CN119066050A - Database management method, device, equipment and medium - Google Patents

Publication number
CN119066050A
Authority
CN
China
Prior art keywords
user
database
authority
group
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411253250.6A
Other languages
Chinese (zh)
Inventor
廖奎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN202411253250.6A
Publication of CN119066050A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Data Mining & Analysis (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of the present application provide a database management method, apparatus, device and medium. Database permissions are assigned to a first user according to the attributes of the first user; the first user is added to a user group, and the database permissions of the first user are assigned to the user group; a second user is created in response to receiving a create-user command from the first user; the second user is added to the user group of the first user, and the database permissions of the user group are assigned to the second user. This solves the problems of overly concentrated database permissions, abuse of power and insecure data. The user-set concept is used to implement user grouping, which avoids the hard-to-avoid errors of role permission assignment.

Description

Database management method, device, equipment and medium
Technical Field
The present application relates to the field of database technologies, and in particular, to a method, an apparatus, a device, and a medium for database management.
Background
A financial enterprise's database stores a large amount of key enterprise information, including enterprise strategy, economic services, technical secrets, customer information, transaction information and the like. Permission management is a key link in protecting data resources and systems, so user permission management for the database is of great importance. Reasonable configuration and precise control of users' data access permissions can effectively prevent unauthorized access, data leakage and improper operation. In some current database permission management systems, permissions have no mutually opposing relationship and the permissions of the database administrator user are concentrated; if the database administrator user is leaked, the security of the database is seriously threatened.
Disclosure of Invention
The main purpose of the embodiments of the present application is to provide a database management method, apparatus, device and medium that implement a database permission separation function.
To achieve the above object, a first aspect of the embodiments of the present application provides a database management method, including:
acquiring an attribute of a first user;
assigning database permissions to the first user according to the attribute of the first user;
adding the first user to a user group, and assigning the database permissions of the first user to the user group;
creating a second user in response to receiving a create-user command from the first user; and
adding the second user to the user group in which the first user is located, and assigning the database permissions of the user group to the second user.
In some embodiments, before the creating of the second user in response to receiving the create-user command from the first user, the method further includes:
receiving the create-user command from the first user when the attribute of the first user satisfies the create-user condition.
In some embodiments, the creating of a second user in response to receiving a create-user command from the first user includes:
in response to receiving the create-user command from the first user, creating the second user when the attribute of the second user in the create-user command satisfies the condition for being added to the user group in which the first user is located, and adding the second user to the user group in which the first user is located.
In some embodiments, the method further includes:
receiving an execute-statement command from a third user, the execute-statement command including a target statement;
consulting the database permissions of the user group in which the third user is located; and
executing the target statement when the database permissions of the user group in which the third user is located contain the permission to execute the target statement.
In some embodiments, after the consulting of the database permissions of the user group in which the third user is located, the method further includes:
intercepting the target statement when the database permissions of the user group in which the third user is located contain the permission to execute the target statement.
In some embodiments, the target statement is backing up target data, and the executing of the target statement when the database permissions of the user group in which the third user is located contain the permission to execute the target statement includes:
backing up the target data when the database permissions of the user group in which the third user is located contain the permission to back up the target data.
In some embodiments, the target statement is restoring target data, and the executing of the target statement when the database permissions of the user group in which the third user is located contain the permission to execute the target statement includes:
restoring the target data when the database permissions of the user group in which the third user is located contain the permission to restore the target data.
To achieve the above object, a second aspect of the embodiments of the present application provides a database management apparatus, including:
an attribute consulting module, configured to acquire the attribute of the first user;
a permission assignment module, configured to assign database permissions to the first user according to the attribute of the first user;
a user group module, configured to add the first user to a user group and assign the database permissions of the first user to the user group;
a new user creation module, configured to create a second user in response to receiving a create-user command from the first user; and
a new user permission module, configured to add the second user to the user group in which the first user is located and assign the database permissions of the user group to the second user.
To achieve the above object, a third aspect of the embodiments of the present application provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the database management method according to the first aspect of the embodiments of the present application when executing the computer program.
To achieve the above object, a fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the database management method according to the first aspect of the embodiments of the present application.
The database management method, apparatus, device and medium solve the problems of overly concentrated database permissions, abuse of power and insecure data, and implement user grouping by using the concept of a user set. No new permission roles need to be added, which avoids role permission assignment errors that are easy to make and hard to avoid. A permission separation switch is provided, so the security level can be adjusted and the permission separation function switched on or off according to actual business requirements, and the permission separation categories and the number of groups can be customized to the user's business situation. For data backup and restore, the data of each group is backed up and restored by the manager of that group; backups cannot be made across groups, which prevents data from being obtained and abused by other groups.
Drawings
FIG. 1 is a step diagram of a database management method provided by an embodiment of the present application;
FIG. 2 is a sub-step diagram of step S400 provided by an embodiment of the present application;
FIG. 3 is a sub-step diagram of step S600 provided by an embodiment of the present application;
FIG. 4 is a step diagram of step S710 provided by an embodiment of the present application;
FIG. 5 is a step diagram of step S720 provided by an embodiment of the present application;
FIG. 6 is a block diagram of a database management apparatus according to an embodiment of the present application;
FIG. 7 is a block diagram of an electronic device provided by an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
A financial enterprise's database stores a large amount of key enterprise information, including enterprise strategy, economic services, technical secrets, customer information, transaction information and the like. Permission management is a key link in protecting data resources and systems, so user permission management for the database is of great importance. Reasonable configuration and precise control of users' data access permissions can effectively prevent unauthorized access, data leakage and improper operation. In some current database permission management systems, permissions have no mutually opposing relationship and the permissions of the database administrator user are concentrated; if the database administrator user is leaked, the security of the database is seriously threatened.
In order to solve the problems, the embodiment of the application provides a database management method, a device, equipment and a medium, which realize the authority separation of a database and avoid the excessive concentration of the authority of the database.
The embodiment of the application can acquire and process the related data based on artificial intelligence technology. Artificial intelligence (Artificial Intelligence, AI) is the theory, methods, techniques and application systems that use a digital computer or a digital-computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge, and use knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
The embodiment of the application provides a database management method, device, equipment and medium, relating to the technical field of artificial intelligence. The database management method provided by the embodiment of the application can be applied to a terminal, to a server side, or to software running in the terminal or the server side. In some embodiments, the terminal may be a smart phone, a tablet computer, a notebook computer, a desktop computer, etc. The server may be configured as an independent physical server, as a server cluster or a distributed system formed by a plurality of physical servers, or as a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms. The software may be an application implementing the database management method, but is not limited to the above forms.
The application is operational with numerous general purpose or special purpose computer system environments or configurations, such as a personal computer, a server computer, a hand-held or portable device, a tablet device, a multiprocessor system, a microprocessor-based system, a set top box, a programmable consumer electronics device, a network PC, a minicomputer, a mainframe computer, a distributed computing environment that includes any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In the embodiments of the present application, when related processing is required according to user information, user behavior data, user history data, user location information, and other data related to user identity or characteristics, permission or agreement of the user is obtained first, and the collection, use, processing, and the like of the data comply with related regulations. In addition, when the embodiment of the application needs to acquire the sensitive personal information of the user, the independent permission or independent consent of the user is acquired through popup or jump to a confirmation page and the like, and after the independent permission or independent consent of the user is definitely acquired, the necessary relevant data of the user for enabling the embodiment of the application to normally operate is acquired.
The embodiment of the application provides a database management method, a device, equipment and a medium. The database management method in the embodiment of the present application will be described first, specifically by the following embodiment.
The embodiment of the application provides a database management method.
Referring to fig. 1, the database management method includes the steps of:
Step S100, obtaining the attribute of a first user;
Step S200, assigning database permissions to the first user according to the attribute of the first user;
Step S300, adding the first user to the user group, and assigning the database permissions of the first user to the user group;
Step S400, in response to receiving a create-user command from the first user, creating a second user;
Step S500, adding the second user to the user group in which the first user is located, and assigning the database permissions of the user group to the second user.
The database management method realizes the authority separation function of the database and avoids the excessive centralization of the management function of the database.
When the database is initialized, a database administrator (Database Administrator, DBA) user is initialized and the password of the database administrator user is set. The permissions on the initialization objects are assigned to the database administrator user, ensuring that all objects can access the initialization data.
A switch for the permission separation function of the database is set. The switch defaults to true; true indicates that the permission separation function is on, and false indicates that it is off. The switch can be configured by modifying the configuration file before the database is started.
In step S100 of some embodiments, an attribute of the first user is obtained. The first user is a user of the database.
The attributes of the first user include:
User name (Username): a unique identifier of the user in the database;
Password (Password): credentials for verifying the identity of the user;
Roles (Roles): a user can be assigned one or more roles;
Schema (Schema): the database schema accessible by the user;
Default tablespace (Default Tablespace): the tablespace used by default when the user creates a table or index;
Quotas (Quotas): in some database systems, a user may have a quota limit on the resources used;
Session attributes (Session Attributes): settings during the user session, e.g., time zone, language, etc.;
Connection attributes (Connection Attributes): attributes defined when the user connects to the database, such as port number, client address, etc.;
Encryption settings (Encryption Settings): define the encryption requirements for the user connection;
Authentication method (Authentication Method): defines how the user is authenticated, e.g., by a password, certificate, or other external authentication service;
Account lock status (Account Lock Status): whether the account is locked, and the reason for and duration of the lock;
Expiration policy (Expiration Policy): the expiration policy for passwords and accounts;
User configuration (User Configuration): user-specific configuration options such as notification settings, interface preferences, etc.;
Resource usage (Resource Usage): statistics on the resources used by the user, such as CPU, memory and I/O.
It should be noted that the above user attributes are examples. The user attributes supported by different database systems vary with the type and version of the database.
In step S200 of some embodiments, database permissions are assigned to the first user according to the attribute of the first user. Illustratively, the first user is assigned database permissions according to the role of the first user.
For example, where the first user has the role of a policeman, the first user may be assigned database permissions for user account management, permission control, database structure management, data manipulation, backup and restore, performance monitoring and optimization, database maintenance, configuration management, security management, troubleshooting, data migration, system monitoring, disaster recovery, and the like.
Specifically, a policeman can: create, modify and delete user accounts; grant or revoke users' access rights to databases, tables, views, stored procedures and the like; create, modify and delete database objects such as tables, indexes, views, stored procedures and triggers; perform insert, delete, update and query operations on data in the database; back up the database regularly and restore data when needed; monitor database performance, analyze query efficiency, and optimize indexes and queries; perform database maintenance tasks such as updating statistics, rebuilding indexes and shrinking the database; configure database parameters such as memory allocation and storage configuration; implement security policies, including data encryption, auditing and access control; diagnose and resolve problems in database operation; monitor the running state and resource usage of the database system; migrate data between different database systems or servers; and design and implement high-availability solutions and disaster recovery plans for the database.
Where the first user has the role of an auditor, the first user is assigned the following database permissions: access to audit logs, audit analysis, data access auditing, audit policy management, audit record content, enabling and disabling of audit functions, audit information storage, audit reporting, and the like.
Specifically, an auditor can: view and analyze audit logs to detect potential security risks and violations in the database; use audit analysis tools to help discover abnormal behavior, including any potential security threats, and take corresponding action; and perform data access audits, discovering anomalies and taking action to ensure the integrity and confidentiality of data. The auditor is responsible for formulating and implementing the audit policy of the database, including determining the scope and level of audit objects and audit events. Audit records contain information such as the time, place, type, subject, object and result of each event. The auditor is also responsible for enabling and disabling audit functions, including auditing of user additions, modifications and deletions and of permission changes; for ensuring the storage security of audit records and raising an alarm when the storage space is full; and for generating audit reports that present audit results and problems and help improve the data structure and system.
Where the first user has the role of a backup manager, the first user is assigned the following database permissions: backup task management, backup permission control, backup media management, system and data recovery, monitoring and maintenance of the backup system, and the like.
Specifically, the backup manager can: create and manage backup tasks, including setting a backup plan and selecting backup objects and backup types; grant a user or role the permissions required to perform backup operations (for example, in MySQL the backup user may need permissions such as SELECT, SHOW VIEW, TRIGGER, EVENT, LOCK TABLES, RELOAD, REPLICATION CLIENT and PROCESS); take charge of the storage and archiving of backup media and ensure their security; perform data recovery operations when needed, ensuring that data can be recovered from backups promptly and effectively; and periodically check the hardware and running state of the backup system to ensure that the backup server operates normally and stably.
In step S300 of some embodiments, the first user is added to the user group and the database permissions of the first user are assigned to the user group.
Illustratively, where the first user is a strategic agent, the first user is added to user group 1 and the database permissions of the strategic agent are assigned to user group 1. The database permissions of user group 1 include user account management, permission control, database structure management, data manipulation, backup and restore, performance monitoring and optimization, database maintenance, configuration management, security management, troubleshooting, data migration, system monitoring, disaster recovery, and the like.
Where the first user is an auditor, the first user is added to user group 2 and the database permissions of the auditor are assigned to user group 2. The database permissions of user group 2 include access to audit logs, audit analysis, data access auditing, audit policy management, audit record content, enabling and disabling of audit functions, audit information storage, audit reporting, and the like.
Where the first user is a backup manager, the first user is added to user group 3 and the database permissions of the backup manager are assigned to user group 3. The database permissions of user group 3 include backup task management, backup permission control, backup media management, system and data recovery, monitoring and maintenance of the backup system, and the like.
In step S400 of some embodiments, the database system creates a second user in response to receiving a create-user command from the first user.
Referring to FIG. 2, illustratively: step S410, receiving the create-user command from the first user when the attribute of the first user satisfies the create-user condition; and step S420, in response to receiving the create-user command from the first user, creating the second user when the attribute of the second user in the create-user command satisfies the condition for being added to the user group in which the first user is located, and adding the second user to the user group in which the first user is located.
Specifically, where the first user is a strategic member, the first user sends a create-user command to the database system and the database system receives it. The database system determines whether the attribute of the first user satisfies the create-user condition: if the permissions in the attribute of the first user include the create-user permission, the condition is satisfied. The database system then determines whether the attribute of the second user in the create-user command satisfies the condition for being added to the user group in which the first user is located; when it satisfies the condition for being added to the strategic member user group, the second user is created and added to the strategic member user group.
Where the first user is an auditor, the first user sends a create-user command to the database system and the database system receives it. The database system determines whether the attribute of the first user satisfies the create-user condition: if the permissions in the attribute of the first user include the create-user permission, the condition is satisfied. The database system then determines whether the attribute of the second user in the create-user command satisfies the condition for being added to the user group in which the first user is located; when it satisfies the condition for being added to the auditor user group, the second user is created and added to the auditor user group.
Where the first user is a backup manager, the first user sends a create-user command to the database system and the database system receives it. The database system determines whether the attribute of the first user satisfies the create-user condition: if the permissions in the attribute of the first user include the create-user permission, the condition is satisfied. The database system then determines whether the attribute of the second user in the create-user command satisfies the condition for being added to the user group in which the first user is located; when it satisfies the condition for being added to the backup manager user group, the second user is created and added to the backup manager user group.
In step S500 of some embodiments, the second user is added to the user group in which the first user is located, and the database permissions of the user group are assigned to the second user.
Specifically, where the first user is a strategic agent, the database system adds the second user to the strategic agent user group and assigns the database permissions of the strategic agent user group to the second user, so that the second user has the same database permissions as the first user, that is, the database permissions of the strategic agent. The second user can: create, modify and delete user accounts; grant or revoke access rights to databases, tables, views, stored procedures and the like; create, modify and delete database objects such as tables, indexes, views, stored procedures and triggers; perform insert, delete, update and query operations on data in the database; back up the database periodically and restore data when needed; monitor database performance, analyze query efficiency, and optimize indexes and queries; perform database maintenance tasks such as updating statistics, rebuilding indexes and shrinking the database; configure database parameters such as memory allocation and storage configuration; implement security policies, including data encryption, auditing and access control; diagnose and resolve problems in database operation; monitor the running state and resource usage of the database system; migrate data between different database systems or servers; and design and implement high-availability solutions and recovery plans for the database.
Where the first user is an auditor, the database system adds the second user to the auditor user group and assigns the database permissions of the auditor user group to the second user, so that the second user has the same database permissions as the first user, that is, the database permissions of the auditor. The second user can: view and analyze audit logs to detect potential security risks and violations in the database; use audit analysis tools to help discover abnormal behavior, including any potential security threats, and take corresponding action; and perform data access audits to discover anomalies and take action to ensure the integrity and confidentiality of data. The second user is responsible for formulating and enforcing the database audit policy, including determining the audit objects and the scope and level of audit events; for enabling and disabling audit functions, including auditing of user additions, modifications and deletions and of permission changes; for ensuring the storage security of audit records and raising an alert when the storage space is about to be full; and for generating audit reports that present audit results and problems and help improve the data structure and system.
Where the first user is a backup manager, the database system adds the second user to the backup manager user group and assigns the database permissions of the backup manager user group to the second user, so that the second user has the same database permissions as the first user, that is, the database permissions of the backup manager. The second user can: create and manage backup tasks, including setting a backup plan and selecting backup objects and backup types; grant a user or role the permissions to perform backup operations; ensure the security of backup media; perform data restore operations so that data is restored from backups promptly and effectively; and periodically check the hardware and running state of the backup system to ensure that the backup server operates normally and stably.
It should be noted that the database system limits the rights of the database user, and the database user cannot create and manage the lower level user with the opposite rights, and cannot view and modify the data of the lower level user with the opposite rights, so as to implement rights limit management.
Referring to FIG. 3, the database system also requires statement execution restriction management. The database management method further comprises the following steps:
Step S610, receiving an execute statement command of a third user;
Step S620, querying the database authority of the user group where the third user is located;
Step S630, when the database authority of the user group where the third user is located contains the authority to execute the target statement, executing the target statement;
Step S640, when the database authority of the user group where the third user is located does not contain the authority to execute the target statement, intercepting the target statement.
The database user sends an execute statement command to the database system; that is, the database user is the third user. The database system receives the execute statement command of the third user and queries the database authority of the user group where the third user is located. When the query result is that the database authority of the user group where the third user is located contains the authority to execute the target statement, the database system executes the target statement. When the query result is that the database authority of the user group where the third user is located does not contain the authority to execute the target statement, the database system intercepts the target statement.
Illustratively, the third user is a strategic agent. The strategic agent sends an execute statement command related to a data operation to the database system, the database system receives it, and the database system queries the database authority of the user group where the strategic agent is located. When the query result is that the database authority of that user group contains the authority to execute the target statement related to the data operation, the database system executes the target statement related to the data operation.
The strategic agent sends an execute statement command related to data audit to the database system, the database system receives it, and the database system queries the database authority of the user group where the strategic agent is located. When the query result is that the database authority of that user group does not contain the authority to execute the statement related to data audit, the database system intercepts the target statement related to data audit.
It will be appreciated that users of different user groups can only review data that the user group in which they are located has authority to review. The data, policies, etc. of the respective groupings are backed up by the group leader of the different user groups.
Referring to FIG. 4, the target statement is a statement for backing up target material. Executing the target statement when the database authority of the user group where the third user is located contains the authority to execute it includes step S710: when the database authority of the user group where the third user is located contains the authority to back up the target material, backing up the target material.
Illustratively, the third user is an auditor, the auditor sends an execution statement command of the backup audit data to the database system, the database system receives the execution statement command of the backup audit data, and the database system inquires the database authority of the user group where the auditor is located. When the query result is that the authority of the database of the user group where the auditor is located contains the authority of the execution statement command for executing the backup audit data, the database system executes the backup audit data and adds a limit to the backup audit data, so that only the user group where the auditor is located can operate the backup audit data.
Referring to FIG. 5, the target statement is a statement for restoring target material. Executing the target statement when the database authority of the user group where the third user is located contains the authority to execute it includes step S720: when the database authority of the user group where the third user is located contains the authority to restore the target material, restoring the target material.
Illustratively, the third user is an auditor, the auditor sends an execution statement command for restoring the audit data to the database system, the database system receives the execution statement command for restoring the audit data, and the database system inquires the database authority of the user group where the auditor is located. When the query result is that the authority of the database of the user group where the auditor is located contains the authority of the execution statement command for executing the restoration audit data, the database system executes the restoration audit data.
It will be appreciated that the right to restore database data follows the user who backed up that data.
In this embodiment, the database management method solves the problem that database authority is too centralized: because the database manager has super authority and can manage all objects, that authority can be abused and the data is unsafe. The method realizes user grouping by using the concept of user aggregation. Its advantages are as follows: no new authority roles need to be added, which avoids the easily made and hard-to-avoid errors of role authority assignment; an authority separation switch is provided, so that the security level can be adjusted and the authority separation function switched on or off according to actual service requirements; the categories and the number of groups used for authority separation can be customized according to the user's service conditions; and, in data backup and restoration, the data of each group is backed up and restored by the manager of that group and backup cannot be carried out across groups, which prevents the data from being acquired and abused by other groups.
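The group-scoped checks described above (user creation only into the creator's own group, the execute-or-intercept decision of steps S610 to S640, and the backup and restore steps S710 and S720) can be modelled as follows. This is an added Python example, not code from the patent; the class, the right names and the sample users and materials are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed right names per user group; the patent lists the rights only in prose.
GROUP_RIGHTS = {
    "strategic_agent": {"create_user", "data_operation", "backup", "restore"},
    "auditor": {"create_user", "audit", "backup", "restore"},
    "backup_manager": {"create_user", "backup", "restore"},
}


class Intercepted(PermissionError):
    """The database system intercepted the command instead of executing it."""


@dataclass
class GroupScopedDatabase:
    users: dict = field(default_factory=dict)      # user name -> user group
    materials: dict = field(default_factory=dict)  # material -> (owner group, content)
    backups: list = field(default_factory=list)    # dicts tagged with the owner group
    decisions: list = field(default_factory=list)  # (user, action, outcome) trail

    def _deny(self, user, action, reason):
        self.decisions.append((user, action, "intercepted"))
        raise Intercepted(f"{user}: {action}: {reason}")

    def _authorize(self, user, action):
        """Look up the rights of the caller's user group (S620) and gate on them."""
        group = self.users.get(user)
        if group is None or action not in GROUP_RIGHTS[group]:
            self._deny(user, action, "right not held by the caller's user group")
        return group

    def _done(self, user, action):
        self.decisions.append((user, action, "executed"))

    def create_user(self, creator, new_name, requested_group):
        """A new user can only join the creator's own group and inherits its rights."""
        group = self._authorize(creator, "create_user")
        if requested_group != group:
            self._deny(creator, "create_user", "target group differs from creator's")
        if new_name in self.users:
            self._deny(creator, "create_user", "user already exists")
        self.users[new_name] = group
        self._done(creator, "create_user")

    def execute(self, user, action):
        """S610-S640 for a plain statement: execute if the group holds the right."""
        self._authorize(user, action)
        self._done(user, action)
        return True

    def backup(self, user, material):
        """S710: back up a material and restrict the backup to the caller's group."""
        group = self._authorize(user, "backup")
        owner, content = self.materials[material]
        if owner != group:
            self._deny(user, "backup", "material belongs to another user group")
        self.backups.append({"owner_group": group, "material": material, "content": content})
        self._done(user, "backup")
        return len(self.backups) - 1

    def restore(self, user, backup_id):
        """S720: only the group that took the backup may restore it."""
        group = self._authorize(user, "restore")
        saved = self.backups[backup_id]
        if saved["owner_group"] != group:
            self._deny(user, "restore", "backup belongs to another user group")
        self.materials[saved["material"]] = (group, saved["content"])
        self._done(user, "restore")


def outcome(command, *args):
    """Run one command and report 'executed' or 'intercepted'."""
    try:
        command(*args)
    except Intercepted:
        return "intercepted"
    return "executed"


def demo():
    # Constructed sample state: one first user per group, one material per group.
    db = GroupScopedDatabase(
        users={"alice": "strategic_agent", "ana": "auditor", "bob": "backup_manager"},
        materials={"orders": ("strategic_agent", "v1"), "audit_log": ("auditor", "a1")},
    )
    results = {
        "auditor adds auditor": outcome(db.create_user, "ana", "amy", "auditor"),
        "auditor adds strategic agent": outcome(db.create_user, "ana", "eve", "strategic_agent"),
        "agent data operation": outcome(db.execute, "alice", "data_operation"),
        "agent audit statement": outcome(db.execute, "alice", "audit"),
        "new auditor backs up audit log": outcome(db.backup, "amy", "audit_log"),
        "backup manager backs up audit log": outcome(db.backup, "bob", "audit_log"),
        "agent restores audit backup": outcome(db.restore, "alice", 0),
    }
    db.materials["audit_log"] = ("auditor", "a2")  # data changes after the backup
    results["auditor restores audit backup"] = outcome(db.restore, "ana", 0)
    return db, results
```

Calling `demo()` returns the final database state and the per-command outcomes; the `decisions` list records every executed and intercepted command, which is the trail an auditor group would review.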
The embodiment of the application also provides a database management device which is applied to the database system.
Referring to fig. 6, the database management apparatus includes an attribute review module 810, a right assignment module 820, a user group module 830, a new user creation module 840, and a new user right module 850.
The attribute review module 810 is configured to obtain an attribute of a first user, the permission assignment module 820 is configured to assign database permissions to the first user according to the attribute of the first user, the user group module 830 is configured to add the first user to the user group and assign the database permissions of the first user to the user group, the new user creation module 840 is configured to create a second user in response to receiving a user creation command of the first user, and the new user permission module 850 is configured to add the second user to the user group where the first user is located and assign the database permissions of the user group to the second user.
The database management device realizes the authority separation function of the database, and avoids the excessive centralization of the management function of the database.
When initializing the database, initializing a database manager user and setting the password of the database manager user. And assigning the authority of the initialization object to a database manager user, and ensuring that all objects can access the initialization data.
Setting the switch of the authority separation function of the database, wherein the switch of the authority separation function of the database is defaulted to be true, and the switch of the authority separation function of the database is true to indicate the opening of the authority separation function, and the switch of the authority separation function of the database is false to indicate the closing of the authority separation function. The switch of the authority separation function of the database can be configured by modifying the configuration file before the database is started.
The attribute review module 810 obtains the attributes of the first user. The first user is a user of the database.
The first user's attributes include a user name, password, role, mode, default tablespace, quota, session attributes, connection attributes, encryption settings, authentication method, account locking status, expiration policy, user configuration, resource usage, etc.
It should be noted that the above user attributes are exemplified. User attributes that may be supported by different database systems vary somewhat depending on the type and version of the database.
The rights assignment module 820 assigns database rights to the first user based on the attributes of the first user. Illustratively, the first user is assigned database rights according to the role of the first user.
For example, when the role of the first user is strategic agent, the first user may be assigned database permissions for user account management, permission control, database structure management, data manipulation, backup and restore, performance monitoring and optimization, database maintenance, configuration management, security management, troubleshooting, data migration, system monitoring, data migration, disaster recovery, and the like.
Specifically, a strategic agent can create, modify and delete user accounts; grant or revoke users' access rights to databases, tables, views, stored procedures and the like; create, modify and delete database objects such as tables, indexes, views, stored procedures and triggers; perform create, read, update and delete operations on data in the database; regularly back up the database and restore the data when needed; monitor database performance, analyze query efficiency, and optimize indexes and queries; perform database maintenance tasks such as updating statistics, rebuilding indexes and shrinking the database; configure database parameters such as memory allocation and storage configuration; implement security policies including data encryption, audit and access control; diagnose and solve problems in database operation; monitor the operating state and resource usage of the database system; migrate data between different database systems or servers; and design and implement high availability solutions and disaster recovery plans for the database.
When the role of the first user is auditor, the first user is assigned the following database rights: access to audit logs, audit analysis, data access audit, audit policy management, audit record content, starting and closing of audit functions, audit information storage, audit reports, and the like.
The audit log can be checked and analyzed by an auditor to detect potential safety risks and illegal behaviors in the database, an audit analysis tool is used for helping to find abnormal behaviors including any potential safety threats and taking corresponding actions, data access audit is authorized to be carried out, abnormality is found and actions are taken to ensure the integrity and confidentiality of data, the audit log of the database is responsible for formulating and implementing the audit policy of the database, including determining the range and level of audit objects and audit events, the audit log comprises information such as time, place, type, subject, object and result of event occurrence, the audit function is responsible for starting and closing, including audit of user addition, modification and deletion and authority change, storage safety of the audit log is responsible for ensuring and alarming when the storage space is full, audit reports are generated, audit results and problems are provided, and the data structure and system are helped to be improved.
When the role of the first user is backup manager, the first user is assigned the following database rights: backup task management, backup authority control, backup medium management, system and data recovery, monitoring and maintenance of the backup system, and the like.
The backup manager can create and manage backup tasks, including setting backup plans, selecting backup objects and backup types, granting users or roles the authority required by executing backup operation, taking charge of storage and archiving management of backup media, ensuring the safety of the backup media, executing data recovery operation when needed, ensuring that data can be timely and effectively recovered from backup, and periodically checking hardware equipment and running states of a backup system, and ensuring normal and stable operation of a backup server.
The user group module 830 adds the first user to the user group and assigns the database rights of the first user to the user group.
Illustratively, the first user is a strategic agent, the first user is added to the user group 1, the database authority of the strategic agent is distributed to the user group 1, and the database authority of the user group 1 comprises user account management, authority control, database structure management, data operation, backup and recovery, performance monitoring and optimization, database maintenance, configuration management, security management, troubleshooting, data migration, system monitoring, data migration, disaster recovery and the like.
The first user is an auditor, the first user is added to the user group 2, the database authority of the auditor is distributed to the user group 2, and the database authority of the user group 2 comprises access audit logs, audit analysis, data access audit, audit policy management, audit record content, starting and closing of audit functions, audit information storage, audit report and the like.
The first user is a backup manager, the first user is added to the user group 3, the database authority of the backup manager is distributed to the user group 3, and the database authority of the user group 3 comprises backup task management, backup authority control, backup medium management, system and data recovery, monitoring and maintenance of a backup system and the like.
The new user creation module 840 creates the second user in response to receiving a create user command from the first user.
Illustratively, a create user command for the first user is received when the attribute of the first user satisfies the create user condition. And in response to receiving a user creation command of the first user, creating the second user when the attribute of the second user in the user creation command meets the condition of being added to the user group where the first user is located, and adding the second user to the user group where the first user is located.
Specifically, the first user is a strategic agent. The first user sends a create user command to the new user creation module 840, and the new user creation module 840 receives it. The new user creation module 840 judges whether the attribute of the first user meets the user creation condition; if the authority in the attribute of the first user contains the authority to create users, the condition is met. The new user creation module 840 then judges whether the attribute of the second user in the create user command meets the condition for being added to the user group where the first user is located. When the attribute of the second user meets the condition for being added to the strategic agent user group, the second user is created and added to the strategic agent user group.
The first user is an auditor, the first user sends a creating user command to the new user creating module 840, the new user creating module 840 receives the creating user command of the first user, the new user creating module 840 judges whether the attribute of the first user meets the creating user condition, the authority in the attribute of the first user comprises the authority of the creating user, the attribute of the first user meets the creating user condition, the new user creating module 840 judges that the attribute of the second user in the creating user command meets the condition of being added to the user group where the first user is located, when the attribute of the second user in the creating user command meets the condition of being added to the auditor user group, the second user is created, and the second user is added to the auditor user group.
The first user is a backup administrator, the first user sends a create user command to the new user creation module 840, the new user creation module 840 receives the create user command of the first user, the new user creation module 840 judges whether the attribute of the first user meets the create user condition, the authority in the attribute of the first user contains the authority of the create user, the attribute of the first user meets the create user condition, the new user creation module 840 judges that the attribute of the second user in the create user command meets the condition of being added to the user group where the first user is located, when the attribute of the second user in the create user command meets the condition of being added to the backup administrator user group, the second user is created, and the second user is added to the backup administrator user group.
The new user rights module 850 adds the second user to the user group in which the first user is located and assigns the database rights of the user group to the second user.
Specifically, the first user is a strategic agent. The new user rights module 850 adds the second user to the strategic agent user group and assigns the database rights of the strategic agent user group to the second user, so that the second user has the same database rights as the first user, that is, the database rights of the strategic agent. The second user may create, modify and delete user accounts; grant or revoke users' access rights to databases, tables, views, stored procedures, etc.; create, modify and delete database objects such as tables, indexes, views, stored procedures and triggers; perform create, read, update and delete operations on data in the database; periodically back up the database and restore the data when needed; monitor database performance, analyze query efficiency, and optimize indexes and queries; perform database maintenance tasks such as updating statistics, rebuilding indexes and shrinking the database; configure database parameters such as memory allocation and storage configuration; implement security policies including data encryption, auditing and access control; diagnose and solve problems in database operation; monitor the operational status and resource usage of the database system; migrate data between different database systems or servers; and design and implement high availability solutions and disaster recovery plans for the database.
The first user is an auditor, the new user authority module 850 adds the second user to the auditor user group, and assigns the database authority of the auditor user group to the second user, and the second user has the same database authority as the first user, and the second user has the database authority of the auditor. The second user may view and analyze the audit log to detect potential security risks and violations in the database, use audit analysis tools to help discover abnormal behavior, including any potential security threats, and take corresponding actions, have access to data access audits to discover anomalies and take actions to ensure data integrity and confidentiality, be responsible for formulating and enforcing database audit policies, including determining audit objects, scope and level of audit events, be responsible for opening and closing audit functions, including audits for user additions, modifications and deletions, and rights changes, be responsible for ensuring storage security of audit records and alerting when storage space will be full, generate audit reports, provide audit results and questions, help to improve data structures and systems.
The first user is a backup administrator, the new user authority module 850 adds a second user to the backup administrator user group, and assigns the database authority of the backup administrator user group to the second user, and the second user has the same database authority as the first user, and the second user has the database authority of the backup administrator. The second user can create and manage the backup task, including setting backup plan, selecting backup object and backup type, granting the user or role the authority to execute backup operation, ensuring the safety of backup medium, executing data restoring operation to ensure the timely and effective restoring of data from backup, checking the hardware equipment and running state of the backup system regularly and ensuring the normal and stable operation of the backup server.
It should be noted that the database system limits the rights of the database user, and the database user cannot create and manage the lower level user with the opposite rights, and cannot view and modify the data of the lower level user with the opposite rights, so as to implement rights limit management.
The database management device also performs statement execution restriction management through the authority management module 860. The authority management module 860 receives the execute statement command of the third user, queries the database authority of the user group where the third user is located, and executes the target statement when the database authority of the user group where the third user is located contains the authority to execute the target statement.
The database user sends an execute statement command to the authority management module 860; that is, the database user is the third user. The authority management module 860 receives the execute statement command of the third user and queries the database authority of the user group where the third user is located. When the query result is that the database authority of the user group where the third user is located contains the authority to execute the target statement, the authority management module 860 executes the target statement. When the query result is that the database authority of the user group where the third user is located does not contain the authority to execute the target statement, the authority management module 860 intercepts the target statement.
Illustratively, the third user is a strategic agent. The strategic agent sends an execute statement command related to a data operation to the authority management module 860, the authority management module 860 receives it, and the authority management module 860 queries the database authority of the user group where the strategic agent is located. When the query result is that the database authority of that user group contains the authority to execute the target statement related to the data operation, the authority management module 860 executes the target statement related to the data operation.
The strategic agent sends an execute statement command related to data audit to the authority management module 860, the authority management module 860 receives it, and the authority management module 860 queries the database authority of the user group where the strategic agent is located. When the query result is that the database authority of that user group does not contain the authority to execute the statement related to data audit, the authority management module 860 intercepts the target statement related to data audit.
It will be appreciated that users of different user groups can only review data that the user group in which they are located has authority to review. The data, policies, etc. of the respective groupings are backed up by the group leader of the different user groups.
The target statement is a statement for backing up target material; when the database authority of the user group where the third user is located contains the authority to back up the target material, the target material is backed up.
Illustratively, the third user is an auditor, the auditor sends an execution statement command of the backup audit data to the authority management module 860, the authority management module 860 receives the execution statement command of the backup audit data, and the authority management module 860 inquires about the database authority of the user group where the auditor is located. When the query result is that the authority of the database of the user group where the auditor is located contains the authority of the execution statement command for executing the backup audit data, the authority management module 860 executes the backup audit data and adds a limit to the backup audit data, so that only the user group where the auditor is located can operate on the backup audit data.
The target statement is a statement for restoring target material; when the database authority of the user group where the third user is located contains the authority to restore the target material, the target material is restored.
Illustratively, the third user is an auditor, the auditor sends an execution statement command for restoring the audit data to the authority management module 860, the authority management module 860 receives the execution statement command for restoring the audit data, and the authority management module 860 inquires about the database authority of the user group where the auditor is located. When the query result is that the database authority of the user group where the auditor is located contains the authority of the execution statement command for executing the restoration audit data, the authority management module 860 executes the restoration audit data.
It will be appreciated that the right to restore database data follows the user who backed up that data.
In this embodiment, the database management device solves the problem that database authority is too centralized: because the database manager has super authority and can manage all objects, that authority can be abused and the data is unsafe. The device realizes user grouping by using the concept of user aggregation. Its advantages are as follows: no new authority roles need to be added, which avoids the easily made and hard-to-avoid errors of role authority assignment; an authority separation switch is provided, so that the security level can be adjusted and the authority separation function switched on or off according to actual service requirements; the categories and the number of groups used for authority separation can be customized according to the user's service conditions; and, in data backup and restoration, the data of each group is backed up and restored by the manager of that group and backup cannot be carried out across groups, which prevents the data from being acquired and abused by other groups.
The embodiment of the application also provides electronic equipment. Referring to fig. 7, the electronic device includes a memory 902 and a processor 901, the memory 902 storing a computer program, and the processor 901 implements the database management method described above when executing the computer program. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.
The processor 901 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, etc., for executing relevant programs to implement the technical solutions provided by the embodiments of the present application. The memory 902 may be implemented by a read-only memory (ROM), a static storage device, a dynamic storage device, or a random access memory (RAM), etc. The memory 902 may store an operating system and other application programs; when the technical solutions provided in the embodiments of the present disclosure are implemented by software or firmware, the relevant program code is stored in the memory 902 and is invoked by the processor 901 to perform the database management method of the embodiments of the present disclosure.
The input/output interface 903 is used to input and output information. The communication interface 904 is used to implement communication between the device and other devices; communication can be implemented in a wired manner (such as USB, network cable, etc.) or in a wireless manner (such as mobile network, Wi-Fi, Bluetooth, etc.). The bus 905 transmits information between the components of the device (such as the processor 901, the memory 902, the input/output interface 903 and the communication interface 904). The processor 901, the memory 902, the input/output interface 903 and the communication interface 904 are communicatively connected to one another inside the device through the bus 905.
The embodiment of the application also provides a computer readable storage medium, which stores a computer program, and the computer program realizes the database management method when being executed by a processor.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
It will be appreciated by persons skilled in the art that the embodiments of the application are not limited by the illustrations, and that more or fewer steps than those shown may be included, or certain steps may be combined, or different steps may be included.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the application and in the above figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "And/or" is used to describe an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate three cases: only A exists, only B exists, or both A and B exist, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of" or the like means any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b or c may represent a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. The storage medium includes various media capable of storing programs, such as a USB flash disk, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disk.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and are not thereby limiting the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (10)

1. A database management method, characterized in that it comprises:
obtaining the attributes of a first user;
assigning database permissions to the first user according to the attributes of the first user;
adding the first user to a user group, and assigning the database permissions of the first user to the user group;
in response to receiving a create user command from the first user, creating a second user;
adding the second user to the user group of the first user, and assigning the database permissions of the user group to the second user.

2. The database management method according to claim 1, characterized in that before creating the second user in response to receiving the create user command of the first user, the method further comprises:
when the attributes of the first user meet the user creation condition, receiving the create user command of the first user.

3. The database management method according to claim 1, wherein in response to receiving a create user command from the first user, creating a second user comprises:
in response to receiving a create user command from the first user, when an attribute of the second user in the create user command satisfies a condition for adding the second user to the user group to which the first user belongs, creating the second user and adding the second user to the user group to which the first user belongs.

4. The database management method according to claim 1, characterized in that the method further comprises:
receiving an execution statement command from a third user, wherein the execution statement command includes a target statement;
checking the database permissions of the user group to which the third user belongs;
when the database permissions of the user group to which the third user belongs include the permission to execute the target statement, executing the target statement.

5. The database management method according to claim 4, characterized in that after checking the database permissions of the user group to which the third user belongs, the method further comprises:
when the database permissions of the user group to which the third user belongs include the permission to execute the target statement, intercepting the target statement.

6. The database management method according to claim 4, wherein the target statement is to back up target data, and when the database permissions of the user group to which the third user belongs include the permission to execute the target statement, executing the target statement comprises:
when the database permissions of the user group to which the third user belongs include the permission to back up the target data, backing up the target data.

7. The database management method according to claim 4, wherein the target statement is to restore target data, and when the database permissions of the user group to which the third user belongs include the permission to execute the target statement, executing the target statement comprises:
when the database permissions of the user group to which the third user belongs include the permission to restore the target data, restoring the target data.

8. A database management device, comprising:
an attribute query module, used to obtain the attributes of a first user;
a permission allocation module, configured to allocate database permissions to the first user according to the attributes of the first user;
a user group module, used to add the first user to a user group and assign the database permissions of the first user to the user group;
a new user creation module, configured to create a second user in response to receiving a create user command from the first user;
a new user permission module, used to add the second user to the user group of the first user and allocate the database permissions of the user group to the second user.

9. An electronic device, characterized in that the electronic device comprises a memory and a processor, the memory stores a computer program, and the processor implements the database management method according to any one of claims 1 to 7 when executing the computer program.

10. A computer-readable storage medium storing a computer program, wherein the computer program implements the database management method according to any one of claims 1 to 7 when executed by a processor.
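The flow of claims 1 to 4, modelled as an added Python example that is not code from the patent. The role-to-permission table, the can_create_users and department attributes, the class and method names, and the rejection of statements the group does not cover are all assumptions of this example.

```python
from dataclasses import dataclass, field

# Assumed attribute-to-permission policy; the claims name no attributes or permissions.
ROLE_PERMISSIONS = {
    "dba": {"SELECT", "INSERT", "BACKUP", "RESTORE"},
    "analyst": {"SELECT"},
}

@dataclass
class Group:
    permissions: frozenset
    members: set = field(default_factory=set)

class DatabaseManager:
    def __init__(self):
        self.groups = {}      # group name -> Group
        self.attrs = {}       # user -> attribute dict
        self.group_of = {}    # user -> group name

    def register_first_user(self, user, attrs, group_name):
        """Claim 1: derive permissions from attributes, then hand them to the group."""
        if group_name in self.groups:
            raise ValueError("group exists; refusing to overwrite its permissions")
        perms = frozenset(ROLE_PERMISSIONS.get(attrs.get("role"), ()))
        self.groups[group_name] = Group(perms, {user})
        self.attrs[user], self.group_of[user] = attrs, group_name

    def create_user(self, creator, new_user, new_attrs):
        """Claims 1-3: an account created by the first user joins that user's group."""
        creator_attrs = self.attrs.get(creator)
        # Claim 2 condition (assumed form): an explicit flag on the creator.
        if creator_attrs is None or not creator_attrs.get("can_create_users"):
            raise PermissionError("creator does not meet the create-user condition")
        if new_user in self.attrs:
            raise ValueError("user already exists")
        # Claim 3 condition (assumed form): same department as the creator.
        if new_attrs.get("department") != creator_attrs.get("department"):
            raise PermissionError("new user does not meet the group join condition")
        group_name = self.group_of[creator]
        self.groups[group_name].members.add(new_user)
        self.attrs[new_user], self.group_of[new_user] = new_attrs, group_name

    def permissions_of(self, user):
        """Effective permissions are always the group's; users hold none directly."""
        group_name = self.group_of.get(user)
        return self.groups[group_name].permissions if group_name else frozenset()

    def execute(self, user, statement):
        """Claim 4: allow the statement only if the group's permissions cover it."""
        words = statement.split()
        verb = words[0].upper() if words else ""
        if verb not in self.permissions_of(user):
            return False   # assumed handling: reject the statement
        return True        # a real system would pass the statement to the database here
```

Because the second user receives the group's permissions rather than permissions derived from its own attributes, an account created with role "analyst" in a group seeded by a "dba" can run BACKUP and RESTORE; the create-user and join conditions are the only controls on that inheritance.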
CN202411253250.6A 2024-09-06 2024-09-06 Database management method, device, equipment and medium Pending CN119066050A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411253250.6A CN119066050A (en) 2024-09-06 2024-09-06 Database management method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411253250.6A CN119066050A (en) 2024-09-06 2024-09-06 Database management method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN119066050A (en) 2024-12-03

Family

ID=93644516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411253250.6A Pending CN119066050A (en) 2024-09-06 2024-09-06 Database management method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN119066050A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination