CN104660599A - Role-based access control method - Google Patents
Role-based access control method Download PDFInfo
- Publication number
- CN104660599A CN104660599A CN201510078062.9A CN201510078062A CN104660599A CN 104660599 A CN104660599 A CN 104660599A CN 201510078062 A CN201510078062 A CN 201510078062A CN 104660599 A CN104660599 A CN 104660599A
- Authority
- CN
- China
- Prior art keywords
- role
- authority
- user
- request
- mandate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a role-based access control method. The method comprises steps as follows: an access control model which is based on roles supporting request authorization and set according to all mechanisms is established, the model comprises roles and permissions, the roles comprise one or more roles, the permissions comprise one or more different permissions, each role corresponds to one or more permissions, each user in each mechanism is associated with one or more roles, the users in the first mechanism can send access requests to another mechanism, and after the access requests are permitted by another mechanism, the users in the first mechanism can access resources in another mechanism.
Description
Technical field
The application relates to the rights management techniques field in access control, particularly relates to a kind of access control method based on RBAC.
Background technology
Along with the develop rapidly of information technology, the particularly development of Internet, deepening continuously of data message, information object exponentially increases, medical institutions span mechanism, interdepartmental share and multiplexing more and more extensive, application safety and data security have received great challenge, security issues become increasingly urgent for IT, day by day be subject to the attention of related personnel, resolution system safety problem makes up although can carry out discovery by modes such as safety afterwards and Audit controls, but better mode controls from source, prevents trouble before it happens.
Access control is for the defensive measure using resource of going beyond one's commission, and elementary object is to ensure the rationally effectively access of user to system resource.
Mainly there are two models in early stage access control: self contained navigation (DAC) and forced symmetric centralization (MAC).
DAC is a kind of method that tissue based on subject identity or main body place controls to object access, in self contained navigation, the access rights of main object are determined by the owner of object, that is system allows main body (owner of object) can go that whom formulates according to the wish of oneself and with which kind of access module go to access this object, although the rights propagation thought of DACD has good flexibility and scalability, but itself has security breaches, be difficult to the system requirements meeting high security.
By the contrast level of security of main body and the level of security of object, MAC determines whether main body has the authority of accessing object, advantage is that management is concentrated, and fail safe is high, is applicable to the systems very high to fail safe such as military affairs and uses, shortcoming is that specific implementation workload is too large, is not easy to management.
At present, in access control field, modal model is Role-based access control model (RBAC), RBAC achieves the logical separation of user and authority by the concept introducing role, support being separated of technical staff and business personnel's responsibility, user obtains authority by acquisition role and operates object, thus realizes rights management and control.This is the access control model of a kind of policy independence, non-self principal mode, and Shortcomings in the application system of mechanism of complex organization, a large number of users, is mainly manifested in: (1) user passively can only accept authority, and initiatively can not authorize other people by authority; (2) for complication system, when there is a large amount of object, to object and relevant management with organize constant; (3) be static models, dynamic need in particular cases can not be met.
Usually; data security in the medical field and privacy concern are important; but; the protection of foundation to medical data of the medical records digitlization of rising in recent years and the Health database in individual health care field proposes new challenge; compared with other field; the data of medical field can not bear leaking data or by the cost abused, once be disclosed about the sensitive information of personal health problem, can cause the injury that cannot retrieve.
In addition; medical information data has some special feature; such as; people's access that medical data should be authorized to; these people are such as omni-doctor, emergency physicians, nurse etc., and be assigned with the people of certain role at medical field, this is different from the system for the protection of data; in the system of these protected datas, usually provide access based on Human To Human's principle.
And in the face of current medical data various, how more safely the present situation that medical information and Sharing degree increase day by day, managed care data, simultaneously between healthcare structure, sharing doctor, medical data and other information of patient is more easily problem demanding prompt solutions.Traditional RBAC model, in right assignment and role assignments, can not meet authority well with the situation of related organization, can not meet the system authorization demand of complexity flexibly, can not support mandate easily and effectively.
Summary of the invention
In view of this, the application provides a kind of access control based roles method and apparatus, to integrate the access control right of medical information system between the respective multiple medical system of multiple healthcare structure and multiple medical platform.
The application provides a kind of role-base access control method, and described method comprises step:
Asking the access control model of the role authorized to carry out modeling based on supporting the setting according to each mechanism, comprising role set and authority set; Wherein:
One or more role is comprised in role set;
The authority that one or more are different is comprised in authority set;
Each role corresponds respectively to and one or more authority;
By each user in each mechanism respectively with one or more role association;
The user of the first mechanism can send access request in another mechanism;
After described access request obtains the permission of another mechanism, the resource in another mechanism of the user-accessible of the first mechanism.
According in the application one specific embodiment, described access request comprises the mandate that request obtains a role in another mechanism.
According in the application one specific embodiment, role set in the described access control model supporting the role of request mandate is by general role set and authorize role set jointly to form, general role set has Role hierarchy, and authorize role set there is no Role hierarchy, by authority-role's configuration, general Role Users obtains the authority that general role has, some general Role Users makes it have the authority creating and authorize role by configuration, by granted rights, the authority by role can be assigned to mandate role.
According in the application one specific embodiment, the process that described request authorizes role in another mechanism must meet all RBAC constraints of system manager's setting.
According in the application one specific embodiment, the described authority by role being assigned to by granted rights authorizes role can authorize role for all authorities of role being assigned to, and also the part authority of role can be assigned to and authorize role.
According in the application one specific embodiment, the described authority by role being assigned to by granted rights authorizes role can also comprise the life cycle information arranging and authorize role.
According in the application one specific embodiment, the life cycle information of described mandate role can comprise initial time and deadline.
According in the application one specific embodiment, described mandate role can be permanent mandate.
According in the application one specific embodiment, when each mechanism described be the first mechanism and the second mechanism time, licensing process comprises:
The user of (1) first mechanism sends request, and certain role that request is authorized in the second mechanism and some authority, also can comprise the life cycle information of this mandate role;
After receiving request in (2) second mechanisms, resolve this solicited message, analyze should the user with authorization privilege of solicited message, by this request forward to the respective user place with authorization privilege;
(3) whether the user with authorization privilege audits this request, determine to authorize; Authorize if agree to, this looks in the second mechanism creating and authorizes role, and the authority that configuration authorizes role to have, and the life cycle of this mandate role;
After authorization message is fed back to the user of the first mechanism by (4) second trains of mechanism, activate this mandate role authorizing the time started of role's life cycle;
After the user of (5) first mechanisms receives authorization message, associative operation can be carried out by the authority of authorizing after the time started of life cycle;
(6) when arriving the deadline of life cycle, the system manager of the second mechanism, cancels this authorized user, and notifies the first mechanism.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present application or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, the accompanying drawing that the following describes is only some embodiments recorded in the application, for those of ordinary skill in the art, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is the RBAC model that the application supports user to ask and authorizes;
Fig. 2 is the application's role-base access control schematic diagram;
Fig. 3 is the flow chart of the application based on the access control method of RBAC.
Embodiment
Technical scheme in the application is understood better in order to make those skilled in the art, below in conjunction with the accompanying drawing in the embodiment of the present application, technical scheme in the embodiment of the present application is clearly and completely described, obviously, described embodiment is only some embodiments of the present application, instead of whole embodiments.Based on the embodiment in the application, the every other embodiment that those of ordinary skill in the art obtain, all should belong to the scope of the application's protection.
The application's specific implementation is further illustrated below in conjunction with illustrations.
Along with the develop rapidly of network technology, the cooperation between different medical structure is more and more closer, sharing of medical resource, as: doctor shares, checkout facility is shared, medical data is shared.And how to solve sharing between different institutions better, be a problem demanding prompt solution.For this reason, the application also based on existing RBAC model, improves, and adds request and authorization.
Based on the design philosophy of RBAC model, the RBAC model set up support user request as shown in Figure 1 and authorize.With general RBAC model unlike, support request and authorize RBAC model in role.General role set has Role hierarchy, and authorizes role set not have Role hierarchy.As mentioned above, configured by role, each user in medical institutions has role, and the user having role forms Role Users collection, and by authority-role's configuration, Role Users obtains the authority that role has, thus defines role-security collection.Role Users for some level makes it be possessed of power by configuration and creates mandate role, the role-security of Role Users is assigned to by granted rights role and authorizes role, then requestor is assigned to by user-mandate role, granted rights role assigns and in subscriber authorisation role appointment process, must meet all RBAC constraints of system manager's setting.
The RBAC model that definition is supported user's request and authorized:
User, authority, general role, session, RBAC constraint define completely the same with RBAC.
Role Users: the user having role, only has Role Users just can become requestor, also only has Role Users qualifiedly could become bailee.
Role-security: the authority being assigned to role, the role-security that requestor can only ask requested person to have, can refer to all authorities of this role, be called as role-security group with role name.Do not deposit real authority in role-security, and be in operation and automatically form an authority set according to role's actual authority.Role-security group can participate in request with an overall form and authorize.
Authorize role: authorize role different from general role, by requester requests, the user having establishment authority through specifying creates, the initial time attribute of the life cycle that it has, end time attribute and activate attribute, authorize role to be only in life cycle and be activated, authorizing role could use its authority.Only have having of specifying to create to authorize the user of role-security can supervisor authority role, but also can arrange system manager carry out unified management and change the activation attribute of authorizing role.
User collects (U, Users): the set of user in system.
Authority set (P, Permission): the set of System Privileges.
General role set (GR, General Roles): the set of general role.
Authority-role configures (PA, permission-role-assignment): the relation of the appointment authority band traditional role of a multi-to-multi, PA belongs to P × GP.
User role configuration (UA, users-role-assignment): relation user being configured to general role of a multi-to-multi, UA belongs to U × GP.
Role hierarchy (RH, roles-hierarchy): the division of different levels in a role, RH belongs to GR × GR, is a partial ordering relation of GR.
Role Users collection (RU, Role-Users): the set of Role Users.
Role-security collection (RP, Role-Permission): the role-security set being assigned to role, the authority of user presses role group automatically, can with role-security group and independent authority two kinds of mode rights of using.
Authorize role set (AR, Authorization-roles): the set of authorizing role, between arbitrary two mandate roles, there is not comparativity.
Granted rights role assigns (PAA, permission-authorization-roles-assignment): the appointment Role Users authority of a multi-to-multi is to the relation of authorizing role, be assigned to and authorize the authority of role different from general role in use, could must use after checked requestor possesses this authority, PAA belongs to RP × AR.
Subscriber authorisation role assigns (UAA, User-authorization-roles-assignment): the appointment Role Users of a multi-to-multi is to the relation of authorizing role, and UAA belongs to RU × AR.
Role set (R, Roles): R=GR × AR.
Authorize constraint set (Authorization Constraints): the set of authorizing constraint, constraint is authorized to be formulated by the management organization of medical institutions, the system manager specified by the management organization of medical institutions creates, for the constraint of all kinds of request Authorized operation, be used for the act of authorization of specification request authorized person.
Authorize role assignment AC collection (Authorization Role Constraints): the set of authorizing role assignment AC, authorize role assignment AC to be specially for the constraint of authorizing role to create, the condition of authorized person's rights of using can be set with it.
Session collection (S, Session): cross the session aggregation that role obtains authority for user Ou Nuo.
The RBAC model improved adds a request-authorization module on traditional RBAC model basis, this module is managed by requestor, authorized person and system manager's co-operate, request user can ask establishment one to authorize role, request has gives certain authority to this mandate orange, the user then with authorization privilege determines whether give requestor this role through examination & verification, if agree to, this creates authorized user and also gives the authority of asking, thus the operation completing request and authorize.The management of authorized user and authority is in charge of by the user with authorization privilege, and safety officer can carry out the specification request act of authorization by creating mandate constraint of overall importance.
The application by with regard to the medical data in medical field and be recorded as example to be described, but it is obvious to those skilled in the art that the application can be applicable to limit the access to the intrasystem any class record of the electronical record alarm of any type.
In a healthcare structure, can according to the constraint of all kinds of personnel in healthcare structure, intrinsic diagnosis and treatment flow process and data access, be divided three classes entity: user, role, authority., but when mechanism is complicated, also comprise the mechanism such as Role hierarchy and role assignment AC in addition.Basic thought is exactly divide role according to the different task that medical system will complete, and the access rights of data are packaged in different roles, and user indirectly realizes the access to data by appointment role.In this access control, each user can be awarded multiple role, and each role also can be awarded multiple user.A same role can have multinomial authority, and an authority can distribute to multiple role.As shown in Figure 2, role and user, be all the relation of multi-to-multi between role and authority.
For the model of several simple medical institutions, medical institutions can comprise several section office, as: the departments of section office such as emergency department, internal medicine, surgery, gynemetrics, pharmacy, laboratory test department, image department, some doctors and nurse can be comprised again section indoor, comprise the roles such as pharmacists in pharmacy, certainly also comprise this role of patient.But a class role, as: doctor, can mark off different Role hierarchy again, as: institute leader, section directors, archiater, deputy director doctor, the doctor in charge, intern; Nurse also can mark off different Role hierarchy, as: institute leader, charge nurse, senior nursing sister, general duty nurse, probationer nurse, instruct nurse etc.
Certain class role is had and can configure different authorities according to different Role hierarchy, for doctor, be divided into: institute leader, section directors, archiater, deputy director doctor, the doctor in charge, intern, instruct the role of 6 levels such as doctor, configured different authorities successively:
Intern: the authority of the patient that sees and treat patients, can prescription, all kinds of checklist, but after needing to instruct doctor to agree to by it, its prescription just can come into force; The authority of consultation of doctor is instructed in request; Submit to intern hold a consultation reconsideration authority etc.
Instruct doctor: the authority of approval intern prescription, intern's request of holding a consultation, submit to intern to hold a consultation the authority of reconsideration.
Archiater, deputy director doctor, the doctor in charge: the authority of the patient that sees and treat patients, direct prescription.The authority checked; The authority etc. of the request section chamber interior consultation of doctors;
Section directors: the authority that approval section office hold a consultation, the authority etc. submitting the request of holding a consultation across section office to;
President: write instructions and transfer the authority etc. across section office's consultation of doctors.
One doctor can be configured to archiater, section directors simultaneously, instruct the authorities such as doctor.
In like manner, those skilled in the art are also known can arrange the role of other different role levels in medical institutions and the authority of each role as required.
And any personnel in medical institutions are users in model, a user can be configured to different roles and be endowed different authorities, as: a doctor can be configured to: as: institute leader, section directors, archiater, deputy director doctor, the doctor in charge, intern, instruct doctor etc. or several roles to be configured different authorities simultaneously; Or institute leader, charge nurse, senior nursing sister, general duty nurse, probationer nurse can be configured to by a nurse, instruct nurse etc. or several roles to be configured different authorities simultaneously.
When needs realize between different medical mechanism that medical data is shared, doctor shares and check resource-sharing, just need based on supporting that the modified model RBAC model of request-authorize arranges request authorization module.And as required different authorization privileges is configured for different users.
When adopting the RBAC model of the improvement of support request-mandate to operate, concrete licensing process can be:
The user U1 of (1) first mechanism sends request, and certain role that request is authorized in the second mechanism and some authority, also can comprise the life cycle information of this mandate role.
After receiving request in (2) second mechanisms, resolve this solicited message, analyze should the user with authorization privilege of solicited message, by this request forward to the respective user place with authorization privilege.
(3) whether the user with authorization privilege audits this request, determine to authorize.Authorize if agree to, this looks in the second mechanism creating and authorizes role, and the authority that configuration authorizes role to have, and the life cycle of this mandate role.
After authorization message is fed back to the user U1 of the first mechanism by (4) second trains of mechanism, activate this mandate role authorizing the time started of role's life cycle.
After the user U1 of (5) first mechanisms receives authorization message, associative operation can be carried out by the authority of authorizing after the time started of life cycle.
(6) when arriving the deadline of life cycle, the system manager of the second mechanism, cancels this authorized user, and notifies the first mechanism.
Certainly, in this course, institute's Prescribed Properties must be met, comprise and authorize role assignment AC, mandate constraint, other relevant RBAC to retrain.
In addition, the mandate of asking in the first mechanism can be the mandate of whole authorities of whole role in request second mechanism, as: whole authorities of the doctor in charge; Also can be the mandate of the part authority of certain role in request second mechanism, as: the case history access right of the request doctor in charge.
Equally, there is in second mechanism the user of authorization privilege, both the whole requests in asking can have been agreed to, also the mandate of fine-grained part authority can be supported, that is: a part of authority in request is authorized, be easy to learn by the definition of model, authority granularity in this model is consistent with the authority granularity of RBAC model, therefore, the application both can support minimum authority granularity, that is the necessary authority completing specific function only can be given requestor by authorized person, meets principle of least privilege completely.
In addition, when present medical institutions' resource-sharing is day by day close, the cooperation between some medical institutions is long-term most probably also may be interim initiation.
The application also supports that interim request is authorized respectively and authorizes with permanent.
Interim request mandate is a kind of provisional action, at some in particular cases, requestor wishes that within a certain period some authority is authorized in acquisition, the user having authorization privilege of namely above-mentioned the application, when authorizing, must set the survival period of authorizing role, only in effective survival period, the authority that grantee could use principal to give, once exceed the survival period of authorizing role, authorizes the authority in role can not be used by bailee.
If certain mechanism needs certain user in another mechanism forever to have a certain or some authority, can be set to have permanent authority of authorizing by system manager, as long as arrange enough large survival period, just can complete trust.
Still for above-mentioned two simple medical institutions, suppose that a medical institutions A is community hospital, another medical institutions B is large-scale three grades of first-class general hospital.If have a patient after B is in hospital a period of time, leave hospital and go home, need mechanism A to prescribe medicine.If allow patient's rechecking, understand to the unnecessary economy of patient and waste of time, but do not understand the patient's condition and the case history of patient the doctor of mechanism A, when case history is day by day electronic, use above-mentioned request-authorization just can efficiently solve the problem easily.
In the mandate tied mechanism that medical control department formulates, following constraint can be comprised: the agreement needing to obtain patient and mechanism patient B physician.In the case, the doctor of mechanism A, the rights management mechanism can set up based on the RBAC model of the improvement supporting request-mandate, after acquisition patient authorizes, as: patient inputs the user ID of oneself case history and/or the patient's password after encrypting, to authorized user message be comprised and ask the request of the authority of obtaining the authorization to be sent in the system of mechanism B, mechanism A analysis request, obtain the patient ID comprised in request, search the corresponding physician of this patient at mechanism B, by this request forward to this physician place, this physician configured in advance is to authorize the case history access rights after patient agrees to.If the physician of mechanism B sees the rear grant access case history of request, this can create the Doctor's role user right of one authorized user-mechanism A, for the attitude be responsible for for patient, the authority of authorized user can also be set, such as, prescription needs the doctor of mechanism B to agree to just come into force, and in patient history, increases the information and prescription information etc. of this time seeking medical advice, with the integrality of the drug safety and case history that ensure patient.Equally, the physician of mechanism B, when agreeing to authorize, can arrange the life cycle of this authorized user, but after life cycle starts, the doctor of mechanism A can access case history and medication history, the transmission prescription of patient, increase patient history record; After life cycle deadline, the doctor of mechanism A all cancels in all authorities of mechanism B.
Another embodiment, conveniently patient goes to a doctor, and some well-known doctor can be flowed and be paid a home visit, in several medical institutions, namely have the authority of the Doctor's role of certain level, and this mandate can be long-term or permanent.Can by wishing that each mechanism of this tools for doctor home visit sends authorization requests to medical authorities, under the condition that satisfied mandate role assignment AC and mandate retrain, forever or for a long time authorize this doctor the Doctor's role of certain level in some mechanisms, as: archiater.
An embodiment again, certain community hospital is limited to checkout facility and limits, need to preengage a certain inspection for certain patient in certain three grades of first-class general hospital, then can be authorized this authority of the reservation inspection in the doctor in charge by temporary Authorization request to the request of these three grades first-class general hospital.
Certainly, the arbitrary technical scheme implementing the application must not necessarily need to reach above all advantages simultaneously.
It will be understood by those skilled in the art that the embodiment of the application can be provided as method, device (equipment) or computer program.Therefore, the application can adopt the form of complete hardware embodiment, completely software implementation or the embodiment in conjunction with software and hardware aspect.And the application can adopt in one or more form wherein including the upper computer program implemented of computer-usable storage medium (including but not limited to magnetic disc store, CD-ROM, optical memory etc.) of computer usable program code.
The application describes with reference to according to the flow chart of the method for the embodiment of the present application, device (equipment) and computer program and/or block diagram.Should understand can by the combination of the flow process in each flow process in computer program instructions realization flow figure and/or block diagram and/or square frame and flow chart and/or block diagram and/or square frame.These computer program instructions can being provided to the processor of all-purpose computer, special-purpose computer, Embedded Processor or other programmable data processing device to produce a machine, making the instruction performed by the processor of computer or other programmable data processing device produce device for realizing the function of specifying in flow chart flow process or multiple flow process and/or block diagram square frame or multiple square frame.
These computer program instructions also can be stored in can in the computer-readable memory that works in a specific way of vectoring computer or other programmable data processing device, the instruction making to be stored in this computer-readable memory produces the manufacture comprising command device, and this command device realizes the function of specifying in flow chart flow process or multiple flow process and/or block diagram square frame or multiple square frame.
These computer program instructions also can be loaded in computer or other programmable data processing device, make on computer or other programmable devices, to perform sequence of operations step to produce computer implemented process, thus the instruction performed on computer or other programmable devices is provided for the step realizing the function of specifying in flow chart flow process or multiple flow process and/or block diagram square frame or multiple square frame.
Although described the preferred embodiment of the application, those skilled in the art once obtain the basic creative concept of cicada, then can make other change and amendment to these embodiments.So claims are intended to be interpreted as comprising preferred embodiment and falling into all changes and the amendment of the application's scope.Obviously, those skilled in the art can carry out various change and modification to the application and not depart from the spirit and scope of the application.Like this, if these amendments of the application and modification belong within the scope of the application's claim and equivalent technologies thereof, then the application is also intended to comprise these change and modification.
Claims (9)
1. a role-base access control method, described method comprises step:
Asking the access control model of the role authorized to carry out modeling based on supporting the setting according to each mechanism, comprising role set and authority set; Wherein:
One or more role is comprised in role set;
The authority that one or more are different is comprised in authority set;
Each role corresponds respectively to and one or more authority;
By each user in each mechanism respectively with one or more role association;
The user of the first mechanism can send access request in another mechanism;
After described access request obtains the permission of another mechanism, the resource in another mechanism of the user-accessible of the first mechanism.
2. method according to claim 1, is characterized in that, described access request is the mandate that request obtains a role in another mechanism.
3. method according to claim 1, it is characterized in that, role set in the described access control model supporting the role of request mandate is by general role set and authorize role set jointly to form, general role set has Role hierarchy, and authorize role set there is no Role hierarchy, by authority-role's configuration, general Role Users obtains the authority that general role has, some general Role Users makes it have the authority creating and authorize role by configuration, by granted rights, the authority by role can be assigned to mandate role.
4. method according to claim 3, is characterized in that process that described request authorizes role in another mechanism must meet all RBAC constraints of system manager's setting.
5. method according to claim 4, is characterized in that, the described authority by role being assigned to by granted rights authorizes role can authorize role for all authorities of role being assigned to, and also the part authority of role can be assigned to and authorize role.
6. method according to claim 5, is characterized in that, the described authority by role being assigned to by granted rights authorizes role can also comprise the life cycle information arranging and authorize role.
7. method according to claim 6, is characterized in that, the life cycle information of described mandate role can comprise initial time and deadline.
8. method according to claim 5, is characterized in that, described mandate role can be permanent mandate.
9. method according to claim 1, is characterized in that, when each mechanism described be the first mechanism and the second mechanism time, licensing process comprises:
The user of (1) first mechanism sends request, and certain role that request is authorized in the second mechanism and some authority, also can comprise the life cycle information of this mandate role;
(2) second step: after receiving request in the second mechanism, resolves this solicited message, analyzes should the user with authorization privilege of solicited message, by this request forward to the respective user place with authorization privilege;
(3) whether the user with authorization privilege audits this request, determine to authorize; Authorize if agree to, this looks in the second mechanism creating and authorizes role, and the authority that configuration authorizes role to have, and the life cycle of this mandate role;
After authorization message is fed back to the user of the first mechanism by (4) second trains of mechanism, activate this mandate role authorizing the time started of role's life cycle;
After the user of (5) first mechanisms receives authorization message, associative operation can be carried out by the authority of authorizing after the time started of life cycle;
(6) when arriving the deadline of life cycle, the system manager of the second mechanism, cancels this authorized user, and notifies the first mechanism.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510078062.9A CN104660599B (en) | 2015-02-14 | 2015-02-14 | A kind of access control based roles method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510078062.9A CN104660599B (en) | 2015-02-14 | 2015-02-14 | A kind of access control based roles method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104660599A true CN104660599A (en) | 2015-05-27 |
| CN104660599B CN104660599B (en) | 2016-02-10 |
Family
ID=53251302
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510078062.9A Active CN104660599B (en) | 2015-02-14 | 2015-02-14 | A kind of access control based roles method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104660599B (en) |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104899485A (en) * | 2015-07-02 | 2015-09-09 | 三星电子(中国)研发中心 | User management method and device |
| CN106161467A (en) * | 2016-08-31 | 2016-11-23 | 成都九鼎瑞信科技股份有限公司 | Water utilities data access method and device |
| CN106302435A (en) * | 2016-08-11 | 2017-01-04 | 上海泛微网络科技股份有限公司 | A kind of based on grouping of the world economy classification decentralized management system |
| CN107566375A (en) * | 2017-09-08 | 2018-01-09 | 郑州云海信息技术有限公司 | Access control method and device |
| CN107770173A (en) * | 2017-10-20 | 2018-03-06 | 国信嘉宁数据技术有限公司 | Subscriber Management System, related identification information creation method and request method of calibration |
| US20180159862A1 (en) * | 2016-12-02 | 2018-06-07 | Asia University | CBR-Based Negotiation RBAC Method for Enhancing Ubiquitous Resources Management |
| CN108600793A (en) * | 2018-04-08 | 2018-09-28 | 北京奇艺世纪科技有限公司 | a kind of hierarchical control method and device |
| CN108875324A (en) * | 2017-07-04 | 2018-11-23 | 成都牵牛草信息技术有限公司 | List authorization method based on list time property field |
| CN108900534A (en) * | 2017-08-03 | 2018-11-27 | 成都牵牛草信息技术有限公司 | The method of the operating time section of mailbox contents and instant messaging content is set in system |
| CN108920940A (en) * | 2017-07-11 | 2018-11-30 | 成都牵牛草信息技术有限公司 | The method authorized by field value of third party's field to form fields |
| CN109104425A (en) * | 2017-08-14 | 2018-12-28 | 成都牵牛草信息技术有限公司 | The setting method of permission is checked in operation note based on the period |
| CN110086841A (en) * | 2018-01-26 | 2019-08-02 | 广东亿迅科技有限公司 | Construct the method and device of MPP public cloud and local private clound |
| CN110659465A (en) * | 2019-09-25 | 2020-01-07 | 四川长虹电器股份有限公司 | RBAC-based personalized authority management method |
| CN112182525A (en) * | 2020-09-15 | 2021-01-05 | 南京国电南自电网自动化有限公司 | RBAC model authority management method based on attribute management and control |
| CN113297550A (en) * | 2021-06-17 | 2021-08-24 | 中国农业银行股份有限公司 | Authority control method, device, equipment, storage medium and program product |
| CN113723769A (en) * | 2021-08-11 | 2021-11-30 | 中核武汉核电运行技术股份有限公司 | Contractor authorization device and method for power plant |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101286845B (en) * | 2008-05-12 | 2011-02-09 | 华中科技大学 | Control system for access between domains based on roles |
| CN102571821A (en) * | 2012-02-22 | 2012-07-11 | 浪潮电子信息产业股份有限公司 | Cloud security access control model |
| CN103491093B (en) * | 2013-09-25 | 2016-08-03 | 国网重庆市电力公司 | A kind of smart power grid user access authorization methods |
-
2015
- 2015-02-14 CN CN201510078062.9A patent/CN104660599B/en active Active
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104899485A (en) * | 2015-07-02 | 2015-09-09 | 三星电子(中国)研发中心 | User management method and device |
| CN106302435A (en) * | 2016-08-11 | 2017-01-04 | 上海泛微网络科技股份有限公司 | A kind of based on grouping of the world economy classification decentralized management system |
| CN106161467A (en) * | 2016-08-31 | 2016-11-23 | 成都九鼎瑞信科技股份有限公司 | Water utilities data access method and device |
| US20180159862A1 (en) * | 2016-12-02 | 2018-06-07 | Asia University | CBR-Based Negotiation RBAC Method for Enhancing Ubiquitous Resources Management |
| US10419441B2 (en) * | 2016-12-02 | 2019-09-17 | Asia University | CBR-based negotiation RBAC method for enhancing ubiquitous resources management |
| CN108875324A (en) * | 2017-07-04 | 2018-11-23 | 成都牵牛草信息技术有限公司 | List authorization method based on list time property field |
| US11775687B2 (en) | 2017-07-11 | 2023-10-03 | Chengdu Qianniucao Information Technology Co., Ltd. | Method for authorizing field value of form field by means of third party field |
| CN108920940A (en) * | 2017-07-11 | 2018-11-30 | 成都牵牛草信息技术有限公司 | The method authorized by field value of third party's field to form fields |
| CN108900534B (en) * | 2017-08-03 | 2022-02-01 | 成都牵牛草信息技术有限公司 | Method for setting operation time period of mailbox content and instant communication content in system |
| CN108900534A (en) * | 2017-08-03 | 2018-11-27 | 成都牵牛草信息技术有限公司 | The method of the operating time section of mailbox contents and instant messaging content is set in system |
| CN109104425A (en) * | 2017-08-14 | 2018-12-28 | 成都牵牛草信息技术有限公司 | The setting method of permission is checked in operation note based on the period |
| CN109104425B (en) * | 2017-08-14 | 2022-02-01 | 成都牵牛草信息技术有限公司 | Method for setting operation record viewing authority based on time period |
| US11586747B2 (en) | 2017-08-14 | 2023-02-21 | Chengdu Qianniucao Information Technology Co., Ltd. | Method for setting operating record viewing right based on time period |
| CN107566375A (en) * | 2017-09-08 | 2018-01-09 | 郑州云海信息技术有限公司 | Access control method and device |
| CN107770173A (en) * | 2017-10-20 | 2018-03-06 | 国信嘉宁数据技术有限公司 | Subscriber Management System, related identification information creation method and request method of calibration |
| CN110086841A (en) * | 2018-01-26 | 2019-08-02 | 广东亿迅科技有限公司 | Construct the method and device of MPP public cloud and local private clound |
| CN108600793A (en) * | 2018-04-08 | 2018-09-28 | 北京奇艺世纪科技有限公司 | a kind of hierarchical control method and device |
| CN110659465A (en) * | 2019-09-25 | 2020-01-07 | 四川长虹电器股份有限公司 | RBAC-based personalized authority management method |
| CN112182525A (en) * | 2020-09-15 | 2021-01-05 | 南京国电南自电网自动化有限公司 | RBAC model authority management method based on attribute management and control |
| CN113297550A (en) * | 2021-06-17 | 2021-08-24 | 中国农业银行股份有限公司 | Authority control method, device, equipment, storage medium and program product |
| CN113723769A (en) * | 2021-08-11 | 2021-11-30 | 中核武汉核电运行技术股份有限公司 | Contractor authorization device and method for power plant |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104660599B (en) | 2016-02-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104660599B (en) | A kind of access control based roles method | |
| Ferreira et al. | How to break access control in a controlled manner | |
| Blobel | Authorisation and access control for electronic health record systems | |
| CN101473627B (en) | The method and apparatus of the access control of the advanced person of medical ad hoc body sensor networks | |
| US20110082794A1 (en) | Client-centric e-health system and method with applications to long-term health and community care consumers, insurers, and regulators | |
| Alhaqbani et al. | Access control requirements for processing electronic health records | |
| CN104657928B (en) | A kind of medical coordination system | |
| Nortey et al. | Privacy module for distributed electronic health records (EHRs) using the blockchain | |
| US10586299B2 (en) | HIPAA-compliant third party access to electronic medical records | |
| TW200809564A (en) | Policy driven access to electronic healthcare records | |
| WO2021237345A1 (en) | Human-centric health record system and related methods | |
| KR20070115107A (en) | Method for providing medical information and apparatus, system for employing the method | |
| Sánchez et al. | Achieving RBAC on RESTful APIs for mobile apps using FHIR | |
| CA2886577A1 (en) | Electronic health record system with customizable compliance policies | |
| Russello et al. | Consent-based workflows for healthcare management | |
| Abomhara et al. | Towards an Access Control Model for Collaborative Healthcare Systems. | |
| Dong et al. | COC: An ontology for capturing semantics of circle of care | |
| Tasali et al. | Controlled BTG: toward flexible emergency override in interoperable medical systems | |
| Habibi | Consent based privacy for eHealth systems | |
| Koufi et al. | An event-based, role-based authorization model for healthcare workflow systems | |
| Bergmann et al. | An eConsent-based system architecture supporting cooperation in integrated healthcare networks | |
| Jerry et al. | Implementation of an efficient digital health care delivery system in Nigeria | |
| Peña et al. | Security model to protect patient data in mHealth systems through a Blockchain network | |
| US20230385450A1 (en) | Human-centric health record system and related methods | |
| Dong | Blockchain-enabled Secure and Trusted Personalized Health Record |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |