Method, device and electronic equipment for data product use control under separation of three powers

By implementing the separation of ownership, management, and use rights in data products, the problem of loss of control in cross-domain data use is solved, and the secure sharing and value enhancement of data products are realized.

CN117454399BActive Publication Date: 2026-07-03ZHEJIANG ANT SECRET TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ZHEJIANG ANT SECRET TECH CO LTD
Filing Date
2023-10-27
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In the process of data informatization, data holders are prone to losing control of their data when using it across domains, leading to data leakage or abuse, which fails to protect the rights and interests of data holders and also affects the rights and interests of other data-related personnel besides the holders.

Method used

By adopting a three-rights separation approach, the ownership, operation, and usage rights of data products are managed separately. Cross-domain control of data product usage is achieved through authorization and certificate management among data product users, operators, and providers.

Benefits of technology

Effectively prevent the abuse of data products in cross-domain use, protect the rights and interests of all parties, and promote the sharing and value enhancement of data products.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117454399B_ABST
    Figure CN117454399B_ABST
Patent Text Reader

Abstract

The one or more embodiments of the specification disclose a method, device and electronic equipment for data product use control under three rights separation. The method comprises: receiving a use request for a target data product sent by a data product user, the data product user being a user other than an operation and maintenance domain of the target data product; obtaining information of a data product operator for controlling use rights of each sub-target data product in the target data product, the operation right of the data product operator being authorized by a data product provider having a holding right of the sub-target data product; sending a use authorization application for a sub-target data product operated by the data product operator to the data product operator; and in the case of receiving a use authorization notification corresponding to each sub-target data product, issuing a use right certificate for the target data product to the data product user, so that the data product user uses the target data product based on the use right certificate.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to the field of data processing technology, and in particular to a method, apparatus, and electronic device for managing the use of data products under the separation of powers. Background Technology

[0002] Data access control is a crucial aspect of data security. Traditional data access control schemes primarily target data usage within the same operational domain. This means that data providers and users are all within the same control domain, avoiding issues of data leaving the domain or cross-domain data ownership management.

[0003] However, with the increasing need for data informatization, various previously isolated pieces of information are being connected, potentially leading to data leaving the holder's control. In such cases, data holders can easily lose control over data usage, leading to data leaks or misuse, thus failing to protect their rights. Furthermore, with people increasingly valuing their privacy, data leaks or misuse can also harm the rights of other data-related parties besides the data holder. Therefore, there is an urgent need to provide a better data product usage management solution to overcome these difficulties. Summary of the Invention

[0004] This specification provides a method, apparatus, and electronic device for managing the use of data products under a system of separation of powers, in order to provide a data product usage management solution that meets the expectations of data providers.

[0005] Firstly, one or more embodiments of this specification provide a method for managing the use of data products under a separation of powers system, comprising: receiving a usage request for a target data product from a data product user, wherein the data product user is a user outside the operation and maintenance domain of the target data product; obtaining information on a data product operator that manages the usage rights of each sub-target data product within the target data product, wherein the operating rights of the data product operator are authorized by a data product provider that holds the rights to the sub-target data products; issuing a usage authorization application to the data product operator for the sub-target data products operated by the data product operator; and, upon receiving usage authorization notifications corresponding to each sub-target data product, issuing a usage right certificate for the target data product to the data product user, so that the data product user can use the target data product based on the usage right certificate.

[0006] Secondly, embodiments of this application provide an apparatus for managing the use of data products under a separation of powers system, comprising: receiving a usage request for a target data product sent by a data product user, wherein the data product user is a user outside the operation and maintenance domain of the target data product; obtaining information on a data product operator that manages the usage rights of each sub-target data product within the target data product, wherein the operating rights of the data product operator are authorized by a data product provider that holds the rights to the sub-target data products; issuing a usage authorization application to the data product operator for the sub-target data products operated by the data product operator; and, upon receiving usage authorization notifications corresponding to each sub-target data product, issuing a usage right certificate for the target data product to the data product user, so that the data product user can use the target data product based on the usage right certificate.

[0007] Thirdly, embodiments of this application provide an electronic device, comprising: a processor and a memory arranged to store computer-executable instructions, wherein when the executable instructions are executed, the processor is able to: receive a usage request for a target data product sent by a data product user, wherein the data product user is a user outside the operation and maintenance domain of the target data product; obtain information on a data product operator that manages the usage rights of each sub-target data product in the target data product, wherein the operating rights of the data product operator are authorized by a data product provider that holds the rights to the sub-target data products; issue a usage authorization application to the data product operator for the sub-target data products operated by the data product operator; and, upon receiving usage authorization notifications corresponding to each sub-target data product, issue a usage right certificate for the target data product to the data product user, so that the data product user can use the target data product based on the usage right certificate.

[0008] Fourthly, embodiments of this specification provide a storage medium for storing a computer program that can be executed by a processor to implement the following process: receiving a usage request for a target data product from a data product user, wherein the data product user is a user outside the operation and maintenance domain of the target data product; obtaining information about a data product operator that manages the usage rights of each sub-target data product within the target data product, wherein the operating rights of the data product operator are authorized by a data product provider that holds the rights to the sub-target data products; issuing a usage authorization application to the data product operator for the sub-target data products operated by the data product operator; and, upon receiving usage authorization notifications corresponding to each sub-target data product, issuing a usage right certificate for the target data product to the data product user, so that the data product user can use the target data product based on the usage right certificate. Attached Figure Description

[0009] To more clearly illustrate the technical solutions in one or more embodiments of this specification or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in one or more embodiments of this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0010] Figure 1 This is a schematic flowchart illustrating a method for managing the use of data products under a three-tiered system, according to an embodiment of this specification.

[0011] Figure 2 This is a schematic diagram illustrating an application scenario of a method for managing the use of data products under a three-tiered system, according to an embodiment of this specification.

[0012] Figure 3 This is a schematic block diagram of a system for managing the use of data products under a three-tiered system, according to an embodiment of this specification.

[0013] Figure 4 This is a schematic diagram of a device for managing the use of data products under a three-tiered system, according to an embodiment of this specification.

[0014] Figure 5 This is a schematic diagram of the structure of an electronic device according to an embodiment of this specification. Detailed Implementation

[0015] The technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments in this specification. All other embodiments obtained by those skilled in the art based on the embodiments in this specification without creative effort are within the scope of protection of this application.

[0016] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such use of data can be interchanged where appropriate so that embodiments of this specification can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class and the number of objects is not limited; for example, a first object can be one or more. Furthermore, in the specification and claims, "and / or" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects are in an "or" relationship.

[0017] The following description, in conjunction with the accompanying drawings, details the method, apparatus, and electronic equipment for managing the use of data products under the separation of powers system provided in this specification, through specific embodiments and application scenarios.

[0018] Figure 1 This illustration demonstrates an embodiment of the present invention providing a method for managing the use of data products under a separation of powers framework. This method can be executed by an electronic device, which may include a server and / or a terminal device, such as an in-vehicle terminal or a mobile terminal. In other words, the method can be executed by software or hardware installed on the aforementioned electronic device, and the method includes the following steps:

[0019] S102: Receive a usage request for the target data product from a user outside the operation and maintenance domain of the target data product.

[0020] S104: Obtain information on the data product operator that controls the right to use each sub-target data product in the target data product. The operating rights of the data product operator are authorized by the data product provider that holds the rights to the sub-target data products.

[0021] S106: Issue a usage authorization application to the data product operator for the sub-target data products operated by the data product operator;

[0022] S108: Upon receiving the usage authorization notice corresponding to each sub-target data product, issue a usage right certificate for the target data product to the data product user, so that the data product user can use the target data product based on the usage right certificate.

[0023] The target data product is a data product that can be used outside the control area of ​​the person or organization that holds the target data product. The control area is the established operation and maintenance domain of the target data product. In order to better illustrate the present invention and highlight its main points, the specific embodiments in this specification describe the flow of the target data product outside the operation and maintenance domain. Those skilled in the art should understand that this specification can be implemented by the same or similar means for the flow of the target data product within the operation and maintenance domain.

[0024] In one example, the ownership, operation, and usage rights of the target data product can be managed and controlled by different entities. Specifically, the data product provider can be the provider of the target data product, the data product operator can be the operator of the target data product, and the data product user can be the user of the target data product. Correspondingly, after the data product provider grants the data product operator the operation rights of the target data product, the cross-domain (beyond the established operation and maintenance domain) usage process of the target data product can include: the data product user submitting an application to use the target data product, and the data product operator authorizing the data product user to use the product.

[0025] Typically, data products originate from a wide range of sources, including multiple data sources. In one example, a target data product may consist of at least one sub-target data product. Therefore, upon receiving a usage request for the target data product from a cross-domain user, it is necessary to identify the data product operator corresponding to each sub-target data product, submit usage authorization applications for the sub-target data products to each data product operator, and wait until each data product operator grants the user the right to use the corresponding sub-target data product and returns a usage authorization notification before the user can use the target data product. The user obtains the right to use the target data product by acquiring a usage right certificate corresponding to the target data product; this certificate may contain usage rights for each of the sub-target data products included in the target data product.

[0026] Specifically, when granting operating rights to data product providers, data product operators can limit the scope of those rights, such as restricting the scope and duration of operation, to better manage the data products held by the data product provider. Similarly, when granting usage rights to data product users, data product operators can limit the scope and duration of those rights, such as restricting the use of the data products, to better manage the behavior of data product users, prevent the abuse of data products, and better protect the rights and interests of all parties involved in the data product (including data product providers, data product operators, data product users, and other data-related personnel).

[0027] Furthermore, different access permissions can be set for each sub-target data product based on its sensitivity level. Similarly, access permissions can be finely configured based on the different users of the data product or their usage behaviors.

[0028] Furthermore, when a data product user uses the target data product, their usage rights can be authenticated. Similarly, when identifying the data product provider / operator corresponding to each sub-target data product, authentication can be performed on the data product provider / operator to improve the accuracy of the data product usage control process under the separation of powers.

[0029] In the embodiments described in this specification, after the data product providers of each sub-target data product in the target data product grant operating rights to the data product operators, the data product users submit a request to use the target data product, and each data product operator authorizes the use of the sub-target data products they operate. This process, through the separation of ownership, operating rights, and usage rights of the data product, achieves cross-domain control of the data product, prevents its abuse after leaving its domain, protects the rights and interests of all parties involved in the data product, and thus promotes data product sharing, giving the data product higher value.

[0030] Figure 2 This provides an application scenario diagram illustrating a method for managing the use of data products under a system of separation of powers, such as... Figure 2 As shown, the user server sends a usage request for the target data product to the data management server. After receiving the usage request, the data product server uses the data product usage management method under the separation of powers described in this manual to send a usage authorization application to the operator server, receives a usage authorization notification from the operator server, and sends the usage right certificate to the terminal so that the user server can use the target data product.

[0031] Because data products are used in diverse ways, the usage rights of data product users can be refined to further prevent abuse. Specifically, the usage rights of data product users can be subdivided into: computation rights, query rights, access rights, download rights, and encrypted data extraction rights. The computation right is the right of the data product user to perform calculations on authorized data; the access right is the right of the data product user to obtain data services through API calls; the query right is the right of the data product user to browse and view data; the download right is the right of the data product user to save data from a remote location to their local machine; and the encrypted data extraction right is the right of the data product user to parse encrypted data into plaintext.

[0032] Furthermore, since the threats to the ownership / operation rights of data products vary across different usage scenarios, the management of data product usage rights can be closely integrated with the specific usage scenarios of the data products to effectively prevent data leakage or misuse and protect the rights and interests of all parties involved in the data product. In one implementation, before step S104, the method for managing the use of data products under the separation of powers also includes:

[0033] Based on the information of the use scenarios of the target data product, the target data product is divided into at least one sub-target data product, and the usage rights corresponding to each sub-target data product are determined.

[0034] Step S106 includes:

[0035] Issue a usage authorization application to the data product operator for the sub-target data products operated by the data product operator. The usage authorization application includes an authorization application for the right to use the sub-target data products in the usage scenario.

[0036] The usage scenarios can include computational scenarios involving the processing and analysis of data products, as well as scenarios where data products are invoked within various software applications. Specifically, in computational scenarios, the right to use the target data product can be computational rights. Furthermore, computational rights can be bound to computational methods to prevent the target data product from being abused in various computational methods. In invocation scenarios, the right to use the target data product can be accessed through an interface. Furthermore, downloading and storage can be excluded from invocation rights, requiring additional permissions to be requested when downloading or storing the target data product to prevent its abuse after download or storage.

[0037] Specifically, when the right of use includes the right to invoke a sub-target data product, the use request includes the version information of the application that invokes the sub-target data product. In this process, when invoking the target data product, the right to use the target data product is bound to the specific application version. When the application iterates or changes, the right to invoke the target data product by the iterated or changed application will become invalid, and a new application for the right to invoke the target data product will need to be submitted. This fine-grained control can better protect the ownership and / or operating rights corresponding to the data product.

[0038] Similarly, when the right of use includes the right to decrypt and extract the ciphertext of the encrypted sub-target data product, the method for controlling the use of data products under the separation of powers also includes: sending a notification to the data product user requesting the right to view and / or access the decrypted sub-target data product. During this process, if the data product is in encrypted form, the right to ciphertext parsing is also required. After the target data product is parsed, when viewing or accessing the parsed results, a reminder notification can be sent to the data product user, reminding them that additional authorization is required; otherwise, they cannot view and / or access the parsed sub-target data product, thus further enhancing the security of the encrypted data product.

[0039] In one example, the target data product can be integrated with usage scenarios to determine the usage rights required for each sub-target data product that constitutes the target data product in a specific usage scenario. This includes determining which sub-target data product requires viewing rights and which requires access rights. Subsequently, the scenario-based target data products can be provided to customers for them to query and retrieve the scenario-based target data products they need.

[0040] After the data product user has identified the target data product for a specific scenario, they can submit a usage request to the data management server (the server running the data product usage management method under the three-tiered separation of powers as described in this embodiment). Upon receiving the usage request, the data management server can break down the target data product into sub-target data products based on the usage scenario information corresponding to the target data product, obtain the usage rights corresponding to each sub-target data product, and then authorize the data product user who submitted the usage request to use the usage rights corresponding to each sub-target data product, enabling the data product user to use the target data product in that specific usage scenario.

[0041] In the embodiments described in this specification, after applying for the right to use the target data product, the data product user determines the right to use the sub-target data products that constitute the target data product based on the usage scenario of the target data product, and then obtains the corresponding usage right certificate for each sub-target data product, so that the data product user can use the target data product. This process binds the usage scenario with the right to use, encapsulating scenario-level usage permissions. The data product user only needs to directly apply for the right to use the corresponding scenario-based data product, without having to apply for authorization for each sub-data product that constitutes the data product separately, thus improving the user experience.

[0042] In one implementation, step S106 can be executed as follows: steps A1-A2:

[0043] Step A1: In the absence of a data product operator that controls the right to use the sub-target data product, obtain information on the data product provider that controls the right to use the sub-target data product;

[0044] Step A2: Send an application to the data product provider for authorization to use the sub-target data products held by the data product provider.

[0045] Specifically, in cases where the sub-target data product is directly managed by the data product provider, or where the data product operator lacks sufficient control over the sub-target data product (i.e., does not have the right to use a certain aspect of the sub-target data product), it is necessary to directly apply to the data product provider for authorization of the sub-target data product. This process avoids the inability to use the sub-target data product when the data product operator corresponding to the right to use the sub-target data product is missing, thereby improving the robustness of the data product use and management process under the separation of powers.

[0046] In one implementation, step S108 can be executed as follows: steps B1-B3:

[0047] Step B1: Request the certificate authority server to issue a certificate of right to use the target data product;

[0048] Step B2: Upon receiving the certificate of use for the target data product from the certificate center server, issue the certificate of use to the data product user.

[0049] Step B3: Submit the right to use certificate to the evidence storage service equipment for storage processing.

[0050] The certificate center server is responsible for issuing various permission certificates or credentials, while the evidence storage service device is used to store and retrieve various certificates or operation / transaction credentials. In one example, the data management server can initiate a request to the certificate center server to create operating rights or usage rights (or credentials). After the certificate center server creates and returns the operating rights / usage rights certificate to the data management server, the data management server issues the operating rights / usage rights certificate to the data product operator / user. Furthermore, upon receiving the operating rights / usage rights certificate, it can also store the certificate in the evidence storage service device to support audit traceability and improve the security of data product usage management under the separation of powers.

[0051] Specifically, the certificate center server and the evidence storage service device can be the same server as the data management server running the data product usage management method under the separation of powers in the embodiments of this specification. To ensure the security and trustworthiness of the data product ownership transfer process, in one example, the certificate center server and the evidence storage service device can be operated and maintained by different management agencies to improve the security of the data product ownership transfer process. Furthermore, the certificate center server, the evidence storage service module, and the data management server can also be set up as three different servers.

[0052] In the embodiments described in this specification, the creation and storage of usage rights certificates are completed through the cooperation of a certificate center server and a certificate storage service device. This process achieves a light load on the data management server, thereby enabling high real-time processing of usage requests for target data products and improving the efficiency of data product ownership transfer.

[0053] In one implementation, the authorization process for operating the sub-target data product includes:

[0054] Receive operational requests for sub-target data products from data product operators;

[0055] Obtain information about the data product provider that has ownership rights to the sub-target data product;

[0056] Issue an application for operating authorization for the sub-target data products to the data product provider;

[0057] Upon receiving a notification of operating authorization for the sub-target data product from the data product provider, an operating license certificate for the sub-target data product is issued to the data product operator, enabling the data product operator to operate the target data product based on the operating license certificate.

[0058] Specifically, after the data management server receives an operation request from the data product operator, it obtains information about the data product provider of the sub-target data product targeted by the operation request, and then sends an operation authorization application to the data product provider. The operation authorization application may include: the applicant organization (such as the data product operator), the requested permissions, and the requested data product (i.e., the sub-target data product). Upon receiving the operation authorization application, the data product provider approves the requested permissions and sends an operation authorization notification to the data management server, instructing the data product provider to grant the data product operator the permissions. Further, the data management server issues an operation license certificate to the data product operator, enabling the data product operator to use the sub-target data product according to the permissions indicated in the operation license certificate. Specifically, the operation license certificate can be created by a dedicated certificate center server.

[0059] In the embodiments described in this specification, the data product operator initiates a request to operate the sub-target data product, and the data product provider authorizes the operation of the sub-target data product. This process separates the operating rights and ownership rights of the data product, thereby facilitating the cross-domain transfer of data products, enabling data product sharing, and enhancing the value of the data product.

[0060] In one implementation, the authorization process for holding ownership of the sub-target data product includes:

[0061] Receive hosting requests for sub-target data products from data product providers;

[0062] Confirm the target data product provider's ownership rights over the sub-target data product, and apply to the certificate center server for a certificate issuance request for the ownership rights of the sub-target data product. The ownership rights requested for the sub-target data product in the certificate issuance request are the same as the confirmed ownership rights.

[0063] Upon receiving a certificate of ownership for the sub-target data product from the certificate authority server, a certificate of ownership is issued to the data product provider, enabling the data product provider to hold the sub-target data product based on the certificate of ownership.

[0064] Specifically, the data product provider submits a hosting request to the data management server. After confirming the target data product provider's ownership rights to the sub-target data product, the data management server requests the certificate authority server to create a certificate of ownership. After creating the certificate of ownership, the certificate authority server returns it to the data management server, which then issues the certificate of ownership to the data product provider, enabling the data product provider to transfer the operating rights and / or usage rights of the sub-target data product based on the certificate of ownership.

[0065] In the embodiments described in this specification, the data product provider initiates a hosting request for the sub-target data product. The data management server confirms the data product provider's ownership rights and issues a holding certificate. This process secures the data product provider's ownership of the sub-target data product in the form of a holding certificate, facilitating cross-domain data product deployment.

[0066] Figure 3 This is a schematic block diagram of a system for managing the use of data products under a three-tiered system of authority, based on one embodiment. For example... Figure 3 As shown, the system for managing the use of data products under the separation of powers includes the provider's server, the operator's server, the user's server, the data management server, the certificate center server, and the evidence storage service equipment. Among these, the data product user refers to the user outside the target data product's operational domain.

[0067] like Figure 3 As shown, the data management server mainly consists of two layers. The upper layer comprises the data holding rights management module, the operational rights management module, and the usage rights management module, corresponding to the management and control of data holding rights, operational rights, and usage rights, respectively. The lower layer consists of the rights confirmation center, the authorization center, and the authentication center, primarily responsible for handling rights-related matters. Specifically, the rights confirmation center is mainly used to confirm data holding rights and is responsible for initiating requests to the certificate center server for the creation of holding rights certificates (or credentials); the authorization center is responsible for initiating requests to the certificate center server for the creation of operational rights or usage rights (or credentials) after the data provider grants entrusted operational and data usage rights; and the authentication center is responsible for verifying the scope of rights when data participants exercise their rights.

[0068] The certificate center server is mainly responsible for issuing various permission certificates or credentials; the evidence storage service equipment is mainly used to store and retrieve various certificates or operation / transaction credentials to support audit traceability.

[0069] The workflow of the system for managing the use of data products under the separation of powers can include:

[0070] Step 1: Data Hosting. Specifically, the provider server sends a hosting request for a sub-target data product within the target data product to the data management server. The data management server confirms the target data provider's ownership rights to the sub-target data product and sends a certificate issuance request for the sub-target data product to the certificate center server. The certificate center creates the corresponding certificate and returns it to the data management server, which then issues the certificate to the provider server and submits it to the evidence storage service equipment for safekeeping.

[0071] The second step is data management. Specifically, the operator's server sends a management request for the sub-target data product to the data management server. The data management server confirms the operator's server's management authority over the sub-target data product and sends a request to the certificate center server for the issuance of a management right certificate for the sub-target data product. The certificate center creates the corresponding holding certificate and returns it to the data management server. The data management server issues the management right certificate to the data product operator and submits the management right certificate to the evidence storage service equipment for safekeeping.

[0072] The third step is data usage. Specifically, the user server sends a usage request to the data management server for the target data product under a specific usage scenario. Based on this specific usage scenario, the data management server breaks down the target data product into at least one sub-target data product and sends usage authorization applications to the operator / provider servers of each sub-target data product. Each operator / provider server confirms the user server's usage rights for the sub-target data products it operates / holds and returns a usage authorization notification to the data management server. When each sub-target data product of the target data product has a corresponding usage authorization notification, the data management server sends a request to the certificate center server for the issuance of a usage right certificate for the target data product. The certificate center server creates the corresponding usage right certificate and returns it to the data management server. The data management server issues the usage right certificate to the data product user and submits the usage right certificate to the evidence storage service equipment for storage processing.

[0073] It should be noted that the method for managing the use of data products under the separation of powers provided in the embodiments of this specification can be executed by a device for managing the use of data products under the separation of powers, or a control module within that device for executing the method. This specification uses the example of a device for managing the use of data products under the separation of powers executing the method to illustrate the device for managing the use of data products under the separation of powers provided in the embodiments of this specification.

[0074] Figure 4 This is a schematic diagram of a device for managing the use of data products under the separation of powers according to an embodiment of the present invention. Figure 4 As shown, the device 400 for managing the use of data products under the separation of powers includes:

[0075] The receiving module 410 is used to receive a usage request for the target data product sent by the user of the data product, wherein the user of the data product is a user outside the operation and maintenance domain of the target data product.

[0076] The acquisition module 420 is used to acquire information about the data product operator that controls the right to use each sub-target data product in the target data product. The operating rights of the data product operator are authorized by the data product provider that holds the rights to the sub-target data products.

[0077] Application module 430 is used to send a usage authorization application to the data product operator for the sub-target data products operated by the data product operator;

[0078] The issuance module 440 is used to issue a usage right certificate for the target data product to the data product user when it receives the usage authorization notice corresponding to each sub-target data product, so that the data product user can use the target data product based on the usage right certificate.

[0079] In one embodiment, the device 400 for managing the use of data products under the separation of powers further includes:

[0080] The splitting module is used to split the target data product into at least one sub-target data product based on the information of the target data product's usage scenario, and to determine the usage rights corresponding to each of the split sub-target data products.

[0081] Application module 430 includes:

[0082] The first application unit is used to issue a usage authorization application to the data product operator for the sub-target data products operated by the data product operator. The usage authorization application includes an authorization application for the right to use the sub-target data products in the usage scenario.

[0083] In one embodiment, where the right of use includes the right to invoke a sub-target data product, the use request includes version information of the application that invokes the sub-target data product.

[0084] In one embodiment, where the right of use includes the right to extract ciphertext from encrypted sub-target data products, the data product use control apparatus 400 under the separation of powers further includes:

[0085] The notification module is used to send notifications to users of data products regarding their requests to view and / or access the decrypted sub-target data products.

[0086] In one embodiment, the application module 430 includes:

[0087] The acquisition unit is used to acquire information about the data product provider that controls the right to use the sub-target data product when there is no data product operator that controls the right to use the sub-target data product.

[0088] The second application unit is used to issue a usage authorization application to the data product provider for the sub-target data product held by the data product provider.

[0089] In one embodiment, the disbursement module 440 includes:

[0090] The request unit is used to request the issuance of a certificate of right to use the target data product from the certificate authority server;

[0091] The issuing unit is used to issue a certificate of right to use to the user of the data product upon receiving a certificate of right to use for the target data product from the certificate center server.

[0092] The storage unit is used to submit the right to use certificate to the certificate storage service equipment for storage processing.

[0093] In one embodiment, the authorization process for ownership of the sub-target data product includes:

[0094] Receive hosting requests for sub-target data products from data product providers;

[0095] Confirm the target data product provider's ownership rights over the sub-target data product, and apply to the certificate center server for a certificate issuance request for the ownership rights of the sub-target data product. The ownership rights requested for the sub-target data product in the certificate issuance request are the same as the confirmed ownership rights.

[0096] Upon receiving a certificate of ownership for the sub-target data product from the certificate authority server, a certificate of ownership is issued to the data product provider, enabling the data product provider to hold the sub-target data product based on the certificate of ownership.

[0097] In one embodiment, the authorization process for operating rights of a sub-target data product includes:

[0098] Receive operational requests for sub-target data products from data product operators;

[0099] Obtain information about the data product provider that has ownership rights to the sub-target data product;

[0100] Issue an application for operating authorization for the sub-target data products to the data product provider;

[0101] Upon receiving a notification of operating authorization for the sub-target data product from the data product provider, an operating license certificate for the sub-target data product is issued to the data product operator, enabling the data product operator to operate the target data product based on the operating license certificate.

[0102] The device for managing the use of data products under the separation of powers in the embodiments of this specification can be a device, or a component, integrated circuit, or chip in a terminal. This device can be a mobile electronic device or a non-mobile electronic device. For example, mobile electronic devices can be mobile phones, tablets, laptops, PDAs, in-vehicle electronic devices, wearable devices, ultra-mobile personal computers (UMPCs), netbooks, or personal digital assistants (PDAs), etc., while non-mobile electronic devices can be servers, network-attached storage (NAS), personal computers (PCs), televisions (TVs), ATMs, or self-service machines, etc. The embodiments of this specification do not impose specific limitations.

[0103] The device for managing the use of data products under the separation of powers in the embodiments of this specification can be a device with an operating system. This operating system can be Android, iOS, or other possible operating systems; this specification does not specifically limit the embodiments to this type of device.

[0104] The device for managing the use of data products under the separation of powers system provided in the embodiments of this specification can achieve... Figure 1 The various processes implemented in the method embodiments are not described in detail here to avoid repetition.

[0105] Based on the same idea, one or more embodiments of this specification also provide an electronic device, such as... Figure 5 As shown. Electronic devices can vary considerably due to differences in configuration or performance, and may include one or more processors 501 and memory 502. Memory 502 may store one or more application programs or data. Memory 502 may be temporary or persistent storage. The application programs stored in memory 502 may include one or more modules (not shown), each module may include a series of computer-executable instructions for the electronic device. Furthermore, processor 501 may be configured to communicate with memory 502 and execute the series of computer-executable instructions in memory 502 on the electronic device. The electronic device may also include one or more power supplies 503, one or more wired or wireless network interfaces 504, one or more input / output interfaces 505, and one or more keyboards 506.

[0106] Specifically, in this embodiment, the electronic device includes a memory and one or more programs, wherein one or more programs are stored in the memory, and one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for use in the electronic device, and is configured to be executed by one or more processors. The one or more programs include computer-executable instructions for performing the following:

[0107] Receive usage requests for the target data product from users outside the target data product's operation and maintenance domain;

[0108] Information on the data product operator who manages the right to use each sub-target data product within the target data product is obtained. The operating rights of the data product operator are authorized by the data product provider who holds the rights to the sub-target data products.

[0109] Issue a usage authorization application to the data product operator for the sub-target data products operated by the data product operator;

[0110] Upon receiving the usage authorization notice for each sub-target data product, a usage right certificate for the target data product is issued to the data product user, enabling the data product user to use the target data product based on the usage right certificate.

[0111] This specification also provides a storage medium for storing one or more computer programs, the computer programs including instructions that, when executed by an electronic device including multiple applications, enable the electronic device to perform various processes of the above-described embodiments of the method for controlling the use of data products under the separation of powers, and specifically for executing:

[0112] Receive usage requests for the target data product from users outside the target data product's operation and maintenance domain;

[0113] Information on the data product operator who manages the right to use each sub-target data product within the target data product is obtained. The operating rights of the data product operator are authorized by the data product provider who holds the rights to the sub-target data products.

[0114] Issue a usage authorization application to the data product operator for the sub-target data products operated by the data product operator;

[0115] Upon receiving the usage authorization notice for each sub-target data product, a usage right certificate for the target data product is issued to the data product user, enabling the data product user to use the target data product based on the usage right certificate.

[0116] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, the above-described storage medium embodiment is basically similar to the method embodiment, so the description is relatively simple; relevant parts can be referred to the description of the method embodiment.

[0117] The methods, apparatus, modules, or units described in the above embodiments can be implemented by a computer chip or entity, or by a product with a certain function. A typical implementation device is a computer. Specifically, the computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.

[0118] For ease of description, the above apparatus is described by dividing it into various functional units. Of course, when implementing one or more embodiments of this specification, the functions of each unit can be implemented in one or more software and / or hardware.

[0119] Those skilled in the art will understand that one or more embodiments of this specification can be provided as a method, system, or computer program product. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0120] This specification describes one or more embodiments of methods, apparatus (systems), and computer program products according to embodiments of this specification with reference to flowchart illustrations and / or block diagrams. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce a machine for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0121] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0122] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0123] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.

[0124] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.

[0125] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.

[0126] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0127] One or more embodiments of this specification can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a particular task or implement a particular abstract data type. This specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.

[0128] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.

[0129] The above description is merely one or more embodiments of this specification and is not intended to limit this application. Various modifications and variations can be made to the one or more embodiments of this specification by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principle of one or more embodiments of this specification should be included within the scope of the claims of one or more embodiments of this specification.

Claims

1. A method for managing the use of data products under a separation of powers system, used in a data management server, comprising: Receive a usage request for a target data product from a user of the data product, wherein the user is a user outside the operation and maintenance domain of the target data product; Information on the data product operator that manages the usage rights of each sub-target data product within the target data product is obtained. The operating rights of the data product operator are authorized by the data product provider that holds the rights to the sub-target data products. The sub-target data products are obtained by splitting the target data product based on its usage scenario information. Each sub-target data product corresponds to different usage rights, including viewing rights, access rights, and calculation rights. The calculation rights are bound to calculation methods. Send a usage authorization application to the data product operator for the sub-target data product operated by the data product operator; Upon receiving a usage authorization notification corresponding to each of the sub-target data products, a usage right certificate for the target data product is issued to the data product user, so that the data product user can use the target data product based on the usage right certificate.

2. The method according to claim 1, before obtaining information on the data product operator that controls the right to use each sub-target data product in the target data product, the method further includes: Based on the information of the usage scenarios of the target data product, the target data product is split into at least one of the sub-target data products, and the usage rights corresponding to each of the split sub-target data products are determined. The step of issuing a usage authorization application to the data product operator for the sub-target data product operated by the data product operator includes: A usage authorization application is issued to the data product operator for the sub-target data product operated by the data product operator, the usage authorization application including an authorization application for the right to use the sub-target data product corresponding to the usage scenario.

3. The method according to claim 2, wherein if the right of use includes the right to invoke the sub-target data product, the use request includes version information of the application that invokes the sub-target data product.

4. The method of claim 2, wherein if the right of use includes the right to extract ciphertext for decrypting the encrypted sub-target data product, the method further comprises: Send a notification to the user of the data product requesting viewing and / or access rights for the decrypted sub-target data product.

5. The method according to claim 1, wherein issuing a usage authorization application to the data product operator for the sub-target data product operated by the data product operator comprises: In the absence of a data product operator that controls the right to use the sub-target data product, obtain information about the data product provider that controls the right to use the sub-target data product; A usage authorization application for the sub-target data product held by the data product provider is issued to the data product provider.

6. The method according to claim 1, wherein issuing a certificate of right to use the target data product to the data product user comprises: Request the certificate authority server to issue a certificate of right to use the target data product; Upon receiving the certificate of use for the target data product returned by the certificate center server, the certificate of use is issued to the user of the data product. The right to use certificate is submitted to the evidence storage service equipment for storage processing.

7. The method according to claim 6, wherein the authorization process for the ownership of the sub-target data product includes: Receive a hosting request for the sub-target data product sent by the data product provider; Confirm the target data product provider's ownership rights to the sub-target data product, and apply to the certificate center server for a certificate issuance request for the sub-target data product. The ownership rights requested for the sub-target data product in the certificate issuance request are the same as the confirmed ownership rights. Upon receiving a certificate of ownership for the sub-target data product returned by the certificate center server, the certificate of ownership is issued to the data product provider so that the data product provider can hold the sub-target data product based on the certificate of ownership.

8. The method according to claim 1, wherein the authorization process for the operating rights of the sub-target data product includes: Receive the business request for the sub-target data product sent by the data product operator; Obtain information about the data product provider that has ownership of the sub-target data product; Send an application for an operating license for the sub-target data product to the data product provider; Upon receiving an operating authorization notification for the sub-target data product from the data product provider, an operating license certificate for the sub-target data product is issued to the data product operator, enabling the data product operator to operate the target data product based on the operating license certificate.

9. A system for managing the use of data products under a separation of powers structure, the system comprising a provider server for the data product provider, an operator server for the data product operator, a user server for the data product user, and a data management server, wherein the data product user is a user outside the operation and maintenance domain of the target data product, wherein: The provider server is configured to authorize the operation rights of sub-target data products within the target data product; The user server is configured to send a usage request for the target data product to the data management server; The data management server is configured to acquire information about the data product operator that manages the usage rights of each sub-target data product within the target data product; and to send a usage authorization application to the operator's server for the sub-target data products operated by the data product operator. The sub-target data products are obtained by splitting the target data product based on its usage scenario information. Each sub-target data product corresponds to different usage rights, including viewing rights, access rights, and calculation rights, with the calculation rights bound to a calculation method. The operator's server is configured to send a usage authorization notification corresponding to the sub-target data product operated by the data product operator to the data management server; The data management server is configured to issue a certificate of right to use the target data product to the user server; The user server is configured to use the target data product based on the usage certificate.

10. The system according to claim 9, further comprising a certificate center server and an evidence storage device, wherein: The data management server is configured to request the issuance of a certificate of use right for the target data product from the certificate center server; The certificate center server is configured to create a usage certificate for the target data product and send the usage certificate to the data management server. The data management server is configured to issue the usage right certificate to the user server and submit the usage right certificate to the evidence storage service device for storage processing. The evidence storage device is configured to store the right of use certificate.

11. A device for managing the use of data products under a system of separation of powers, comprising: The receiving module is used to receive usage requests for a target data product sent by a data product user, wherein the data product user is a user outside the operation and maintenance domain of the target data product; The acquisition module is used to acquire information about the data product operator that controls the usage rights of each sub-target data product in the target data product. The operating rights of the data product operator are authorized by the data product provider that holds the rights to the sub-target data products. The sub-target data products are obtained by splitting the target data product based on the usage scenario information of the target data product. Each sub-target data product corresponds to different usage rights, including viewing rights, access rights, and calculation rights. The calculation rights are bound to calculation methods. The application module is used to send a usage authorization application to the data product operator for the sub-target data product operated by the data product operator; The issuance module is used to issue a usage right certificate for the target data product to the data product user upon receiving a usage authorization notification corresponding to each of the sub-target data products, so that the data product user can use the target data product based on the usage right certificate.

12. An electronic device, comprising: processor, and A memory configured to store computer-executable instructions, which, when executed, enable the processor to: Receive a usage request for a target data product from a user of the data product, wherein the user is a user outside the operation and maintenance domain of the target data product; Information on the data product operator that manages the usage rights of each sub-target data product within the target data product is obtained. The operating rights of the data product operator are authorized by the data product provider that holds the rights to the sub-target data products. The sub-target data products are obtained by splitting the target data product based on its usage scenario information. Each sub-target data product corresponds to different usage rights, including viewing rights, access rights, and calculation rights. The calculation rights are bound to calculation methods. Send a usage authorization application to the data product operator for the sub-target data product operated by the data product operator; Upon receiving a usage authorization notification corresponding to each of the sub-target data products, a usage right certificate for the target data product is issued to the data product user, so that the data product user can use the target data product based on the usage right certificate.