Data access method and device, electronic equipment and storage medium
By generating data access statements and dynamically adjusting access permissions based on user attributes and permission restriction interface identifiers, the problem of low flexibility in data access permission configuration is solved, achieving refined and flexible permission management.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- 中国联合网络通信有限公司广东省分公司
- Filing Date
- 2024-11-27
- Publication Date
- 2026-06-05
AI Technical Summary
In existing technologies, data access permission configuration methods are not very flexible, are difficult to maintain and are cumbersome to operate, making it difficult to achieve dynamic and fine-grained permission control.
By receiving data access requests from target users, generating data access statements, and determining access permission types based on user attribute information, access item identifiers, and permission restriction interface identifiers, access filtering conditions are generated using preset filtering condition configuration information, and permission control is dynamically adjusted.
It has enhanced the granularity and flexibility of data permission control while reducing the difficulty of permission configuration, and achieved dynamic and refined data access permission management.
Smart Images

Figure CN119646849B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of computer technology, and in particular to a data access method, apparatus, electronic device, and storage medium. Background Technology
[0002] Currently, when performing data access with authentication, authentication filtering based on user permissions is usually implemented through hard-coded access control.
[0003] However, when configuring permissions using the above method, the source code needs to be modified every time a user's data permissions change, which is inflexible and difficult to maintain. Furthermore, when permission rules are modified, the permission control needs to be hard-coded, which is difficult to implement and highly intrusive to the code. Summary of the Invention
[0004] This invention provides a data access method, apparatus, electronic device, and storage medium to enhance the granularity of data access control while reducing the difficulty of configuring data access permissions, thereby improving the flexibility of data access permission control and achieving dynamic and granular control of data access permissions during the data access process.
[0005] According to one aspect of the present invention, a data access method is provided, the method comprising:
[0006] Receive a data access request from a target user for a target access item, and generate a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request;
[0007] For at least one of the data access interfaces, if the data access interface is a permission-restricted interface, the access permission type of the target user to the permission-restricted interface is determined based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface; wherein, the permission-restricted interface is a data access interface that requires permission control.
[0008] When the access permission type is a target access permission type, the access filtering conditions corresponding to the target user are determined based on the user attribute information, the access item identifier, and the preset filtering condition configuration information. Based on the data access statement corresponding to the access restriction interface and the access filtering conditions, a target access statement corresponding to the access restriction interface is generated. The filtering condition configuration information is used to indicate the mapping relationship between the user attribute information, the access item identifier, and the access filtering conditions.
[0009] Based on the target access statement corresponding to at least one of the permission restriction interfaces and the data access statement corresponding to other data access interfaces among the at least one data access interface besides the permission restriction interface, the target access data corresponding to the data access request is determined.
[0010] According to another aspect of the present invention, a data access device is provided, the device comprising:
[0011] The request receiving module is used to receive a data access request from a target user for a target access item, and generate a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request.
[0012] The permission type determination module is used to determine the access permission type of the target user to the permission-restricted interface based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface, when the data access interface is a permission-restricted interface.
[0013] The access statement generation module is used to determine the access filtering conditions corresponding to the target user based on the user attribute information, the access item identifier, and the preset filtering condition configuration information when the access permission type is the target permission type, and to generate the target access statement corresponding to the permission restriction interface based on the data access statement corresponding to the permission restriction interface and the access filtering conditions; wherein, the filtering condition configuration information is used to indicate the mapping relationship between the user attribute information, the access item identifier, and the access filtering conditions;
[0014] The access data determination module is used to determine the target access data corresponding to the data access request based on the target access statement corresponding to at least one of the permission restriction interfaces and the data access statements corresponding to other data access interfaces among the at least one data access interface besides the permission restriction interface.
[0015] According to another aspect of the present invention, an electronic device is provided, the electronic device comprising:
[0016] At least one processor; and
[0017] A memory communicatively connected to the at least one processor; wherein,
[0018] The memory stores a computer program that can be executed by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform the data access method according to any embodiment of the present invention.
[0019] According to another aspect of the present invention, a computer-readable storage medium is provided, the computer-readable storage medium storing computer instructions for causing a processor to execute and implement the data access method described in any embodiment of the present invention.
[0020] The technical solution of this embodiment receives a data access request from a target user for a target access item, and generates a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request. Further, for the at least one data access interface, if the data access interface is a permission-restricted interface, the access permission type of the target user to the permission-restricted interface is determined based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface. Further, if the access permission type is a target permission type, access filtering conditions corresponding to the target user are determined according to the user attribute information, the access item identifier, and preset filtering condition configuration information, and based on the permission... The system generates target access statements corresponding to the permission restriction interfaces by defining the data access statements and access filtering conditions corresponding to the permission restriction interfaces. Furthermore, based on the target access statements corresponding to at least one permission restriction interface and the data access statements corresponding to other data access interfaces (excluding the permission restriction interface) among at least one data access interface, the system determines the target access data corresponding to the data access request. This solves the problems of low flexibility, difficult maintenance, and cumbersome operation in related technologies regarding permission configuration methods. It enhances the granularity of data permission control while reducing the difficulty of configuring data access permissions, improving the flexibility of data access permission control, and ultimately achieving dynamic and refined control of data access permissions during the data access process.
[0021] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of the present invention, nor is it intended to limit the scope of the invention. Other features of the invention will become readily apparent from the following description. Attached Figure Description
[0022] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0023] Figure 1 This is a flowchart of a data access method provided according to Embodiment 1 of the present invention;
[0024] Figure 2This is a flowchart of a data access method provided according to Embodiment 2 of the present invention;
[0025] Figure 3 This is a schematic diagram of the structure of a data access device according to Embodiment 3 of the present invention;
[0026] Figure 4 This is a schematic diagram of the structure of an electronic device that implements the data access method of the present invention. Detailed Implementation
[0027] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.
[0028] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0029] Example 1
[0030] Figure 1 This is a flowchart of a data access method provided in Embodiment 1 of the present invention. This embodiment is applicable to situations where data access is performed on a target access item. The method can be executed by a data access device, which can be implemented in hardware and / or software, and can be configured in a terminal and / or server. Figure 1 As shown, the method includes:
[0031] S110. Receive a data access request from the target user for the target access item, and generate a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request.
[0032] In this context, the target user can be the object currently accessing the target access item. The target access item can be understood as an access item that integrates at least one data access interface and is to be accessed. For example, the target access item could be "query supplier user". The data access request can be a pre-written piece of program code used to implement data access functionality. The target access item can include at least one associated data access interface. A data access interface refers to the connection between the application and the database. It can be understood that a data access interface enables the application to access and manipulate data in the database. Different data access interfaces can be used to access different databases. For example, a data access interface can be an Application Programming Interface (API). Generally, when accessing a target access item, the corresponding database can be accessed based on at least one data access interface associated with the target access item to obtain the required data. A data access statement refers to an instruction or command used to access and manipulate data in the database. Through data access statements, the application can interact with the database and perform operations such as data querying, inserting, updating, and deleting. A data access statement can be any statement written in programming language; optionally, it can be an SQL statement.
[0033] In this embodiment, upon detecting the generation of a data access request for a target access item, the generated data access request can be sent to the server, enabling the server to access the target access item based on the data access request. The generation of the data access request can include various methods. Optionally, a data access request corresponding to the target access item can be generated upon detecting a trigger operation by the target user on the access control corresponding to the target access item; or, a data access request can be generated upon detecting that the received audio information includes a trigger word associated with accessing the target access item; or, a data access request can be generated upon receiving a preset data access instruction. The data access instruction can be a string consisting of at least one character and / or a key combination consisting of at least one key, etc.
[0034] As an optional implementation of this embodiment, at least one access item can be predetermined, and access controls corresponding to each access item can be set. Furthermore, upon detecting a trigger operation by a target user on the access control of a target access item, a data access request corresponding to the target access item can be generated, and the generated data access request can be sent to a server capable of performing data access. Furthermore, upon receiving a data access request from a target user for a target access item, at least one data access interface associated with the target access item can be determined, and a data access statement corresponding to at least one data access interface can be generated based on the data access request.
[0035] S120. For at least one data access interface, if the data access interface is a permission-restricted interface, determine the access permission type of the target user to the permission-restricted interface based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface.
[0036] Among them, the permission-restricted interface can be understood as an interface that requires access control. The permission-restricted interface is a data access interface that requires access control. That is, when accessing this type of data access interface, it is necessary to first determine whether the target user has the necessary access permissions. If the target user has the necessary access permissions, they can access the data access interface. If the target user does not have the necessary access permissions, they cannot access the data access interface. User attribute information can be understood as information associated with the user. User attribute information can refer to personal information filled in by the user when registering or using internet services, or information automatically collected by the system. User attribute information can be used to represent the user's identity information. User attribute information can include multiple pieces of information associated with the user, optionally including user identifier, the user's organization identifier, user role identifier, and the user's historical access data. Access item identifier can be information used to identify access items. Access item identifier can be any form of identification information; optionally, it is a string consisting of at least one character, and the character can be at least one of letters, numbers, or English letters. For example, assuming the target access item is access item A, then the access item identifier of the target access item is MenuA. An interface identifier can be information used to identify a data access interface. The interface identifier can be any form of identification information; optionally, it is a string consisting of at least one character, and the character can be at least one of letters, numbers, or English letters. For example, continuing with the previous example, the data access interfaces associated with access item A include three: interface A, interface B, and interface C. Therefore, the interface identifier corresponding to interface A is IntfA; the interface identifier corresponding to interface B is IntfB; and the interface identifier corresponding to interface C is IntfC. Access permission types can be understood as pre-defined permission types for users to access business data through data access interfaces. Access permission types determine the range of data a user can access; by configuring access permission types, the range of data that relevant users can access through the relevant interfaces of that access item is restricted. For example, access permission types can include access permission type A, access permission type B, access permission type C, access permission type D, and access permission type Z. Among them, access permission type A corresponds to personal data, indicating that users can only access data related to themselves; access permission type B corresponds to all data of the department, indicating that users can access data related to their department; access permission type C corresponds to all data, indicating that users can access all data; access permission type D corresponds to custom permissions, which can determine the range of data that users can access based on their user attribute information; access permission type Z corresponds to default permissions, which can be matched to users when the system cannot determine the user's access permission type.
[0037] In this embodiment, among at least one data access interface associated with the target access item, there may be data access interfaces that require permission control and / or data access interfaces that do not require permission control. For data access interfaces that do not require permission control, the associated business data can be accessed directly through the data access interface. For data access interfaces that require permission control, the access permission type of the target user for the data access interface can be determined, and then, based on the access permission type, business data within the corresponding permission range can be accessed through the data access interface.
[0038] In this embodiment, for at least one data access interface associated with a target access item, it can be determined whether the data access interface is a permission-restricted interface based on the interface attribute information corresponding to the data access interface. Furthermore, if the data access interface is a permission-restricted interface, the target user's user attribute information, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface can be obtained. Then, the access permission type of the target user to the permission-restricted interface can be determined based on the user attribute information, the access item identifier, and the interface identifier.
[0039] As an optional implementation of this embodiment, at least one access permission type can be predetermined, and the access permission type can be associated with user roles, access items, and data access interfaces. That is, access permission types are configured for each data access interface associated with an access item for a user role. Furthermore, for at least one data access interface, if the data access interface is a permission-restricted interface, the user attribute information of the target user can be obtained, and the role identifier corresponding to the role to which the target user belongs can be determined based on the user attribute information. Furthermore, the access permission type of the target user for that permission-restricted interface can be determined based on the association between the role identifier, access item identifier, interface identifier, and access permission type.
[0040] As another implementation of this embodiment, at least one access permission type can be predetermined, and the access permission type can be associated with users, access items, and data access interfaces. That is, access permission types are configured for each user for each data access interface associated with an access item. Furthermore, for at least one data access interface, if the data access interface is a permission-restricted interface, user attribute information of the target user can be obtained, and the user identifier corresponding to the target user can be determined based on the user attribute information. Furthermore, the access permission type of the target user for that permission-restricted interface can be determined based on the association between the user identifier, access item identifier, interface identifier, and access permission type.
[0041] In this embodiment, in order to achieve dynamic data access control during data access, the data access interfaces that need to be controlled can be pre-determined and annotated to mark these data access interfaces so that the access restriction interfaces can be quickly determined based on the interface markings during data access.
[0042] Optionally, based on the above technical solutions, the method further includes: for at least one data access interface, if the data access interface is an interface that requires permission management, annotating and marking the data access interface according to at least one preset permission marker field and the field value corresponding to the permission marker field, and using the marked data access interface as a permission restriction interface.
[0043] It's understandable that when access to certain data access interfaces requires specific permission controls, developers can mark these interfaces by adding custom annotations to their definitions. This allows the system to recognize and apply the corresponding permission check logic. Annotations can provide additional metadata information to the interface without modifying the code logic. This metadata information can be used for various purposes such as permission checks, logging, and API documentation generation.
[0044] The permission flag field can be a pre-defined field representing the corresponding permission. Optionally, the permission flag field can include fields such as table, field, and value. The table field is used to mark the table name to be controlled; if the table field is the default value (empty string), SQL statements for all tables will be intercepted by default. The field field is used to control the fields returned after executing the original SQL statement; if the field field is the default value, all field information from the interface will be returned by default. The value field is used to represent the filtering conditions after nesting and concatenating the original SQL, generally through filtering using limiting conditions with placeholders. It should be noted that different permission flag fields can be used to control different permission checks.
[0045] As an optional implementation of this embodiment, for at least one data access interface, if the data access interface is an interface requiring access control, the access restriction items that require access control for the data access interface can be determined. Further, corresponding access restriction fields and their corresponding field values can be determined based on the determined access restriction items. Then, the data access interface can be annotated and marked according to at least one access restriction resource and the field values corresponding to each access restriction field, and the marked data access interface can be used as the access restriction interface. The access restriction items may include table access restriction items, access feedback restriction items, and other access restriction items.
[0046] S130. When the access permission type is the target permission type, determine the access filtering conditions corresponding to the target user based on the user attribute information, access item identifier and preset filtering condition configuration information, and generate the target access statement corresponding to the permission restriction interface based on the data access statement and access filtering conditions corresponding to the permission restriction interface.
[0047] The target permission type can be any of the pre-defined access permission types that require determining access filtering conditions based on user attribute information. The target permission type can be any of at least one preset access permission type. For example, the target access permission type can be a custom permission type. Filtering condition configuration information can be understood as information used to configure access filtering conditions associated with a user. Filtering condition configuration information is used to indicate the mapping relationship between user attribute information, access item identifiers, and access filtering conditions. Access filtering conditions can be understood as conditions or rules used to limit the range of data access results. When data access is performed based on access filtering conditions, data in the database can be filtered according to the access filtering conditions so that only data records that meet specific requirements are returned. The target access statement can be the access execution statement applied to ultimately perform the data access.
[0048] In this embodiment, if the access permission type of the target user to the permission-restricted interface is determined, it can be determined whether the access permission type is the target permission type. Furthermore, if the access permission type is the target permission type, a query can be performed in the preset filter condition configuration information based on user attribute information and access item identifier to obtain the access filter conditions corresponding to the target user.
[0049] In this embodiment, in order to accurately determine the access filtering conditions corresponding to the target user based on the filtering condition configuration information, the association between user identifier, access item identifier, filter identifier and access filtering conditions can be established in advance, and the filtering condition configuration information can be determined based on the association.
[0050] Optionally, user attribute information is used to determine the filter identifier; the user attribute information includes a user identifier; based on the user attribute information, the access item identifier, and the preset filter condition configuration information, the access filter condition corresponding to the target user is determined, including: determining the access item identifier corresponding to the target access item; parsing the user attribute information to obtain the filter identifier corresponding to the target user, and determining the user identifier corresponding to the target user based on the user attribute information; querying the preset filter condition configuration information based on the access item identifier, the filter identifier, and the user identifier to determine the access filter condition corresponding to the target user.
[0051] The filter identifier can be used to identify the scope of data filtering. The user identifier can be information used to identify the user. The user identifier can be any form of identification information; optionally, it is a string consisting of at least one character, and the character can be at least one of letters, numbers, or English letters.
[0052] As an optional implementation of this embodiment, when the target user's access permission type for the permission-restricted interface is the target permission type, the access item identifier corresponding to the target access item can be determined, and the user attribute information corresponding to the target user can be parsed to obtain the filter identifier corresponding to the target user. Furthermore, the user identifier of the target user can be obtained based on the user attribute information. Further, the access item identifier, filter identifier, and user identifier can be queried in the preset filter condition configuration information to obtain the access filter conditions corresponding to the target user.
[0053] It should be noted that when the access permission type is the target permission type, dynamically configuring the access filtering conditions corresponding to the target user based on user attribute information can achieve flexible data permission control and also achieve the effect of personalized permission control for different users.
[0054] For example, assuming the target user is user D, the user identifier is UserD, the access item identifier is Menu_QryProvider, and the filter identifier is QryProvider_Org, then based on the filter condition configuration information (as shown in Table 1), the access filter condition corresponding to the target user can be determined as org_id in({#orgId}).
[0055] Table 1 Filtering Condition Configuration Information
[0056]
[0057] In this embodiment, when the access permission type is not the target access permission type, a filter condition template corresponding to the access permission type can be determined from the preset filter condition template. Then, the filter condition template can be directly applied to determine the access filter conditions corresponding to the target user.
[0058] Optionally, based on the above technical solutions, the method further includes: when the access permission type is not the target access permission type, determining the filter condition template corresponding to the access permission type according to the preset filter condition mapping information; processing the filter condition template based on user attribute information to obtain the access filter conditions corresponding to the access restriction interface.
[0059] The non-target permission type can be any of the at least one preset access permission types other than the target access type. For example, non-target permission types may include personal data access permissions, departmental data access permissions, all data access permissions, and default access permissions. The filter condition mapping information is used to indicate the association between at least one non-target permission type and the filter condition template. In this embodiment, at least one access permission type can be predetermined, and non-target permission types can be determined from among these at least one access permission type. Further, a filter condition template corresponding to each non-target permission type can be determined based on the permission scope corresponding to each non-target permission type, establishing a mapping relationship between the non-target permission type and the filter condition template, and filter condition mapping information can be constructed based on this mapping relationship.
[0060] For example, Table 2 is an illustration of the effect of the filtering condition mapping information provided in this embodiment. As shown in Table 2, authTypeA corresponds to personal data access permissions; authTypeB corresponds to departmental data access permissions; authTypeC corresponds to all data access permissions; and authTypeZ corresponds to default access permissions. It should be noted that the advantage of setting the scope of default access permissions to personal data is that, in cases where the access permission type of the target user cannot be determined, configuring default access permissions for the target user ensures that the target user can only access business data related to them, thereby improving data security.
[0061] Table 2 Filtering Condition Mapping Information
[0062]
[0063] As an optional implementation of this embodiment, when the access permission type is not the target access permission type, a query can be performed in the preset filter condition mapping information according to the access permission type to obtain the filter condition template corresponding to the access permission type. Further, the information to be filled in the filter condition template can be determined, and the corresponding information can be obtained from the user attribute information. The obtained information is then filled into the filter condition template to obtain the access filter conditions corresponding to the permission restriction interface. Optionally, the information to be filled in the filter condition template may include the user identifier and / or the department identifier of the user's department, etc.
[0064] In this embodiment, the generated data access statement corresponding to the access restriction interface is an access statement without any access filtering conditions. To obtain the required access data based on the access filtering conditions, given the access filtering conditions corresponding to the target user, the data access statement and access filtering conditions corresponding to the access restriction interface can be processed according to a preset statement concatenation method to generate the target access statement for the access restriction interface. The statement concatenation method can be any method that can combine at least two statements into one statement; optionally, a nested concatenation method is used.
[0065] Optionally, based on the data access statement and access filtering conditions corresponding to the permission restriction interface, a target access statement corresponding to the permission restriction interface is generated, including: generating a filtering condition clause based on the access filtering conditions; nesting and concatenating the data access statement based on the filtering condition clause, and using the concatenated statement as the target access statement corresponding to the permission restriction interface.
[0066] As an optional implementation of this embodiment, given the access filtering conditions, a filtering condition clause can be generated based on those conditions. Furthermore, the filtering condition clause can be nested and concatenated around the data access statement, and the resulting statement can be used as the target access statement corresponding to the permission restriction interface.
[0067] S140. Based on the target access statement corresponding to at least one permission restriction interface and the data access statement corresponding to other data access interfaces among at least one data access interface besides the permission restriction interface, determine the target access data corresponding to the data access request.
[0068] The target access data can be data associated with the target access item that is accessible within the target user's access permission scope.
[0069] In this embodiment, for at least one data access interface associated with a target access item, for a permission-restricted interface, a target access statement corresponding to the permission-restricted interface can be determined; for other access interfaces besides the permission-restricted interface, the data access statement corresponding to that data access interface can be directly applied. Furthermore, the target access statement corresponding to at least one permission-restricted interface and the data access statements corresponding to other access interfaces among the at least one data access interface can be executed to obtain access data corresponding to each data access interface. Subsequently, the access data corresponding to each data access interface can be used as the target access data corresponding to the data access request.
[0070] In this embodiment, in order to enable users to browse the target access data more clearly and intuitively, after determining the target access data corresponding to the data access request, the method further includes: feeding back the target access data to the user terminal associated with the target user, and displaying the target access data based on the user terminal.
[0071] The user terminal can be a terminal device that supports receiving user operations and / or displaying relevant data. The user terminal can be the user end that issues the data access request. Optionally, the user terminal can be a mobile terminal and / or a fixed terminal.
[0072] As an optional implementation of this embodiment, upon obtaining the target access data corresponding to the data access request, the target access data can be fed back to the user terminal associated with the target user. Furthermore, the target access data can be displayed on the user terminal's display interface.
[0073] The technical solution of this embodiment receives a data access request from a target user for a target access item, and generates a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request. Further, for the at least one data access interface, if the data access interface is a permission-restricted interface, the access permission type of the target user to the permission-restricted interface is determined based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface. Further, if the access permission type is a target permission type, access filtering conditions corresponding to the target user are determined according to the user attribute information, the access item identifier, and preset filtering condition configuration information, and based on the permission... The system generates target access statements corresponding to the permission restriction interfaces by defining the data access statements and access filtering conditions corresponding to the permission restriction interfaces. Furthermore, based on the target access statements corresponding to at least one permission restriction interface and the data access statements corresponding to other data access interfaces (excluding the permission restriction interface) among at least one data access interface, the system determines the target access data corresponding to the data access request. This solves the problems of low flexibility, difficult maintenance, and cumbersome operation in related technologies regarding permission configuration methods. It enhances the granularity of data permission control while reducing the difficulty of configuring data access permissions, improving the flexibility of data access permission control, and ultimately achieving dynamic and refined control of data access permissions during the data access process.
[0074] Example 2
[0075] Figure 2This is a flowchart of a data access method provided in Embodiment 2 of the present invention. Based on the aforementioned embodiments, user attribute information includes a user role identifier. Determining the access permission type of the target user to the permission restriction interface based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission restriction interface includes: obtaining the user attribute information corresponding to the target user, and determining the user role identifier corresponding to the target user based on the user attribute information; determining the access item identifier corresponding to the target access item and the interface identifier corresponding to the permission restriction interface; and querying preset permission type association information based on the user role identifier, access item identifier, and interface identifier to obtain the access permission type of the target user to the permission restriction interface. Specific implementation details can be found in the technical solution of this embodiment. Technical terms that are the same as or corresponding to those in the above embodiments will not be repeated here.
[0076] like Figure 2 As shown, the method includes:
[0077] S210. Receive a data access request from the target user for the target access item, and generate a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request.
[0078] S220. For at least one data access interface, if the data access interface is a permission-restricted interface, obtain the user attribute information corresponding to the target user, and determine the user role identifier corresponding to the target user based on the user attribute information.
[0079] The user role identifier can be information used to identify user roles. It can be understood that a user role is a set of permissions and responsibilities defined in a system or application, used to describe the operations that different types of users can perform and the resources they can access. Optionally, user roles can include administrators, regular users, visitors, auditors, and developers, etc. The user role identifier can be any form of identification information; optionally, it is a string consisting of at least one character, and the character can be at least one of letters, numbers, or English letters.
[0080] In this embodiment, for at least one data access interface, if the data access interface is a permission-restricted interface, in order to determine the access permission type of the target user for that permission-restricted interface, the user attribute information corresponding to the target user can be obtained. Furthermore, the user role identifier corresponding to the target user can be obtained from the user attribute information.
[0081] S230. Determine the access item identifier corresponding to the target access item and the interface identifier corresponding to the permission restriction interface.
[0082] In this embodiment, the access item identifier corresponding to the target access item and the interface identifier corresponding to the permission restriction interface can be determined.
[0083] S240. Based on the user role identifier, access item identifier, and interface identifier, query the preset permission type association information to obtain the access permission type of the target user to the permission restriction interface.
[0084] The permission type association information can be understood as information used to represent the relationship between user roles, access items, data access interfaces, and permission access types. This information indicates the mapping relationship between user role identifiers, access item identifiers, interface identifiers, and permission access types.
[0085] As an optional implementation of this embodiment, at least one access permission type can be predetermined, and the access permission type can be associated with user roles, access items, and data access interfaces. That is, access permission types are configured for each data access interface associated with an access item for a user role, and permission type association information is constructed based on the determined association relationship. Further, given the user role identifier corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission restriction interface, a query can be performed in the preset permission type association information based on the user role identifier, access item identifier, and interface identifier, and the obtained access permission type can be used as the access permission type for the target user to the permission restriction interface.
[0086] It should be noted that by setting the access permission type for each role to a certain access item, each role can individually configure the access permission of the data access interface associated with that access item. At runtime, the program dynamically uses different access permission types to execute the data access interface corresponding to the access item based on the user's role, thus achieving fine-grained configuration.
[0087] S250. When the access permission type is the target permission type, determine the access filtering conditions corresponding to the target user based on the user attribute information, access item identifier and preset filtering condition configuration information, and generate the target access statement corresponding to the permission restriction interface based on the data access statement and access filtering conditions corresponding to the permission restriction interface.
[0088] S260. Based on the target access statement corresponding to at least one of the permission restriction interfaces and the data access statement corresponding to other data access interfaces among the at least one of the data access interfaces besides the permission restriction interface, determine the target access data corresponding to the data access request.
[0089] The technical solution of this embodiment receives a data access request from a target user for a target access item, and generates a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request. Further, for the at least one data access interface, if the data access interface is a permission-restricted interface, the access permission type of the target user to the permission-restricted interface is determined based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface. Further, if the access permission type is a target permission type, access filtering conditions corresponding to the target user are determined according to the user attribute information, the access item identifier, and preset filtering condition configuration information, and based on the permission... The system generates target access statements corresponding to the permission restriction interfaces by defining the data access statements and access filtering conditions corresponding to the permission restriction interfaces. Furthermore, based on the target access statements corresponding to at least one permission restriction interface and the data access statements corresponding to other data access interfaces (excluding the permission restriction interface) among at least one data access interface, the system determines the target access data corresponding to the data access request. This solves the problems of low flexibility, difficult maintenance, and cumbersome operation in related technologies regarding permission configuration methods. It enhances the granularity of data permission control while reducing the difficulty of configuring data access permissions, improving the flexibility of data access permission control, and ultimately achieving dynamic and refined control of data access permissions during the data access process.
[0090] Example 3
[0091] Figure 3 This is a schematic diagram of the structure of a data access device provided in Embodiment 3 of the present invention. Figure 3 As shown, the device includes: a request receiving module 310, a permission type determination module 320, an access statement generation module 330, and an access data determination module 340.
[0092] The request receiving module 310 is used to receive a data access request from a target user for a target access item, and generate a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request; the permission type determination module 320 is used to determine the access permission type of the target user for at least one data access interface, if the data access interface is a permission-restricted interface, based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface; the access statement generation module 330 is used to, if the access permission type is a target permission type, generate a data access statement based on the user attributes... The system uses information, the access item identifier, and preset filtering condition configuration information to determine the access filtering conditions corresponding to the target user, and generates a target access statement corresponding to the permission restriction interface based on the data access statement corresponding to the permission restriction interface and the access filtering conditions; wherein, the filtering condition configuration information is used to indicate the mapping relationship between the user attribute information, the access item identifier, and the access filtering conditions; the access data determination module 340 is used to determine the target access data corresponding to the data access request based on the target access statement corresponding to at least one permission restriction interface and the data access statements corresponding to other data access interfaces among at least one data access interface besides the permission restriction interface.
[0093] The technical solution of this embodiment receives a data access request from a target user for a target access item, and generates a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request. Further, for the at least one data access interface, if the data access interface is a permission-restricted interface, the access permission type of the target user to the permission-restricted interface is determined based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface. Further, if the access permission type is a target permission type, access filtering conditions corresponding to the target user are determined according to the user attribute information, the access item identifier, and preset filtering condition configuration information, and based on the permission... The system generates target access statements corresponding to the permission restriction interfaces by defining the data access statements and access filtering conditions corresponding to the permission restriction interfaces. Furthermore, based on the target access statements corresponding to at least one permission restriction interface and the data access statements corresponding to other data access interfaces (excluding the permission restriction interface) among at least one data access interface, the system determines the target access data corresponding to the data access request. This solves the problems of low flexibility, difficult maintenance, and cumbersome operation in related technologies regarding permission configuration methods. It enhances the granularity of data permission control while reducing the difficulty of configuring data access permissions, improving the flexibility of data access permission control, and ultimately achieving dynamic and refined control of data access permissions during the data access process.
[0094] Optionally, the user attribute information includes a user role identifier; the permission type determination module 320 includes: a role identifier determination unit, an interface identifier determination unit, and a permission type determination unit.
[0095] The role identifier determination unit is used to obtain user attribute information corresponding to the target user, and determine the user role identifier corresponding to the target user based on the user attribute information;
[0096] An interface identifier determination unit is used to determine the access item identifier corresponding to the target access item and the interface identifier corresponding to the permission restriction interface;
[0097] The permission type determination unit is used to query preset permission type association information based on the user role identifier, the access item identifier, and the interface identifier to obtain the access permission type of the target user to the permission-restricted interface; wherein, the permission type association information is used to indicate the mapping relationship between the user role identifier, the access item identifier, the interface identifier, and the access permission type.
[0098] Optionally, the user attribute information is used to determine the filter identifier; the user attribute information includes a user identifier; the access statement generation module 330 includes: an access item identifier determination unit, a filter identifier determination unit, and a filter condition determination unit.
[0099] An access item identifier determination unit is used to determine the access item identifier corresponding to the target access item;
[0100] A filter identifier determination unit is used to parse the user attribute information to obtain a filter identifier corresponding to the target user, and to determine a user identifier corresponding to the target user based on the user attribute information.
[0101] The filtering condition determination unit is used to query preset filtering condition configuration information based on the access item identifier, the filtering identifier, and the user identifier to determine the access filtering conditions corresponding to the target user.
[0102] Optionally, the device further includes a filter condition template determination module and a filter condition determination module.
[0103] A filter condition template determination module is used to determine a filter condition template corresponding to the access permission type based on preset filter condition mapping information when the access permission type is a non-target access permission type; wherein, the filter condition mapping information is used to indicate the association relationship between at least one of the non-target access permission types and the filter condition template;
[0104] The filtering condition determination module is used to process the filtering condition template based on the user attribute information to obtain the access filtering conditions corresponding to the permission restriction interface.
[0105] Optionally, the access statement generation module 330 includes: a condition clause generation unit and an access statement generation unit.
[0106] The condition clause generation unit is used to generate a filter condition clause based on the access filter condition;
[0107] The access statement generation unit is used to nest and concatenate the data access statement based on the filtering condition clause, and use the concatenated statement as the target access statement corresponding to the data access interface.
[0108] Optionally, the device may further include an interface tagging module.
[0109] An interface marking module is used to annotate and mark at least one of the data access interfaces, when the data access interface is an interface that requires permission control, based on at least one preset permission marking field and the field value corresponding to the permission marking field, and to mark the marked data access interface as a permission restriction interface.
[0110] Optionally, the device may further include an access data display module.
[0111] The access data display module is used to feed back the target access data to the user terminal associated with the target user, and display the target access data based on the user terminal.
[0112] The data access device provided in the embodiments of the present invention can execute the data access method provided in any embodiment of the present invention, and has the corresponding functional modules and beneficial effects of executing the method.
[0113] Example 4
[0114] Figure 4 A schematic diagram of an electronic device 10 that can be used to implement embodiments of the present invention is shown. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital processors, cellular phones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the invention described and / or claimed herein.
[0115] like Figure 4 As shown, the electronic device 10 includes at least one processor 11 and a memory, such as a read-only memory (ROM) 12 or a random access memory (RAM) 13, communicatively connected to the at least one processor 11. The memory stores computer programs executable by the at least one processor. The processor 11 can perform various appropriate actions and processes based on the computer program stored in the ROM 12 or loaded from storage unit 18 into the RAM 13. The RAM 13 may also store various programs and data required for the operation of the electronic device 10. The processor 11, ROM 12, and RAM 13 are interconnected via a bus 14. An input / output (I / O) interface 15 is also connected to the bus 14.
[0116] Multiple components in electronic device 10 are connected to I / O interface 15, including: input unit 16, such as keyboard, mouse, etc.; output unit 17, such as various types of displays, speakers, etc.; storage unit 18, such as disk, optical disk, etc.; and communication unit 19, such as network card, modem, wireless transceiver, etc. Communication unit 19 allows electronic device 10 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.
[0117] Processor 11 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. Processor 11 performs the various methods and processes described above, such as data access methods.
[0118] In some embodiments, the data access method may be implemented as a computer program tangibly contained in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and / or mounted on electronic device 10 via ROM 12 and / or communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the data access method described above may be performed. Alternatively, in other embodiments, processor 11 may be configured to perform the data access method by any other suitable means (e.g., by means of firmware).
[0119] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), payload-programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.
[0120] Computer programs used to implement the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the processor, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be performed. The computer programs may be executed entirely on a machine, partially on a machine, or as a standalone software package, partially on a machine and partially on a remote machine, or entirely on a remote machine or server.
[0121] In the context of this invention, a computer-readable storage medium can be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus, or device. A computer-readable storage medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination thereof. Alternatively, a computer-readable storage medium may be a machine-readable signal medium. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.
[0122] To provide interaction with a user, the systems and techniques described herein can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the electronic device. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).
[0123] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as data servers), or computing systems that include middleware components (e.g., application servers), or computing systems that include frontend components (e.g., user computers with graphical user interfaces or web browsers through which users can interact with implementations of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., communication networks). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the Internet.
[0124] A computing system can include clients and servers. Clients and servers are generally located far apart and typically interact through communication networks. The client-server relationship is created by computer programs running on the respective computers and having a client-server relationship with each other. The server can be a cloud server, also known as a cloud computing server or cloud host, which is a hosting product within the cloud computing service system to address the shortcomings of traditional physical hosts and VPS services, such as high management difficulty and weak business scalability.
[0125] It should be understood that the various forms of processes shown above can be used, with steps reordered, added, or deleted. For example, the steps described in this invention can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution of this invention can be achieved, and this is not limited herein.
[0126] The specific embodiments described above do not constitute a limitation on the scope of protection of this invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of this invention should be included within the scope of protection of this invention.
Claims
1. A data access method, characterized in that, include: Receive a data access request from a target user for a target access item, and generate a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request; For at least one of the data access interfaces, if the data access interface is a permission-restricted interface, the access permission type of the target user to the permission-restricted interface is determined based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface; wherein, the permission-restricted interface is a data access interface that requires permission control. When the access permission type is a target access permission type, the access filtering conditions corresponding to the target user are determined based on the user attribute information, the access item identifier, and the preset filtering condition configuration information. Based on the data access statement corresponding to the access restriction interface and the access filtering conditions, a target access statement corresponding to the access restriction interface is generated. The filtering condition configuration information is used to indicate the mapping relationship between the user attribute information, the access item identifier, and the access filtering conditions. Based on the target access statement corresponding to at least one of the permission restriction interfaces and the data access statement corresponding to other data access interfaces among the at least one data access interfaces besides the permission restriction interface, determine the target access data corresponding to the data access request; The user attribute information includes a user role identifier; determining the access permission type of the target user to the permission restriction interface based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission restriction interface includes: Obtain user attribute information corresponding to the target user, and determine the user role identifier corresponding to the target user based on the user attribute information; Determine the access item identifier corresponding to the target access item and the interface identifier corresponding to the permission restriction interface; Based on the user role identifier, the access item identifier, and the interface identifier, a query is performed in the preset permission type association information to obtain the access permission type of the target user to the permission-restricted interface; The permission type association information is used to indicate the mapping relationship between the user role identifier, the access item identifier, the interface identifier, and the access permission type.
2. The data access method according to claim 1, characterized in that, The user attribute information is used to determine the filter identifier; the user attribute information includes a user identifier; determining the access filter conditions corresponding to the target user based on the user attribute information, the access item identifier, and preset filter condition configuration information includes: Determine the access item identifier corresponding to the target access item; The user attribute information is parsed to obtain a filter identifier corresponding to the target user, and the user identifier corresponding to the target user is determined based on the user attribute information. The access filtering conditions corresponding to the target user are determined by querying the preset filtering condition configuration information based on the access item identifier, the filter identifier, and the user identifier.
3. The data access method according to claim 1, characterized in that, Also includes: When the access permission type is a non-target access permission type, a filter condition template corresponding to the access permission type is determined according to preset filter condition mapping information; wherein, the filter condition mapping information is used to indicate the association relationship between at least one of the non-target access permission types and the filter condition template; The filter condition template is processed based on the user attribute information to obtain the access filter conditions corresponding to the permission restriction interface.
4. The data access method according to claim 1, characterized in that, The step of generating a target access statement corresponding to the permission restriction interface based on the data access statement corresponding to the permission restriction interface and the access filtering conditions includes: Generate filtering condition clauses based on the access filtering conditions; The data access statements are nested and concatenated based on the filtering condition clauses, and the concatenated statements are used as the target access statements corresponding to the permission restriction interface.
5. The data access method according to claim 1, characterized in that, Also includes: For at least one of the data access interfaces, if the data access interface is an interface that requires permission control, the data access interface is annotated and marked according to at least one preset permission flag field and the field value corresponding to the permission flag field, and the marked data access interface is used as a permission restriction interface.
6. The data access method according to claim 1, characterized in that, Also includes: The target access data is fed back to the user terminal associated with the target user, and the target access data is displayed on the user terminal.
7. A data access device, characterized in that, include: The request receiving module is used to receive a data access request from a target user for a target access item, and generate a data access statement corresponding to at least one data access interface associated with the target access item based on the data access request. The permission type determination module is used to determine the access permission type of the target user to the permission-restricted interface based on the user attribute information corresponding to the target user, the access item identifier corresponding to the target access item, and the interface identifier corresponding to the permission-restricted interface, when the data access interface is a permission-restricted interface. The access statement generation module is used to determine the access filtering conditions corresponding to the target user based on the user attribute information, the access item identifier, and the preset filtering condition configuration information when the access permission type is the target permission type, and to generate the target access statement corresponding to the permission restriction interface based on the data access statement corresponding to the permission restriction interface and the access filtering conditions; wherein, the filtering condition configuration information is used to indicate the mapping relationship between the user attribute information, the access item identifier, and the access filtering conditions; The access data determination module is used to determine the target access data corresponding to the data access request based on the target access statement corresponding to at least one of the permission restriction interfaces and the data access statements corresponding to other data access interfaces among the at least one data access interfaces besides the permission restriction interface. The user attribute information includes a user role identifier; the permission type determination module includes: a role identifier determination unit, an interface identifier determination unit, and a permission type determination unit; The role identifier determination unit is used to obtain user attribute information corresponding to the target user, and determine the user role identifier corresponding to the target user based on the user attribute information; The interface identifier determination unit is used to determine the access item identifier corresponding to the target access item and the interface identifier corresponding to the permission restriction interface; The permission type determination unit is used to query preset permission type association information based on the user role identifier, the access item identifier, and the interface identifier to obtain the access permission type of the target user to the permission-restricted interface; wherein, the permission type association information is used to indicate the mapping relationship between the user role identifier, the access item identifier, the interface identifier, and the access permission type.
8. An electronic device, characterized in that, The electronic device includes: At least one processor; and A memory communicatively connected to the at least one processor; wherein, The memory stores a computer program that can be executed by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform the data access method according to any one of claims 1-6.
9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions that cause a processor to execute the data access method according to any one of claims 1-6.