式生成加密因子;generating an encryption factor for the permission information in a preset manner;
将所述加密因子写入加密算法,得到新加密算法;Writing the encryption factor into an encryption algorithm to obtain a new encryption algorithm;
利用所述新加密算法对所述用户上传的数据进行加密、对下载的数据进行解密。The new encryption algorithm is used to encrypt the data uploaded by the user, and to decrypt the downloaded data.
可选的,该访问管理方法还包括:Optionally, the access management method also includes:
当检测到所述用户至少连续三次访问未拥有权限的数据,则通过预设路径将所述用户的所述特征信息发送给管理员。When it is detected that the user accesses the data without permission for at least three consecutive times, the characteristic information of the user is sent to the administrator through a preset path.
本申请还提供了一种存储数据的访问管理系统,该访问管理系统包括:The present application also provides an access management system for storing data, the access management system comprising:
权限信息获取单元,用于根据用户的登陆信息获取所述用户的权限信息;an authority information acquiring unit, configured to acquire authority information of the user according to the login information of the user;
判断单元,用于利用所述权限信息判断所述用户是否拥有数据读写权限;A judging unit, configured to use the permission information to judge whether the user has data read and write permission;
处理单元,用于若拥有读写权限,则利用所述权限信息对所述用户上传的数据进行加密、对下载的数据进行解密。The processing unit is configured to use the permission information to encrypt the data uploaded by the user and decrypt the downloaded data if the user has the read-write permission.
可选的,所述权限信息获取单元包括:Optionally, the authority information acquisition unit includes:
权限信息保存子单元,用于获取所述用户的所述权限信息,并将所述权限信息与所述用户的特征信息的对应关系保存在数据库中;a permission information saving subunit, configured to acquire the permission information of the user, and store the corresponding relationship between the permission information and the user's feature information in a database;
特征信息提取子单元,用于从所述用户的所述登陆信息中提取得到所述特征信息;A feature information extraction subunit, configured to extract the feature information from the login information of the user;
查询子单元,用于利用所述特征信息以及所述对应关系在所述数据库中查得所述权限信息。The query subunit is configured to use the characteristic information and the corresponding relationship to query the permission information in the database.
可选的,所述处理单元包括:Optionally, the processing unit includes:
加密因子生成子单元,用于将所述权限信息按预设方式生成加密因子;An encryption factor generating subunit, configured to generate an encryption factor from the permission information in a preset manner;
新加密算法生成子单元,用于将所述加密因子写入加密算法,得到新加密算法;A new encryption algorithm generation subunit is used to write the encryption factor into the encryption algorithm to obtain a new encryption algorithm;
加密解密子单元,用于利用所述新加密算法对所述用户上传的数据进行加密、对下载的数据进行解密。The encryption and decryption subunit is configured to use the new encryption algorithm to encrypt the data uploaded by the user and decrypt the downloaded data.
可选的,该访问管理系统还包括:Optionally, the access management system also includes:
异常通知单元,用于当检测到所述用户至少连续三次访问未拥有权限的数据,则通过预设路径将所述用户的所述特征信息发送给管理员。The abnormality notification unit is configured to send the feature information of the user to an administrator through a preset path when it is detected that the user has accessed at least three consecutive accesses to data without authorization.
本申请所提供的一种存储数据的访问管理方法,通过根据用户的登陆信息获取所述用户的权限信息;利用所述权限信息判断所述用户是否拥有数据读写权限;若所述用户拥有读写权限,则利用所述权限信息对所述用户上传的数据进行加密、对下载的数据进行解密。An access management method for stored data provided by the present application obtains the user's authority information according to the user's login information; uses the authority information to determine whether the user has data read and write authority; if the user has read and write write permission, use the permission information to encrypt the data uploaded by the user and decrypt the downloaded data.
显然,本申请所提供的技术方案,通过从用户登录存储系统的登陆信息中获取到该用户的权限信息,并对该权限信息进行分析,判别该用户是否拥有在该存储系统中相关数据文件的读写权限,若是,则利用每位用户都不同的权限信息对该用户上传或下载的数据进行加密。该访问管理方法无需管理人员手动为每位用户进行权限的分配,能够自动判别用户的权限范围,更加准确的管理用户权限,降低了手动分配权限时的出错几率,提高了工作效率。本申请同时还提供了一种存储数据的访问管理系统,具有上述有益效果,在此不再赘述。Obviously, the technical solution provided by this application obtains the user's permission information from the login information of the user's login storage system, and analyzes the permission information to determine whether the user owns the relevant data files in the storage system. Read and write permissions, if so, use the permission information that is different for each user to encrypt the data uploaded or downloaded by the user. The access management method does not require managers to manually assign permissions to each user, and can automatically determine the scope of user permissions, manage user permissions more accurately, reduce the probability of errors when manually assigning permissions, and improve work efficiency. At the same time, the present application also provides an access management system for storing data, which has the above-mentioned beneficial effects, and will not be repeated here.
附图说明Description of drawings
为了更清楚地说明本申请实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present application, and those skilled in the art can also obtain other drawings according to the provided drawings without creative work.
图1为本申请实施例所提供的一种存储数据的访问管理方法的流程图;FIG. 1 is a flow chart of a storage data access management method provided by an embodiment of the present application;
图2为本申请实施例所提供的另一种存储数据的访问管理方法的流程图;FIG. 2 is a flow chart of another storage data access management method provided by the embodiment of the present application;
图3为本申请实施例所提供的一种存储数据的访问管理系统的结构框图;FIG. 3 is a structural block diagram of an access management system for storing data provided by an embodiment of the present application;
图4为本申请实施例所提供的另一种存储数据的访问管理系统的结构示意图。FIG. 4 is a schematic structural diagram of another access management system for storing data provided by an embodiment of the present application.
图5为本申请实施例所提供的一种存储数据的访问管理系统中数据上传流程图;FIG. 5 is a flow chart of data uploading in an access management system for storing data provided by an embodiment of the present application;
图6为本申请实施例所提供的一种存储数据的访问管理系统中数据下载流程图。FIG. 6 is a flow chart of data downloading in an access management system for storing data provided by an embodiment of the present application.
具体实施方式detailed description
本申请的核心是提供一种存储数据的访问管理方法及系统,其无需管理人员手动为每位用户进行权限的分配,能够自动判别用户的权限范围,更加准确的管理用户权限,降低了手动分配权限时的出错几率,提高了工作效率。The core of this application is to provide a method and system for access management of stored data, which does not require managers to manually assign permissions to each user, can automatically determine the scope of user permissions, manage user permissions more accurately, and reduce manual allocation. The probability of error in permissions is improved, which improves work efficiency.
为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本申请保护的范围。In order to make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments It is a part of the embodiments of this application, not all of them. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the scope of protection of this application.
以下结合图1,图1为本申请实施例所提供的一种存储数据的访问管理方法的流程图。Referring to FIG. 1 below, FIG. 1 is a flow chart of a storage data access management method provided by an embodiment of the present application.
其具体包括以下步骤:It specifically includes the following steps:
S101:根据用户的登陆信息获取用户的权限信息;S101: Obtain permission information of the user according to the login information of the user;
本实施例旨在通过从用户的登陆信息中获取到该用户的权限信息。其中,该登陆信息通常为用户经由访问客户端向存储系统发出的访问请求,该客户端通常设置在企业内经过授权或登记相关信息的计算机或者远程代理访问过程中使用了代理信息的计算机等,只有通过这类拥有识别途径的访问请求的发起端才能被存储系统的鉴权模块识别到相应的权限信息。This embodiment aims to obtain the user's authority information from the user's login information. Among them, the login information is usually an access request sent by the user to the storage system via the access client, which is usually set up in the enterprise with a computer that has authorized or registered relevant information or a computer that uses proxy information in the process of remote proxy access, etc. Only the originator of the access request through this type of identification path can be identified by the authentication module of the storage system to have the corresponding permission information.
其中,权限信息包含的内容很多,例如,该用户对应的业务访问范围;读、写以及删除的权限;访问时限等等,此处并不做具体限定,具体包含什么样的内容应视实际情况中采用的设备型号、权限划分方式以及相关规章制度等来综合考虑。Among them, the permission information contains many contents, for example, the scope of business access corresponding to the user; permissions for reading, writing and deleting; access time limit, etc., which are not specifically limited here. Consider the equipment model, authority division method, and related rules and regulations adopted in the application.
S102:利用权限信息判断用户是否拥有数据读写权限;S102: Use the authority information to determine whether the user has data read and write authority;
在S101的基础上,本步骤旨在通过获取到的权限信息来判断该用户是否拥有相关数据的读或写的权限。其中,读或写的权限可以对应理解为用户下载和上传数据的权限,因为前者需要读取相关数据,后者需要写入数据。On the basis of S101, this step aims to judge whether the user has the read or write permission of the relevant data through the obtained permission information. Among them, the read or write permission can be understood as the user's permission to download and upload data, because the former needs to read relevant data, and the latter needs to write data.
因为在S101中提到,权限信息包括的内容很多,在获取到该用户的权限信息后,需要从中找寻到读写权限的部分,并根据读写权限部分对应的参数来判断得到该用户到底是全部拥有、部分拥有还是均不拥有,以便根据判断的结果来在后续处理步骤中,对该用户的在存储系统的相关行为进行限制或进行相关处理操作。Because it is mentioned in S101 that the permission information includes a lot of content, after obtaining the permission information of the user, it is necessary to find the part of the read and write permission, and judge whether the user is based on the parameters corresponding to the read and write permission part. All ownership, partial ownership, or no ownership, so as to restrict or perform related processing operations on the user's related behaviors in the storage system in the subsequent processing steps according to the judgment result.
当然,如何从登陆信息获取到的权限信息以及如何从该权限信息中找寻到读写的部分,方式多种多样,例如,从该用户的登陆信息中携带的计算机的机器码(机器码通常根据该机器的某个核心与器件生成或从出厂时固化在其内部,且唯一对应),并根据预先设置好的机器码与权限信息的对应关系来得到该用户的权限信息;也可以在先前就将该用户的权限信息内置在其在办公环境中的计算机中,在发起登陆请求中就会携带或者携带有得到权限信息的路径,鉴权模块则根据这些信息获取得到。Of course, there are many ways how to obtain the permission information from the login information and how to find the read-write part from the permission information, for example, from the machine code of the computer carried in the user's login information (the machine code is usually based on A certain core of the machine and a device are generated or solidified inside it from the factory, and they are uniquely corresponding), and the user’s permission information is obtained according to the preset correspondence between the machine code and the permission information; The user's permission information is built into his computer in the office environment, and the login request will carry or carry the path to obtain the permission information, and the authentication module will obtain it based on the information.
相应的,在从包含很多内容的权限信息中找寻到读写的部分权限内容,方式也会有很多,例如按照关键字(read和write或它们的首字母)在全部权限信息中进行检索;也可以根据在某些系统中会将权限信息直接放置在相关的位置中的特性,直接检查目标位置的文件属性即可,类似方式还有很多,此处并不对具体如何根据登陆信息获取到权限信息以及如何得到读写权限进行限定,应视实际情况进行相应的选择。Correspondingly, there are also many ways to find part of the permission content for reading and writing from the permission information containing many contents, such as searching in all permission information according to keywords (read and write or their initial letters); According to the feature that the permission information is directly placed in the relevant location in some systems, you can directly check the file attributes of the target location. There are many similar methods. Here, it is not specific how to obtain the permission information based on the login information. And how to get the read and write permissions to limit, should be selected according to the actual situation.
S103:利用权限信息对用户上传的数据进行加密、对下载的数据进行解密。S103: Encrypt the data uploaded by the user and decrypt the downloaded data by using the authority information.
本步骤建立在S102的判断结果为该用户拥有读写的权限的基础上,旨在利用获取到的该用户的权限信息对该用户上传的数据进行加密,对下载的数据进行解密。This step is based on the judgment result of S102 that the user has read and write permissions, and aims to use the obtained permission information of the user to encrypt the data uploaded by the user and decrypt the downloaded data.
需要说明的是,读写权限只是一个名词,其具体代表着三种表现形式,其一,只拥有读的权限,即只拥有只读权限,即可以通过下载的方式获取到该数据文件,并阅读其中的内容,但无法执行写入即修改的操作,也无法执行上传某个文件至存储系统的写入操作;其二,只拥有写入的权限,例如,公司内容的文员或者统计工作者,他们并不需要获取到某些信息,只需要根据纸质材料生成诸如考勤表或某些特殊要求的电子报表;其三,即拥有读的权限,也拥有写的权限,即该用户不仅可以下载和上传数据,也可以进行修改等操作。需要根据具体情况具体分析,并不一概而论。It should be noted that the read-write permission is just a noun, which specifically represents three manifestations. First, only have the read permission, that is, only have the read-only permission, that is, the data file can be obtained by downloading, and Read the content, but cannot perform the operation of writing and modifying, nor can it perform the writing operation of uploading a file to the storage system; second, only have the permission to write, for example, the company's content clerk or statistician , they do not need to obtain certain information, they only need to generate electronic reports such as attendance sheets or some special requirements based on paper materials; third, they have both read and write permissions, that is, the user can not only Data can be downloaded and uploaded, and operations such as modification can also be performed. It needs to be analyzed on a case-by-case basis and cannot be generalized.
进一步的,本申请所提供的一种存储数据的访问管理方法可以在检测到用户连续多次访问自己没有权限的文件或执意写入某些可疑文件至存储系统时,通过预设路径向管理员进行反馈,以根据管理员的判断得到结果,使得该机制更加完善,更加有效的保护数据。Further, the access management method for stored data provided by the present application can send a notification to the administrator through a preset path when it detects that the user has repeatedly accessed files that he does not have permission to or insists on writing some suspicious files to the storage system. Feedback is used to obtain results based on the administrator's judgment, making the mechanism more complete and protecting data more effectively.
基于上述技术方案,本申请实施例提供的一种存储数据的访问管理方法,通过从用户登录存储系统的登陆信息中获取到该用户的权限信息,并对该权限信息进行分析,判别该用户是否拥有在该存储系统中相关数据文件的读写权限,若是,则利用每位用户都不同的权限信息对该用户上传或下载的数据进行加密。该访问管理方法无需管理人员手动为每位用户进行权限的分配,能够自动判别用户的权限范围,更加准确的管理用户权限,降低了手动分配权限时的出错几率,提高了工作效率。Based on the above technical solution, an access management method for stored data provided by the embodiment of the present application obtains the user's permission information from the login information of the user's login storage system, and analyzes the permission information to determine whether the user is Have the read and write authority of relevant data files in the storage system, if so, use the different authority information of each user to encrypt the data uploaded or downloaded by the user. The access management method does not require managers to manually assign permissions to each user, and can automatically determine the scope of user permissions, manage user permissions more accurately, reduce the probability of errors when manually assigning permissions, and improve work efficiency.
以下结合图2,图2为本申请实施例所提供的另一种存储数据的访问管理方法的流程图。Referring to FIG. 2 below, FIG. 2 is a flow chart of another storage data access management method provided by an embodiment of the present application.
其具体包括以下步骤:It specifically includes the following steps:
S201:获取用户的权限信息,并将权限信息与用户的特征信息的对应关系保存在数据库中;S201: Obtain permission information of the user, and store the corresponding relationship between the permission information and the characteristic information of the user in a database;
本步骤旨在通过在整个存储系统初期,设立一个用户权限信息与用于特征信息的对应关系,即可以由该用户的工作部门、工作性质和授权信息确定到该用户应该拥有什么样的权限信息,并将确定的权限信息与该用户的特征信息绑定起来,以便根据该特征信息就可以直接在数据库中查询得到对应的权限信息。This step aims to establish a corresponding relationship between user authority information and user feature information at the initial stage of the entire storage system, that is, the user's work department, work nature, and authorization information can determine what authority information the user should have. , and bind the determined permission information with the characteristic information of the user, so that the corresponding permission information can be directly queried in the database according to the characteristic information.
其中,该特征信息是一个能代表该用户身份的信息,表现形式多种多样,例如,可以是一个特殊的编号,该编号可以与用户的私人信息绑定,也可以是与该用户进行企业时的一个工号等等相关;还可以是为该用户分配的在办公环境中的计算机的固定IP地址,即,通过为固定的计算机分配固定的IP地址,就可以初步的根据IP地址判断得到使用者,当然,还可以是其它信息,此处并不做具体限定,应视不同企业或者不同办公环境进行相应的选择。The feature information is information that can represent the identity of the user, and can be expressed in various forms. For example, it can be a special number, which can be bound with the user's private information, or it can be the information when conducting business with the user. It can also be the fixed IP address of the computer in the office environment assigned to the user, that is, by assigning a fixed IP address to the fixed computer, it can be used based on the preliminary judgment of the IP address Or, of course, it can also be other information, which is not specifically limited here, and should be selected according to different companies or different office environments.
S202:从用户的登陆信息中提取得到特征信息;S202: Extract feature information from the login information of the user;
S203:利用特征信息以及对应关系在数据库中查得权限信息;S203: Query permission information in the database by using the feature information and the corresponding relationship;
在S201的基础上,S202和S203旨在首先从用户再次从客户端访问存储系统时发出的登陆信息中提取得到该用户的特征信息,并利用该特征信息在之前已经存储好对应关系的数据库中进行查找,以得到该用户对应的权限信息。On the basis of S201, S202 and S203 aim to first extract the user's characteristic information from the login information sent when the user accesses the storage system from the client again, and use the characteristic information to store the corresponding relationship in the database before. Search to obtain the permission information corresponding to the user.
S204:将权限信息按预设方式生成加密因子;S204: Generate an encryption factor for the authority information according to a preset method;
本步骤建立在S203利用对应关系查得了该用户拥有在存储系统中的读写权限的基础上,旨在利用该用户的权限信息通过预设的算法生成加密因子,利用从每位用户那里得到的不同的权限信息,生成每位用户的个性化加密因子,以便利用该个性化的加密因子来对普遍的加密算法进行更新,实现更好的数据安全性。This step is based on the fact that S203 uses the corresponding relationship to find out that the user has read and write permissions in the storage system. Different permission information generates a personalized encryption factor for each user, so that the personalized encryption factor can be used to update the common encryption algorithm to achieve better data security.
进一步的,因为可能会出现不同的用户同属一个部门,导致其用户的权限信息有很大部分的重叠,可以在检测到该问题出现时,判断该现象是否是正常现象,若不是正常现象可以突出权限信息中不同的那部分来生成不同的加密因子。Furthermore, because different users may belong to the same department, resulting in a large part of their user authority information overlapping, it is possible to determine whether the phenomenon is normal when the problem is detected, and if it is not normal, it can be highlighted Different parts of the permission information are used to generate different encryption factors.
更进一步的,还可能存在同一部门上传到存储系统的数据文件需要在该部门间共享,此时可以根据这样的需要,从该部门所共有的权限信息挑选出来,生成一个部门间一致的加密因子,来实现数据的共享,同时又杜绝了其它部门的访问。还可以每个用户拥有复数的加密因子,按需要进行选用。Furthermore, there may also be data files uploaded to the storage system by the same department that need to be shared among the departments. At this time, according to such needs, it can be selected from the shared permission information of the department to generate an encryption factor that is consistent among departments. , to achieve data sharing, while preventing other departments from accessing. Each user can also have multiple encryption factors, which can be selected according to needs.
S205:将加密因子写入加密算法,得到新加密算法;S205: Write the encryption factor into the encryption algorithm to obtain a new encryption algorithm;
在S204的基础上,本步骤旨在利用得到的个性化加密因子写入普遍的加密因子,以得到一个新的加密算法。换句话说,就是借用因权限信息不同生成的不同加密因子为通用的加密算法二次加密,得到了一个与用户权限信息有关的新的加密算法。On the basis of S204, this step aims to use the obtained personalized encryption factor to write the universal encryption factor to obtain a new encryption algorithm. In other words, a new encryption algorithm related to user authority information is obtained by using different encryption factors generated due to different authority information to encrypt the general encryption algorithm twice.
具体的实现方式及挑选那些可以利用加密因子进行算法加密的算法,选择范围有很多,此处并不做具体限定,应视实际情况中的具体需求来选择,例如,可能会需要更快的加密速度、更好的加密性能等要求。The specific implementation method and the selection of algorithms that can use the encryption factor for algorithm encryption have many options, and there is no specific limitation here. It should be selected according to the specific needs of the actual situation. For example, faster encryption may be required Speed, better encryption performance and other requirements.
S206:利用新加密算法对用户上传的数据进行加密、对下载的数据进行解密;S206: Use the new encryption algorithm to encrypt the data uploaded by the user and decrypt the downloaded data;
在S205的基础上,本步骤旨在利用新生成的加密算法来为该用户上传的数据进行加密或对下载的数据进行解密,以使用户能够充分保证存储在存储系统上的文件的安全性和保密性。On the basis of S205, this step aims to use the newly generated encryption algorithm to encrypt the data uploaded by the user or decrypt the data downloaded, so that the user can fully guarantee the security and security of the files stored on the storage system. confidentiality.
当然,具体能执行什么样的操作,要看在S203中查询得到的具体权限内容,此部分也在S103部分有过详细说明,可以参见相关部分,此处不再赘述。Of course, what kind of operations can be performed depends on the specific permission content obtained in S203. This part has also been described in detail in S103. You can refer to relevant parts and will not repeat them here.
S207:当检测到用户至少连续三次访问未拥有权限的数据,则通过预设路径将用户的特征信息发送给管理员。S207: When it is detected that the user accesses the data without authorization for at least three consecutive times, send the characteristic information of the user to the administrator through a preset path.
本步骤是考虑到该访问管理方法的完善性,提出的一种异常检测方法,即当用户连续三次访问未拥有权限的数据时,或者执意要在存储系统中写入某些可疑文件时,通过预设路径将该用户的特征信息发送给管理员,以便管理员根据该特征信息找到操作的员工或者恶意访问者。This step is an anomaly detection method proposed in consideration of the perfection of the access management method, that is, when the user accesses the data without permission for three consecutive times, or insists on writing some suspicious files in the storage system, through The preset path sends the characteristic information of the user to the administrator, so that the administrator can find the operating employees or malicious visitors according to the characteristic information.
基于上述技术方案,本申请实施例提供的一种存储数据的访问管理方法,通过从用户登录存储系统的登陆信息中获取到该用户的权限信息,并对该权限信息进行分析,判别该用户是否拥有在该存储系统中相关数据文件的读写权限,若是,则利用每位用户都不同的权限信息对该用户上传或下载的数据进行加密。该访问管理方法无需管理人员手动为每位用户进行权限的分配,能够自动判别用户的权限范围,更加准确的管理用户权限,降低了手动分配权限时的出错几率,提高了工作效率。Based on the above technical solution, an access management method for stored data provided by the embodiment of the present application obtains the user's permission information from the login information of the user's login storage system, and analyzes the permission information to determine whether the user is Have the read and write authority of relevant data files in the storage system, if so, use the different authority information of each user to encrypt the data uploaded or downloaded by the user. The access management method does not require managers to manually assign permissions to each user, and can automatically determine the scope of user permissions, manage user permissions more accurately, reduce the probability of errors when manually assigning permissions, and improve work efficiency.
因为情况复杂,无法一一列举进行阐述,本领域技术人员应能意识到更具本申请提供的基本方法原理结合实际情况可以存在很多的例子,在不付出足够的创造性劳动下,应均在本申请的保护范围内。Because of the complexity of the situation, it is impossible to list and explain them one by one. Those skilled in the art should be able to realize that there may be many examples in combination with the basic method principles provided by the application and the actual situation. within the scope of protection applied for.
下面请参见图3,图3为本申请实施例所提供的一种存储数据的访问管理系统的结构框图。Referring to FIG. 3 below, FIG. 3 is a structural block diagram of an access management system for storing data provided by an embodiment of the present application.
该系统可以包括:The system can include:
权限信息获取单元100,用于根据用户的登陆信息获取用户的权限信息;An authority information acquisition unit 100, configured to acquire the user's authority information according to the user's login information;
判断单元200,用于利用权限信息判断用户是否拥有数据读写权限;A judging unit 200, configured to use the permission information to judge whether the user has data read and write permission;
处理单元300,用于若拥有读写权限,则利用权限信息对用户上传的数据进行加密、对下载的数据进行解密。The processing unit 300 is configured to use the permission information to encrypt the data uploaded by the user and decrypt the downloaded data if the user has read and write permission.
其中,该权限信息获取单元100可以包括:Wherein, the authority information acquisition unit 100 may include:
权限信息保存子单元,用于获取用户的权限信息,并将权限信息与用户的特征信息的对应关系保存在数据库中;The permission information storage subunit is used to obtain the user's permission information, and store the corresponding relationship between the permission information and the user's feature information in the database;
特征信息提取子单元,用于从用户的登陆信息中提取得到特征信息;The feature information extraction subunit is used to extract feature information from the user's login information;
查询子单元,用于利用特征信息以及对应关系在数据库中查得权限信息。The query subunit is used to search the permission information in the database by using the feature information and the corresponding relationship.
其中,该处理单元300可以包括:Wherein, the processing unit 300 may include:
加密因子生成子单元,用于将权限信息按预设方式生成加密因子;An encryption factor generating subunit, used to generate an encryption factor from the authority information in a preset manner;
新加密算法生成子单元,用于将加密因子写入加密算法,得到新加密算法;The new encryption algorithm generation subunit is used to write the encryption factor into the encryption algorithm to obtain the new encryption algorithm;
加密解密子单元,用于利用新加密算法对用户上传的数据进行加密、对下载的数据进行解密。The encryption and decryption subunit is used to encrypt the data uploaded by the user and decrypt the downloaded data by using the new encryption algorithm.
进一步的,该访问管理系统还可以包括:Further, the access management system may also include:
异常通知单元,用于当检测到用户至少连续三次访问未拥有权限的数据,则通过预设路径将用户的特征信息发送给管理员。The abnormality notification unit is configured to send the characteristic information of the user to the administrator through a preset path when it is detected that the user accesses the data without authorization for at least three consecutive times.
以上各单元可以应用于以下的一个具体的实际例子中:The above units can be applied to a specific practical example as follows:
如图4所示,图4为本申请实施例所提供的另一种存储数据的访问管理系统的结构示意图。As shown in FIG. 4 , FIG. 4 is a schematic structural diagram of another access management system for storing data provided by an embodiment of the present application.
管理系统位于用户客户端与存储服务器之间,通过控制用户访问权限及对用户数据进行加密和解密操作达到保护数据安全性的目的。用户权限数据库存储用户的访问权限数据。控制权限解析模块将用户的访问权限数据进行分析以便其他模块使用。数据加密模块根据用户权限信息对用户数据进行加密后上传至存储服务器,数据解密模块根据用户权限数据将用户数据解密后供用户访问。以上的控制权限解析模块和数据加密、解密模块等同于之前描述的判断单元200与处理单元300。The management system is located between the user client and the storage server, and protects data security by controlling user access rights and encrypting and decrypting user data. The user authority database stores user access authority data. The control authority analysis module analyzes the user's access authority data for use by other modules. The data encryption module encrypts the user data according to the user authority information and uploads it to the storage server, and the data decryption module decrypts the user data according to the user authority data for user access. The above control authority analysis module and data encryption and decryption module are equivalent to the judging unit 200 and the processing unit 300 described above.
如图5所示,图5为本申请实施例所提供的一种存储数据的访问管理系统中数据上传流程图。控制权限解析模块解析用户的登录信息并从用户权限数据库获取用户的业务范围、使用权限、使用时限等访问属性数据。当用户需上传数据时,将上传操作请求传至控制权限解析模块,通过解析后判断用户是否可以进行上传操作。当用户拥有上传权限时,上传数据传至数据加密模块,同时控制权限解析模块将用户访问属性作为加密因子传至数据加密模块。数据加密模块将加密因子写入加密算法将上传数据加密后传至存储服务器。As shown in FIG. 5 , FIG. 5 is a flow chart of uploading data in an access management system for storing data provided by an embodiment of the present application. The control authority analysis module analyzes the user's login information and obtains access attribute data such as the user's business scope, use authority, and use time limit from the user authority database. When the user needs to upload data, the upload operation request is sent to the control authority analysis module, and whether the user can perform the upload operation is determined after analysis. When the user has the upload authority, the upload data is transmitted to the data encryption module, and at the same time, the control authority analysis module transmits the user access attribute as an encryption factor to the data encryption module. The data encryption module writes the encryption factor into the encryption algorithm to encrypt the uploaded data and then transmits it to the storage server.
如图6所示,图6为本申请实施例所提供的一种存储数据的访问管理系统中数据下载流程图。控制权限解析模块解析用户的登录信息并从用户权限数据库获取用户的业务范围、使用权限、使用时限等访问属性数据。当用户需下载数据时,将下载操作请求传至控制权限解析模块,通过解析后判断用户是否可以进行下载操作。当用户拥有下载权限时,数据解密模块从存储服务器获取下载数据,同时从控制权限解析模块获取用户访问属性作为解密因子。数据解密模块将解密因子写入加解算法对下载数据进行解密。只有当用户的访问属性满足要求时才可以正确地解密数据进行下载。As shown in FIG. 6 , FIG. 6 is a flowchart of data downloading in an access management system for storing data provided by an embodiment of the present application. The control authority analysis module analyzes the user's login information and obtains access attribute data such as the user's business scope, use authority, and use time limit from the user authority database. When the user needs to download data, the download operation request is transmitted to the control authority analysis module, and whether the user can perform the download operation is determined after analysis. When the user has the download permission, the data decryption module obtains the download data from the storage server, and at the same time obtains the user access attribute from the control permission analysis module as a decryption factor. The data decryption module writes the decryption factor into the encryption algorithm to decrypt the downloaded data. Only when the user's access attributes meet the requirements can the data be correctly decrypted for download.
说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似部分互相参见即可。对于实施例公开的装置而言,由于其与实施例公开的方法相对应,所以描述的比较简单,相关之处参见方法部分说明即可。Each embodiment in the description is described in a progressive manner, each embodiment focuses on the difference from other embodiments, and the same and similar parts of each embodiment can be referred to each other. As for the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and for the related information, please refer to the description of the method part.
专业人员还可以进一步意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Professionals can further realize that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, computer software or a combination of the two. In order to clearly illustrate the possible For interchangeability, in the above description, the composition and steps of each example have been generally described according to their functions. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.
本文中应用了具体个例对本申请的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本申请的方法及其核心思想。应当指出,对于本技术领域的普通技术人员来说,在不脱离本申请原理的前提下,还可以对本申请进行若干改进和修饰,这些改进和修饰也落入本申请权利要求的保护范围内。In this paper, specific examples are used to illustrate the principles and implementation methods of the present application, and the descriptions of the above embodiments are only used to help understand the methods and core ideas of the present application. It should be pointed out that those skilled in the art can make some improvements and modifications to the application without departing from the principles of the application, and these improvements and modifications also fall within the protection scope of the claims of the application.
还需要说明的是,在本说明书中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其它变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其它要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括要素的过程、方法、物品或者设备中还存在另外的相同要素。It should also be noted that in this specification, relative terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply that these entities or operations There is no such actual relationship or order between the operations. Furthermore, the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes elements not expressly listed. other elements of or also include elements inherent in such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article, or apparatus that includes the element.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710607526.XACN107358122A (en) | 2017-07-24 | 2017-07-24 | The access management method and system of a kind of data storage |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710607526.XACN107358122A (en) | 2017-07-24 | 2017-07-24 | The access management method and system of a kind of data storage |
| Publication Number | Publication Date |
|---|---|
| CN107358122Atrue CN107358122A (en) | 2017-11-17 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710607526.XAPendingCN107358122A (en) | 2017-07-24 | 2017-07-24 | The access management method and system of a kind of data storage |
| Country | Link |
|---|---|
| CN (1) | CN107358122A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108217538A (en)* | 2017-12-28 | 2018-06-29 | 宁波如意股份有限公司 | A kind of electri forklift coded lock device and application method |
| CN110008654A (en)* | 2018-01-04 | 2019-07-12 | 北大方正集团有限公司 | Electronic document treating method and apparatus |
| WO2019178820A1 (en)* | 2018-03-22 | 2019-09-26 | 深圳达闼科技控股有限公司 | Method and system for uploading substance detection information, method and system for determining upload permission for substance detection information, and devices |
| CN110311880A (en)* | 2018-03-20 | 2019-10-08 | 中移(苏州)软件技术有限公司 | File upload method, device and system |
| CN111723363A (en)* | 2020-06-18 | 2020-09-29 | 西安万像电子科技有限公司 | Data export method and device |
| CN112541190A (en)* | 2020-12-03 | 2021-03-23 | 苏州工业园区测绘地理信息有限公司 | Map authority control method and control system based on unified user information |
| CN113282948A (en)* | 2021-07-22 | 2021-08-20 | 成都华唯科技股份有限公司 | Information system using method and information system |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104852925A (en)* | 2015-05-28 | 2015-08-19 | 江南大学 | Method for leakproof, secure storage and backup of data of mobile smart terminal |
| CN105516059A (en)* | 2014-09-25 | 2016-04-20 | 阿里巴巴集团控股有限公司 | Resource access control method and device |
| CN105912949A (en)* | 2016-04-13 | 2016-08-31 | 北京京东尚科信息技术有限公司 | Data permission management method, data permission management system and service management system |
| CN106411884A (en)* | 2016-09-29 | 2017-02-15 | 郑州云海信息技术有限公司 | Method and device for data storage and encryption |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105516059A (en)* | 2014-09-25 | 2016-04-20 | 阿里巴巴集团控股有限公司 | Resource access control method and device |
| CN104852925A (en)* | 2015-05-28 | 2015-08-19 | 江南大学 | Method for leakproof, secure storage and backup of data of mobile smart terminal |
| CN105912949A (en)* | 2016-04-13 | 2016-08-31 | 北京京东尚科信息技术有限公司 | Data permission management method, data permission management system and service management system |
| CN106411884A (en)* | 2016-09-29 | 2017-02-15 | 郑州云海信息技术有限公司 | Method and device for data storage and encryption |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108217538A (en)* | 2017-12-28 | 2018-06-29 | 宁波如意股份有限公司 | A kind of electri forklift coded lock device and application method |
| CN110008654A (en)* | 2018-01-04 | 2019-07-12 | 北大方正集团有限公司 | Electronic document treating method and apparatus |
| CN110311880A (en)* | 2018-03-20 | 2019-10-08 | 中移(苏州)软件技术有限公司 | File upload method, device and system |
| CN110311880B (en)* | 2018-03-20 | 2021-08-06 | 中移(苏州)软件技术有限公司 | File uploading method, device and system |
| WO2019178820A1 (en)* | 2018-03-22 | 2019-09-26 | 深圳达闼科技控股有限公司 | Method and system for uploading substance detection information, method and system for determining upload permission for substance detection information, and devices |
| CN111723363A (en)* | 2020-06-18 | 2020-09-29 | 西安万像电子科技有限公司 | Data export method and device |
| CN112541190A (en)* | 2020-12-03 | 2021-03-23 | 苏州工业园区测绘地理信息有限公司 | Map authority control method and control system based on unified user information |
| CN112541190B (en)* | 2020-12-03 | 2024-03-12 | 园测信息科技股份有限公司 | Map authority control method and control system based on unified user information |
| CN113282948A (en)* | 2021-07-22 | 2021-08-20 | 成都华唯科技股份有限公司 | Information system using method and information system |
| Publication | Publication Date | Title |
|---|---|---|
| US11240251B2 (en) | Methods and systems for virtual file storage and encryption | |
| US10666647B2 (en) | Access to data stored in a cloud | |
| US8909925B2 (en) | System to secure electronic content, enforce usage policies and provide configurable functionalities | |
| CN107358122A (en) | The access management method and system of a kind of data storage | |
| US20180285591A1 (en) | Document redaction with data isolation | |
| US11487885B2 (en) | Enabling and validating data encryption | |
| US20170277773A1 (en) | Systems and methods for secure storage of user information in a user profile | |
| US20170277774A1 (en) | Systems and methods for secure storage of user information in a user profile | |
| WO2021003980A1 (en) | Blacklist sharing method and apparatus, computer device and storage medium | |
| US20150026462A1 (en) | Method and system for access-controlled decryption in big data stores | |
| CN105516059B (en) | A kind of resource access control method and device | |
| CA3020743A1 (en) | Systems and methods for secure storage of user information in a user profile | |
| US12061706B2 (en) | Encrypted file control | |
| CN105512565A (en) | Method and server for preventing electronic document leakage | |
| CN110889121A (en) | Method, server and storage medium for preventing data leakage | |
| CN118679477A (en) | Secure collaboration using file encryption at download | |
| US10726104B2 (en) | Secure document management | |
| CN107368749A (en) | File processing method, device, equipment and computer storage medium | |
| CN111740940A (en) | Information processing system | |
| JP7361384B2 (en) | Electronic application assistance method, electronic application assistance system, electronic application assistance system program and its recording medium | |
| KR101918501B1 (en) | Security Policy Management System | |
| WO2018232021A2 (en) | Systems and methods for secure storage of user information in a user profile | |
| Day | Seizing, imaging, and analyzing digital evidence: step-by-step guidelines | |
| TR2023006911T2 (en) | ENCRYPTED FILE CONTROL | |
| KR20140137076A (en) | Device for managing passwords of server and method for managing passwords applying the same |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | Application publication date:20171117 | |
| RJ01 | Rejection of invention patent application after publication |