CN106302492A - Access control method and system - Google Patents

Access control method and system

Info

Publication number: CN106302492A
Authority: CN (China)
Prior art keywords: authorized, instances, authorized instances, business scenario, resource
Legal status (as listed by Google; not a legal conclusion): Pending
Application number: CN201610707925.9A
Other languages: Chinese (zh)
Inventor: 成七一 (also listed as 成七)
Current assignee (as listed by Google): Xi'an fanxi Intelligent Information Technology Co.,Ltd.
Original assignee: Tangshan Xinzhidian Technology Co Ltd
Application filed by Tangshan Xinzhidian Technology Co Ltd
Priority to CN201610707925.9A
Publication of CN106302492A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides an access control method and system. A large enterprise-level system usually contains at least one business scenario, and each business scenario can comprise at least one application instance. On the basis of the RBAC model, the method adds a new model object, the authorized instance, which corresponds to a concrete application instance of a business scenario in the business system; that is, an authorized instance corresponds to the resource set provided by the corresponding application instance of the corresponding business scenario. Through authorized instances, the application can divide the authorized resources of the business system at a finer granularity by business scenario, and can therefore define, at the permission-control level, multiple candidate roles with different permissions for each business scenario, so that finer-grained access control by business scenario is achieved on the basis of the roles so defined. The application thus overcomes the problem of the prior art and can effectively meet the finer-grained control requirements of large enterprise-level systems for different business scenarios.

Description

Access control method and system
Technical field
The invention belongs to the technical field of permission control for application systems/business systems, and in particular relates to an access control method and system.
Background art
Authorization and access control is a basic function that general-purpose software systems all have. The most classical form is role-based access control (RBAC). An RBAC model generally comprises users (subjects), roles and resources (such as menus, functions and uniform resource locators, URLs), where users, roles and resources stand in an m:n:q relation (m, n, q being natural numbers): one user can have multiple roles, and one role can have multiple resources. Which menus a user has and which functions (operations) the user may use is determined from these three layers of relations.
An access control scheme based on the RBAC model is relatively simple and cannot meet the finer-grained control requirements that large enterprise-level systems have for different business scenarios. Suppose a system includes business scenarios such as engineering, archives and an information base. For the engineering scenario it is desired to authorize per project on top of the RBAC model: for example, one user can access the construction diary of project A and can add, modify and delete entries in it; for the construction diary of project B that user can only view, and cannot add, modify or delete; and all functions and data of the construction diary of project C are invisible to that user; while another user has full access rights (view, create, modify, delete) to projects A, B and C. Because its control mode is relatively simple, the RBAC model cannot realize such finer-grained authorization control by business scenario.
Under the traditional approach, to meet the control requirements of a large enterprise-level system for different business scenarios, the system is typically split by business scenario into different subsystems, such as the engineering, archives and information base subsystems above, and for each subsystem the access control policy is custom-developed by hard-coding in the service layer according to the business requirements. This approach has the drawbacks of low development efficiency and arbitrariness, and it lacks system-level standard control logic: the control policies of the subsystems may be inconsistent, which affects the stability of the system architecture and the user's operating experience.
Summary of the invention
In view of this, the object of the present invention is to provide an access control method and system that solve the problem of the control mode of the prior art and support finer-grained permission control over the different business scenarios of a business system.
To this end, the present invention discloses the following technical solution:
An access control method, comprising:
intercepting a service request sent by a user to a business system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the business system includes at least one business scenario, each business scenario corresponds to a respective authorized instance set, and each authorized instance in the authorized instance set corresponds to the resource set provided by a respective application instance of the corresponding business scenario; the target resource corresponding to the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance corresponding to the authorized instance identifier;
verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, whether the user has permission to access the target resource under the target authorized instance;
if so, sending the service request to the business system so that the business system responds to the service request; if not, performing predetermined error handling.
In the above method, preferably, each business scenario in the business system corresponds to a respective authorized domain, and each authorized domain corresponds to an authorized instance set and a candidate role set; each candidate role in the candidate role set corresponds to some or all of the resources of at least one authorized instance under the corresponding authorized domain; the authorization relation data includes the correspondence between user identifiers and authorized roles, the authorized roles belonging to the candidate role set;
and verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and the pre-stored authorization relation data, whether the user has permission to access the target resource under the target authorized instance includes:
verifying, according to the correspondence between the user identifiers of authorized users and their authorized roles, and the correspondence between each candidate role and its corresponding authorized instances and resources, whether the first user identifier matches the target authorized instance and the target resource;
if they match, the user has permission to access the target resource under the target authorized instance; if they do not match, the user does not have permission to access the target resource under the target authorized instance.
In the above method, preferably, the business system corresponds to a global authorized domain, the global authorized domain corresponds to one and only one system-level authorized instance, and the resource set corresponding to the system-level authorized instance is the set composed of the system-level resources of the business system.
In the above method, preferably, the method further includes:
when an application instance corresponding to a business scenario of the business system changes, performing a synchronized update of the authorized instance information for the changed application instance.
In the above method, preferably, performing the synchronized update of the authorized instance information for the changed application instance when an application instance corresponding to a business scenario of the business system changes includes:
when a business scenario produces a newly added application instance, generating, through a preset synchronization interface, a corresponding authorized instance for the newly added application instance of the business scenario;
when an application instance corresponding to a business scenario is modified, making, through the synchronization interface, the corresponding information modification to the authorized instance corresponding to the modified application instance of the business scenario;
when an application instance corresponding to a business scenario is deleted, removing, through the synchronization interface, the authorized instance corresponding to the deleted application instance.
An access control system, comprising:
an interception module, configured to intercept a service request sent by a user to a business system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the business system includes at least one business scenario, each business scenario corresponds to a respective authorized instance set, and each authorized instance in the authorized instance set corresponds to the resource set provided by a respective application instance of the corresponding business scenario; the target resource corresponding to the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance corresponding to the authorized instance identifier;
a verification module, configured to verify, based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, whether the user has permission to access the target resource under the target authorized instance;
a control module, configured to send the service request to the business system when the verification passes, so that the business system responds to the service request, and to perform predetermined error handling when the verification fails.
In the above system, preferably, each business scenario in the business system corresponds to a respective authorized domain, and each authorized domain corresponds to an authorized instance set and a candidate role set; each candidate role in the candidate role set corresponds to some or all of the resources of at least one authorized instance under the corresponding authorized domain; the authorization relation data includes the correspondence between user identifiers and authorized roles, the authorized roles belonging to the candidate role set;
and the verification module includes:
a verification unit, configured to verify, according to the correspondence between the user identifiers of authorized users and their authorized roles, and the correspondence between each candidate role and its corresponding authorized instances and resources, whether the first user identifier matches the target authorized instance and the target resource;
a determination unit, configured to determine, when they match, that the user has permission to access the target resource under the target authorized instance, and, when they do not match, that the user does not have permission to access the target resource under the target authorized instance.
In the above system, preferably, the system further includes:
a synchronized update module, configured to perform, when an application instance corresponding to a business scenario of the business system changes, a synchronized update of the authorized instance information for the changed application instance.
In the above system, preferably, the synchronized update module includes:
a first synchronization unit, configured to generate, when a business scenario produces a newly added application instance, a corresponding authorized instance for the newly added application instance of the business scenario through a preset synchronization interface;
a second synchronization unit, configured to make, when an application instance corresponding to a business scenario is modified, the corresponding information modification through the synchronization interface to the authorized instance corresponding to the modified application instance of the business scenario;
a third synchronization unit, configured to remove, when an application instance corresponding to a business scenario is deleted, the authorized instance corresponding to the deleted application instance through the synchronization interface.
In summary, a large enterprise-level business system usually contains at least one business scenario, and each business scenario can comprise at least one application instance. On this basis, the method of the application adds, on top of the RBAC model, the new model object "authorized instance", which corresponds to a concrete application instance of a business scenario in the business system; in other words, each business scenario contained in the business system corresponds to a respective authorized instance set, and each authorized instance in that set corresponds to the resource set provided by a respective application instance of the corresponding business scenario. Through the newly added model object, the method can thus divide the authorized resources of the business system at a finer granularity by business scenario. When the application is applied, on the basis of this finer-grained division of authorized resources, multiple candidate roles corresponding to different resource permissions can be set at the permission-control level for each business scenario, i.e. candidate roles are defined per business scenario; subsequently, when a user accesses the system, finer-grained access permission control by business scenario can be applied to the user on the basis of the roles the user holds under the business scenarios. The application thus overcomes the problem of the prior art and can effectively meet the finer-grained control requirements of large enterprise-level systems for different business scenarios.
Brief description of the drawings
In order to explain more clearly the embodiments of the present invention or the technical solutions of the prior art, the drawings required in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flow chart of the access control method provided by the first embodiment of the present invention;
Fig. 2 is a flow chart of the access control method provided by the second embodiment of the present invention;
Fig. 3 and Fig. 4 are structural diagrams of the access control system provided by the third embodiment of the present invention.
Detailed description of the embodiments
For ease of reference and understanding, the technical terms, abbreviations and acronyms used below are explained as follows:
Resource: the functional resource information that a system has. It is a tree including the system's menus, functions (buttons), services or interface addresses, etc.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment one
The first embodiment of the application provides an access control method applicable to finer-grained authorization control of a large enterprise-level system by business scenario. With reference to the flow chart of the access control method shown in Fig. 1, the method may include the following steps:
S101: intercepting a service request sent by a user to a business system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the business system includes at least one business scenario, each business scenario corresponds to a respective authorized instance set, and each authorized instance in the authorized instance set corresponds to the resource set provided by a respective application instance of the corresponding business scenario; the target resource corresponding to the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance corresponding to the authorized instance identifier.
S102: verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, whether the user has permission to access the target resource under the target authorized instance.
S103: if so, sending the service request to the business system so that the business system responds to the service request.
S104: if not, performing predetermined error handling.
The implementation process of the scheme of the application is described in detail below.
A large enterprise-level business system usually contains at least one business scenario, for example engineering, archives and an information base, and each business scenario can comprise at least one application instance: taking engineering as an example, it can include application instances such as project A, project B and project C. Each application instance provides a corresponding resource set, such as menus, functions and/or URLs (Uniform Resource Locators). Based on the need of large enterprise-level systems for finer-grained control of different business scenarios, the method of the application adds, on top of the RBAC model, the new model object "authorized instance". An authorized instance corresponds to a concrete application instance of a business scenario in the business system; that is, each business scenario contained in the business system corresponds to a respective authorized instance set, and each authorized instance in that set corresponds to the resource set provided by a respective application instance of the corresponding business scenario.
The application also adds, for the business scenarios of the business system, the object "authorized domain". An authorized domain divides the fields when the business system is subjected to authorization control by business scenario. Assuming the business system includes different scenarios such as engineering, archives and an information base, the authorized domains of the business system can correspondingly be divided into a system domain, an engineering domain, an archives domain and an information base domain. One authorized domain corresponds to one business scenario, while the system domain corresponds to the business system as a whole and is the system-level authorized domain.
Each authorized instance corresponding to a business scenario is specifically an instance under the authorized domain corresponding to that scenario; that is, the authorized domain corresponding to a business scenario can comprise a corresponding authorized instance set. Taking the engineering scenario as an example again, the authorized domain corresponding to this scenario, the engineering domain, can include a project A authorized instance, a project B authorized instance, a project C authorized instance, and so on. An authorized instance is specifically the set of associated base data about an application instance of a business scenario that is needed when performing finer-grained authorization control of the business system by business scenario. For example, the project A authorized instance can include base data that associate it with project A in the business system, such as the project number, responsible person and/or account information of project A; an archives authorized instance can include archive category numbers such as engineering archive numbers and financial archive numbers. Through the necessary associated base data it contains, an authorized instance can be associated with the corresponding application instance under the corresponding business scenario in the business system, and thereby with the series of resources that application instance provides.
The system domain has only one instance, which represents the whole system itself; the resources corresponding to this instance are specifically the system-level resources, i.e. the resources of the business system other than those provided by the individual business scenarios. Thus, in the application, every resource provided by the business system necessarily belongs to some authorized domain: depending on whether it is a system-level resource or a scenario-level resource, it belongs to the system domain or to the authorized domain corresponding to the corresponding business scenario.
On the basis of the two added objects, authorized domain and authorized instance, the application uses authorized domains and authorized instances to divide the authorized resources of the business system at a finer granularity by business scenario. Specifically, at the permission-control level, authorized domains are built for the business scenarios included in the business system, for example the engineering, archives and information base domains for the engineering, archives and information base scenarios; under each authorized domain, the authorized instance set under that domain is built from the application instances comprised by the corresponding business scenario; and for each authorized instance, the resource information of the resource set provided by its corresponding application instance is associated with it. This creates, at the permission-control level, a three-level structure of authorized domain, authorized instance and resource information, achieving a finer-grained division of the authorized resources of the business system by business scenario.
Afterwards, roles can be set independently for each authorized domain. For a given authorized domain, several candidate roles corresponding to different access permissions/resource permissions can be set according to the actual business requirements of that domain; each candidate role corresponds to some or all of the resources of at least one authorized instance under the domain. Taking the engineering domain as an example, for the authorized instances the engineering domain can comprise, such as project A, project B and project C, and the different resource information corresponding to each authorized instance, several candidate roles such as role 1, role 2 and role 3 can be set, each with different access permissions: for example, role 1 has full access (view, add, delete and so on) to all projects under the engineering domain; role 2 can access the construction diary of project A and add, modify and delete entries in it, but can only view the construction diary of project B and cannot add, modify or delete, and all functions and data of the construction diary of project C are invisible to it. Similarly, for authorized domains such as archives and the information base, a series of candidate roles with different access permissions can likewise be preset according to their business requirements.
On this basis, by assigning each user the roles it needs under the authorized domains it needs, corresponding access permissions/resource permissions can be configured for each user by business scenario. The same user can hold several matching roles under several business scenarios/authorized domains, and can thus access the resources of several business scenarios with the corresponding permissions through the roles it holds under them. For example, suppose a project director has role x in the engineering domain, and role x has full access to all engineering resources of the engineering domain; the director also has role y in the archives domain, and role y has full access only to the related archives corresponding to engineering archive numbers, while for the related archives corresponding to financial archive numbers it only has viewing permission. The project director can then access the engineering scenario and the archives scenario with the corresponding permissions on the basis of role x and role y respectively.
As described above, the application extends the authorization model to comprise the model objects user, authorized instance, role and resource, and among these model objects (user, authorized instance, role, resource) there is an m:n:q:r relation, where m, n, q and r are natural numbers. Through this extended authorization model, the finer-grained control requirements of large enterprise-level systems for different business scenarios can be effectively met.
After the authorization model has been built and corresponding roles have been assigned to users on the basis of it, access permission control can be applied to the user's access to the business system.
Specifically, when the user sends a service request to the business system, for example through a client, the user's service request is intercepted. The service request includes the user's first user identifier, an authorized instance identifier and a resource identifier (such as a user ID, an authorized instance ID and a resource ID), where the target resource corresponding to the resource identifier belongs to the resource set corresponding to the target authorized instance, and the target authorized instance is the authorized instance corresponding to the authorized instance identifier.
Then, the first user identifier, the authorized instance identifier and the resource identifier are used to query for a matching entry in the maintained authorization relation data; if the match succeeds, the verification passes, otherwise it fails. Specifically, the correspondence data between the user identifiers of authorized users and their authorized roles can first be queried to determine whether the first user identifier has a matching authorized role. If so, the correspondence data between each candidate role and its corresponding authorized instances and resources are queried further to determine whether they contain an entry corresponding to the authorized role (the role corresponding to the first user identifier), the target authorized instance and the target resource. If such an entry exists, the user has permission to access the target resource under the target authorized instance and the verification passes; otherwise the user lacks the corresponding access permission and the verification fails.
When the verification passes, the intercepted user service request is released and sent to the business system, so that the business system performs the corresponding response operation on the basis of the service request; if the verification fails, an error message is returned to the user and the access fails.
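The following is an added example, not code from the patent or its assignee, that implements the model described above (authorized domains, authorized instances, per-domain candidate roles, user-to-role assignments) together with the intercept-verify-forward procedure of steps S101 to S104 and the synchronization interface from the summary (instance added, modified or deleted). All class, function and identifier names, the sample projects and resource names, and the 400/403 responses are assumptions made for illustration. The check fails closed: an unknown instance, a resource the instance does not provide, or a user without a matching role all deny access, and removing or shrinking an instance prunes role grants so that stale grants cannot survive a deleted application instance.

```python
# Added example (not the patent's own code): RBAC extended with authorized
# domains and authorized instances, plus the request check of S101-S104.
# All names and sample data below are constructed for illustration.

SYSTEM_DOMAIN = "system"  # the global authorized domain with exactly one instance


class AuthorizationModel:
    """Authorization relation data: instances (domain -> instance -> resources),
    candidate roles per domain (grants are (instance, resource) pairs) and
    user -> role assignments."""

    def __init__(self):
        self.instances = {}   # instance_id -> {"domain": str, "resources": set}
        self.roles = {}       # role_id -> {"domain": str, "grants": set of (inst, res)}
        self.user_roles = {}  # user_id -> set of role ids
        # The system domain has one instance representing the system itself.
        self.add_instance(SYSTEM_DOMAIN, SYSTEM_DOMAIN, set())

    # --- synchronization interface: mirrors application instance changes ---
    def add_instance(self, domain, instance_id, resources):
        if instance_id in self.instances:
            raise ValueError(f"authorized instance {instance_id} already exists")
        self.instances[instance_id] = {"domain": domain, "resources": set(resources)}

    def update_instance(self, instance_id, resources):
        inst = self.instances[instance_id]
        inst["resources"] = set(resources)
        # Drop grants for resources the application instance no longer provides.
        for role in self.roles.values():
            role["grants"] = {g for g in role["grants"]
                              if g[0] != instance_id or g[1] in inst["resources"]}

    def remove_instance(self, instance_id):
        del self.instances[instance_id]
        for role in self.roles.values():
            role["grants"] = {g for g in role["grants"] if g[0] != instance_id}

    # --- candidate roles, each bound to a single authorized domain ---
    def add_role(self, domain, role_id):
        self.roles[role_id] = {"domain": domain, "grants": set()}

    def grant(self, role_id, instance_id, resources=None):
        """Grant a role some (or, with resources=None, all) resources of one
        authorized instance; the instance must lie in the role's own domain."""
        role, inst = self.roles[role_id], self.instances[instance_id]
        if inst["domain"] != role["domain"]:
            raise ValueError("role and instance belong to different authorized domains")
        wanted = inst["resources"] if resources is None else set(resources)
        unknown = wanted - inst["resources"]
        if unknown:
            raise ValueError(f"instance {instance_id} does not provide {sorted(unknown)}")
        role["grants"] |= {(instance_id, r) for r in wanted}

    def assign(self, user_id, role_id):
        self.user_roles.setdefault(user_id, set()).add(role_id)

    # --- step S102: does this user hold a role granting (instance, resource)? ---
    def check(self, user_id, instance_id, resource_id):
        inst = self.instances.get(instance_id)
        if inst is None or resource_id not in inst["resources"]:
            return False  # target resource must belong to the target instance
        return any((instance_id, resource_id) in self.roles[r]["grants"]
                   for r in self.user_roles.get(user_id, ()))


def handle_request(model, request, forward):
    """Steps S101-S104: intercept, verify, forward on success, fail closed otherwise."""
    try:
        user, inst, res = request["user_id"], request["instance_id"], request["resource_id"]
    except KeyError as exc:
        return {"status": 400, "error": f"missing field {exc}"}
    if not model.check(user, inst, res):
        return {"status": 403, "error": "access denied"}
    return forward(request)


def build_demo():
    """Constructed sample data mirroring the patent's engineering example."""
    m = AuthorizationModel()
    diary = {"diary:view", "diary:add", "diary:edit", "diary:delete"}
    for p in ("A", "B", "C"):
        m.add_instance("engineering", f"project-{p}", diary)
    m.add_role("engineering", "role1")          # full rights on every project
    for p in ("A", "B", "C"):
        m.grant("role1", f"project-{p}")
    m.add_role("engineering", "role2")          # full on A, view-only on B, nothing on C
    m.grant("role2", "project-A")
    m.grant("role2", "project-B", {"diary:view"})
    m.assign("alice", "role2")
    m.assign("director", "role1")
    return m
```

`build_demo()` reproduces the two users of the background section: `alice` (role 2) may delete diary entries in project A, only view project B and sees nothing of project C, while `director` (role 1) has full rights on all three. Because `grant` refuses an instance outside the role's domain and `check` refuses a resource the instance does not provide, a client cannot widen its access by sending a mismatched instance identifier and resource identifier in the request.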
When being embodied as the present invention, mandate model construction and authority control that the application provides can be realized on the application server Process processed, and as an infrastructure component of large-scale application system, this infrastructure component is for each business field of operation system Scape can provide consistent system-level control strategy, the development process of control strategy provided herein and industry in operation system The development process of business scene is separate, thus with prior art in for each business scenario, according to business demand by hard There is essence difference in the mode that its access control policy is customized developing by coded system in service layer, therefore applies this Shen Scheme please can effectively ensure that the system architecture of operation system is stable, the operating experience of user can be promoted.
As can be seen here, the application method, by newly-increased model object authorized instances, can realize pressing operation system Each business scenario carries out more fine-grained authorization resources and divides, when applying the application, and can be based on this more fine-grained mandate Resource dividing condition, is respectively provided with under this scene corresponding to different resource authority for each business scenario in control of authority aspect Multiple candidate roles, i.e. achieve and carry out candidate role's setting by business scenario, follow-up when user accesses system, can base Role under the business scenario that user has, carries out more fine-grained access privilege control to it by business scenario, it is seen that this Application overcomes the problem that prior art exists, and can effectively meet large enterprise's level system more particulate for different business scene The control requirement of degree.
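The verification and control steps described above, as an added illustration that is not part of the patent: a request carrying (user id, authorized instance id, resource id) is checked against the instance's resource set, the user's authorized roles and the candidate-role grants. All names, the data layout and the sample data are this example's own assumptions.

```python
"""Added illustration (not the patent's own code): the verification step of
embodiment one run over constructed sample data.  All names, the data layout
and the sample values are this example's assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedInstance:
    """One authorized instance: mirrors one application instance of a scenario."""
    instance_id: str
    domain: str            # the authorized domain of the business scenario
    resources: frozenset   # resource set provided by the application instance


@dataclass(frozen=True)
class ServiceRequest:
    """The intercepted request: first user id, authorized instance id, resource id."""
    user_id: str
    instance_id: str
    resource_id: str


# Constructed sample: an engineering scenario with two projects, plus the
# single system-level authorized instance of the global domain.
INSTANCES = {
    "proj_A": AuthorizedInstance("proj_A", "engineering", frozenset({"drawings", "budget"})),
    "proj_B": AuthorizedInstance("proj_B", "engineering", frozenset({"drawings", "budget"})),
    "system": AuthorizedInstance("system", "global", frozenset({"user_admin", "audit_log"})),
}

# Candidate roles: role id -> {instance id: resources the role may access}.
# A role is scoped to instances of its domain, so "projA_engineer" says
# nothing about proj_B even though proj_B offers the same resource names.
CANDIDATE_ROLES = {
    "projA_engineer": {"proj_A": {"drawings"}},
    "projA_manager": {"proj_A": {"drawings", "budget"}},
    "sysadmin": {"system": {"user_admin", "audit_log"}},
}

# Authorization relation data: user id -> authorized roles (a subset of the candidates).
USER_ROLES = {
    "alice": {"projA_engineer"},
    "bob": {"sysadmin"},
}


def check_access(req, instances=INSTANCES, roles=CANDIDATE_ROLES, user_roles=USER_ROLES):
    """Return (allowed, reason) for one intercepted service request.

    Follows the order the patent describes: confirm the resource belongs to the
    target authorized instance, find the user's authorized roles, then look for a
    (role, target instance, target resource) entry in the role grants.
    """
    inst = instances.get(req.instance_id)
    if inst is None:
        return False, "unknown authorized instance"
    if req.resource_id not in inst.resources:
        return False, "resource is not in the target instance's resource set"
    granted = user_roles.get(req.user_id, set())
    if not granted:
        return False, "user has no authorized role"
    for role_id in sorted(granted):
        if req.resource_id in roles.get(role_id, {}).get(req.instance_id, set()):
            return True, f"role {role_id} grants the resource under the instance"
    return False, "no authorized role grants this resource under this instance"


def handle_request(req):
    """Control step: forward on success, otherwise return an error to the user."""
    allowed, reason = check_access(req)
    if allowed:
        return {"action": "forward_to_business_system", "reason": reason}
    return {"action": "return_error", "reason": reason}
```

Note that the per-instance grant is what makes the control fine-grained: alice's role on project A gives her nothing on project B, even though both projects expose a "drawings" resource.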
Embodiment two
In embodiment two, with reference to the flow chart of the access control method shown in Fig. 2, the method may further include the following step:
S105: when the application instance corresponding to a business scenario of the business system changes, synchronously update the authorized instance information of the changed application instance.
Specifically, when a business scenario creates a new application instance, a corresponding authorized instance is generated for the new application instance under the corresponding authorized domain through a preset synchronization interface. For example, in a project scenario, if a new project D is added, the synchronization interface generates the authorized instance corresponding to project D under the project domain, e.g. the project number and the responsible person of project D;
When the application instance corresponding to a business scenario is modified, the synchronization interface applies the corresponding information modification to the authorized instance of the modified application instance under the corresponding authorized domain. For example, when the responsible person of project A changes, the synchronization interface updates the responsible-person information in the authorized instance of project A;
When the application instance corresponding to a business scenario is deleted, the synchronization interface removes the authorized instance corresponding to the deleted application instance under the corresponding authorized domain. For example, when project B is deleted in the business system, the synchronization interface removes the authorized instance of project B under the project domain.
Afterwards, the relevant administrators, such as system-level administrators or business-scenario-level/authorized-domain-level administrators, can delineate role authority or grant roles based on the updated authorized instance information.
Note that the system domain has only one instance, which represents the whole system itself and needs no synchronized update. Note also that the execution order of step S105 of this embodiment relative to steps S101-S104 above is not limited to the order shown in Fig. 2: the update of authorized instance information is performed in synchrony with the corresponding data changes in the business system, i.e. when the business system produces a data change, the data interface updates the corresponding authorized instance information in real time. In practice, the execution of step S105 therefore does not depend on the execution state of steps S101-S104; whether those steps have not yet been executed or are in progress, the authorized instance information can be updated in real time as required based on the data state of the business system.
By using the synchronization interface to update the corresponding authorized instance information whenever the data of the business system changes, this embodiment effectively maintains the consistency between the authority-control side information and the service-layer information, and thereby effectively ensures the high accuracy of the business system's access authority control.
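The synchronization interface of embodiment two, as an added illustration that is not part of the patent: create, modify and delete events for application instances are mirrored onto the authorized instances of the corresponding domain, the single-instance system domain is refused, and a delete reports the candidate roles that still reference the removed instance so that administrators can redo role delineation. The event shape, the store layout and the sample data are this example's assumptions.

```python
"""Added illustration (not the patent's own code): the synchronization
interface of embodiment two over constructed sample data.  Names, the event
shape and the sample values are this example's assumptions."""

SYSTEM_DOMAIN = "global"   # global authorized domain: exactly one instance, never synchronized


class SyncError(Exception):
    """Raised when a business-system change cannot be mirrored consistently."""


def make_store():
    """Constructed sample: authorized instances grouped by authorized domain."""
    return {
        SYSTEM_DOMAIN: {"system": {"resources": {"user_admin", "audit_log"}}},
        "engineering": {
            "proj_A": {"resources": {"drawings", "budget"}, "manager": "Zhang"},
            "proj_B": {"resources": {"drawings"}, "manager": "Li"},
        },
    }


def make_roles():
    """Constructed sample: candidate role id -> {instance id: resources} (as in embodiment one)."""
    return {
        "projA_engineer": {"proj_A": {"drawings"}},
        "projB_manager": {"proj_B": {"drawings"}},
    }


def sync_application_instance(store, roles, event):
    """Mirror one application-instance change onto the authorized instances.

    event (shape assumed by this example):
        {"op": "create" | "update" | "delete", "domain": ..., "instance_id": ...,
         "attrs": {...}}
    Returns the ids of candidate roles that still reference a deleted instance
    (always empty for create/update), so that role authority can be re-delineated.
    """
    domain, iid, op = event["domain"], event["instance_id"], event["op"]
    if domain == SYSTEM_DOMAIN:
        raise SyncError("the system domain has exactly one instance and is not synchronized")
    instances = store.setdefault(domain, {})
    attrs = dict(event.get("attrs", {}))
    if op == "create":
        if iid in instances:
            raise SyncError(f"authorized instance {iid!r} already exists in {domain!r}")
        attrs.setdefault("resources", set())   # an instance always carries a resource set
        instances[iid] = attrs
        return []
    if iid not in instances:
        raise SyncError(f"no authorized instance {iid!r} in {domain!r}")
    if op == "update":
        instances[iid].update(attrs)           # e.g. a new responsible person for project A
        return []
    if op == "delete":
        del instances[iid]
        return sorted(r for r, grants in roles.items() if iid in grants)
    raise SyncError(f"unknown operation {op!r}")
```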
Embodiment three
Embodiment three discloses an access control system corresponding to the access control method disclosed in the above embodiments.
Corresponding to embodiment one, with reference to the structural diagram of the access control system shown in Fig. 3, the system may include an interception module 100, a verification module 200 and a control module 300.
The interception module 100 intercepts the service request that a user sends to the business system; the service request includes a first user identifier, an authorized instance identifier and a resource identifier. The business system includes at least one business scenario; each business scenario corresponds to a set of authorized instances, and each authorized instance in that set corresponds to the resource set provided by one application instance of the corresponding business scenario. The target resource indicated by the resource identifier belongs to the resource set of the target authorized instance, which is the authorized instance indicated by the authorized instance identifier.
The verification module 200 verifies, based on the first user identifier, the authorized instance identifier, the resource identifier and the pre-stored authorization relation data, whether the user has the authority to access the target resource under the target authorized instance.
The verification module 200 includes a verification unit and a determination unit.
The verification unit verifies, according to the correspondence between user IDs and authorized roles and the correspondence between each candidate role and its authorized instances and resources, whether the first user identifier matches the target authorized instance and the target resource;
The determination unit determines, when they match, that the user has the authority to access the target resource under the target authorized instance, and, when they do not match, that the user does not have the authority to access the target resource under the target authorized instance.
The control module 300 sends the service request to the business system when verification succeeds, so that the business system responds to the service request; when verification fails, it performs predetermined error handling.
Corresponding to embodiment two, with reference to the structural diagram of the access control system shown in Fig. 4, the system may further include a synchronized update module 400, which includes a first synchronization unit, a second synchronization unit and a third synchronization unit.
The first synchronization unit generates, when a business scenario creates a new application instance, a corresponding authorized instance for the new application instance through a preset synchronization interface;
The second synchronization unit applies, when the application instance corresponding to a business scenario is modified, the corresponding information modification to the authorized instance of the modified application instance through the synchronization interface;
The third synchronization unit removes, when the application instance corresponding to a business scenario is deleted, the authorized instance corresponding to the deleted application instance through the synchronization interface.
Since the access control system disclosed in embodiment three corresponds to the access control methods disclosed in embodiments one and two, its description is relatively brief; for related details, refer to the description of the access control method in embodiments one and two, which is not repeated here.
Note that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to each other.
For convenience of description, the system or device above is described as divided into modules or units by function. When implementing the application, the functions of the units may of course be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the application, or the part of it that contributes to the prior art, can be embodied in the form of a software product. That software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the application or in parts of them.
Finally, it should also be noted that in this document relational terms such as first, second, third and fourth are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any of their variants are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The above are only preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can also make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as within the protection scope of the invention.

Claims (9)

1. An access control method, characterised in that it includes:
intercepting a service request sent by a user to a business system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the business system includes at least one business scenario, each business scenario corresponds to a set of authorized instances, and each authorized instance in the set of authorized instances corresponds to the resource set provided by one application instance of the corresponding business scenario; the target resource indicated by the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance indicated by the authorized instance identifier;
verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, whether the user has the authority to access the target resource under the target authorized instance;
if so, sending the service request to the business system so that the business system responds to the service request; if not, performing predetermined error handling.
2. The method according to claim 1, characterised in that each business scenario in the business system corresponds to an authorized domain, and each authorized domain corresponds to a set of authorized instances and a set of candidate roles; each candidate role in the set of candidate roles corresponds to some or all of the resources of at least one authorized instance under the corresponding authorized domain; the authorization relation data includes the correspondence between user IDs and authorized roles, and the authorized roles belong to the set of candidate roles;
and the verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and the pre-stored authorization relation data, whether the user has the authority to access the target resource under the target authorized instance includes:
verifying, according to the correspondence between the IDs of authorized users and authorized roles and the correspondence between each candidate role and its authorized instances and resources, whether the first user identifier matches the target authorized instance and the target resource;
if they match, the user has the authority to access the target resource under the target authorized instance; if they do not match, the user does not have the authority to access the target resource under the target authorized instance.
3. The method according to claim 2, characterised in that the business system corresponds to a global authorized domain, the global authorized domain corresponds to one and only one system-level authorized instance, and the resource set corresponding to the system-level authorized instance is the set made up of the system-level resources of the business system.
4. The method according to any one of claims 1-3, characterised in that it further includes:
when the application instance corresponding to a business scenario of the business system changes, synchronously updating the authorized instance information of the changed application instance.
5. The method according to claim 4, characterised in that the synchronously updating the authorized instance information of the changed application instance when the application instance corresponding to a business scenario of the business system changes includes:
when a business scenario creates a new application instance, generating a corresponding authorized instance for the new application instance of the business scenario through a preset synchronization interface;
when the application instance corresponding to a business scenario is modified, applying the corresponding information modification to the authorized instance of the modified application instance of the business scenario through the synchronization interface;
when the application instance corresponding to a business scenario is deleted, removing the authorized instance corresponding to the deleted application instance through the synchronization interface.
6. An access control system, characterised in that it includes:
an interception module for intercepting a service request sent by a user to a business system, the service request including a first user identifier, an authorized instance identifier and a resource identifier; wherein the business system includes at least one business scenario, each business scenario corresponds to a set of authorized instances, and each authorized instance in the set of authorized instances corresponds to the resource set provided by one application instance of the corresponding business scenario; the target resource indicated by the resource identifier belongs to the resource set corresponding to a target authorized instance, the target authorized instance being the authorized instance indicated by the authorized instance identifier;
a verification module for verifying, based on the first user identifier, the authorized instance identifier, the resource identifier and pre-stored authorization relation data, whether the user has the authority to access the target resource under the target authorized instance;
a control module for sending, when verification succeeds, the service request to the business system so that the business system responds to the service request, and for performing predetermined error handling when verification fails.
7. The system according to claim 6, characterised in that each business scenario in the business system corresponds to an authorized domain, and each authorized domain corresponds to a set of authorized instances and a set of candidate roles; each candidate role in the set of candidate roles corresponds to some or all of the resources of at least one authorized instance under the corresponding authorized domain; the authorization relation data includes the correspondence between user IDs and authorized roles, and the authorized roles belong to the set of candidate roles;
and the verification module includes:
a verification unit for verifying, according to the correspondence between the IDs of authorized users and authorized roles and the correspondence between each candidate role and its authorized instances and resources, whether the first user identifier matches the target authorized instance and the target resource;
a determination unit for determining, when they match, that the user has the authority to access the target resource under the target authorized instance, and, when they do not match, that the user does not have the authority to access the target resource under the target authorized instance.
8. The system according to any one of claims 6-7, characterised in that it further includes:
a synchronized update module for synchronously updating, when the application instance corresponding to a business scenario of the business system changes, the authorized instance information of the changed application instance.
9. The system according to claim 8, characterised in that the synchronized update module includes:
a first synchronization unit for generating, when a business scenario creates a new application instance, a corresponding authorized instance for the new application instance of the business scenario through a preset synchronization interface;
a second synchronization unit for applying, when the application instance corresponding to a business scenario is modified, the corresponding information modification to the authorized instance of the modified application instance of the business scenario through the synchronization interface;
a third synchronization unit for removing, when the application instance corresponding to a business scenario is deleted, the authorized instance corresponding to the deleted application instance through the synchronization interface.
CN201610707925.9A 2016-08-23 2016-08-23 A kind of access control method and system Pending CN106302492A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610707925.9A CN106302492A (en) 2016-08-23 2016-08-23 A kind of access control method and system

Publications (1)

Publication Number Publication Date
CN106302492A true CN106302492A (en) 2017-01-04

Family

ID=57614820

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610707925.9A Pending CN106302492A (en) 2016-08-23 2016-08-23 A kind of access control method and system

Country Status (1)

Country Link
CN (1) CN106302492A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108521411A (en) * 2018-04-02 2018-09-11 中国银行股份有限公司 Access control method, apparatus and system based on access control policy
CN109241727A (en) * 2018-08-15 2019-01-18 腾讯科技(深圳)有限公司 Authority setting method and device
CN109617926A (en) * 2019-01-28 2019-04-12 广东淘家科技有限公司 Control method, device and the storage medium of service authority
CN110196853A (en) * 2019-05-29 2019-09-03 深圳图为技术有限公司 A kind of method, apparatus and scene workbench browsing model
CN110708298A (en) * 2019-09-23 2020-01-17 广州海颐信息安全技术有限公司 Method and device for centralized management of dynamic instance identity and access
CN111026963A (en) * 2019-12-04 2020-04-17 贝壳技术有限公司 Data query method and device, and configuration information setting method and device
CN111339507A (en) * 2020-02-24 2020-06-26 杭州数梦工场科技有限公司 Method, system, equipment and readable storage medium for processing access request
CN112100585A (en) * 2020-08-19 2020-12-18 北京小米移动软件有限公司 Authority management method, device and storage medium
CN112464212A (en) * 2020-03-30 2021-03-09 上海汇招信息技术有限公司 Data authority control reconstruction method based on mature complex service system
CN115174177A (en) * 2022-06-27 2022-10-11 广东美云智数科技有限公司 Authority management method, device, electronic apparatus, storage medium and program product

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101448002A (en) * 2008-12-12 2009-06-03 北京大学 Method and device for accessing digital resources
CN102231693A (en) * 2010-04-22 2011-11-02 北京握奇数据系统有限公司 Method and apparatus for managing access authority
CN102377589A (en) * 2010-08-12 2012-03-14 华为终端有限公司 Right management control method and terminal
US20130310003A1 (en) * 2012-05-17 2013-11-21 Cellco Partnership D/B/A Verizon Wireless Systems and methods for authenticating applications for access to secure data using identity modules
CN105100051A (en) * 2015-05-29 2015-11-25 北京京东尚科信息技术有限公司 Method and system for realizing data resource access right control
CN105721420A (en) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 Access authority control method and reverse agent server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20191217

Address after: Room 04, floor 16, unit 1, building 11, Qingdu New Territories, Taigu City, Huitong, No. 63, Fengcheng 12th Road, Xi'an Economic and Technological Development Zone, 710000 Shaanxi Province

Applicant after: Xi'an fanxi Intelligent Information Technology Co.,Ltd.

Address before: 063000 Tangshan City Road, North Wing Road, east of the south side of the source road, Hebei Tong Tong Building

Applicant before: TANGSHAN XINZHIDIAN TECHNOLOGY Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20170104