A data security control method and system based on park enterprise entry

By using evidence closure determination and root identifier generation for entry qualifications, combined with data view templates and derivation diagrams, the problems of dynamic permission adjustment and data reclamation during the entry process of enterprises in the park are solved, thereby improving the granularity and security of data access control.

CN122339764APending Publication Date: 2026-07-03HANGZHOU HANGQI TECH IND DEV CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU HANGQI TECH IND DEV CO LTD
Filing Date
2026-04-09
Publication Date
2026-07-03

Smart Images

  • Figure CN122339764A_ABST
    Figure CN122339764A_ABST
Patent Text Reader

Abstract

This invention discloses a data security control method and system based on enterprise entry into a park, relating to the field of access control technology. The method includes: determining evidence closure based on the necessary evidence node set and node dependencies of the current entry matter; generating a valid evidence node status table, a set of business matters with completed evidence closure, and an entry qualification root identifier; mapping each business matter to a minimum necessary data atom set based on the set of business matters with completed evidence closure, and generating a data view template by combining the park's direct management boundary and third-party boundary; upon receiving a single data access request, determining permission based on the current business matter status and status transition rules, and generating a one-time data view upon successful determination; establishing a derivation relationship graph, and performing reverse chain breaking and recycling when the evidence status changes. This invention achieves dynamic binding of permissions and evidence validity, precise data scope trimming, and closed-loop traceability and recycling of invalid data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of access control technology, and in particular to a data security control method and system based on the entry of enterprises into a park. Background Technology

[0002] In the field of smart park and enterprise service management, the enterprise onboarding process involves the collection, verification, and storage of multi-source evidence data, including sensitive materials such as enterprise registration information, legal representative identification, authorization documents, and onboarding agreements. Current mainstream data security control methods are typically based on static permission division and identity authentication mechanisms. This involves pre-configuring data access policies according to enterprise roles or onboarding stages, supplemented by operation log auditing to achieve in-process and post-process traceability. Such methods can meet basic security compliance requirements in conventional enterprise information management scenarios, ensuring the confidentiality and integrity of onboarding data during storage and transmission. However, with the dynamic advancement of onboarding business and the introduction of third-party collaborations, the demand for timeliness and granularity in data access control is increasing. Traditional static policy models have limitations in adapting to changes in business status.

[0003] Specifically, the shortcomings of the aforementioned conventional methods are reflected in two aspects. First, access control strategies are usually bound to fixed roles or stages, lacking the ability to dynamically perceive the validity and dependencies of internal evidence nodes within the onboarding process. This results in expired authorization materials still potentially supporting subsequent data access, leading to coarse-grained control. Second, conventional methods lack explicit modeling and tracking mechanisms for the derived propagation paths after data output. When the upstream evidence base (such as agreement expiration or authorization revocation) changes, it is difficult to accurately identify and recover one-time data views or derived data objects that have spread downstream, creating a risk of data residue. These deficiencies are particularly prominent in park onboarding scenarios where business statuses frequently change and cross-boundary data collaboration is involved. Summary of the Invention

[0004] In view of the aforementioned existing problems, the present invention is proposed.

[0005] Therefore, this invention provides a data security control method based on the entry of enterprises into the park to solve the problems of existing technologies that cannot dynamically adjust access permissions based on evidence nodes of entry matters and that it is difficult to accurately reverse and reclaim derived data objects.

[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution:

[0007] In a first aspect, the present invention provides a data security control method based on enterprise entry into a park, comprising: collecting original evidence data of enterprise entry matters; determining evidence closure based on the necessary evidence node set and node dependency relationship of the current entry matter; generating a valid evidence node status table, a set of business matters that have completed evidence closure, and an entry qualification root identifier; mapping each business matter to a minimum necessary data atom set based on the set of business matters that have completed evidence closure, and generating a data view template for the current business matter in conjunction with the park's direct management boundary and third-party boundary; receiving a single data access request, reading the current business matter status, determining release based on state transition rules, generating a one-time data view based on the entry qualification root identifier, request message digest, and data view template when the release determination is passed, and updating the current business matter status; establishing a derivation relationship graph based on the one-time data view, regenerating the entry qualification root identifier when the valid evidence node status table changes, and performing reverse chain breakage and recycling along the derivation relationship graph when the regenerated entry qualification root identifier is inconsistent with the original entry qualification root identifier.

[0008] As a preferred embodiment of the data security control method based on the entry of enterprises into the park as described in this invention, the original evidence data includes: enterprise registration data, legal representative identity data, authorization data, entry purpose data, proposed park resource data, entry agreement data, and third-party cooperation relationship data.

[0009] As a preferred embodiment of the data security control method based on enterprise entry into the park as described in this invention, the evidence closure determination includes: performing format verification, authenticity verification, and timeliness verification on the original evidence data, generating evidence nodes, and writing the evidence nodes in a valid state into a valid evidence node status table; retrieving the necessary evidence node set and node dependency relationship set according to the current entry matter, and extracting the valid evidence node set from the valid evidence node status table; determining that the evidence closure of the current entry matter is established when the necessary evidence node set is contained in the valid evidence node set, and the preceding node in the node dependency relationship set is in a valid state before the subsequent node; when the evidence closure is established, writing the current entry matter into the business matter set that has completed evidence closure; concatenating the necessary evidence node summary values ​​of the current entry matter in front-to-back order, and generating an entry qualification root identifier after processing by a hash function.

[0010] As a preferred embodiment of the data security control method based on the entry of enterprises into the park as described in this invention, the minimum necessary data atom set includes: obtaining a set of business items with completed evidence closure and determining the current business item; retrieving the established mapping rules between business items and data objects to determine the data object identifier set of the current business item; splitting the data object according to the principle of independent invocation, independent control, and indivisibility to obtain multiple data atoms related to the current business item; selecting the minimum necessary data atoms required to complete the current business item from the multiple data atoms according to the processing requirements of the current business item, and generating the minimum necessary data atom set of the current business item; and summarizing the minimum necessary data atom sets of each business item according to the set of business items with completed evidence closure to generate the current available data atom candidate set.

[0011] As a preferred embodiment of the data security control method based on enterprise entry into the industrial park as described in this invention, the data view template related to the current business matter includes: obtaining the complete set of data atoms directly managed by the industrial park, and determining the data atoms that can be directly controlled and issued by the industrial park; reading the set of data atoms involving third-party boundaries, and determining the data atoms that cannot be directly output without additional authorization; performing intersection processing on the current set of candidate data atoms that can be applied for and the complete set of data atoms directly managed by the industrial park, and removing data atoms involving third-party boundaries to generate the current set of data atoms that can be issued; generating a data view template related to the current business matter based on the current set of data atoms that can be issued; writing the allowed set of data atoms, the rules for allowed combinations between data atoms, the identifiers of data atoms that are only allowed to participate in calculations but not allowed to be output in plaintext, the identifiers of data atoms that are prohibited from being exported, and the validity period of the template into the generated data view template; and generating a data view template identifier.

[0012] As a preferred embodiment of the data security control method based on enterprise entry in the park as described in this invention, the step of determining the release based on state transition rules includes: receiving a single data access request initiated by an enterprise for the current business matter, and extracting the enterprise identifier, business matter identifier, request action identifier, request data atom identifier, terminal identifier, and time slice identifier from the single data access request; generating a request message digest based on the enterprise identifier, business matter identifier, request action identifier, request data atom identifier, terminal identifier, and time slice identifier; reading the business matter status record table based on the enterprise identifier and business matter identifier to obtain the current business matter status; retrieving the state transition rules corresponding to the current business matter and the set of allowed prerequisite states corresponding to the request action identifier based on the business matter identifier; determining whether the current business matter status belongs to the set of allowed prerequisite states, and determining whether the request action identifier is executed under the current business matter status and then transitions to the corresponding new status according to the state transition rules; when the current business matter status belongs to the set of allowed prerequisite states and transitions to the corresponding new status, determining that the single data access request passes the release determination.

[0013] As a preferred embodiment of the data security control method based on enterprise entry into the park as described in this invention, the specific steps of generating a one-time data view based on the entry qualification root identifier, request message digest, and data view template, and updating the current business item status when the release judgment is passed, are as follows: After the release judgment is passed, the entry qualification root identifier and data view template corresponding to the current business item are read; the current request random number and the current time slice are obtained, and a one-time data view identifier is generated based on the entry qualification root identifier, request message digest, current request random number, and current time slice; the data atoms corresponding to this single data access request are filtered according to the set of allowed data atoms configured in the data view template; a one-time data view valid only for this request is generated according to the atom combination rules, calculation participation rules, and export restriction rules configured in the data view template; after the one-time data view is generated, the current business item status is updated to the new status corresponding to the status transition rule; and the updated current business item status is written back to the business item status record table.

[0014] As a preferred embodiment of the data security control method based on enterprise entry into the park as described in this invention, the establishment of the derivation graph includes: reading a one-time data view identifier, a one-time data view, and output event records; mapping the original entry qualification root identifier to a qualification root node; mapping the one-time data view identifier to a view node; and establishing a directed dependency relationship between the qualification root node and the view node; detecting downstream usage behaviors generated based on the one-time data view; generating corresponding derivation event records; mapping the derivation result object to a derivation data object node; and establishing a directed dependency relationship between the view node and the derivation data object node to form a derivation graph.

[0015] As a preferred embodiment of the data security control method based on enterprise entry into the park as described in this invention, the reverse chain breaking and recycling along the derivation relationship graph includes: when a change in the state of an evidence node in the valid evidence node status table is detected, re-extracting the evidence nodes that are in a valid state under the current business matter, and regenerating the entry qualification root identifier according to the necessary evidence node set and node dependency relationship; comparing the regenerated entry qualification root identifier with the original entry qualification root identifier, and if they are inconsistent, taking the qualification root node corresponding to the original entry qualification root identifier as the starting node, traversing all successor nodes in the derivation relationship graph to obtain the set of nodes to be recycled; performing at least one of the recycling processes of invalidation marking, access blocking, logical isolation, and deletion on the data objects in the set of nodes to be recycled, and retaining the outgoing records and invalidation markings for data objects that exceed the controlled storage range of the park, and prohibiting them from participating in new derivation processes as upstream data sources again.

[0016] Secondly, this invention provides a data security control system based on enterprise entry into a park, comprising: a closure determination module, responsible for collecting original evidence data of enterprise entry matters, determining evidence closure based on the necessary evidence node set and node dependency relationship of the current entry matter, generating a valid evidence node status table, a set of business matters that have completed evidence closure, and an entry qualification root identifier; a view template module, responsible for mapping each business matter to a minimum necessary data atom set based on the set of business matters that have completed evidence closure, and generating a data view template for the current business matter in conjunction with the park's direct management boundary and third-party boundary; a view release module, responsible for receiving single data access requests, reading the current business matter status, determining release based on state transition rules, generating a one-time data view based on the entry qualification root identifier, request message digest, and data view template when the release determination is passed, and updating the current business matter status; and a reverse link break module, responsible for establishing a derivation relationship graph based on the one-time data view, regenerating the entry qualification root identifier when the valid evidence node status table changes, and performing reverse link break recovery along the derivation relationship graph when the regenerated entry qualification root identifier is inconsistent with the original entry qualification root identifier.

[0017] The beneficial effects of this invention are as follows: By using evidence closure determination and the generation of entry qualification root identifiers, dynamic binding of permissions and evidence validity is achieved, improving the fine-grainedness and adaptability of permission control; By using the minimum necessary data atom set and data view template, combined with the boundary constraints of the park and third parties, the scope of data access can be precisely pruned in advance, reducing the risk of excessive data sharing and cross-boundary leakage; By using the derivation relationship graph and reverse chain breakage recovery, the accurate positioning and closed-loop recovery of downstream derived data after the upstream evidence becomes invalid can be achieved, solving the problem of data diffusion being difficult to trace. Attached Figure Description

[0018] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0019] Figure 1 This is a flowchart of a data security control method based on the entry of enterprises into the park.

[0020] Figure 2 This is a schematic diagram of a data security control system based on the entry of companies into the park.

[0021] Figure 3 A schematic diagram for evidence closure and data view template generation.

[0022] Figure 4 A schematic diagram for establishing a derivation relationship graph and reverse chain breaking recycling. Detailed Implementation

[0023] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

[0024] Many specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of the invention. Therefore, the invention is not limited to the specific embodiments disclosed below.

[0025] Secondly, the term "one embodiment" or "embodiment" as used herein refers to a specific feature, structure, or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places in this specification does not necessarily refer to the same embodiment, nor is it a single or selective embodiment that is mutually exclusive with other embodiments.

[0026] Reference Figures 1-4This is one embodiment of the present invention, which provides a data security control method based on the entry of enterprises into a park, including the following steps:

[0027] S1. Collect original evidence data for enterprise entry matters, determine evidence closure based on the necessary evidence node set and node dependency relationship of the current entry matters, and generate a valid evidence node status table, a set of business matters that have completed evidence closure, and entry qualification root identifier.

[0028] Furthermore, when a company submits an application for entry into the park through the entry application portal, the park's entry processing procedure receives the company's original evidence data.

[0029] The original evidence data was not collected arbitrarily, but rather collected in a targeted manner based on the current onboarding matters.

[0030] Specifically, the park's entry processing procedure determines the type, format, and source of evidence to be received based on the evidence collection rules for the current entry item identifier.

[0031] The original evidence data includes enterprise registration data, legal representative identity data, authorization data, intended use data, proposed park resource data, entry agreement data, and third-party cooperation relationship data.

[0032] It should be noted that the enterprise registration data is used to represent the enterprise's registration status, unified social credit code, enterprise name, and registration validity period; the legal representative identity data is used to represent the authenticity of the legal representative's identity and the corresponding relationship with the enterprise; the authorization data is used to represent whether the current handler has been authorized by the enterprise, as well as the scope and duration of the authorization; the purpose of entry data is used to represent the business purpose, area of ​​use, and planned activities of the enterprise applying to enter the park; the proposed park resource data is used to represent the office resources, equipment resources, or collaborative resources that the enterprise intends to apply for under the current entry matter; the entry agreement data is used to represent the signing status, term, and binding content of the agreement between the enterprise and the park; and the third-party collaboration relationship data is used to represent the business relationship and authorization constraint relationship between the enterprise and the third party when the current matter involves third-party collaboration.

[0033] Specifically, the park's entry processing procedure receives structured form data uploaded by enterprises through their front-end form submission interface; receives licenses, authorization documents, and agreement documents uploaded by enterprises and extracts corresponding fields; reads existing agreement data or historical registration data from the park's internal business storage area; and obtains collaboration relationship confirmation data and original evidence data from the third-party collaboration interface corresponding to the current matter.

[0034] Furthermore, after collecting the original evidence data, the original evidence data is standardized.

[0035] The standardization process includes field standardization, format validation, authenticity validation, and timeliness validation.

[0036] It should be noted that field standardization involves mapping data fields from different sources to a unified field template; for example, mapping the entity name field in a business license, the enterprise name field in an agreement, and the enterprise name field in an authorization document to the entity name field.

[0037] Format validation processing specifically involves checking the format of the unified social credit code, ID card number, date field, agreement number, and authorization period field according to fixed format rules to remove obviously illegal or missing data.

[0038] The authenticity verification process specifically involves verifying the authenticity of evidence data; for example, verifying whether the license is valid, whether the authorization relationship is consistent with the identity of the legal representative, and whether the agreement has been signed and taken effect.

[0039] The timeliness verification process specifically determines whether the evidence is still within its valid time frame. For example, authorization data must meet the requirement that the authorization start time is earlier than the current time and the authorization end time is later than the current time; agreement data must meet the requirement that the agreement's effective time covers the current matter's acceptance time.

[0040] Ultimately, after the original evidence data has been standardized, each verified data item is abstracted into an evidence node.

[0041] The attributes of each evidence node include, but are not limited to, node identifier, node type, node source, node digest value, node current status, node effective time, and node expiration time.

[0042] The current state of a node includes both a valid state and an invalid state.

[0043] Write all valid evidence nodes into the valid evidence node status table.

[0044] It should be noted that the valid evidence node status table is used to continuously record the valid status of each evidence node of the current enterprise under the current entry matter; the content recorded in the valid evidence node status table includes, but is not limited to, enterprise identifier, entry matter identifier, evidence node identifier, current node status, status write time, node summary value, effective time, and expiration time.

[0045] Furthermore, after the evidence node is generated, the park entry processing procedure retrieves the necessary evidence node set and node dependency relationship set configured for the current entry matter based on the current entry matter identifier.

[0046] The set of necessary evidence nodes represents all the evidence nodes required to complete the current onboarding process.

[0047] For example, for matters related to the opening of office space, the necessary evidence nodes may include enterprise registration node, legal representative identity node, authorization node, entry agreement node, and entry purpose node.

[0048] For matters involving access to shared resources from third parties, the necessary evidence node set further includes nodes related to third-party collaboration relationships.

[0049] The node dependency set describes the pre- and post-constraint relationships between different evidence nodes.

[0050] In this embodiment, each ordered pair in the node dependency set Indicates evidence node For evidence nodes The prerequisite node is only the evidence node. After being set to a valid state, the evidence node Only then can it be deemed valid for the current matter.

[0051] For example, the legal representative identity node can serve as a prerequisite node for the authorization node; the entry agreement node can serve as a prerequisite node for the resource application node; and the third-party collaboration relationship node can serve as a prerequisite node for the third-party shared resource usage node.

[0052] It should be noted that by processing the pre- and post-constraint relationships of the node dependency set, the evidence requirements under the current matter are no longer just whether the evidence is complete, but further require whether the pre- and post-constraint relationships between the evidence are met, thereby avoiding the erroneous release caused by passing the verification based solely on isolated materials.

[0053] Furthermore, after obtaining the valid evidence node status table, the necessary evidence node set, and the node dependency relationship set, the evidence closure determination for the current entry matter is performed.

[0054] Specifically, evidence nodes that are currently valid for the current enterprise under the current matter are extracted from the valid evidence node status table to form a set of valid evidence nodes.

[0055] Based on the combination of valid evidence nodes, the evidence closure determination is performed according to the following A1-A2 rules:

[0056] A1. Every evidence node in the set of necessary evidence nodes should also appear in the set of valid evidence nodes.

[0057] A2. For each ordered pair in the set of node dependencies It should satisfy the condition that only the preceding node... If it is already in a valid state, subsequent nodes Only then can it be included in the current item's valid node chain.

[0058] In this embodiment, the evidence closure determination value is 1 if and only if all necessary evidence nodes required by the current entry matter have been collected and verified, and the dependency relationship between each evidence node satisfies the dependency constraint; otherwise, the evidence closure determination value is 0.

[0059] If the criterion for evidence closure is taken as... This indicates that the current matter has not yet formed a complete, usable, and correctly ordered chain of evidence.

[0060] At this point, the park's entry processing procedure will mark the current matter as an unclosed matter and output a missing node identifier or an invalid node identifier to prompt for subsequent supplementary or corrected materials; at the same time, it will not generate an entry qualification root identifier corresponding to the current matter.

[0061] If the criterion for evidence closure is taken as... If so, it means that the current matter has formed a closed chain of evidence that meets the requirements, and it can proceed to the next stage of processing.

[0062] Furthermore, when the criterion for evidence closure is set to a value... At that time, the currently registered item will be added to the set of business items for which evidence closure has been completed.

[0063] In this embodiment, the set of business items for which evidence closure has been completed is used to record all items that have passed the evidence closure judgment during the current enterprise's entry into the park.

[0064] For example, a company may submit applications for opening office areas, access control systems, and third-party shared equipment at the same time.

[0065] For each item, the necessary evidence node set and node dependency relationship corresponding to the current item are retrieved, and the evidence closure judgment is performed based on the necessary evidence node set and node dependency relationship. When the item meets the closure condition, the item is written into the business item set that has completed evidence closure.

[0066] The set of business matters for which evidence closure has been completed includes, but is not limited to, the enterprise identifier, the identifier of the closed matter, the time of the matter closure, and the identifier of the set of necessary evidence nodes corresponding to the current matter.

[0067] Furthermore, after the closure determination of the evidence for the current matter is passed, in order to compress the closure qualification under the current matter into a root identifier that can be invoked, compared and traced.

[0068] In this embodiment, a root identifier for entry qualification is generated.

[0069] Specifically, the node summary values ​​of each necessary evidence node are read from the set of necessary evidence nodes corresponding to the current matter and arranged in a fixed order from front to back.

[0070] In this embodiment, the nodes are arranged sequentially from front to back. For example, the node summary values ​​for enterprise registration, legal representative identity, authorization, entry agreement, resource application, and third-party collaboration are used to calculate the root identifier for entry qualification through a hash function. , represented as:

[0071] ;

[0072] in, Indicates the qualification for entry. Represents a hash function. These represent the summary values ​​corresponding to the necessary evidence nodes required for the current matter. This indicates a concatenation operation.

[0073] It should be noted that after obtaining the root identifier for entry qualification, the root identifier generation time is recorded separately for auditing and version tracking.

[0074] S2. Based on the set of business items for which evidence closure has been completed, map each business item to a set of minimum necessary data atoms, and generate a data view template corresponding to the current business item by combining the direct management boundary of the park and the third-party boundary.

[0075] Furthermore, after determining the current business matter, the park's data control processing program does not directly provide a data view template, but instead first reads the established business matter and data object mapping rule library.

[0076] In this embodiment, the mapping rule base is used to describe which raw data objects are theoretically required to complete the current business process for each type of business matter.

[0077] For example, for matters related to opening up office areas, the corresponding data objects may include basic enterprise information objects, office area configuration objects, and workstation allocation objects; for matters related to opening up access control permissions, the corresponding data objects may include enterprise identity verification objects, access control configuration objects, and access time control objects; for matters related to accessing shared devices, the corresponding data objects may include device authorization objects, collaboration relationship objects, and reservation usage objects.

[0078] In this embodiment, the business item and data object mapping rule base includes, but is not limited to, business item identifiers, a set of data object identifiers corresponding to the business item, a description of the purpose of calling each data object, whether each data object is allowed to be split into plaintext atoms, and whether each data object contains third-party associated data.

[0079] By using a mapping rule base, a first-level mapping relationship is established between the current business item and the data objects that the current business item theoretically needs to involve, thereby avoiding a boundless search of the entire park's data in subsequent processing.

[0080] Furthermore, after identifying the data objects associated with the current business transaction, the park's data control processing program performs atomic decomposition on the data objects to form the minimum necessary data atoms.

[0081] In this embodiment, the minimum necessary data atom refers to the smallest data field or the smallest data fragment that can be independently called, controlled, and output under the current business transaction and cannot be further subdivided semantically.

[0082] Specifically, atomization splitting follows the following B1-B4 technical rules:

[0083] B1. Independently identifiable rules: A data field is retained as an independent data atom only if it can be individually identified and constrained in subsequent access control.

[0084] B2. Semantic minimization rule: For composite fields that can be further split, prioritize splitting them into smaller semantic units; for example, splitting a company address into subfields such as building number, floor number, and room number.

[0085] B3. Necessity rule: If a field exists in a data object but does not provide necessary support for the current business matter, it will not be included in the data atom scope of the current matter.

[0086] B4. Controllability rule: If a field cannot be controlled alone and can only be used in conjunction with other fields, then it should be combined with the necessary associated fields to form a minimum fragment atom, instead of forcibly breaking it into uncontrollable fragments.

[0087] For example, for matters related to the opening of office areas, the basic enterprise information object in the original data object can be broken down into one or more data atoms.

[0088] The data atoms for office area activation include the enterprise name atom, the enterprise unified social credit code atom, the start date of entry atom, the office building number atom, and the room number atom.

[0089] For access control permission activation items, the access control configuration object can be broken down into data atoms of the access control permission activation item, including enterprise identifier atom, authorized access control area number atom, access start time period atom, and access end time period atom.

[0090] In this embodiment, a minimum set of necessary data atoms is defined for each business transaction.

[0091] It should be noted that the minimum necessary set of data atoms is not dynamically and arbitrarily expanded during access, but is solidified through fixed rules, process requirements, and data object splitting rules.

[0092] Furthermore, after defining the data atoms for each business item, the park's data control processing program determines the range of candidate data atoms that can be considered for the enterprise based on the set of business items for which evidence closure has been completed.

[0093] In this embodiment, the set of business items for which evidence closure has been completed will be included. The minimum necessary set of data atoms corresponding to each business transaction. Perform a union operation to obtain the theoretically available set of candidate atomic data that a company can apply for under its current onboarding status. .

[0094] The current set of candidate data atoms that an enterprise can apply for is represented as follows:

[0095] ;

[0096] in, This represents the set of candidate data atoms that a company can currently apply for. This represents the set of business transactions for which evidence closure has been completed. Represents a set of business items The first in Each business matter Indicates business matters The corresponding minimum necessary set of data atoms, This indicates the union operation.

[0097] In this embodiment, the union operation is used to generate the candidate set of data atoms because only business matters that have completed evidence closure should be eligible to enter the candidate set of the data visibility scope; for business matters that have not yet completed evidence closure, the data atoms corresponding to the business matters, even if they have been defined in the rule base, will not enter the current enterprise's data candidate scope.

[0098] It should be noted that the candidate set of data atoms only represents the scope of theoretical course applications and does not mean that all data atoms in the candidate set can eventually be issued and output. Further screening is required by combining the direct management boundaries of the park and the boundaries of third parties.

[0099] Furthermore, after generating the candidate set of data atoms, in order to avoid including data that does not belong to the direct management boundary of the park in the template.

[0100] In this embodiment, the candidate set of data atoms is constrained by the direct management boundary of the park and the third-party boundary.

[0101] Among them, the park's direct management boundary is used to describe which data atoms belong to the scope of data that the park can directly control, issue, and revoke.

[0102] All data atoms within the direct management boundary of the park constitute the complete set of data atoms directly managed by the park.

[0103] For example, the company name atom in the company registration copy within the park, the room number atom in the office area configuration within the park, and the access control area number atom in the departmental access control configuration within the park can all be included in the complete set of data atoms directly managed by the park.

[0104] The third-party boundary is used to describe which data atoms, although related to current business matters, do not directly belong to the park in terms of ownership, update rights, or interpretation rights, or whose output requires separate authorization from a third-party entity.

[0105] The data atoms at the third-party boundary are used to form a set of data atoms involving the third-party boundary.

[0106] For example, equipment operation parameter atoms maintained by third-party equipment manufacturers, collaborative task detail atoms maintained by third-party collaborating organizations, and external processing status atoms reported by third-party business platforms can all be included in the data atom set of the third-party boundary.

[0107] In this embodiment, the park data control processing program preferably determines the data atom set of the park's direct management and third-party boundaries through the following C1-C3 technical means:

[0108] C1. Read the data atom ownership tag table to determine the direct management entity of each data atom.

[0109] C2. Read the data atom authorization constraint table to determine whether each data atom needs additional authorization.

[0110] C3. Perform boundary tagging and matching on the data atoms involved in the current business matter to form the set of directly managed atoms of the park and the set of third-party boundary atoms under the current matter.

[0111] After obtaining the candidate set of data atoms, the complete set of data atoms directly managed by the park, and the set of data atoms involving third-party boundaries, the park data control processing program further determines the set of data atoms that can be issued at present.

[0112] In this embodiment, the intersection operation is performed on the candidate set of data atoms that the enterprise can currently apply for and the complete set of data atoms directly managed by the park to retain those data atoms that are both within the candidate scope of the current business matter and within the boundary of the park's direct management; then, the set of data atoms involving third-party boundaries is removed from the operation result, and finally the set of data atoms that can be directly issued is obtained.

[0113] It should be noted that, through intersection operations, the data atoms that can ultimately enter the template under the current business matter no longer depend on the business matter itself, but rather on whether the enterprise has completed the evidence closure for the corresponding matter, whether the data atom is indeed required by the current business matter, whether the data atom is within the direct management boundary of the park, and whether the data atom involves third-party boundary restrictions.

[0114] Furthermore, after obtaining the set of currently identifiable data atoms, the park data control processing program does not directly output data, but instead generates a data view template corresponding to the current business matter based on the set of currently identifiable data atoms.

[0115] In this embodiment, the data view template is the upper-level rule carrier for the subsequent one-time data view generation. It is used to define, under the current business matter, which data atoms can be retrieved at most in a subsequent single request, which atoms can be combined, which atoms can only participate in calculations and cannot be output in plaintext, and which atoms are completely prohibited from being exported.

[0116] Furthermore, a unique data view template identifier is configured for each data view template, and a corresponding data view template content record is established.

[0117] The data view template content records include, but are not limited to, the current business item identifier, the enterprise identifier corresponding to the current template, the set of data atoms that are currently allowed to be called, the rules for the allowed combination between data atoms, the data atom identifiers that are only allowed to participate in calculations but not allowed to be output in plaintext, the data atom identifiers that are prohibited from being exported, the control identifiers for whether the generation of derived data objects is allowed, the template validity period, and the template generation time.

[0118] It should be noted that the validity period of the template is determined based on the shortest constraint time limit among the following three factors: the expected completion cycle of the current business matter, the remaining validity period of the corresponding evidence node, and the risk level of data outflow.

[0119] It should be noted that the rules for allowing the combination of data atoms refer to the fact that, based on the current business objectives, the relationships between fields, and the minimum necessary disclosure constraints, only data atoms that are consistent in origin or semantically continuous, and whose combination will not add new identification dimensions or exceed the boundaries of direct management of the park and third-party authorization, are allowed to be combined.

[0120] In this embodiment, when generating the data view template, the following C1-C4 technical control actions are preferably executed:

[0121] C1. Atomic combination rule generation: For data atoms belonging to the same business semantic chain, they are allowed to be combined according to fixed combination rules.

[0122] For example, office building number atoms and room number atoms can be combined to form office location fragments; authorized access control area number atoms and access time period atoms can be combined to form access control fragments.

[0123] Combination rules should be prohibited for atomic combinations that cross events, cross boundaries, or may lead to sensitive inferences.

[0124] C2. Calculate the atom labels involved. For special data atoms, they are allowed to participate in subsequent calculations, but they are not allowed to be output directly in plaintext.

[0125] For example, certain statistical parameter atoms can be used to calculate the access control validity determination result, but do not directly output the raw value.

[0126] C3. Prohibit exporting atom markers. For data atoms that can be used in the internal processing chain of the park but should not be output in subsequent one-time data views, set a prohibit export marker.

[0127] C4, Derivation Control Flag: Whether the current business transaction is allowed to form downstream derived data objects based on a one-time data view is written into the template in advance.

[0128] If the current business transaction does not allow the creation of derived objects, then any export or conversion actions will be blocked.

[0129] Finally, after generating the data view template for the current business task, obtain the data view template identifier and data view template content record.

[0130] S3. Receive a single data access request, read the current business item status, make a release judgment according to the status transition rules, and generate a one-time data view based on the entry qualification root identifier, request message digest and data view template when the release judgment is passed, and update the current business item status.

[0131] Furthermore, when an enterprise initiates a data access request for the current business matter during the subsequent processing of its entry into the park, the park's data control processing program receives the request and generates a corresponding request message.

[0132] In this embodiment, a single data access request refers to a specific data retrieval behavior that an enterprise must perform to complete a specific business task within a certain stage of its business process.

[0133] A single data access request does not correspond to long-term access permissions, nor does it correspond to general permissions across matters. Instead, it corresponds only to a specific access behavior within a certain enterprise, a certain business matter, a certain request action, and a certain time slice.

[0134] The request message includes, but is not limited to, enterprise identifier, current business item identifier, request action identifier, requested data atom identifier, terminal identifier, and time slice identifier.

[0135] The request action identifier includes, but is not limited to, one of the following: read action, verify action, generate action, submit action, or confirm action.

[0136] The time slice identifier uses fixed-granularity time slice coding to ensure that requests for the same business transaction initiated in different time slices can be distinguished.

[0137] Upon receiving the request message, the request message is bound to the current enterprise identifier and the current business item identifier, which serve as input for release determination and generation of a one-time data view.

[0138] Furthermore, upon receiving the request message, the park data control processing program first performs a digest generation process on the request message to form a request message digest.

[0139] In this embodiment, the request message digest is not a simple arbitrary digest, but a message digest obtained by orderly concatenating the key fields in this request that are directly related to the access semantics.

[0140] Preferably, the summary is generated in order from left to right.

[0141] The fields used to generate the summary include the enterprise identifier, the current business item identifier, the request action identifier, the requested data atom identifier, the terminal identifier, and the time slice identifier.

[0142] It should be noted that by generating the request message digest, a unique semantic binding is formed between the request message digest and this access request, thereby ensuring that the generated one-time data view identifier can uniquely correspond to this request.

[0143] At the same time, the request action identifier is extracted from the request message and recorded as . .

[0144] in, As the action input for state transition determination, it does not directly replace the request message digest. Instead, it is used as an action field within it. Covered.

[0145] In other words, in this embodiment, Used to determine whether the current state allows this action to be performed. Used to bind the overall semantics of this request when generating a one-time data view identifier.

[0146] Furthermore, after generating the request message digest and extracting the request action, the park's data control processing program reads the enterprise's business status record table under the current business matter.

[0147] In this embodiment, the business item status record table is used to continuously record the process progress status of the enterprise under each business item.

[0148] The fields in the business item status record table include enterprise identifier, business item identifier, current status identifier, status write time, most recent status transition action, and most recent status transition result.

[0149] Using the enterprise identifier and the current business item identifier, the current real-time status of the enterprise under the current business item is read from the business item status record table and recorded as follows. .

[0150] For example, in the implementation scenario, the current real-time state It can be one of the following states: pending verification, pending resource mapping, pending view issuance, pending submission confirmation, or completed.

[0151] In this embodiment, the current real-time state Instead of being inferred from the current request, the status is read directly from the business transaction status record table, thus ensuring that the status of the business transaction can be continuously connected between multiple single requests and avoiding status drift or loss.

[0152] Furthermore, in determining the current real-time state Subsequently, the park's data control processing program retrieves the state transition rules corresponding to the current business item based on the current business item identifier.

[0153] Among them, the state transition rule refers to the state change constraint relationship set for each business matter, which is used to determine the judgment rule that the current business matter can legally switch from the current state to the next state only when the corresponding request action and the prerequisite state conditions are met.

[0154] In this embodiment, a set of legal states is established for each business transaction. and state transition function .

[0155] Among them, the set of legal states is used to define all states that are allowed to occur in the current business transaction; the state transition function is used to define whether the business transaction is allowed to transition to a new state after a certain request action is performed in a certain state.

[0156] At the same time, for the current request action Retrieve the set of allowed prerequisite states corresponding to the requested action. .

[0157] Allowed set of preceding states This means that the current request action is eligible to be executed only if the current business status of the enterprise belongs to the set of allowed prerequisite statuses.

[0158] In this embodiment, the release determination quantity is determined if and only if the enterprise's current real-time status under the current business transaction is met. Belongs to the current request action Allowed set of preceding states And in the current state Execute the request action Then, the state transition function Able to give a legal new state If the condition is met, the release decision value for this request is 1; otherwise, the release decision value is 0.

[0159] For example, when the current business matter is in the pending view issuance state, if the generation action is allowed, then the current real-time status is as follows: Belongs to the set of allowed pre-states And the state transition function If the status can be transferred to the pending confirmation status after the generation action is executed, then the request can be allowed.

[0160] Conversely, if the current business transaction is already in a completed state, but the enterprise still initiates a new generation action, then the current state does not belong to the set of allowed preceding states. or state transition function If no new valid status can be provided, the request will not be allowed.

[0161] Furthermore, when the release determination quantity At this time, the park's data control and processing program enters the one-time data view generation stage.

[0162] Specifically, it reads the already generated entry qualification root identifier, the already generated data view template identifier, and the data view template content record.

[0163] Among them, the entry qualification root identifier is used to characterize the evidence closure qualification result of the enterprise under the current business matter. It directly corresponds to the necessary evidence node closure chain of the current matter, so it can serve as the root basis for whether the data access has upstream qualification support.

[0164] It should be noted that by reading the entry qualification root identifier and data view template content record, it can be ensured that the generated one-time data view is simultaneously subject to upstream qualification constraints and current item data boundary constraints.

[0165] Furthermore, after reading the entry qualification root identifier and data view template, in order to ensure that this data access can be uniquely identified and bound to the specific request.

[0166] This embodiment generates a one-time data view identifier.

[0167] Specifically, generate a request random number during the current request. and obtain the current time slice. Then, the root identifier of the entry qualification corresponding to the current business matter. Request message digest corresponding to this request The current request is for a random number. and the current time slice Concatenate the data in a fixed order and input it into the hash function. In this process, a one-time data view identifier corresponding only to this request is obtained. , represented as:

[0168] ;

[0169] One-time data view identifier in this embodiment It is not a fixed permission number, but a unique view identifier temporarily generated specifically for the current request.

[0170] Furthermore, after obtaining the one-time data view identifier, the park data control processing program generates a one-time data view that is only valid for this request, based on the data view template identifier, the data view template content record, and the one-time data view identifier.

[0171] In this embodiment, the generation of a one-time data view includes the following D1-D5 technical processing actions:

[0172] D1. Data Atomic Filtering: Recording data from the data view template. Read the set of data atoms that are currently allowed to be called, and only data atoms in the set of data atoms are allowed to be accessed in this request.

[0173] If the request data atom identifier declared in the request message does not belong to the set of allowed data atoms, then the view generation of the current atom is blocked.

[0174] D2. Atom combination control: If this request requires combining multiple data atoms, the combination result will be generated only according to the atom combination rules in the data view template content record.

[0175] For combinations that are not permitted, corresponding view fragments will not be generated.

[0176] D3. Computation participation control: For data atoms marked as only allowed to participate in computation and not allowed to be output in plaintext, they are only allowed to enter the internal computation chain and are not directly written to the plaintext output area of ​​the one-time data view.

[0177] D4. Export Prohibition Control: For data atoms marked as prohibited from export, the data atoms will not be written to the content area available for export in the one-time data view.

[0178] D5. View validity period binding: The validity period of the template configured in the data view template is written into the current one-time data view, so that the one-time data view will automatically expire when the validity period limit is exceeded or the request is completed.

[0179] Through D1-D5 processing, the one-time data view generated in this embodiment is not a direct copy of the original database records, but a temporary view that has been template-trimmed, atomically controlled, and combined with constraints and bound to a view identifier.

[0180] It should be noted that this one-time data view only serves the current single data access request and is not used as a reuse carrier for other requests, thereby significantly reducing the risks of long-term exposure and permission retention.

[0181] Furthermore, after successfully generating a one-time data view, the park data control processing program follows the state transition function. The new status is obtained, and the status of the current business matter is updated.

[0182] Specifically, the current status of the enterprise under the current business matter will be changed from... Updated to And write the updated status back to the business item status record table.

[0183] When writing back, the preferred fields to be updated synchronously include the current state identifier, state write time, most recent state transition action, and most recent state transition result.

[0184] If the release judgment quantity In this case, a one-time data view will not be generated, and the business transaction status record table will be maintained. The current state remains unchanged.

[0185] It should be noted that after the one-time data view is generated and the status update is completed, the park data control processing program generates the output event record for this access.

[0186] The output event records include, but are not limited to, enterprise identifier, current business item identifier, entry qualification root identifier, data view template identifier, one-time data view identifier, output time, output data atom range, and current status update result.

[0187] S4. Establish a derivation graph based on the one-time data view. When the status table of valid evidence nodes changes, regenerate the entry qualification root identifier. When the regenerated entry qualification root identifier is inconsistent with the original entry qualification root identifier, perform reverse chain breaking and recycling along the derivation graph.

[0188] Furthermore, based on the output event records, the original entry qualification root identifier is mapped to the qualification root node, and the one-time data view identifier is mapped to the view node.

[0189] If the current one-time data view is triggered by the original entry qualification root identifier, then a directed dependency relationship is established from the qualification root node to the view node.

[0190] Each node's attributes include node type, node identifier, affiliated enterprise identifier, the business matter mentioned, node generation time, and node validity status.

[0191] Specifically, when the node type is a qualification root node, the node identifier is the original entry qualification root identifier; when the node type is a view node, the node identifier is the one-time data view identifier.

[0192] Furthermore, the park's data control processing procedure detects downstream usage behavior related to the one-time data view to identify whether new derived data objects are formed.

[0193] Downstream usage behaviors include export behavior, copy behavior, conversion behavior, aggregation behavior, calculation behavior, and association behavior.

[0194] Among them, the export behavior refers to exporting all or part of the content in a one-time data view to a controlled storage area or other business processing area; the copy behavior refers to copying the data atoms or combination results in a one-time data view into a new data copy; the transformation behavior refers to performing format conversion, field reorganization, or structure reorganization on the data in a one-time data view; the summary behavior refers to aggregating and summarizing multiple data atoms in a one-time data view; the calculation behavior refers to generating new calculation results based on the data atoms in a one-time data view; and the association behavior refers to forming a new data object by legally associating the data in a one-time data view with other controlled data.

[0195] When the park's data control processing program detects any downstream usage behavior, it generates a derived event record.

[0196] The derived event record includes, but is limited to, the enterprise identifier, the current business matter identifier, the one-time data view identifier, the type of derived behavior, the time when the derived behavior occurred, the scope of the data atoms involved in the derivation, the identifier of the derived result object, the storage location of the derived result object, and the current state of the derived result object.

[0197] It should be noted that derived event logs are used to transform the fact that a one-time data view has produced downstream results from the runtime into a recordable, traceable, and graphable data object.

[0198] Furthermore, after establishing the qualification root node and view node, derived data object nodes are established by combining the generated derived event records, forming a complete derivation relationship graph.

[0199] Specifically, if the derived event record Indicates a one-time data view identifier If a new derived result object is generated, then the new derived result object is mapped to a derived data object node. and establish from the view node Pointer to derived data object node Directed dependency relationship.

[0200] In this embodiment, all dependency edges are uniformly denoted as Where, when the dependency edge represents the dependency between the qualification root node and the view node, then , When a dependency edge represents a dependency between a view node and a derived data object node, then... , When the same derived data object continues to generate new downstream data objects, the directed dependency relationship from the upstream derived data object node to the downstream derived data object node continues to be established.

[0201] in, The first in the derivation diagram Dependency edges, Indicates a senior root node, Indicates the first The starting node of the dependency edge. Indicates the first The terminating node of a dependency edge.

[0202] The derived relation graph is composed of all dependency edges. , represented as:

[0203] ;

[0204] in, Represents a derivation diagram. The first in the derivation diagram Dependency edges.

[0205] In this embodiment, the derivation relationship diagram It is not simply a collection of logs, but a directed graph structure that explicitly describes the dependencies between the qualification root node, view nodes, and derived data object nodes.

[0206] By using a directed graph structure, when determining that a qualifying root node is invalid, the set of all downstream nodes attached to the qualifying root node can be accurately found without having to scan all historical records one by one.

[0207] Furthermore, based on the generated valid evidence node status table, the status changes of each evidence node in the valid evidence node status table are continuously monitored to determine whether the evidence closure basis for the current business matter remains valid.

[0208] The status changes include one or more of the following: the necessary evidence node changes from a valid state to an invalid state; the expiration time of the necessary evidence node has been reached; the handling authorization node is revoked; the agreement period corresponding to the entry agreement node has expired; the third-party cooperation relationship node is terminated; and the prerequisite evidence node becomes invalid.

[0209] The monitoring methods used can be periodic polling, time-triggered, or a combination of both.

[0210] It should be noted that the periodic polling method refers to checking the node status in the valid evidence node status table at time intervals; the event-triggered method refers to triggering the check when a notification of authorization revocation, protocol invalidation, or change of collaboration relationship is received.

[0211] Furthermore, when a change in the node status in the valid evidence node status table is detected, the park data control processing program re-executes the evidence closure verification logic to regenerate the entry qualification root identifier corresponding to the current business matter.

[0212] Specifically, the evidence nodes that are currently valid under the current business matter are extracted from the valid evidence node status table to form a new set of valid evidence nodes; and the evidence closure determination is performed again by combining the necessary evidence node set and node dependency relationship set of the current business matter.

[0213] If the current business matter still meets the evidence closure conditions after reassessment, a new entry qualification root identifier will be regenerated according to the same generation rules; if the current business matter no longer meets the evidence closure conditions after reassessment, an invalid qualification identifier or empty qualification identifier that is different from the original entry qualification root identifier will still be generated, and the invalid qualification identifier or empty qualification identifier will be used as the new entry qualification root identifier for subsequent comparisons.

[0214] In this embodiment, the generation of the new entry qualification root identifier still adopts the same method, and is represented as follows:

[0215] ;

[0216] in, This indicates the regenerated root identifier for onboarding eligibility. These represent the summary values ​​of the necessary evidence nodes that remain valid after a reassessment.

[0217] Furthermore, after regenerating the new entry qualification root identifier, the new entry qualification root identifier will be... and the original entry qualification root mark Compare them.

[0218] Specifically, if If this is the case, it means that the evidence closure basis for the current business matter has not changed substantially, and the original one-time data view and downstream derived data objects still have valid eligibility support. In this case, reverse chain breakage recovery will not be triggered.

[0219] like If this occurs, it indicates that the evidence closure basis for the current business matter has changed, and the original one-time data view and its dependent downstream derived data objects should no longer remain valid, thus triggering the reverse chain breakage and recycling process.

[0220] It should be noted that in this embodiment, the comparison of the root identifiers of the new and old entry qualifications is not a simple comparison of timestamps, but a comparison of the entire root identifier value.

[0221] Since the entry qualification root identifier is determined by the necessary evidence node digest value, when the set of necessary evidence nodes, node digest values, or node dependency relationships change, the regenerated entry qualification root identifier will differ from the original entry qualification root identifier, thus accurately representing the change in the qualification basis.

[0222] Furthermore, once it is determined that a reverse link break and recycling need to be triggered, the original entry qualification root identifier will be used. Corresponding qualification root node Starting with the node, in the derivation graph Iterate through all its successor nodes to determine the set of nodes to be recycled. .

[0223] It should be noted that in the derivation diagram In the process, any qualification root node corresponding to the original qualification root identifier exists. All nodes reachable from the starting point along the directed dependency edges are included in the set of nodes to be recycled. .

[0224] It should be noted that by determining the set of nodes to be reclaimed, all one-time data views directly attached to the original entry qualification root identifier, as well as all derived data objects further generated from the one-time data views, can be included in the scope of reclaiming.

[0225] Furthermore, after obtaining the set of nodes to be recycled, the park's data control processing program performs reverse chain breaking recycling on the data corresponding to the nodes in the set of nodes to be recycled.

[0226] The reverse chain breakage recovery includes one or more of the following E1-E6 processing actions:

[0227] E1. Failure Marking Processing: Write failure marks on the data objects corresponding to the set of nodes to be recycled to indicate that the data objects have lost their upstream qualification support and can no longer be used as valid data objects.

[0228] E2. Access blocking processing: Blocks subsequent read, download, copy, or re-derive operations on the data objects corresponding to the set of nodes to be reclaimed.

[0229] E3. Logical isolation processing: For data objects that are still within the controlled storage area of ​​the park, the data objects are moved to the isolation area, or the data objects are removed from the normal business index, so that the data objects are no longer referenced by normal business processes.

[0230] E4. Deletion Processing: For data objects that are allowed to be directly deleted according to the park's control policy, perform physical deletion or logical deletion.

[0231] E5, the derivation chain continues to be blocked. If the derived data object corresponding to the node to be reclaimed still has downstream dependent nodes, the blocking and failure propagation will continue to be performed downwards along the derivation relationship graph until all successor nodes of the current node to be reclaimed have been processed.

[0232] E6. Outgoing record retention processing: For data objects that have exceeded the controlled storage range of the park, physical deletion will no longer be performed, but outgoing records, failure markers and upstream qualification failure information will be retained, and the current data object will be prohibited from participating in new derivation processing as an upstream source again.

[0233] It should be noted that the reverse link breakage recovery process does not trace back from the latest downstream result, but starts from the qualification root node corresponding to the original qualification root identifier upstream, and disconnects all subsequent links layer by layer down the dependency graph, so that all data chains that were originally attached to the qualification root node lose their eligibility to continue to be used.

[0234] Furthermore, after completing the reverse chain breakage recovery, the park's data control processing program records the results of this recovery execution.

[0235] The results of the recycling process include, but are not limited to, the enterprise identifier, the current business item identifier, the original entry qualification root identifier, the new entry qualification root identifier, the node identifier in the set of nodes to be recycled, the recycling action type corresponding to each node, the recycling action execution time, and the recycling action execution result.

[0236] This embodiment also provides a data security control system based on the entry of enterprises into the park, including:

[0237] The closure judgment module is responsible for collecting original evidence data for enterprise onboarding matters, performing evidence closure judgment based on the necessary evidence node set and node dependencies of the current onboarding matter, and generating a valid evidence node status table, a set of business matters with completed evidence closure, and an onboarding qualification root identifier. The view template module is responsible for mapping each business matter to a minimum necessary data atom set based on the set of business matters with completed evidence closure, and generating a data view template for the current business matter in conjunction with the park's direct management boundary and third-party boundary. The view release module is responsible for receiving single data access requests, reading the current business matter status, and performing release judgment according to the status transition rules. When the release judgment is passed, a one-time data view is generated based on the onboarding qualification root identifier, request message digest, and data view template, and the current business matter status is updated. The reverse link break module is responsible for establishing a derivation relationship graph based on the one-time data view, regenerating the onboarding qualification root identifier when the valid evidence node status table changes, and performing reverse link break recovery along the derivation relationship graph when the regenerated onboarding qualification root identifier is inconsistent with the original onboarding qualification root identifier.

[0238] In summary, this invention achieves dynamic binding of permissions and evidence validity through evidence closure determination and entry qualification root identifier generation, improving the fine-grainedness and adaptability of permission control; through the minimum necessary data atom set and data view template, combined with the boundary constraints of the park and third parties, it achieves pre-emptive precise trimming of the data access scope, reducing the risk of excessive data sharing and cross-boundary leakage; through the derivation relationship graph and reverse chain breakage retrieval, it achieves precise positioning and closed-loop retrieval of downstream derived data after upstream evidence becomes invalid, solving the problem of data diffusion being difficult to trace.

[0239] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.

Claims

1. A data security control method based on park enterprise entry, characterized in that, include: Collect original evidence data for enterprise entry matters, determine evidence closure based on the necessary evidence node set and node dependency relationship of the current entry matters, and generate a valid evidence node status table, a set of business matters that have completed evidence closure, and entry qualification root identifier; Based on the set of business items for which evidence closure has been completed, each business item is mapped to a set of minimum necessary data atoms, and a data view template for the current business item is generated by combining the direct management boundary of the park and the third-party boundary. Receive a single data access request, read the current business item status, make a release judgment according to the status transition rules, and when the release judgment is passed, generate a one-time data view based on the entry qualification root identifier, request message digest and data view template, and update the current business item status. A derivation graph is established based on a one-time data view. When the status table of valid evidence nodes changes, the entry qualification root identifier is regenerated. When the regenerated entry qualification root identifier is inconsistent with the original entry qualification root identifier, a reverse chain break and recycling is performed along the derivation graph.

2. The data security control method based on the entry of enterprises into the park as described in claim 1, characterized in that, The original evidence data includes: enterprise registration data, legal representative identity data, authorization data, intended use data, proposed park resource data, entry agreement data, and third-party cooperation relationship data.

3. The data security control method based on the entry of enterprises into the park as described in claim 2, characterized in that, The evidence closure determination includes: Perform format verification, authenticity verification, and timeliness verification on the original evidence data, generate evidence nodes, and write the evidence nodes in the valid state into the valid evidence node status table; Based on the current entry matters, retrieve the necessary set of evidence nodes and the set of node dependencies, and extract the set of valid evidence nodes from the valid evidence node status table; When the set of necessary evidence nodes is contained in the set of valid evidence nodes, and the preceding node in the node dependency relationship set is in a valid state before the subsequent node, the evidence closure of the current entry matter is determined to be valid. When the evidence closure is established, the current entry item will be added to the set of business items for which evidence closure has been completed; The necessary evidence node summary values ​​for the current entry item are concatenated in chronological order and then processed by a hash function to generate the entry qualification root identifier.

4. The data security control method based on the entry of enterprises into the park as described in claim 1, characterized in that, The minimum necessary set of data atoms includes: Obtain the set of business items for which evidence closure has been completed, and determine the current business item; Retrieve the established mapping rules between business items and data objects to determine the set of data object identifiers for the current business item; Data objects are split according to the principles of independent invocation, independent control, and indivisibility to obtain multiple data atoms related to the current business transaction; Based on the processing requirements of the current business matter, the minimum necessary data atom required to complete the current business matter is selected from multiple data atoms, and the minimum necessary data atom set of the current business matter is generated. Based on the set of business items for which evidence closure has been completed, the minimum necessary data atom set for each business item is summarized to generate the current candidate set of data atoms that can be applied for.

5. The data security control method based on the entry of enterprises into the park as described in claim 1 or 4, characterized in that, The data view template related to the current business transaction includes: Obtain the complete set of data atoms directly managed by the park, and identify the data atoms that the park can directly control and issue. Read the set of data atoms involving third-party boundaries and identify those data atoms that cannot be directly output without additional authorization; The intersection of the current set of candidate data atoms that can be applied for and the complete set of data atoms directly managed by the park is processed, and data atoms involving third-party boundaries are removed to generate the current set of data atoms that can be issued. Generate a data view template for the current business transaction based on the currently available set of data atoms; Write the set of data atoms that can be called, the rules for the combination of data atoms, the identifiers of data atoms that are only allowed to participate in the calculation and not allowed to be output in plaintext, the identifiers of data atoms that are prohibited from being exported, and the validity period of the template in the generated data view template; Data view template generates a data view template identifier.

6. The data security control method based on the entry of enterprises into the park as described in claim 1, characterized in that, The release determination based on the state transition rule includes: Receive a single data access request initiated by an enterprise for the current business matter, and extract the enterprise identifier, business matter identifier, request action identifier, requested data atom identifier, terminal identifier, and time slice identifier from the single data access request; Generate a request message digest based on the enterprise identifier, business item identifier, request action identifier, request data atom identifier, terminal identifier, and time slice identifier; Read the business item status record table based on the enterprise identifier and business item identifier to obtain the current business item status; Retrieve the state transition rules corresponding to the current business item and the set of allowed prerequisite states corresponding to the request action identifier based on the business item identifier; Determine whether the current business transaction status belongs to the set of allowed preceding states, and determine whether the request action flag is executed under the current business transaction status and whether the transaction is transferred to the corresponding new status according to the status transition rules. If the current business transaction status belongs to the set of allowed prerequisite statuses and is transferred to the corresponding new status, the current single data access request is deemed to pass the approval decision.

7. The data security control method based on the entry of enterprises into the park as described in claim 6, characterized in that, The process of generating a one-time data view based on the entry qualification root identifier, request message digest, and data view template upon approval, and updating the current business status, includes the following steps: After the approval is granted, the entry qualification root identifier and data view template corresponding to the current business matter are read; Obtain the current request random number and the current time slice, and generate a one-time data view identifier based on the entry qualification root identifier, request message digest, current request random number, and current time slice; Based on the set of allowed data atoms configured in the data view template, filter the data atoms corresponding to this single data access request; Based on the atomic combination rules, computation participation rules, and export restriction rules configured in the data view template, generate a one-time data view that is only valid for this request; After the one-time data view is generated, the current business transaction status will be updated to the new status corresponding to the status transition rule; Write the updated status of the current business transaction back to the business transaction status record table.

8. The data security control method based on the entry of enterprises into the park as described in claim 1, characterized in that, The establishment of the derivation relationship graph includes: Read the one-time data view identifier, the one-time data view, and the output event record; map the original entry qualification root identifier to the qualification root node; map the one-time data view identifier to the view node; and establish a directed dependency relationship between the qualification root node and the view node. The system detects downstream usage behavior generated based on a one-time data view, generates corresponding derived event records, maps derived result objects to derived data object nodes, and establishes directed dependency relationships between view nodes and derived data object nodes to form a derivation relationship graph.

9. The data security control method based on the entry of enterprises into the park as described in claim 8, characterized in that, The reverse chain break recycling along the derivation graph includes: When a change in the status of an evidence node in the valid evidence node status table is detected, the evidence nodes that are in a valid state under the current business matter are re-extracted, and the entry qualification root identifier is regenerated based on the necessary evidence node set and node dependency relationship. The newly generated entry qualification root identifier is compared with the original entry qualification root identifier. If they are inconsistent, the qualification root node corresponding to the original entry qualification root identifier is taken as the starting node, and all successor nodes in the derivation relationship graph are traversed to obtain the set of nodes to be recycled. The system performs at least one of the following recycling processes on data objects in the set of nodes to be recycled: invalidation marking, access blocking, logical isolation, and deletion. Data objects that are outside the controlled storage range of the park retain outgoing records and invalidation markings, and are prohibited from participating in new derived processes as upstream data sources again.

10. A data security control system based on the entry of enterprises into a park, based on the data security control method based on the entry of enterprises into a park as described in any one of claims 1 to 9, characterized in that, include: The closure determination module is responsible for collecting original evidence data of enterprise entry matters, making evidence closure determination based on the necessary evidence node set and node dependency relationship of the current entry matter, and generating a valid evidence node status table, a set of business matters that have completed evidence closure, and entry qualification root identifier. The view template module is responsible for mapping each business item to a minimum necessary set of data atoms based on the set of business items for which evidence closure has been completed, and generating a data view template for the current business item by combining the direct management boundary of the park and the third-party boundary. The view release module is responsible for receiving single data access requests, reading the current business item status, making a release judgment according to the status transition rules, and generating a one-time data view based on the entry qualification root identifier, request message digest and data view template when the release judgment is passed, and updating the current business item status. The reverse chain break module is responsible for building a derivation graph based on the one-time data view, regenerating the entry qualification root identifier when the status table of valid evidence nodes changes, and performing reverse chain break recovery along the derivation graph when the regenerated entry qualification root identifier is inconsistent with the original entry qualification root identifier.