
CN116561803A - Security policy information processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116561803A
Authority
CN
China
Prior art keywords
security policy
policy information
information
type
target field
Prior art date
Legal status
Pending
Application number
CN202310565603.5A
Other languages
Chinese (zh)
Inventor
金慧敏
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure provides a security policy information processing method, apparatus, device and storage medium, applicable to the technical field of data processing and the technical field of finance. The method comprises the following steps: in response to a received security policy information processing request for a first database and a second database, acquiring first security policy information of the first database and second security policy information of the second database; obtaining the type of the first security policy information and the type of the second security policy information by identifying the policy type field of each; where the two types are determined to be the same, generating a processing policy by comparing the first security policy information with the second security policy information; and performing a processing operation on the first security policy information and the second security policy information based on the processing policy.

Description

Security policy information processing method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of data processing technology and the field of financial technology, and in particular, to a security policy information processing method, apparatus, device, medium, and program product.
Background
Security policies are typically stored in RACF databases; RACF (Resource Access Control Facility) is a security management product for mainframe operating systems. When the information of different data processing environments is integrated, simply combining the databases directly can lead to problems such as redundant or missing policies.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a security policy information processing method, apparatus, device, medium, and program product.
According to a first aspect of the present disclosure, there is provided a security policy information processing method including:
in response to a received security policy information processing request for a first database and a second database, acquiring first security policy information of the first database and second security policy information of the second database, the service data processing environments of the two databases being different; obtaining the type of the first security policy information and the type of the second security policy information by identifying the policy type field of each; where the two types are determined to be the same, generating a processing policy by comparing the first security policy information with the second security policy information; and performing a processing operation on the first security policy information and the second security policy information based on the processing policy.
According to an embodiment of the present disclosure, generating a processing policy by comparing first security policy information and second security policy information includes:
determining a first target field position according to the policy type; extracting a first target field from the first security policy information and a second target field from the second security policy information according to the first target field position; where the first target field is determined to be the same as the second target field, generating a first processing policy according to the attribute type of the first target field; and where the first target field is determined to be different from the second target field, generating a second processing policy.
According to an embodiment of the present disclosure, generating a first processing policy according to an attribute type of a first target field includes:
where the attribute type of the first target field is determined to be a first attribute, the first processing policy is an information deletion policy; where the attribute type of the first target field is determined to be a second attribute, a second target field position is determined, and a third processing policy is generated by comparing the first security policy information with the second security policy information according to the second target field position.
According to an embodiment of the present disclosure, generating a third processing policy by comparing the first security policy information and the second security policy information according to the second target field position includes:
extracting a third target field from the first security policy information and a fourth target field from the second security policy information according to the second target field position; where the first target field is determined to be the same as the second target field, the third processing policy is an information deletion policy; and where the first target field is determined to be different from the second target field, the third processing policy is an information change policy.
According to an embodiment of the present disclosure, in a case where it is determined that the first target field is not identical to the second target field, generating the second processing policy includes:
generating a change authorization policy where the first target field is determined to be different from the second target field.
According to an embodiment of the present disclosure, obtaining a type of first security policy information and a type of second security policy information by identifying a policy type field of the first security policy information and a policy type field of the second security policy information includes:
extracting a first policy type field from the first security policy information and a second policy type field from the second security policy information according to a predetermined data structure; obtaining the type of the first security policy information by querying a data structure information table according to the first policy type field; and obtaining the type of the second security policy information by querying the data structure information table according to the second policy type field.
According to an embodiment of the present disclosure, the above method further includes:
where the type of the first security policy information and the type of the second security policy information are both the authorized-object type, determining the information to be deleted according to the processing requirement, and performing a deletion operation on the information to be deleted.
A second aspect of the present disclosure provides a security policy information processing apparatus comprising an acquisition module, an identification module, a generation module and an execution module.
The acquisition module is configured to acquire, in response to a received security policy information processing request for a first database and a second database, first security policy information of the first database and second security policy information of the second database, the service data processing environments of the two databases being different. The identification module is configured to obtain the type of the first security policy information and the type of the second security policy information by identifying the policy type field of each. The generation module is configured to generate a processing policy by comparing the first security policy information with the second security policy information where the two types are the same. The execution module is configured to perform a processing operation on the first security policy information and the second security policy information based on the processing policy.
According to an embodiment of the present disclosure, the generation module includes a determination sub-module, a first extraction sub-module, a first generation sub-module and a second generation sub-module. The determination sub-module is configured to determine a first target field position according to the policy type. The first extraction sub-module is configured to extract a first target field from the first security policy information and a second target field from the second security policy information according to the first target field position. The first generation sub-module is configured to generate a first processing policy according to the attribute type of the first target field where the first target field is determined to be the same as the second target field. The second generation sub-module is configured to generate a second processing policy where the first target field is determined to be different from the second target field.
According to an embodiment of the present disclosure, the first generation sub-module includes a first determination unit, a second determination unit and a generation unit. The first determination unit is configured to determine that the first processing policy is an information deletion policy where the attribute type of the first target field is determined to be a first attribute. The second determination unit is configured to determine a second target field position where the attribute type of the first target field is determined to be a second attribute. The generation unit is configured to generate a third processing policy by comparing the first security policy information with the second security policy information according to the second target field position.
According to an embodiment of the present disclosure, the generation unit comprises an extraction subunit, a first determination subunit and a second determination subunit. The extraction subunit is configured to extract a third target field from the first security policy information and a fourth target field from the second security policy information according to the second target field position. The first determination subunit is configured to determine that the third processing policy is an information deletion policy where the first target field is determined to be the same as the second target field. The second determination subunit is configured to determine that the third processing policy is an information change policy where the first target field is different from the second target field.
According to an embodiment of the present disclosure, the second generation sub-module comprises a third determination unit, configured to generate a change authorization policy where the first target field is determined to be different from the second target field.
According to an embodiment of the present disclosure, the identification module includes a second extraction sub-module, a first query sub-module and a second query sub-module. The second extraction sub-module is configured to extract a first policy type field from the first security policy information and a second policy type field from the second security policy information according to a predetermined data structure. The first query sub-module is configured to obtain the type of the first security policy information by querying the data structure information table according to the first policy type field. The second query sub-module is configured to obtain the type of the second security policy information by querying the data structure information table according to the second policy type field.
According to an embodiment of the disclosure, the apparatus further includes a determination module and a deletion module. The determination module is configured to determine the information to be deleted according to the processing requirement where the type of the first security policy information and the type of the second security policy information are both the authorized-object type. The deletion module is configured to perform a deletion operation on the information to be deleted.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method.
With the security policy information processing method, apparatus, device, medium and program product described above, first security policy information of a first database and second security policy information of a second database are acquired in response to a received security policy information processing request for the two databases, whose service data processing environments differ. The type of the first security policy information and the type of the second security policy information are then obtained by identifying the policy type field of each. Where the two types are determined to be the same, a processing policy is generated by comparing the first security policy information with the second, and finally a processing operation is performed on both based on that processing policy. Because the policy type of the policy information in the two databases is identified, information of the same policy type is compared: completely identical information is deleted, and differing information is modified or changed, so that problems such as redundant or missing policies are at least partially solved and the accuracy and integrity of the policies are improved.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a security policy information processing method, apparatus, device, medium and program product according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flowchart of a security policy information processing method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates the integration of a personal RACF database and a public RACF database according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flowchart of generating a processing policy in a security policy information processing method according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a block diagram of a security policy information processing apparatus according to an embodiment of the present disclosure; and
FIG. 6 schematically illustrates a block diagram of an electronic device adapted to implement a security policy information processing method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C" are used, they should generally be interpreted according to the meaning commonly understood by those skilled in the art (e.g. "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical solution of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure and application of the data involved (including, but not limited to, personal information of users) comply with the relevant laws and regulations, adopt the necessary security measures, and do not violate public order and good customs.
Security policies generally reside in RACF databases, and when the information of different data processing environments is integrated, simply combining the databases directly can lead to problems such as redundant or missing policies.
In view of this, an embodiment of the present disclosure provides a security policy information processing method that acquires first security policy information of a first database and second security policy information of a second database in response to a received security policy information processing request for the two databases, whose service data processing environments differ. The type of the first security policy information and the type of the second security policy information are obtained by identifying the policy type field of each. Where the two types are determined to be the same, a processing policy is generated by comparing the first security policy information with the second security policy information, and a processing operation is performed on both based on the processing policy.
Fig. 1 schematically illustrates an application scenario diagram of security policy information processing according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may use at least one of the first terminal device 101, the second terminal device 102 and the third terminal device 103 to interact with the server 105 through the network 104, for example to receive or send messages. Various client applications, such as shopping applications, web browsers, search applications, instant messaging tools, mail clients and social platform software (by way of example only), may be installed on the first terminal device 101, the second terminal device 102 and the third terminal device 103.
The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, a security policy information processing method provided by the embodiments of the present disclosure may be generally executed by the server 105. Accordingly, a security policy information processing apparatus provided by an embodiment of the present disclosure may be generally provided in the server 105. A security policy information processing method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105. Accordingly, a security policy information processing apparatus provided by an embodiment of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
A security policy information processing method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 4 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flowchart of a security policy information processing method according to an embodiment of the present disclosure.
As shown in fig. 2, a security policy information processing method of this embodiment includes operations S210 to S240.
In operation S210, first security policy information of the first database and second security policy information of the second database are acquired in response to the received security policy information processing request for the first database and the second database.
In operation S220, the type of the first security policy information and the type of the second security policy information are obtained by identifying the policy type field of the first security policy information and the policy type field of the second security policy information.
In operation S230, in case it is determined that the type of the first security policy information and the type of the second security policy information are the same, a processing policy is generated by comparing the first security policy information and the second security policy information.
In operation S240, a processing operation is performed on the first security policy information and the second security policy information based on the processing policy.
According to an embodiment of the present disclosure, the first database may be a personal RACF database and the second database may be a public RACF database.
According to an embodiment of the present disclosure, the service data processing environment of the first database is different from that of the second database.
According to embodiments of the present disclosure, the security policy information processing request for the first database and the second database may be a data integration request. For example, integrating RACF databases means merging the files of different environments, where the files are the data store of each account. Fig. 3 schematically represents the integration of the personal RACF database and the public RACF database: the personal RACF database contains the four kinds of information A, B, C and E₁, the public RACF database contains the three kinds of information A, D and E₂, and integration yields the five kinds of information A, B, C, D and E₃.
According to an embodiment of the present disclosure, the first security policy information may be the security policy information contained in the personal RACF database. For example, the personal RACF database contains at least one of group, user, data set and general resource information, such as 0100 GPBD/0120 GPO # # 0400DS $ $ $ $ $ $ $ $ $ $ $ $.
According to an embodiment of the present disclosure, the second security policy information may be security policy information contained in the public RACF database. For example: the public RACF database contains at least one of group, user, data set and general resource information.
According to embodiments of the present disclosure, the policy type field is the field of the security policy information that identifies its specific type. For example, the security policy information may be information in the personal RACF database whose type field is 0500& & & & ×; that is, the policy type field of a general resource in the personal RACF database is 0500& & ×.
According to embodiments of the present disclosure, the type of the security policy information can be determined from the policy type field. For example, if the security policy information carries the policy type field 0500& & & & gt, bits 1 to 4 of the policy type field are 0500, and the security policy type is general resource basic data.
According to embodiments of the present disclosure, security policy types may include users, groups, data sets, and generic resources.
According to the embodiment of the disclosure, when the type of the first security policy information and the type of the second security policy information are the same, the processing policy is generated by comparing the two. For example, the type of the first security policy information is a general resource in the personal RACF database, and the type of the second security policy information is a general resource in the public RACF database; the comparison establishes that both are of the general resource type, and a processing policy is then generated.
According to the embodiment of the disclosure, the first security policy information and the second security policy information are processed according to the processing policy.
According to the embodiment of the disclosure, first security policy information of a first database and second security policy information of a second database are acquired in response to a received security policy information processing request for the two databases, whose service data processing environments differ. The type of the first security policy information and the type of the second security policy information are then obtained by identifying the policy type field of each. Where the two types are determined to be the same, a processing policy is generated by comparing the first security policy information with the second, and finally a processing operation is performed on both based on that processing policy. Because the policy type of the policy information in the two databases is identified, information of the same policy type is compared: identical information is handled with a deletion processing policy, and differing information is handled with a processing policy such as modification or change, so that problems such as redundant or missing policies are at least partially solved and the accuracy and integrity of the policies are improved.
Fig. 4 schematically illustrates a flowchart of generating a processing policy in a security policy information processing method according to an embodiment of the present disclosure.
As shown in fig. 4, generating a processing policy in a security policy information processing method of this embodiment includes operations S410 to S440.
In operation S410, a first target field location is determined according to a policy type.
In operation S420, a first target field is extracted from the first security policy information and a second target field is extracted from the second security policy information according to the first target field location.
In operation S430, in case it is determined that the first target field is identical to the second target field, a first processing policy is generated according to the attribute type of the first target field.
In operation S440, in case it is determined that the first target field is not identical to the second target field, a second processing policy is generated.
According to an embodiment of the present disclosure, the first target field and the second target field depend on the policy type; different policy types have different first and second target fields.
For example: for the group policy type, the first target field may be positions 1-4 of the record in the personal RACF database, and the second target field positions 1-4 of the record in the public RACF database.
According to an embodiment of the present disclosure, the attribute type of the first target field is the record type it represents. For example: 0100 is the group basic data record type, 0101 the group subgroup record type, 0200 the user basic data record type, and so on.
For example: if the first target field and the second target field are both 0220, a record type for other user data, the two fields are identical and a first processing policy is generated. If the first target field differs from the second target field, a second processing policy is generated.
According to the embodiment of the disclosure, since the first target field position is determined by the policy type, the first target field can be extracted from the first security policy information and the second target field from the second security policy information at that position. Different processing policies are then generated depending on whether the first target field and the second target field are the same. The security policy information is extracted accurately, the processing policy is selected according to the situation, and the integrity of the policy is improved.
According to an embodiment of the present disclosure, generating a first processing policy according to an attribute type of a first target field includes:
In the case where the attribute type of the first target field is determined to be the first attribute, the first processing policy is an information deletion policy. In the case where the attribute type of the first target field is determined to be the second attribute, the second target field location is determined. And generating a third processing policy by comparing the first security policy information with the second security policy information according to the second target field location.
For example: the attribute type of the first target field is a first attribute for the group. The first processing policy is then an information deletion policy, and the record in the personal RACF database is deleted. Positions 1-4 of the first target field are determined to be 0100, the first attribute for the group, so the records in the personal RACF database are compared one by one with each record in the public RACF database. If positions 6-13 are the same, the record in the personal RACF database is deleted, and a delete group execution statement is generated.
For example: if the attribute type of the first target field is a second attribute about the group, such as the basic data of a subgroup, the second target field position is determined to be positions 6-13, and a third processing policy is generated by comparing the first security policy information with the second security policy information.
According to the embodiment of the disclosure, a corresponding processing policy is adopted for each attribute type, which improves the integration efficiency and the integrity of the policy.
According to an embodiment of the present disclosure, generating a third processing policy by comparing the first security policy information and the second security policy information according to the second target field position includes:
According to the second target field position, a third target field is extracted from the first security policy information and a fourth target field from the second security policy information. Where the third target field is determined to be the same as the fourth target field, the third processing policy is an information deletion policy; where they are determined to differ, the third processing policy is an information change policy.
According to an embodiment of the present disclosure, the second target field position is given by the second attribute of the first target field. A third target field is extracted from the first security policy information at that position, and the corresponding fourth target field is extracted from the second security policy information. If the two fields are the same, the third processing policy is an information deletion policy; if they differ, the third processing policy is an information modification policy.
For example: positions 1-4 of both the first and second target fields are 0400, the data set record type, so the records in the personal RACF database are compared one by one with each record in the public RACF database. The third target field is positions 6-49 of the first security policy information, and the corresponding fourth target field is extracted from the second security policy information. If positions 6-49 are the same, the record is deleted, and a delete data set command statement is generated and stored in the corresponding file. If they differ, the third processing policy is an information modification policy, which may generate a data set command statement and store it in the corresponding file.
According to an embodiment of the present disclosure, a third target field can be extracted from the first security policy information and a fourth target field from the second security policy information according to the second target field position, and a different processing policy is selected for each case. The data integration process is further refined, making the policy more complete and accurate.
According to an embodiment of the present disclosure, in a case where it is determined that the first target field is not identical to the second target field, generating the second processing policy includes:
A change authorization policy is generated where the first target field is determined to be different from the second target field.
For example: the first target field and the second target field differing may mean that positions 67-74 of the first security policy information and of the second security policy information differ, indicating that the access rights of the authorized user differ between the personal RACF database and the public RACF database, so a change authorization policy is generated.
For example: if positions 58-65 of the first security policy information differ from positions 58-65 of the second security policy information, an authorization statement is generated for the differing authorized user groups.
For example: if positions 6-49 of the first security policy information differ from those of the second security policy information, an authorization statement is generated for the data set policy that is unique to the personal RACF database.
According to the embodiment of the present disclosure, since a plurality of data types are included and each represents a different meaning, a change authorization policy is needed for the data set policies unique to the personal RACF database. The method is compatible with the security policy of the public database, is targeted, and improves the integrity of the policy.
For example: according to the method, the type of the first security policy information and the type of the second security policy information are both obtained as general resource from their policy type fields. The first target field position is positions 1-4, and the first target field extracted from the first security policy information is 0500; the records in the personal RACF database are then compared one by one with each record in the public RACF database. If positions 6-251 are the same, positions 253-260 are compared next. If the second target field position is positions 253-260 and those positions are also the same, an information deletion policy is generated, which may delete the record in the personal RACF database and generate a delete resource execution statement. If the second target field position is positions 253-260 and the information in those positions differs, an information change policy is generated, which may be a resource class definition statement. If the second target field position is positions 6 to 25 and the information there differs, a change authorization policy is generated, which may be a change authorization definition statement.
According to an embodiment of the present disclosure, obtaining a type of first security policy information and a type of second security policy information by identifying a policy type field of the first security policy information and a policy type field of the second security policy information includes:
According to a predetermined data structure, a first policy type field is extracted from the first security policy information and a second policy type field from the second security policy information. The type of the first security policy information is obtained by querying the data structure information table with the first policy type field, and the type of the second security policy information by querying the same table with the second policy type field.
According to an embodiment of the present disclosure, the predetermined data structure means that data is stored in the database according to a fixed ordering rule, so that the relevant content can be extracted from the data according to that rule.
According to an embodiment of the present disclosure, the data structure information table sets forth the type, type field, field location, and meaning of each security policy.
For example: according to the predetermined data structure, positions 1-4 hold the type of the security policy information. The first policy type field 0100 is extracted from positions 1-4 of the first security policy information, and the second policy type field 0100 from positions 1-4 of the second security policy information. By referring to the data structure information table, the type of the first security policy information and the type of the second security policy information are both found to be group.
According to the embodiment of the disclosure, corresponding information can be queried through the data structure information table, so that data can be rapidly queried and processed, and the integration speed is greatly improved.
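The type identification of S220 (positions 1-4 looked up in a data structure information table) and the comparison steps S410-S440 with their deletion, change and change-authorization outcomes, carried through in working code as an added example; this is not code from the patent or its applicant. The record layout and key positions, the command verbs (DELGROUP, DELDSD, RDELETE, RDEFINE, PERMIT, ADDGROUP) and all sample records are assumptions of the example, modelled on fixed-width RACF database unload records; the text itself only names the kinds of statement generated, and the "bits" of the text are read here as character positions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Data structure information table (assumed). Positions are 1-based character
# positions modelled on RACF database unload records: record type in 1-4, blank
# in 5, key fields at fixed offsets. The first key is the text's "first target
# field"; a second key, where present, is its "second target field".
RECORD_TYPES: Dict[str, Tuple[str, List[Tuple[int, int]]]] = {
    "0100": ("group", [(6, 13)]),                          # group basic data
    "0400": ("dataset", [(6, 49)]),                        # data set basic data
    "0500": ("general_resource", [(6, 251), (253, 260)]),  # resource name, class
}

# Assumed RACF command verbs; the text only names the kinds of statement.
DELETE_CMD: Dict[str, Callable[..., str]] = {
    "group": lambda g: f"DELGROUP {g}",
    "dataset": lambda d: f"DELDSD '{d}'",
    "general_resource": lambda n, c: f"RDELETE {c} {n}",
}
CHANGE_CMD: Dict[str, Callable[..., str]] = {
    "general_resource": lambda n, c: f"RDEFINE {c} {n}",
}
AUTH_CMD: Dict[str, Callable[..., str]] = {
    "group": lambda g: f"ADDGROUP {g}",
    "dataset": lambda d: f"PERMIT '{d}' ID(<id>) ACCESS(<access>)",
    "general_resource": lambda n, c: f"PERMIT {n} CLASS({c}) ID(<id>) ACCESS(<access>)",
}

def field(record: str, start: int, end: int) -> str:
    """Return 1-based inclusive positions start..end of a record."""
    return record[start - 1:end]

def policy_type(record: str) -> str:
    """S220: read the policy type field (positions 1-4) and look it up."""
    code = field(record, 1, 4)
    if code not in RECORD_TYPES:
        raise ValueError(f"unknown record type {code!r}")
    return RECORD_TYPES[code][0]

def key_values(record: str) -> Tuple[str, List[str]]:
    """Policy type name plus the stripped key field values of a record."""
    name = policy_type(record)
    keys = RECORD_TYPES[field(record, 1, 4)][1]
    return name, [field(record, s, e).strip() for s, e in keys]

def generate_processing_policy(first: str, second: str) -> Tuple[str, Optional[str]]:
    """S410-S440 for one personal record against one public record: all keys
    equal -> deletion; first key equal, later key differs -> change; first key
    differs -> change authorization; different record types -> skip."""
    code = field(first, 1, 4)
    if code != field(second, 1, 4):
        return ("skip", None)
    name, values = key_values(first)
    equal = [field(first, s, e) == field(second, s, e) for s, e in RECORD_TYPES[code][1]]
    if all(equal):
        return ("delete", DELETE_CMD[name](*values))
    if equal[0] and name in CHANGE_CMD:
        return ("change", CHANGE_CMD[name](*values))
    return ("change_authorization", AUTH_CMD[name](*values))

def integrate(personal: List[str], public: List[str]) -> List[Tuple[str, str, str]]:
    """Compare each personal record one by one with every public record and
    keep the strongest outcome: delete > change > change_authorization."""
    rank = {"delete": 0, "change": 1, "change_authorization": 2, "skip": 3}
    plan = []
    for rec in personal:
        name, values = key_values(rec)
        # No peer of the same type: the profile is unique to the personal
        # database, which the text handles with a change authorization policy.
        best = ("change_authorization", AUTH_CMD[name](*values))
        for pub in public:
            outcome = generate_processing_policy(rec, pub)
            if rank[outcome[0]] < rank[best[0]]:
                best = outcome
        plan.append((name, best[0], best[1] or ""))
    return plan

def make_record(code: str, values: List[str]) -> str:
    """Build a constructed fixed-width record for the demo (not real unload data)."""
    keys = RECORD_TYPES[code][1]
    buf = [" "] * max(e for _, e in keys)
    buf[0:4] = code
    for (s, e), v in zip(keys, values):
        buf[s - 1:e] = v.ljust(e - s + 1)
    return "".join(buf)

# Constructed sample records (names and classes are made up).
DEMO_PERSONAL = [
    make_record("0100", ["SYSGRP"]),
    make_record("0400", ["PROD.PAYROLL.**"]),
    make_record("0500", ["CICS.TRAN01", "TCICSTRN"]),
    make_record("0500", ["APPL01", "APPL"]),
]
DEMO_PUBLIC = [
    make_record("0100", ["SYSGRP"]),                   # identical group
    make_record("0500", ["CICS.TRAN01", "GCICSTRN"]),  # same name, other class
    make_record("0500", ["APPL01", "APPL"]),           # identical resource
]

if __name__ == "__main__":
    for name, policy, statement in integrate(DEMO_PERSONAL, DEMO_PUBLIC):
        print(f"{name:17} {policy:21} {statement}")
```

The comparison is done on the padded fixed-width slices rather than on stripped values, so two profiles only count as identical when every position of the key field agrees, which is the behaviour the text describes for positions 6-13, 6-49 and 6-251. The generated statements are a plan to be reviewed, not commands to be run blindly against a live RACF database: the PERMIT lines in particular leave the ID and ACCESS operands as placeholders because the record key alone does not carry them.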
According to an embodiment of the present disclosure, the above method further includes:
Where the type of the first security policy information and the type of the second security policy information are both the authorized object type, the information to be deleted is determined according to the processing requirement, and a deletion operation is executed on the information to be deleted.
According to embodiments of the present disclosure, the authorization object type may be a user.
For example: all files of the authorized object type may be listed first, with "LU *" listing every authorized object (user). The data set of the authorized object type and the file of the authorized object type are then deleted. Because each authorized object has a corresponding data set named "<authorized object>.*", the corresponding program statement may be used for the deletion.
According to the embodiment of the disclosure, for the security policy information processing of the related authorized object types, the data volume of subsequent integration is reduced, and the integration risk is reduced.
Based on the above-mentioned method for processing the security policy information, the present disclosure also provides a device for processing the security policy information. The device will be described in detail below in connection with fig. 5.
Fig. 5 schematically illustrates a block diagram of a security policy information processing apparatus according to an embodiment of the present disclosure.
As shown in fig. 5, a security policy information processing apparatus 500 of this embodiment includes an acquisition module 510, an identification module 520, a generation module 530, and an execution module 540.
The obtaining module 510 is configured to obtain, in response to a received security policy information processing request for the first database and the second database, first security policy information of the first database and second security policy information of the second database. In an embodiment, the obtaining module 510 may be configured to perform the operation S210 described above, which is not described herein.
The identification module 520 is configured to obtain a type of the first security policy information and a type of the second security policy information by identifying a policy type field of the first security policy information and a policy type field of the second security policy information. In an embodiment, the identification module 520 may be used to perform the operation S220 described above, which is not described herein.
The generating module 530 is configured to generate a processing policy by comparing the first security policy information and the second security policy information when it is determined that the type of the first security policy information and the type of the second security policy information are the same. In an embodiment, the generating module 530 may be configured to perform the operation S230 described above, which is not described herein.
The execution module 540 is configured to perform a processing operation on the first security policy information and the second security policy information based on the processing policy. In an embodiment, the execution module 540 may be configured to execute the operation S240 described above, which is not described herein.
According to an embodiment of the present disclosure, the generation module includes a determination sub-module, a first extraction sub-module, a first generation sub-module, and a second generation sub-module. The determination sub-module is used to determine the first target field position according to the policy type. The first extraction sub-module is used to extract a first target field from the first security policy information and a second target field from the second security policy information according to the first target field position. The first generation sub-module is used to generate a first processing policy according to the attribute type of the first target field when the first target field is determined to be the same as the second target field. The second generation sub-module is used to generate a second processing policy when the first target field is determined to be different from the second target field.
According to an embodiment of the present disclosure, the first generation sub-module includes a first determination unit, a second determination unit, and a generation unit. The first determination unit is used to determine that the first processing policy is an information deletion policy when the attribute type of the first target field is the first attribute. The second determination unit is used to determine the second target field position when the attribute type of the first target field is the second attribute. The generation unit is used to generate a third processing policy by comparing the first security policy information with the second security policy information according to the second target field position.
According to an embodiment of the present disclosure, the generation unit includes an extraction subunit, a first determination subunit, and a second determination subunit. The extraction subunit is used to extract a third target field from the first security policy information and a fourth target field from the second security policy information according to the second target field position. The first determination subunit is used to determine that the third processing policy is an information deletion policy when the third target field is the same as the fourth target field. The second determination subunit is used to determine that the third processing policy is an information change policy when the third target field differs from the fourth target field.
According to an embodiment of the present disclosure, the second generation sub-module includes a third determination unit, used to generate a change authorization policy when the first target field is determined to be different from the second target field.
According to an embodiment of the present disclosure, the identification module includes a second extraction sub-module, a first query sub-module, and a second query sub-module. The second extraction sub-module is used to extract the first policy type field from the first security policy information and the second policy type field from the second security policy information according to the predetermined data structure. The first query sub-module is used to obtain the type of the first security policy information by querying the data structure information table according to the first policy type field. The second query sub-module is used to obtain the type of the second security policy information by querying the data structure information table according to the second policy type field.
According to an embodiment of the disclosure, the apparatus further includes a determining module and a deleting module. The determining module is used for determining the information to be deleted according to the processing requirement under the condition that the type of the first security policy information and the type of the second security policy information are both the type of the authorized object. And the deleting module is used for executing deleting operation on the information to be deleted.
According to embodiments of the present disclosure, any number of the acquisition module 510, the identification module 520, the generation module 530, and the execution module 540 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. At least one of the acquisition module 510, the identification module 520, the generation module 530, and the execution module 540 may be implemented, at least in part, as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware by any other reasonable way of integrating or packaging the circuitry, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of these modules may be at least partially implemented as a computer program module which, when executed, performs the corresponding functions.
Fig. 6 schematically illustrates a block diagram of an electronic device adapted to implement a security policy information processing method according to an embodiment of the disclosure.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 601 may also include on-board memory for caching purposes. The processor 601 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. The processor 601 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or the RAM 603. Note that the program may be stored in one or more memories other than the ROM 602 and the RAM 603. The processor 601 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 600 may also include an input/output (I/O) interface 605, which is also connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker, and the like; a storage portion 608 including a hard disk and the like; and a communication portion 609 including a network interface card such as a LAN card or a modem. The communication portion 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage portion 608 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 602 and/or RAM 603 and/or one or more memories other than ROM 602 and RAM 603 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. When executed in a computer system, the program code causes the computer system to implement the security policy information processing method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 601. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and/or installed from the removable medium 611. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 601. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, the program code of the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages and/or assembly or machine languages. Programming languages include, but are not limited to, Java, C++, Python, C, or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, it may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (for example, via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or sub-combinations, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (11)

1. A security policy information processing method, comprising:
in response to receiving a security policy information processing request for a first database and a second database, acquiring first security policy information of the first database and second security policy information of the second database, wherein service data processing environments of the first database and the second database are different;
obtaining a type of the first security policy information and a type of the second security policy information by identifying a policy type field of the first security policy information and a policy type field of the second security policy information;
generating a processing policy by comparing the first security policy information and the second security policy information in a case where it is determined that the type of the first security policy information and the type of the second security policy information are the same; and
executing a processing operation on the first security policy information and the second security policy information based on the processing policy.
2. The method of claim 1, wherein the generating a processing policy by comparing the first security policy information and the second security policy information comprises:
determining a first target field position according to the policy type;
extracting a first target field from the first security policy information and a second target field from the second security policy information according to the first target field position;
generating a first processing policy according to the attribute type of the first target field if it is determined that the first target field is the same as the second target field; and
generating a second processing policy if it is determined that the first target field is different from the second target field.
3. The method of claim 2, wherein the generating a first processing policy according to the attribute type of the first target field comprises:
if it is determined that the attribute type of the first target field is a first attribute, the first processing policy is an information deletion policy;
determining a second target field position if it is determined that the attribute type of the first target field is a second attribute; and
generating a third processing policy by comparing the first security policy information with the second security policy information according to the second target field position.
4. A method according to claim 3, wherein said generating a third processing policy by comparing said first security policy information with said second security policy information according to said second target field location comprises:
extracting a third target field from the first security policy information and a fourth target field from the second security policy information according to the second target field position;
the third processing policy is an information deletion policy if it is determined that the first target field is the same as the second target field; and
the third processing policy is an information modification policy if it is determined that the first target field is not identical to the second target field.
5. The method of claim 2, wherein the generating a second processing policy if the first target field is determined to be different from the second target field comprises:
generating a change authorization policy if it is determined that the first target field is different from the second target field.
6. The method of claim 1, wherein the deriving the type of the first security policy information and the type of the second security policy information by identifying a policy type field of the first security policy information and a policy type field of the second security policy information comprises:
extracting a first policy type field from the first security policy information and a second policy type field from the second security policy information according to a predetermined data structure;
obtaining the type of the first security policy information by querying a data structure information table according to the first policy type field; and
obtaining the type of the second security policy information by querying the data structure information table according to the second policy type field.
7. The method of claim 1, further comprising:
if both the type of the first security policy information and the type of the second security policy information are the authorized object type, determining the information to be deleted according to the processing requirement; and
executing a deletion operation on the information to be deleted.
8. A security policy information processing apparatus comprising:
an acquisition module configured to, in response to a received security policy information processing request for a first database and a second database, acquire first security policy information of the first database and second security policy information of the second database, wherein the service data processing environments of the first database and the second database are different;
an identification module configured to obtain the type of the first security policy information and the type of the second security policy information by identifying a policy type field of the first security policy information and a policy type field of the second security policy information;
a comparison module configured to generate a processing policy by comparing the first security policy information and the second security policy information if the type of the first security policy information and the type of the second security policy information are the same; and
a processing module configured to execute a processing operation on the first security policy information and the second security policy information based on the processing policy.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
11. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
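As an added example (not code from the patent or its applicant), the following Python models the comparison procedure of claims 1 to 6: the policy type is resolved through a constructed data structure information table, the target fields are selected per type, and the outcome is one of the processing policies named in claims 3 to 5. The record layout, field names, type codes and attribute assignments are constructed assumptions, and claim 4's second comparison is read here as applying to the fields extracted at the second target field position.

```python
from enum import Enum

class Action(Enum):            # processing policies named in the claims
    DELETE = "information deletion"       # first / third processing policy
    MODIFY = "information modification"   # third processing policy
    CHANGE_AUTH = "change authorization"  # second processing policy

# Constructed data structure information table (claim 6): type field value -> type name.
TYPE_TABLE = {"P": "privilege", "R": "role", "O": "authorized_object"}

# Constructed per-type layout (claims 2-3): first target field, the attribute
# type it carries, and the second target field when one is needed.
LAYOUT = {
    "privilege": {"first": "grantee", "attr": "second", "second": "privilege_set"},
    "role": {"first": "role_name", "attr": "first", "second": None},
    "authorized_object": {"first": "object_name", "attr": "second", "second": "owner"},
}

def policy_type(record):
    """Claim 6: read the policy type field and resolve it through TYPE_TABLE."""
    return TYPE_TABLE[record["policy_type"]]

def processing_policy(first, second):
    """Claims 1-5: processing policy for one record pair, or None when the two
    records are not of the same policy type (then nothing is compared)."""
    ptype = policy_type(first)
    if ptype != policy_type(second):
        return None
    layout = LAYOUT[ptype]
    if first[layout["first"]] != second[layout["first"]]:
        return Action.CHANGE_AUTH                       # claim 5
    if layout["attr"] == "first":
        return Action.DELETE                            # claim 3, first attribute
    pos = layout["second"]                              # claim 3, second attribute
    # Claim 4, read here as comparing the fields at the second target field position.
    return Action.DELETE if first[pos] == second[pos] else Action.MODIFY

# Constructed sample pairs: a test-environment record beside its production
# counterpart. Expected results: MODIFY, DELETE, CHANGE_AUTH, None.
SAMPLE_PAIRS = [
    ({"policy_type": "P", "grantee": "app_user", "privilege_set": "SELECT"},
     {"policy_type": "P", "grantee": "app_user", "privilege_set": "SELECT,INSERT"}),
    ({"policy_type": "R", "role_name": "auditor"}, {"policy_type": "R", "role_name": "auditor"}),
    ({"policy_type": "P", "grantee": "batch_user", "privilege_set": "SELECT"},
     {"policy_type": "P", "grantee": "report_user", "privilege_set": "SELECT"}),
    ({"policy_type": "R", "role_name": "auditor"}, {"policy_type": "O", "object_name": "t1", "owner": "dba"}),
]
def sample_results():
    return [processing_policy(a, b) for a, b in SAMPLE_PAIRS]
```

In practice the "same type" gate matters: records of differing policy types are never compared field by field, so a drift check built this way reports them separately rather than producing a spurious modification or authorization change.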

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310565603.5A CN116561803A (en) 2023-05-18 2023-05-18 Security policy information processing method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN116561803A true CN116561803A (en) 2023-08-08

Family

ID=87501556


Country Status (1)

Country Link
CN (1) CN116561803A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination