CN106973031B - Resource access control method, device and system - Google Patents


Info

Publication number
CN106973031B
Authority
CN
China
Prior art keywords
access
resource
access control
accessed
allowed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610022213.3A
Other languages
Chinese (zh)
Other versions
CN106973031A (en)
Inventor
周巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Telecommunications Technology CATT
Original Assignee
China Academy of Telecommunications Technology CATT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by China Academy of Telecommunications Technology CATT
Priority to CN201610022213.3A
Priority to PCT/CN2016/112754 (WO2017121240A1)
Publication of CN106973031A
Application granted
Publication of CN106973031B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Managing network security; network security policies in general
    • H04L 63/10: Controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a resource access control method, device and system. In the method, an access control decision request sent by a PEP is received; the request identifies the target object whose access is requested, and the target object comprises a resource attribute and/or a sub-resource. An access control policy for deciding the access right of the request is obtained, the policy containing a rule for deciding the access right of the target object. The access right of the request is then decided according to the obtained policy, and the decision result is returned to the PEP. In this way the initiator's access to the target resource is controlled at a finer granularity: access to specific attributes and specific sub-resources of the target resource can be permitted or denied individually.

Description

Resource access control method, device and system
Technical Field
The present invention relates to the field of communications, and in particular, to a method, an apparatus, and a system for controlling access to a resource.
Background
The Internet of Things standardization organization oneM2M is dedicated to developing a series of specifications for a common M2M (Machine-to-Machine) service layer. The core of oneM2M is data sharing, specifically the sharing of data items held on the resource trees defined within oneM2M CSEs (Common Services Entities).
oneM2M enables sharing of and interaction with service layer resources through operations on a standardized resource tree, which resides in a Common Services Entity (CSE) defined by the oneM2M system. The form of the oneM2M resource tree is shown in FIG. 1, following the definition in the oneM2M Functional Architecture specification (oneM2M TS-0001: "Functional Architecture"). Create, Retrieve, Update and Delete operations may be performed on oneM2M resources.
Among the resources defined by oneM2M, the one related to authorization is the access control policy resource <accessControlPolicy>, which stores an Access Control Policy (ACP). An <accessControlPolicy> resource is uniquely identified by its resource ID, and other resources specify the access control policies applicable to them through their accessControlPolicyIDs attribute. The privileges attribute of an <accessControlPolicy> resource stores the access control policy applied to the resources that reference it, and the selfPrivileges attribute stores the access control policy that governs the <accessControlPolicy> resource itself. The policy stored in privileges or selfPrivileges consists of a set of access control rules.
Each access control rule is a 3-tuple: accessControlOriginators, accessControlContexts and accessControlOperations. accessControlOriginators identifies the originators of the access and may hold an application entity identifier (AE-ID), a common services entity identifier (CSE-ID) or the resource identifier of a group; accessControlContexts holds context conditions such as time, location or IP address; accessControlOperations holds the operations, such as create, retrieve, update and delete, that the originator is allowed to perform on the target resource.
An <accessControlPolicy> resource may be assigned to a target resource directly or indirectly through the accessControlPolicyIDs attribute, and from that attribute the oneM2M access control system determines the access control policy applicable to the target resource.
oneM2M currently defines more than 20 resource types that may carry <accessControlPolicy> child resources or an accessControlPolicyIDs attribute. For resources with a more complex structure, however, this per-resource access control is too coarse to meet actual requirements: a rule either grants an operation on the whole resource or does not grant it at all.
Disclosure of Invention
The embodiment of the invention provides a resource access control method, a resource access control device and a resource access control system, which are used for controlling access of target resources in a finer granularity.
The resource access control method provided by the embodiment of the invention comprises the following steps:
receiving an access control decision request sent by a Policy Enforcement Point (PEP), wherein the access control decision request comprises a target object whose access is requested, and the target object comprises a resource attribute and/or a sub-resource;
obtaining an access control policy for deciding the access right of the access control decision request, wherein the access control policy comprises a rule for deciding the access right of the target object;
and deciding the access right of the access control decision request according to the obtained access control policy, and returning the access right decision result to the PEP.
Specifically, deciding the access right of the access control decision request according to the obtained access control policy includes:
if the requested resource attribute is not among the resource attributes allowed by the rule for deciding the access right of the resource attributes of the target resource, deciding that access to the target resource is denied, wherein the target resource is the resource whose access is requested by the access control decision request; or,
if the requested sub-resource is not among the sub-resources allowed by the rule for deciding the access right of the sub-resources of the target resource, deciding that access to the target resource is denied, wherein the target resource is the resource whose access is requested by the access control decision request.
Specifically, the rule for determining the access right of the resource attribute includes a resource attribute list allowing access, where the resource attribute list allowing access includes one of the following contents:
one or more resource attributes allowed to be accessed or indication information of the resource attributes;
indication information for indicating that all resource attributes are allowed to be accessed;
and indication information for indicating that all resource attributes are not allowed to be accessed.
Specifically, if the rule for determining the access permission of the resource attribute does not include the resource attribute list allowed to be accessed, the rule indicates that all the resource attributes are not allowed to be accessed.
Specifically, the rule for determining the access right of the sub-resource includes a sub-resource list, where the sub-resource list includes one of the following contents:
one or more of the child resources allowed to be accessed or indication information of the child resources;
indication information for indicating that all the child resources are allowed to be accessed;
and indication information for indicating that all the child resources are not allowed to be accessed.
Specifically, if the child resource list is not included in the rule for determining the access permission of the child resource, the rule indicates that all the child resources are not allowed to be accessed.
Optionally, the access control decision request further includes indication information of a target resource requested to be accessed;
the access control policy for making the access right decision on the access control decision request also comprises a list of target resources allowed to be accessed;
the performing permission judgment on the access control decision request according to the obtained access control policy includes:
and if the indication information of the target resource in the access control decision request is not in the target resource list allowing access, determining that the target resource requested by the access control decision request is denied to be accessed.
Optionally, the access control decision request further includes a provide-advice indication;
the method further comprises the following steps:
if the decision is that access to the target resource requested by the access control decision request is denied, obtaining, according to the provide-advice indication, a list of suggested target objects to request, wherein the resource attributes and/or sub-resources in that list are ones the initiator of the access control decision request is allowed to access;
and sending the list of suggested target objects to the PEP.
Preferably, the access control decision request further includes an initiator identifier and operation type indication information, the latter indicating the type of operation requested on the target resource;
the access control policy for making the access right decision on the access control decision request further includes: a list of allowed initiators, a list of operations allowed on the target resource, and a list of context conditions;
deciding the access right of the access control decision request according to the obtained access control policy then comprises the following step:
and if one of the following conditions is met, determining that the target resource requested by the access control decision request is denied access:
the initiator identification is not in the allowed access initiator list;
the operation type indicated by the operation type indication information is not in the operation list allowed to act on the target resource;
the access control decision request does not satisfy a context condition in the list of context conditions.
The policy decision point device provided by the embodiment of the invention comprises:
a receiving module, configured to receive an access control decision request sent by a Policy Enforcement Point (PEP), wherein the access control decision request comprises a target object whose access is requested, and the target object comprises a resource attribute and/or a sub-resource;
an obtaining module, configured to obtain an access control policy for making an access right decision on the access control decision request, wherein the access control policy comprises a rule for deciding the access right of the target object;
and a decision module, configured to decide the access right of the access control decision request according to the obtained access control policy and to return the access right decision result to the PEP.
Specifically, the decision module is specifically configured to:
if the requested resource attribute is not among the resource attributes allowed by the rule for deciding the access right of the resource attributes of the target resource, decide that access to the target resource is denied, wherein the target resource is the resource whose access is requested by the access control decision request; or,
if the requested sub-resource is not among the sub-resources allowed by the rule for deciding the access right of the sub-resources of the target resource, decide that access to the target resource is denied, wherein the target resource is the resource whose access is requested by the access control decision request.
Specifically, the rule for determining the access right of the resource attribute includes a resource attribute list allowing access, where the resource attribute list allowing access includes one of the following contents:
one or more resource attributes allowed to be accessed or indication information of the resource attributes;
indication information for indicating that all resource attributes are allowed to be accessed;
and indication information for indicating that all resource attributes are not allowed to be accessed.
Specifically, if the rule for determining the access permission of the resource attribute does not include the resource attribute list allowed to be accessed, the rule indicates that all the resource attributes are not allowed to be accessed.
Specifically, the rule for determining the access right of the sub-resource includes a sub-resource list, where the sub-resource list includes one of the following contents:
one or more of the child resources allowed to be accessed or indication information of the child resources;
indication information for indicating that all the child resources are allowed to be accessed;
and indication information for indicating that all the child resources are not allowed to be accessed.
Specifically, if the child resource list is not included in the rule for determining the access permission of the child resource, the rule indicates that all the child resources are not allowed to be accessed.
Optionally, the access control decision request further includes indication information of a target resource requested to be accessed;
the access control policy for making the access right decision on the access control decision request also comprises a list of target resources allowed to be accessed;
the judgment module is specifically configured to:
and if the indication information of the target resource in the access control decision request is not in the target resource list allowing access, determining that the target resource requested by the access control decision request is denied to be accessed.
Optionally, the access control decision request further includes a provide-advice indication;
the apparatus further comprises a suggestion module configured to:
if the decision is that access to the target resource requested by the access control decision request is denied, obtain, according to the provide-advice indication, a list of suggested target objects to request, wherein the resource attributes and/or sub-resources in that list are ones the initiator of the access control decision request is allowed to access;
and sending the target object list which is recommended to request to access to the PEP.
The resource access control system provided by the embodiment of the invention comprises: a policy enforcement point PEP and a policy decision point PDP;
the PEP is used for receiving a resource access request and sending an access control decision request to the PDP according to the resource access request, wherein the access control decision request comprises a target object which requests to access, and the target object comprises a resource attribute and/or a sub-resource;
the PDP is used for obtaining an access control policy for making an access right decision on the access control decision request, wherein the access control policy comprises a rule for deciding the access right of the target object; deciding the access right of the access control decision request according to the obtained access control policy; and returning the access right decision result to the PEP.
Specifically, the PDP is specifically configured to:
if the requested resource attribute is not among the resource attributes allowed by the rule for deciding the access right of the resource attributes of the target resource, decide that access to the target resource is denied, wherein the target resource is the resource whose access is requested by the access control decision request; or,
if the requested sub-resource is not among the sub-resources allowed by the rule for deciding the access right of the sub-resources of the target resource, decide that access to the target resource is denied, wherein the target resource is the resource whose access is requested by the access control decision request.
Specifically, the rule for determining the access right of the resource attribute includes a resource attribute list allowing access, where the resource attribute list allowing access includes one of the following contents:
one or more resource attributes allowed to be accessed or indication information of the resource attributes;
indication information for indicating that all resource attributes are allowed to be accessed;
and indicating information for indicating that all resource attributes are not allowed to be accessed.
Specifically, if the rule for determining the access permission of the resource attribute does not include the resource attribute list allowed to be accessed, the rule indicates that all the resource attributes are not allowed to be accessed.
Specifically, the rule for determining the access right of the sub-resource includes a sub-resource list, where the sub-resource list includes one of the following contents:
one or more of the child resources allowed to be accessed or indication information of the child resources;
indication information for indicating that all the child resources are allowed to be accessed;
and indicating information for indicating that all the child resources are not allowed to be accessed.
Specifically, if the child resource list is not included in the rule for determining the access permission of the child resource, the rule indicates that all the child resources are not allowed to be accessed.
Optionally, the access control decision request further includes indication information of a target resource requested to be accessed;
the access control policy for making the access right decision on the access control decision request also comprises a list of target resources allowed to be accessed;
the PDP is specifically configured to:
and if the indication information of the target resource in the access control decision request is not in the target resource list allowing access, determining that the target resource requested by the access control decision request is denied to be accessed.
In the above embodiment of the present invention, on the one hand the access control decision request carries the target object of the resource whose access is requested, the target object being a resource attribute and/or a sub-resource of that resource, and on the other hand the access control policy used to decide the request carries a rule for deciding the access right of that target object. Deciding the request against this rule therefore controls access to the target resource in more detail: access to a specific attribute or a specific sub-resource of the target resource can be permitted or denied individually.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a prior art oneM2M resource tree;
FIG. 2 is a diagram illustrating a prior art architecture for resource access control;
fig. 3 is a schematic flowchart of a resource access control method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a resource access control apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of another resource access control apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The resource access control architecture given in the oneM2M Security Solutions specification (oneM2M TS-0003: Security Solutions), shown in fig. 2, comprises the following components:
Policy Enforcement Point (PEP): the PEP is co-located with the application system that needs access control and is called by it. The PEP generates the corresponding access control decision request from the initiator's access request, sends it to the policy decision point, and then determines whether the access request is executed according to the access control decision response from the policy decision point.
Policy Decision Point (PDP): the PDP is responsible for judging whether to grant access to the target resource requested by the access control request sent by the PEP according to the access control strategy and returning the judgment result to the PEP through the access control response.
Policy Retrieval Point (PRP): the PRP acquires an applicable access control policy according to a policy request provided by the PDP, and returns the acquired access control policy to the PDP.
Policy Information Point (PIP): the PIP acquires attributes related to the user, the resource or the environment, such as an IP address of an access user, a creator of the resource, a current time, etc., according to a request of the PDP, and then returns the acquired various attributes to the PDP.
The basic resource access control flow of oneM2M is as follows:
1) the initiator sends a resource Access Request (Access Request) to the PEP.
2) The PEP sends an access control decision request (Decision Request) to the PDP according to the initiator's resource access request.
3) The PDP sends an access control policy request (Policy Request) to the PRP according to the PEP's access control decision request.
4) The PRP returns an access control policy response (Policy Response) containing the access control policy to the PDP.
5) The PDP analyses and decides on the content of the access control decision request and of the access control policy; if further attributes are needed for the decision, it sends an access control attribute request (Attribute Request) to the PIP, otherwise it proceeds to step 7.
6) The PIP sends an access control attribute response to the PDP, the access control attribute response including the access control related attribute obtained according to the access control attribute request.
7) The PDP sends an access control Decision Response (Decision Response) to the PEP, which includes the Decision result.
8) And the PEP determines whether to execute the access of the initiator or not according to the judgment result in the access control decision response.
The embodiment of the invention extends the content of the access control decision request and the rules of the access control policy in the above flow, and improves the PDP's analysis and decision process for the extended content, so that access to the target resource is controlled at a finer granularity.
In the access control decision request, one or both of the following two items of information are added:
(1) Attribute Access List (ATL): information about the resource attributes requested, for example their attribute names.
(2) Sub-resource Access List (ASL): information about the sub-resources requested, for example their sub-resource names.
Optionally, on this basis, the access control decision request may further carry:
(3) Provide-advice indication (ar): indicates whether the PDP should provide its suggested attribute access list and/or sub-resource access list. The resource attributes in the suggested attribute access list, and the sub-resources in the suggested sub-resource access list, are ones the originator of the access control decision request is allowed to access. The indication may be a binary value, for example 0 meaning that no suggestion is needed and 1 meaning that a suggestion is requested.
Preferably, all three items are added to the access control decision request, so that together with the three items already present they form a six-tuple decision request. The three items already present in the access control decision request are:
(1) indication information of the target resource: the "to" parameter, indicating the target resource for which access is requested;
(2) the initiator identification: the "fr" parameter, which indicates the originator of the access control decision request;
(3) operation type indication information: i.e., an "op" parameter, indicating the type of operation requested to act on the target resource, which may be one of create, query, update, delete.
In the access control policy, one or a combination of the following two rules is added:
(1) List of resource attributes allowed to be accessed (permittedAttributes): the resource attributes that may be accessed are obtained from this list. The list contains one of the following:
- one or more resource attributes allowed to be accessed, or indication information for them, which may specifically be the attribute names;
- indication information that all resource attributes are allowed to be accessed, e.g. "ALL";
- indication information that no resource attribute is allowed to be accessed, e.g. "NULL".
In some embodiments, the "list of resource attributes allowed to be accessed" may not be included in the access control policy, in which case the access control policy indicates that all resource attributes are not allowed to be accessed.
(2) List of sub-resources allowed to be accessed (permittedSubResources): the sub-resources that may be accessed are obtained from this list. The list contains one of the following:
- one or more sub-resources allowed to be accessed, or indication information for them, which may specifically be the sub-resource names;
- indication information that all sub-resources are allowed to be accessed, e.g. "ALL";
- indication information that no sub-resource is allowed to be accessed, e.g. "NULL".
In some embodiments, the "list of child resources allowed to be accessed" may not be included in the access control policy, in which case the access control policy indicates that all child resources are not allowed to be accessed.
Optionally, the access control policy may further include:
(3) List of target resources allowed to be accessed (accessControlResources): the list may contain the addresses or identifiers of the target resources that are allowed to be accessed.
Preferably, all three of the following rules are also added to the access control policy; together with the three rules above they form a six-tuple access control policy. The three additional rules are:
(1) List of allowed access initiators (accessControlOriginators): the list contains information about the initiators that are allowed to initiate access to the target resource; for example, an initiator may be identified by an AE-ID, a CSE-ID or a group;
(2) List of operations allowed to act on the target resource (accessControlOperations): the list contains indication information of the operation types allowed to act on the target resource; for example, the operation type may be one of create, retrieve, update, delete and notify;
(3) List of context conditions (accessControlContexts): the list contains context conditions that limit the scope of applicability of the rule, such as the time of access, and the location and IP address of the initiator.
According to the six-tuple rule, when the context conditions described in accessControlContexts are satisfied, an allowed access initiator described in accessControlOriginators may perform an operation described in accessControlOperations on the resource attributes described by permittedAttributes and/or the sub-resources described by permittedSubResources of a resource described in accessControlResources.
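The six-tuple semantics can be stated as one permit predicate. This formalisation is added here and is not notation from the patent: $q$ is an access control decision request carrying target resource $t_q$, initiator $o_q$, operation $op_q$, requested attribute set $A_q$, requested sub-resource set $S_q$ and context $\gamma_q$; $r$ ranges over the six-tuple rules of the access control policy $\mathrm{ACP}$, and $\gamma_q \models r.\mathrm{accessControlContexts}$ means that the request satisfies every context condition of $r$.

$$
\mathrm{Permit}(q) \iff \exists\, r \in \mathrm{ACP}:\;
t_q \in r.\mathrm{accessControlResources} \;\wedge\;
o_q \in r.\mathrm{accessControlOriginators} \;\wedge\;
op_q \in r.\mathrm{accessControlOperations} \;\wedge\;
\gamma_q \models r.\mathrm{accessControlContexts} \;\wedge\;
A_q \subseteq r.\mathrm{permittedAttributes} \;\wedge\;
S_q \subseteq r.\mathrm{permittedSubResources}
$$

Here an "ALL" entry stands for the universal set, and a "NULL" entry or an omitted list for the empty set, so an omitted list denies every non-empty request for that kind of object. The existential quantifier is what makes a policy with several rules permissive as soon as one rule passes every check, even when the other rules fail one of them.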
In the embodiment of the present application, one access control policy includes a "list of resource attributes allowed to be accessed" and/or a "list of sub-resources allowed to be accessed". The "list of resource attributes allowed to be accessed" in one access control policy applies to the access permission decision for target resources that have the same attributes and the same operation type for each attribute, and the "list of sub-resources allowed to be accessed" in one access control policy applies to the access permission decision for target resources that have the same sub-resources and the same operation type for each sub-resource.
Based on the resource access control architecture shown in fig. 2 and the extension of the rules included in the access control decision request and the access control policy, fig. 3 shows a resource access control method provided in an embodiment of the present invention.
Referring to fig. 3, which is a schematic flowchart of a resource access control method provided in an embodiment of the present invention, the method includes:
Step 301: the initiator sends a resource access request to the PEP.
The resource access request may include: indication information of the target resource (such as an address or an identifier of the target resource), an identifier of the initiator, indication information of the operation type, and the like. The resource access request may further include a content parameter, which may include a resource attribute and/or a name or an identifier of the sub-resource.
Step 302: after receiving the resource access request sent by the initiator, the PEP sends an access control decision request to the PDP.
The access control decision request includes the target object of the target resource requested to be accessed. The target object includes the resource attributes of the target resource, or the sub-resources of the target resource, or both the resource attributes and the sub-resources of the target resource.
The PEP may determine the target object of the target resource according to the resource access request sent by the initiator. Specifically, the target object of the target resource can be determined in two ways:
Mode 1: the PEP determines the target object of the target resource according to the content parameter in the resource access request sent by the initiator. The content parameter may include a resource attribute and/or the name or identifier of a sub-resource, and the PEP determines the corresponding resource attribute and/or sub-resource as the target object accordingly.
Mode 2: the PEP determines which resource attributes and/or sub-resources are to be treated as the target object according to the target resource in the resource access request sent by the initiator. For example, if the resource access request asks to create a sub-resource in the target resource, the sub-resource to be created is determined as the target object; if the resource access request asks to query the target resource, the resource attributes and/or sub-resources of the target resource to be queried are determined as the target object.
The access control decision request may further include indication information of a target resource requested to be accessed (such as an address or an identifier of the target resource), an identifier of an initiator requested to be accessed, and information of an operation type requested to act on the target resource.
Step 303: after receiving the access control decision request sent by the PEP, the PDP obtains the access control policy used to make the access permission decision on the access control decision request; the access control policy includes a rule for deciding the access permission of the target object of the target resource.
In this step, the PDP may send an access control policy request to the PRP according to the access control decision request and obtain the corresponding access control policy from the PRP, or it may obtain the corresponding access control policy from a cache of the PDP according to the access control decision request.
In the above process, when the PDP obtains the access control policy, the corresponding access control policy may be obtained according to the target resource in the access control decision request, or the corresponding access control policy may be obtained according to the target resource and the initiator in the access control decision request.
Further, the access control policy for making an access right decision on the access control decision request may further include a list of target resources allowed to be accessed.
Furthermore, the access control policy for making an access right decision for the access control decision request may further include: a list of allowed access initiators, a list of allowed operations to act on the target resource, and a list of context conditions.
Step 304: the PDP makes the access permission decision on the access control decision request according to the obtained access control policy and returns the access permission decision result to the PEP.
In step 304, when the access permission decision is made on the access control decision request, the decision is made against each rule in the access control policy, which may specifically include the following cases:
case 1: the access control decision request comprises a resource attribute access list "
For this case, if the resource attribute of the target resource requested to be accessed listed in the "resource attribute access list" in the access control decision request is not in the "resource attribute list allowed to be accessed" in the access control policy, it is determined that the target resource requested by the access control decision request is denied access. If the resource attribute of the target resource requested to be accessed listed in the resource attribute access list in the access control decision request is in the resource attribute list allowed to be accessed in the access control policy, the decision can be further made by combining other rules in the access control policy.
Case 2: the access control decision request comprises a sub-resource access list "
For this case, if the child resources of the target resource requested to be accessed listed in the "child resource access list" in the access control decision request are not in the "child resource list allowed to be accessed" in the access control policy, it is determined that the target resource requested by the access control decision request is denied access. If the child resources of the target resource requested to be accessed listed in the "child resource access list" in the access control decision request are in the "child resource list allowed to be accessed" in the access control policy, a decision can be further made in combination with other rules in the access control policy.
Case 3: the access control decision request includes 'indication information of target resource'
In this case, if the target resource requested to be accessed, which is indicated by the "target resource indication information" in the access control decision request, is not in the "target resource list allowed to be accessed" in the access control policy, it is determined that the access to the target resource requested by the access control decision request is denied. If the target resource requested to be accessed, which is indicated by the "indication information of the target resource" in the access control decision request, is in the "target resource list allowed to be accessed" in the access control policy, the decision can be further made in combination with other rules in the access control policy.
Case 4: inclusion of an "initiator identification" in an access control decision request "
For this case, if the initiator requesting access indicated by the "initiator identifier" in the access control decision request is not in the "allowed access initiator list" in the access control policy, it is determined to deny access to the target resource requested by the access control decision request. If the initiator requesting access indicated by the "initiator identification" in the access control decision request is in the "allowed access initiator list" in the access control policy, a decision may be made further in connection with other rules in the access control policy.
Case 5: the access control decision request includes 'operation type indication information'
In this case, if the operation type requested to act on the target resource indicated by the "operation type indication information" in the access control decision request is not in the "operation list allowed to act on the target resource" in the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the operation type requested to act on the target resource indicated by the "operation type indication information" in the access control decision request is in the "operation list allowed to act on the target resource" in the access control policy, a decision may be further made in combination with other rules in the access control policy.
Case 6: the access control policy includes a "context condition list"
For this situation, if the access control decision request does not satisfy the context condition included in the "context condition list" in the access control policy, it is determined to deny access to the target resource requested by the access control decision request. If the access control decision request meets the context condition contained in the "context condition list" in the access control policy, the decision can be further made in combination with other rules in the access control policy.
In some embodiments, in step 301, the access control decision request sent by the PEP may include a "provide suggestion indication"; accordingly, in step 304, the PDP obtains a list of target objects suggested for access, i.e. the resource attributes and/or sub-resources that the initiator of the access control decision request is allowed to access, and sends this list to the PEP. The resource attributes in the suggested resource attribute list may be the resource attributes allowed to be accessed, or the intersection of the resource attributes allowed to be accessed and the resource attributes requested to be accessed; the sub-resources in the suggested sub-resource list may be the sub-resources allowed to be accessed, or the intersection of the sub-resources allowed to be accessed and the sub-resources requested to be accessed. The suggested resource attributes and/or sub-resources of the target resource may be included in the decision result sent to the PEP, or may be sent to the PEP separately; the present invention does not limit this.
That is, the initiator asks the PDP to provide the resource attributes and/or sub-resources of the target resource that are suggested for access, so that the access control decision request can be modified such that the modified access control decision request is allowed to access the requested target resource.
In the above embodiment of the present invention, on the one hand, the access control decision request includes the target object of the target resource requested to be accessed, where the target object includes resource attributes and/or sub-resources of the target resource; on the other hand, the access control policy used to make the access permission decision on the access control decision request includes a rule for deciding the access permission of the target object of the target resource. Deciding the access control decision request according to this rule therefore allows finer-grained control over access to the target resource, that is, control over which specific attributes and which specific sub-resources of the target resource may be accessed.
To make the above embodiments of the present invention clearer, a specific implementation process is described below by taking a specific application scenario as an example.
Embodiment one: no suggestion indication is required
CSE1 represents a common service entity in a oneM2M system, and AE1, AE2 and AE3 represent three application entities in the oneM2M system.
After AE1 registers with CSE1, the resource allocated by CSE1 to AE1 is denoted <AE1>.
<ACP1> represents an access control policy resource. <ACP1> contains the access control policy set ACP1. ACP1 contains two policies, RULE1 and RULE2. Each policy comprises, in order: the list of target resources allowed to be accessed, the list of resource attributes allowed to be accessed, the list of sub-resources allowed to be accessed, the list of allowed access initiators, the list of operations allowed to act on the target resource, and the list of context conditions; the lists are separated by semicolons.
The contents of RULE1 are:
[(<AE1>);(pointOfAccess,ontologyRef);(ALL);(AE1);(Create,Retrieve,Update,Delete);()]
where (<AE1>) indicates that the only target resource allowed to be accessed is <AE1>; (pointOfAccess,ontologyRef) indicates that the resource attributes allowed to be accessed are the pointOfAccess attribute and the ontologyRef attribute; (ALL) indicates that all sub-resources of the target resource are allowed to be accessed; (AE1) indicates that AE1 is allowed to initiate access; (Create,Retrieve,Update,Delete) indicates that the operations allowed to act on the target resource are create, retrieve, update and delete; () indicates that there is no context condition restriction.
The contents of RULE2 are:
[(<AE1>);(appName,App-ID,AE-ID,nodeLink);(<container>,<group>);(AE1,AE2,AE3);(Retrieve);()]
where (<AE1>) indicates that the only target resource allowed to be accessed is <AE1>; (appName,App-ID,AE-ID,nodeLink) indicates that the resource attributes allowed to be accessed are the appName, App-ID, AE-ID and nodeLink attributes; (<container>,<group>) indicates that the sub-resources of the target resource of type container and group are allowed to be accessed; (AE1,AE2,AE3) indicates that AE1, AE2 and AE3 are allowed to initiate access; (Retrieve) indicates that the only operation allowed to act on the target resource is retrieve; () indicates that there is no context condition restriction.
The resource access flow for access request 1 may include:
The initiator AE1 sends a resource access request to the PEP, the content of which is:
(to="<AE1>";fr="AE1";op="Create";resourceType="container";content="resourceName="CONTAINER1";maxByteSize="1024"")
where to="<AE1>" indicates that the target resource requested to be accessed is <AE1>, fr="AE1" indicates that the initiator of the request is AE1, op="Create" indicates that the operation requested to act on the target resource is the creation of a sub-resource, resourceType="container" indicates that the type of the sub-resource to be created is container, and content="resourceName="CONTAINER1";maxByteSize="1024"" indicates that the name of the sub-resource to be created is CONTAINER1 and that its maxByteSize is 1024.
After receiving the resource access request sent by AE1, the PEP sends an access control decision request to the PDP according to the resource access request. The access control decision request contains:
(to="<AE1>";fr="AE1";op="Create";asl="container")
where to="<AE1>" indicates that the target resource requested to be accessed is <AE1>, fr="AE1" indicates that the initiator of the request is AE1, op="Create" indicates that the operation requested to act on the target resource is the creation of a sub-resource, and asl="container" indicates that the sub-resource of type container among the sub-resources of <AE1> is to be accessed.
After receiving the access control decision request sent by the PEP, the PDP sends an access control policy request to the PRP; the PRP returns ACP1 to the PDP according to the request, and the PDP decides the access control decision request against ACP1 in the following steps:
First, whether the policies in ACP1 apply to the access control decision request is determined from the to and fr parameters of the access control decision request. The to parameter indicates that access to <AE1> is requested and the fr parameter indicates that the initiator is AE1; both RULE1 and RULE2 in ACP1 allow access to <AE1> and their allowed initiators include AE1, so both RULE1 and RULE2 are determined to be applicable.
Second, it is determined whether the access control decision request satisfies the context conditions in RULE1 and RULE2. Since neither RULE1 nor RULE2 restricts the context conditions, the access control decision request is determined to satisfy the context conditions of both rules.
Then, it is determined whether the operation type requested to act on the target resource is allowed, according to the lists of operations allowed to act on the target resource in RULE1 and RULE2. The requested operation type is create; RULE1 allows the create operation on the target resource but RULE2 does not, so the decision continues with RULE1 only.
Finally, it is determined whether all the requested sub-resources are included in the list of sub-resources allowed to be accessed in RULE1. Since RULE1 allows the initiator to access all sub-resources, the list of sub-resources allowed to be accessed in RULE1 is determined to include all the sub-resources requested to be accessed.
After the above decision steps, the PDP's decision result for the access control decision request is that the request is allowed to be executed. The PDP therefore sends an access control decision response to the PEP with the content (decision="Permit").
The resource access flow for access request 2 may include:
The initiator AE2 sends a resource access request to the PEP, the content of which is:
(to="<AE1>";fr="AE2";op="Create";resourceType="container";content="resourceName="CONTAINER1";maxByteSize="1024"")
where to="<AE1>" indicates that the target resource requested to be accessed is <AE1>, fr="AE2" indicates that the initiator of the request is AE2, op="Create" indicates that the operation requested to act on the target resource is the creation of a sub-resource, resourceType="container" indicates that the type of the sub-resource to be created is container, and content="resourceName="CONTAINER1";maxByteSize="1024"" indicates that the name of the sub-resource to be created is CONTAINER1 and that its maxByteSize is 1024.
After receiving the resource access request sent by AE2, the PEP sends an access control decision request to the PDP according to the resource access request. The access control decision request contains:
(to="<AE1>";fr="AE2";op="Create";asl="container")
where to="<AE1>" indicates that the target resource requested to be accessed is <AE1>, fr="AE2" indicates that the initiator of the request is AE2, op="Create" indicates that the operation requested to act on the target resource is the creation of a sub-resource, and asl="container" indicates that the sub-resource of type container among the sub-resources of <AE1> is to be accessed.
After receiving the access control decision request sent by the PEP, the PDP sends an access control policy request to the PRP; the PRP returns ACP1 to the PDP according to the request, and the PDP decides the access control decision request against ACP1 in the following steps:
First, whether the policies in ACP1 apply to the access control decision request is determined from the to and fr parameters of the access control decision request. The to parameter indicates that access to <AE1> is requested and the fr parameter indicates that the initiator is AE2; both RULE1 and RULE2 in ACP1 allow access to <AE1>, but only the allowed initiators of RULE2 include AE2, so only RULE2 is determined to be applicable.
Second, it is determined whether the access control decision request satisfies the context conditions in RULE2. Since RULE2 does not restrict the context conditions, the access control decision request is determined to satisfy the context conditions of RULE2.
Then, it is determined whether the operation type requested to act on the target resource is allowed, according to the list of operations allowed to act on the target resource in RULE2. The requested operation type is create, and RULE2 does not allow the create operation on the target resource.
After the above decision steps, the PDP determines that the access control decision request is not allowed to be executed. The PDP therefore sends an access control decision response to the PEP with the content (decision="Not Permit").
Embodiment two: a suggestion indication is required
CSE1 represents a common service entity in a oneM2M system, and AE1, AE2 and AE3 represent three application entities in the oneM2M system.
After AE1 registers with CSE1, the resource allocated by CSE1 to AE1 is denoted <AE1>.
<ACP2> represents an access control policy resource. <ACP2> contains the access control policy set ACP2. ACP2 contains one policy, RULE3. The policy comprises, in order: the list of target resources allowed to be accessed, the list of resource attributes allowed to be accessed, the list of sub-resources allowed to be accessed, the list of allowed access initiators, the list of operations allowed to act on the target resource, and the list of context conditions; the lists are separated by semicolons.
<NODE1> represents the <NODE> resource that is associated with <AE1> through the nodeLink attribute of the <AE1> resource.
The contents of RULE3 are:
[(<NODE1>);(ALL);(memory;battery;firmware;software;deviceInfo);(AE2,AE3);(Retrieve);()]
where (<NODE1>) indicates that the only target resource allowed to be accessed is <NODE1>; (ALL) indicates that all resource attributes are allowed to be accessed; (memory;battery;firmware;software;deviceInfo) indicates that the memory, battery, firmware, software and deviceInfo sub-resources are allowed to be accessed; (AE2,AE3) indicates that AE2 and AE3 are allowed to initiate access; (Retrieve) indicates that the only operation allowed to act on the target resource is retrieve; () indicates that there is no context condition restriction.
The resource access flow for access request 3 may include:
The initiator AE2 sends a resource access request to the PEP, the content of which is:
(to="<NODE1>";fr="AE2";op="Retrieve")
where to="<NODE1>" indicates that the target resource requested to be accessed is <NODE1>, fr="AE2" indicates that the initiator of the request is AE2, and op="Retrieve" indicates that the operation requested to act on the target resource is a query.
After receiving the resource access request sent by AE2, the PEP sends an access control decision request to the PDP according to the resource access request. The access control decision request contains:
(to="<NODE1>";fr="AE2";op="Retrieve";ar="yes")
where to="<NODE1>" indicates that the target resource requested to be accessed is <NODE1>, fr="AE2" indicates that the initiator of the request is AE2, op="Retrieve" indicates that the operation requested to act on the target resource is a query, and ar="yes" is the "provide suggestion indication", requesting that a suggestion be provided.
After receiving the access control decision request sent by the PEP, the PDP sends an access control policy request to the PRP; the PRP returns ACP2 to the PDP according to the request, and the PDP decides the access control decision request against ACP2 in the following steps:
First, whether the policy in ACP2 applies to the access control decision request is determined from the to and fr parameters of the access control decision request. The to parameter indicates that access to <NODE1> is requested and the fr parameter indicates that the initiator is AE2; RULE3 in ACP2 allows access to <NODE1> and its allowed initiators include AE2, so RULE3 is determined to be applicable.
Second, it is determined whether the access control decision request satisfies the context conditions in RULE3. Since RULE3 does not restrict the context conditions, the access control decision request is determined to satisfy the context conditions of RULE3.
Then, it is determined whether the operation requested to act on the target resource is allowed, according to the list of operations allowed to act on the target resource in RULE3. Since the requested operation is a query and RULE3 allows the query operation on the target resource, the operation in the access control decision request is determined to be allowed.
Finally, the list of target objects of the target resource suggested for access is obtained according to the "provide suggestion indication" in the access control decision request. Since RULE3 allows the initiator to access all resource attributes of the target resource and its memory, battery, firmware, software and deviceInfo sub-resources, the list of target objects suggested for access includes all resource attributes and the memory, battery, firmware, software and deviceInfo sub-resources.
Through the above steps, the decision result sent by the PDP to the PEP is (decision="Permit with limitation";pal="ALL";psl="memory;battery;firmware;software;deviceInfo"). Here decision="Permit with limitation" indicates that the access control decision request may access the target resource it requested, but subject to a limitation; pal="ALL" indicates that the access control decision request may access all resource attributes of the requested target resource; and psl="memory;battery;firmware;software;deviceInfo" indicates that the access control decision request may access the memory, battery, firmware, software and deviceInfo sub-resources of the requested target resource.
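The decision procedure of step 304 (the six cases, applied rule by rule) and the suggestion mode with the "provide suggestion indication", as well as the three access requests of the two embodiments, can be exercised with the following PDP evaluator. This is an added example and not code from the patent or from any oneM2M implementation. It parses the page's own six-tuple notation for RULE1 to RULE3 and the page's request notation (to, fr, op, asl, ar, and pal/psl in the result); the request key `aal` for a resource attribute access list, the modelling of a context condition as a `name=value` pair matched against request fields, and the decision token `Permit with limitation` are assumptions made here, as are the two extra requests constructed at the end to show sub-resource level control under RULE2.

```python
import re
from dataclasses import dataclass


# Field order follows the page's six-tuple notation for RULE1/RULE2/RULE3.
@dataclass
class Rule:
    name: str
    resources: list      # accessControlResources
    attributes: list     # permittedAttributes: names, ["ALL"] or ["NULL"]
    subresources: list   # permittedSubResources: names, ["ALL"] or ["NULL"]
    originators: list    # accessControlOriginators
    operations: list     # accessControlOperations
    contexts: list       # accessControlContexts; empty means no restriction


def split_list(value):
    """List members on the page are separated by ',' or ';'."""
    return [m.strip() for m in re.split(r"[,;]", value) if m.strip()]


def parse_rule(name, text):
    """Parse [(<AE1>);(pointOfAccess,ontologyRef);(ALL);(AE1);(Create);()] into a Rule.
    Each parenthesised group is one of the six lists, in the page's order."""
    fields = re.findall(r"\(([^()]*)\)", text)
    if len(fields) != 6:
        raise ValueError(f"{name}: expected 6 fields, found {len(fields)}")
    return Rule(name, *[split_list(f) for f in fields])


def parse_request(text):
    """Parse (to="<AE1>";fr="AE1";op="Create";asl="container";ar="yes") into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', text))


def list_allows(allowed, requested):
    """Cases 1 and 2: the case applies only when the request carries the list.
    ALL admits everything; NULL, or an omitted list, admits nothing."""
    if not requested:
        return True
    if "ALL" in allowed:
        return True
    if not allowed or "NULL" in allowed:
        return False
    return all(r in allowed for r in requested)


def context_ok(rule, req):
    """Case 6. Context conditions are modelled as name=value pairs that must match
    request fields (an assumption; the page's examples use empty context lists)."""
    for cond in rule.contexts:
        key, _, value = cond.partition("=")
        if req.get(key) != value:
            return False
    return True


def suggest(allowed, requested):
    """Suggested target objects (ar="yes"): the allowed list, or its intersection
    with the requested list when the request named specific items."""
    if not allowed or "NULL" in allowed:
        return []
    if "ALL" in allowed:
        return list(requested) if requested else ["ALL"]
    return [a for a in allowed if a in requested] if requested else list(allowed)


def decide(policy, req):
    """Apply the six cases of step 304 to each rule; the first rule passing every
    applicable check permits the request, otherwise the result is Not Permit."""
    req_attrs = split_list(req.get("aal", ""))   # resource attribute access list (assumed key)
    req_subs = split_list(req.get("asl", ""))    # sub-resource access list
    for rule in policy:
        if req["to"] not in rule.resources:              # case 3
            continue
        if req["fr"] not in rule.originators:            # case 4
            continue
        if not context_ok(rule, req):                    # case 6
            continue
        if req["op"] not in rule.operations:             # case 5
            continue
        if not list_allows(rule.attributes, req_attrs):  # case 1
            continue
        if not list_allows(rule.subresources, req_subs): # case 2
            continue
        result = {"decision": "Permit", "rule": rule.name}
        if req.get("ar") == "yes":
            # Decision token reconstructed from the page's explanation of embodiment two.
            result["decision"] = "Permit with limitation"
            result["pal"] = suggest(rule.attributes, req_attrs)
            result["psl"] = suggest(rule.subresources, req_subs)
        return result
    return {"decision": "Not Permit"}


# Policies transcribed from the page's two embodiments.
ACP1 = [
    parse_rule("RULE1", "[(<AE1>);(pointOfAccess,ontologyRef);(ALL);(AE1);(Create,Retrieve,Update,Delete);()]"),
    parse_rule("RULE2", "[(<AE1>);(appName,App-ID,AE-ID,nodeLink);(<container>,<group>);(AE1,AE2,AE3);(Retrieve);()]"),
]
ACP2 = [
    parse_rule("RULE3", "[(<NODE1>);(ALL);(memory;battery;firmware;software;deviceInfo);(AE2,AE3);(Retrieve);()]"),
]


def run_examples():
    """Access requests 1 to 3 from the page, plus two constructed requests that show
    RULE2 permitting <container> children of <AE1> to AE2 but not <subscription>."""
    return {
        "request1": decide(ACP1, parse_request('(to="<AE1>";fr="AE1";op="Create";asl="container")')),
        "request2": decide(ACP1, parse_request('(to="<AE1>";fr="AE2";op="Create";asl="container")')),
        "request3": decide(ACP2, parse_request('(to="<NODE1>";fr="AE2";op="Retrieve";ar="yes")')),
        "ae2_container": decide(ACP1, parse_request('(to="<AE1>";fr="AE2";op="Retrieve";asl="<container>")')),
        "ae2_subscription": decide(ACP1, parse_request('(to="<AE1>";fr="AE2";op="Retrieve";asl="<subscription>")')),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(name, result)
```

Requests 1 and 2 reproduce the page's Permit and Not Permit outcomes, and request 3 yields pal="ALL" with the five sub-resources of RULE3 in the order the rule lists them. The two constructed requests show why the extension matters: the same initiator, target and operation are permitted or denied depending only on which sub-resource is named in asl.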
According to the same technical concept, an embodiment of the present invention also provides a policy decision point apparatus. As shown in fig. 4, the apparatus includes a receiving module 401, an obtaining module 402 and a decision module 403, and may further include a suggestion module 304.
The receiving module 401 is configured to receive the access control decision request sent by the PEP, where the access control decision request includes the target object requested to be accessed, and the target object includes resource attributes, sub-resources, or both resource attributes and sub-resources.
The obtaining module 402 is configured to obtain the access control policy used to make the access permission decision on the access control decision request, where the access control policy includes a rule for deciding the access permission of the target object.
The decision module 403 is configured to make the access permission decision on the access control decision request according to the obtained access control policy and return the access permission decision result to the PEP.
Specifically, the following six cases are distinguished when the decision module makes the access right decision on the access control decision request:
Case 1: the access control decision request includes a "resource attribute access list"
For this case, if a resource attribute of the target resource listed in the "resource attribute access list" of the access control decision request is not in the "resource attribute list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the listed resource attributes are in the "resource attribute list allowed to be accessed", the decision may be further made in combination with the other rules in the access control policy.
Case 2: the access control decision request includes a "sub-resource access list"
For this case, if a sub-resource of the target resource listed in the "sub-resource access list" of the access control decision request is not in the "sub-resource list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the listed sub-resources are in the "sub-resource list allowed to be accessed", the decision may be further made in combination with the other rules in the access control policy.
Case 3: the access control decision request includes "indication information of the target resource"
For this case, if the target resource indicated by the "indication information of the target resource" in the access control decision request is not in the "target resource list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 4: the access control decision request includes an "initiator identification"
For this case, if the initiator indicated by the "initiator identification" in the access control decision request is not in the "allowed access initiator list" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 5: the access control decision request includes "operation type indication information"
For this case, if the operation type indicated by the "operation type indication information" in the access control decision request, i.e. the operation requested to act on the target resource, is not in the "operation list allowed to act on the target resource" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 6: the access control policy includes a "context condition list"
For this case, if the access control decision request does not satisfy a context condition contained in the "context condition list" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the access control decision request satisfies the context conditions, the decision may be further made in combination with the other rules in the access control policy.
Specifically, the rule for determining the access right of the resource attribute includes a resource attribute list, where the resource attribute list includes one of the following contents:
-one or more resource attributes allowed to be accessed or indication information of resource attributes
-indication information indicating that all resource attributes are allowed to be accessed
-indication information indicating that all resource attributes are not allowed to be accessed
If the rule for judging the access right of the resource attribute does not contain the resource attribute list, the rule indicates that all the resource attributes are not allowed to be accessed.
Specifically, the rule for determining the access right of the sub-resource includes a sub-resource list, where the sub-resource list includes one of the following contents:
-one or more sub-resources allowed to be accessed, or indication information of those sub-resources
-indication information indicating that all sub-resources are allowed to be accessed
-indication information indicating that all sub-resources are not allowed to be accessed
If the child resource list is not included in the rule for judging the access permission of the child resources, the rule indicates that all the child resources are not allowed to be accessed.
Further, the access control decision request may also include a provide-suggestion indication, and the apparatus further includes a suggestion module, configured to, when the decision made by the decision module 303 is to deny access to the target resource requested by the access control decision request, obtain, according to the provide-suggestion indication, a list of target objects suggested to be requested instead, where the resource attributes and/or sub-resources included in the list can be accessed by the initiator of the access control decision request; and to send the list of suggested target objects of the target resource to the PEP.
Based on the same technical concept, the embodiment of the invention also provides a policy decision point device, which can implement the resource access control flow of the embodiment of the invention.
Referring to fig. 5, a schematic structural diagram of a policy decision point apparatus provided in an embodiment of the present invention is shown, where the apparatus may include: a processor 501, a memory 502, a transceiver 503, and a bus interface.
The processor 501 is responsible for managing the bus architecture and general processing, and the memory 502 may store data used by the processor 501 in performing operations. The transceiver 503 is used to receive and transmit data under the control of the processor 501.
The bus architecture may include any number of interconnected buses and bridges, linking together one or more processors, represented by processor 501, and various circuits, represented by memory 502. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and therefore are not described further herein. The bus interface provides an interface. The transceiver 503 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium.
The resource access control flow disclosed in the embodiment of the present invention may be applied to the processor 501, or implemented by the processor 501. In implementation, the steps of the resource access control flow may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 501. The processor 501 may be a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may be located in RAM, flash memory, ROM, PROM, EPROM, registers, or other storage media well known in the art. The storage medium is located in the memory 502; the processor 501 reads the information in the memory 502 and completes the steps of the resource access control flow in combination with its hardware.
Specifically, the processor 501 is configured to read the program in the memory 502 and execute the following processes:
receiving an access control decision request sent by the PEP, wherein the access control decision request includes a target object requested to be accessed, and the target object includes resource attributes, sub-resources, or both resource attributes and sub-resources;
acquiring an access control policy for making an access right decision on the access control decision request, wherein the access control policy includes a rule for making the access right decision on the target object; and
making the access right decision on the access control decision request according to the acquired access control policy, and returning the access right decision result to the PEP.
Specifically, the following six cases are distinguished when the access right decision is made on the access control decision request:
Case 1: the access control decision request includes a "resource attribute access list"
For this case, if a resource attribute of the target resource listed in the "resource attribute access list" of the access control decision request is not in the "resource attribute list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the listed resource attributes are in the "resource attribute list allowed to be accessed", the decision may be further made in combination with the other rules in the access control policy.
Case 2: the access control decision request includes a "sub-resource access list"
For this case, if a sub-resource of the target resource listed in the "sub-resource access list" of the access control decision request is not in the "sub-resource list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the listed sub-resources are in the "sub-resource list allowed to be accessed", the decision may be further made in combination with the other rules in the access control policy.
Case 3: the access control decision request includes "indication information of the target resource"
For this case, if the target resource indicated by the "indication information of the target resource" in the access control decision request is not in the "target resource list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 4: the access control decision request includes an "initiator identification"
For this case, if the initiator indicated by the "initiator identification" in the access control decision request is not in the "allowed access initiator list" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 5: the access control decision request includes "operation type indication information"
For this case, if the operation type indicated by the "operation type indication information" in the access control decision request, i.e. the operation requested to act on the target resource, is not in the "operation list allowed to act on the target resource" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 6: the access control policy includes a "context condition list"
For this case, if the access control decision request does not satisfy a context condition contained in the "context condition list" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the access control decision request satisfies the context conditions, the decision may be further made in combination with the other rules in the access control policy.
Specifically, the rule for making the access right decision on the resource attribute includes a resource attribute list, where the resource attribute list includes one of the following contents:
-one or more resource attributes allowed to be accessed or indication information of resource attributes
-indication information indicating that all resource attributes are allowed to be accessed
-indication information indicating that all resource attributes are not allowed to be accessed
If the rule for judging the access right of the resource attribute does not contain the resource attribute list, the rule indicates that all the resource attributes are not allowed to be accessed.
Specifically, the rule for determining the access right of the sub-resource includes a sub-resource list, where the sub-resource list includes one of the following contents:
-one or more sub-resources allowed to be accessed, or indication information of those sub-resources
-indication information indicating that all sub-resources are allowed to be accessed
-indication information indicating that all sub-resources are not allowed to be accessed
If the child resource list is not included in the rule for judging the access permission of the child resources, the rule indicates that all the child resources are not allowed to be accessed.
Further, the access control decision request may also include a provide-suggestion indication. When it is determined that access to the target resource requested by the access control decision request is denied, a list of target objects suggested to be requested instead is obtained according to the provide-suggestion indication, where the resource attributes and/or sub-resources included in the list can be accessed by the initiator of the access control decision request; and the list of suggested target objects of the target resource is sent to the PEP.
Based on the same technical concept, the embodiment of the invention also provides a resource access control system, as shown in fig. 2, which includes a PEP and a PDP.
The PEP is configured to receive a resource access request and to send an access control decision request to the PDP according to the resource access request.
The PDP is configured to receive the access control decision request sent by the PEP, wherein the access control decision request includes a target object of the target resource requested to be accessed, and the target object includes a resource attribute, a sub-resource, or both a resource attribute and a sub-resource of the target resource; to acquire an access control policy for making an access right decision on the access control decision request, wherein the access control policy includes a rule for making the access right decision on the target object of the target resource; and to make the access right decision on the access control decision request according to the acquired access control policy and return the access right decision result to the PEP.
Specifically, when the PDP makes the access right decision on the access control decision request, it evaluates each rule in the access control policy, which may involve the following cases:
Case 1: the access control decision request includes a "resource attribute access list"
For this case, if a resource attribute of the target resource listed in the "resource attribute access list" of the access control decision request is not in the "resource attribute list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the listed resource attributes are in the "resource attribute list allowed to be accessed", the decision may be further made in combination with the other rules in the access control policy.
Case 2: the access control decision request includes a "sub-resource access list"
For this case, if a sub-resource of the target resource listed in the "sub-resource access list" of the access control decision request is not in the "sub-resource list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the listed sub-resources are in the "sub-resource list allowed to be accessed", the decision may be further made in combination with the other rules in the access control policy.
Case 3: the access control decision request includes "indication information of the target resource"
For this case, if the target resource indicated by the "indication information of the target resource" in the access control decision request is not in the "target resource list allowed to be accessed" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 4: the access control decision request includes an "initiator identification"
For this case, if the initiator indicated by the "initiator identification" in the access control decision request is not in the "allowed access initiator list" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 5: the access control decision request includes "operation type indication information"
For this case, if the operation type indicated by the "operation type indication information" in the access control decision request, i.e. the operation requested to act on the target resource, is not in the "operation list allowed to act on the target resource" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If it is in that list, the decision may be further made in combination with the other rules in the access control policy.
Case 6: the access control policy includes a "context condition list"
For this case, if the access control decision request does not satisfy a context condition contained in the "context condition list" of the access control policy, it is determined that access to the target resource requested by the access control decision request is denied. If the access control decision request satisfies the context conditions, the decision may be further made in combination with the other rules in the access control policy.
Specifically, the rule for determining the access right of the resource attribute of the target resource includes a resource attribute list, where the resource attribute list includes one of the following contents:
-one or more resource attributes allowed to be accessed or indication information of resource attributes;
-indication information indicating that all resource attributes are allowed to be accessed;
-indication information indicating that all resource attributes are not allowed to be accessed.
If the rule for judging the access authority of the resource attribute of the target resource does not contain the resource attribute list, the rule indicates that all the resource attributes are not allowed to be accessed.
Specifically, the rule for determining the access right of the sub-resource of the target resource includes a sub-resource list, where the sub-resource list includes one of the following contents:
-one or more sub-resources allowed to be accessed, or indication information of those sub-resources;
-indication information indicating that all sub-resources are allowed to be accessed;
-indication information indicating that all child resources are not allowed to be accessed.
If the child resource list is not included in the rule for judging the access permission of the child resources of the target resource, the rule indicates that all the child resources are not allowed to be accessed.
Further, the access control decision request may also include a provide-suggestion indication, and the PDP is further configured to: if the decision is that access to the target resource requested by the access control decision request is denied, acquire, according to the provide-suggestion indication, a list of target objects of the target resource suggested to be requested instead, wherein the target objects of the target resource contained in the list can be accessed by the initiator of the access control decision request; and send the list of suggested target objects of the target resource to the PEP.
Specifically, the PEP determines the target object according to a content parameter in the resource access request, where the content parameter includes the resource attribute and/or sub-resource requested to be accessed; or, the target object is determined according to the target resource in the resource access request and the requested operation acting on that target resource.
The system may further include a PRP, wherein the PRP is configured to store an access control policy for making an access permission decision for the access control decision request.
The PDP may obtain an access control policy for making an access right decision for the access control decision request from the PRP according to the access control decision request.
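The PDP decision described in the six cases above, together with the fail-closed list semantics (a missing list or a "none allowed" indication denies everything) and the suggested target object list, as an added Python example; this is illustration code written for this page, not the patent's implementation. The ALL/NONE markers, the field names and the sample policy are assumptions, and treating a policy that lacks a target, initiator or operation list as "allow nothing" extends the rule the page states only for the attribute and sub-resource lists.

```python
from dataclasses import dataclass, field
from typing import Optional, Union

# Markers for the two kinds of "indication information" a list rule may carry.
ALL = "ALL"    # all items are allowed to be accessed
NONE = "NONE"  # no item is allowed to be accessed
ListRule = Union[set, str, None]  # explicit set of names, a marker, or None (rule has no list)


def allowed(rule: ListRule, name: str) -> bool:
    """Membership test with the page's fail-closed semantics: a rule without a
    list, or with the NONE marker, allows nothing; ALL allows everything."""
    if rule is None or rule == NONE:
        return False
    return True if rule == ALL else name in rule


@dataclass
class DecisionRequest:
    """Access control decision request as sent by the PEP; every field is optional."""
    initiator: Optional[str] = None        # "initiator identification"
    target_resource: Optional[str] = None  # "indication information of the target resource"
    operation: Optional[str] = None        # "operation type indication information"
    attributes: Optional[list] = None      # "resource attribute access list"
    sub_resources: Optional[list] = None   # "sub-resource access list"
    provide_suggestion: bool = False       # "provide-suggestion indication"
    context: dict = field(default_factory=dict)


@dataclass
class Policy:
    """Access control policy as held by the PRP; each list rule is a ListRule."""
    allowed_attributes: ListRule = None
    allowed_sub_resources: ListRule = None
    allowed_targets: ListRule = None
    allowed_initiators: ListRule = None
    allowed_operations: ListRule = None
    context_conditions: list = field(default_factory=list)  # predicates over request.context


@dataclass
class Decision:
    permitted: bool
    reason: str = ""
    suggestion: dict = field(default_factory=dict)


def suggest(rule: ListRule):
    """Target objects the initiator could request instead: nothing when the
    policy allows nothing, the ALL marker when it allows everything."""
    if rule is None or rule == NONE:
        return []
    return ALL if rule == ALL else sorted(rule)


def deny(req: DecisionRequest, policy: Policy, reason: str) -> Decision:
    """Deny; the suggested target object list is attached only when the request
    carried the provide-suggestion indication."""
    d = Decision(False, reason)
    if req.provide_suggestion:
        d.suggestion = {"attributes": suggest(policy.allowed_attributes),
                        "sub_resources": suggest(policy.allowed_sub_resources)}
    return d


def decide(req: DecisionRequest, policy: Policy) -> Decision:
    """PDP decision over the six cases: the first failing rule denies, and the
    request is permitted only when every applicable rule is satisfied."""
    # Case 1: every attribute in the resource attribute access list must be allowed.
    for a in req.attributes or []:
        if not allowed(policy.allowed_attributes, a):
            return deny(req, policy, f"attribute {a!r} not allowed")
    # Case 2: every sub-resource in the sub-resource access list must be allowed.
    for s in req.sub_resources or []:
        if not allowed(policy.allowed_sub_resources, s):
            return deny(req, policy, f"sub-resource {s!r} not allowed")
    # Cases 3 to 5: target resource, initiator and operation type, each checked only
    # when present in the request. Treating a policy without the matching list as
    # "allow nothing" is an assumption; the page states it for attributes and sub-resources.
    if req.target_resource is not None and not allowed(policy.allowed_targets, req.target_resource):
        return deny(req, policy, "target resource not allowed")
    if req.initiator is not None and not allowed(policy.allowed_initiators, req.initiator):
        return deny(req, policy, "initiator not allowed")
    if req.operation is not None and not allowed(policy.allowed_operations, req.operation):
        return deny(req, policy, "operation type not allowed")
    # Case 6: every context condition in the policy must hold for this request.
    for cond in policy.context_conditions:
        if not cond(req.context):
            return deny(req, policy, "context condition not satisfied")
    return Decision(True, "all rules satisfied")


# Constructed sample policy; resource and initiator names are made up for the example.
SAMPLE_POLICY = Policy(
    allowed_attributes={"name", "status"},
    allowed_sub_resources={"app1/config"},
    allowed_targets={"app1"},
    allowed_initiators={"client-a", "client-b"},
    allowed_operations={"RETRIEVE"},
    context_conditions=[lambda ctx: 8 <= ctx.get("hour", -1) < 18],  # office hours only
)
```

A request for `["secret"]` against `SAMPLE_POLICY` with `provide_suggestion=True` is denied and carries `{"attributes": ["name", "status"], "sub_resources": ["app1/config"]}` back to the PEP.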
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (24)

1. A method for controlling access to resources, comprising:
receiving an access control decision request sent by a Policy Enforcement Point (PEP), wherein the access control decision request comprises a target object requesting access, and the target object comprises a resource attribute access list of a target resource requesting access and/or a sub-resource access list of the target resource;
acquiring an access control policy for making an access right decision on the access control decision request; wherein the access control policy includes a rule for making the access right decision on the target object, and the rule includes a resource attribute access list allowing access and/or a sub-resource access list allowing access;
and making the access right decision on the access control decision request according to the acquired access control policy, and returning an access right decision result to the PEP.
2. The method of claim 1, wherein the performing the access right decision on the access control decision request according to the obtained access control policy comprises:
if the resource attribute requested to be accessed is not among the resource attributes allowed to be accessed by the rule for making the access right decision on the resource attribute of the target resource, determining that access to the target resource is denied, wherein the target resource is the target resource requested to be accessed by the access control decision request; or,
if the sub-resource requested to be accessed is not among the sub-resources allowed to be accessed by the rule for making the access right decision on the sub-resource of the target resource, determining that access to the target resource is denied, wherein the target resource is the target resource requested to be accessed by the access control decision request.
3. The method of claim 1, wherein the access-allowed resource attribute access list includes one of:
one or more resource attributes allowed to be accessed or indication information of the resource attributes;
indication information for indicating that all resource attributes are allowed to be accessed;
and indication information for indicating that all resource attributes are not allowed to be accessed.
4. The method as claimed in claim 3, wherein if the rule for making the access right decision for the resource attribute does not include the resource attribute access list allowing access, the rule indicates that all resource attributes are not allowed to be accessed.
5. The method of claim 1, wherein the child resource access list includes one of:
one or more of the child resources allowed to be accessed or indication information of the child resources;
indication information for indicating that all the child resources are allowed to be accessed;
and indication information for indicating that all the child resources are not allowed to be accessed.
6. The method as claimed in claim 5, wherein if the rule for making the access right decision on the child resource does not include the access list of the child resource, the rule indicates that all the child resources are not allowed to be accessed.
7. The method of claim 1, wherein the access control decision request further includes information indicative of a target resource requested for access;
the access control policy for making the access right decision on the access control decision request further includes a target resource list allowing access;
the making of the access right decision on the access control decision request according to the acquired access control policy includes:
and if the indication information of the target resource in the access control decision request is not in the target resource list allowing access, determining that the target resource requested by the access control decision request is denied to be accessed.
8. The method of claim 1, wherein the access control decision request further includes a provide-suggestion indication;
the method further comprises the following steps:
if the decision is that access to the target resource requested by the access control decision request is denied, obtaining, according to the provide-suggestion indication, a target object list suggested to be requested instead, wherein the resource attribute and/or sub-resource contained in the list can be accessed by the initiator of the access control decision request;
and sending the target object list suggested to be requested to the PEP.
9. The method of any of claims 1 to 8, wherein the access control decision request further comprises: an initiator identifier, and operation type indication information for indicating the operation type requested to act on the target resource;
the access control policy for making the access right decision on the access control decision request further includes: a list of allowed access initiators, a list of operations allowed to act on the target resource, and a list of context conditions;
the making of the access right decision on the access control decision request according to the acquired access control policy comprises the following steps:
and if one of the following conditions is met, determining that the target resource requested by the access control decision request is denied access:
the initiator identification is not in the allowed access initiator list;
the operation type indicated by the operation type indication information is not in the operation list allowed to act on the target resource;
the access control decision request does not satisfy a context condition in the list of context conditions.
10. A policy decision point apparatus, comprising:
a receiving module, configured to receive an access control decision request sent by a Policy Enforcement Point (PEP), wherein the access control decision request comprises a target object to which access is requested, and the target object comprises a resource attribute access list of the target resource to which access is requested and/or a sub-resource access list of the target resource;
an obtaining module, configured to obtain an access control policy for making an access permission decision on the access control decision request; wherein the access control policy includes a rule for making the access permission decision on the target object, and the rule includes an allowed resource attribute access list and/or an allowed sub-resource access list;
and a decision module, configured to make the access permission decision on the access control decision request according to the obtained access control policy and to return the access permission decision result to the PEP.
11. The apparatus of claim 10, wherein the decision module is specifically configured to:
if a resource attribute to which access is requested is not among the resource attributes allowed to be accessed by the rule for making the access permission decision on the resource attributes of the target resource, determine that access to the target resource is denied, the target resource being the target resource to which access is requested by the access control decision request; or,
if a sub-resource to which access is requested is not among the sub-resources allowed to be accessed by the rule for making the access permission decision on the sub-resources of the target resource, determine that access to the target resource is denied, the target resource being the target resource to which access is requested by the access control decision request.
12. The apparatus of claim 10, wherein the allowed resource attribute access list includes one of:
one or more resource attributes allowed to be accessed, or indication information of those resource attributes;
indication information indicating that all resource attributes are allowed to be accessed;
and indication information indicating that none of the resource attributes is allowed to be accessed.
13. The apparatus of claim 12, wherein, if the rule for making the access permission decision on the resource attributes does not include an allowed resource attribute access list, the rule indicates that none of the resource attributes is allowed to be accessed.
14. The apparatus of claim 10, wherein the allowed sub-resource access list includes one of:
one or more sub-resources allowed to be accessed, or indication information of those sub-resources;
indication information indicating that all sub-resources are allowed to be accessed;
and indication information indicating that none of the sub-resources is allowed to be accessed.
15. The apparatus of claim 14, wherein, if the rule for making the access permission decision on the sub-resources does not include an allowed sub-resource access list, the rule indicates that none of the sub-resources is allowed to be accessed.
16. The apparatus of claim 10, wherein the access control decision request further includes indication information of the target resource to which access is requested;
the access control policy for making the access permission decision on the access control decision request further comprises a list of target resources allowed to be accessed;
the decision module is specifically configured to:
if the indication information of the target resource in the access control decision request is not in the list of target resources allowed to be accessed, determine that access to the target resource requested by the access control decision request is denied.
17. The apparatus of claim 10, wherein the access control decision request further comprises a suggestion-providing indication;
the apparatus further comprises a suggestion module, configured to:
if the decision is that access to the target resource requested by the access control decision request is denied, obtain, according to the suggestion-providing indication, a list of target objects that are suggested for an access request, where the resource attributes and/or sub-resources contained in the list can be accessed by the initiator of the access control decision request;
and send the suggested list of target objects to the PEP.
18. A resource access control system, comprising: a policy enforcement point (PEP) and a policy decision point (PDP);
the PEP is configured to receive a resource access request and to send an access control decision request to the PDP according to the resource access request, wherein the access control decision request comprises a target object to which access is requested, and the target object comprises a resource attribute access list of the target resource to which access is requested and/or a sub-resource access list of the target resource;
the PDP is configured to obtain an access control policy for making an access permission decision on the access control decision request, wherein the access control policy comprises a rule for making the access permission decision on the target object, and the rule comprises an allowed resource attribute access list and/or an allowed sub-resource access list; and to make the access permission decision on the access control decision request according to the obtained access control policy and return the access permission decision result to the PEP.
19. The system of claim 18, wherein the PDP is specifically configured to:
if a resource attribute to which access is requested is not among the resource attributes allowed to be accessed by the rule for making the access permission decision on the target resource, determine that access to the target resource is denied, the target resource being the target resource to which access is requested by the access control decision request; or,
if a sub-resource to which access is requested is not among the sub-resources allowed to be accessed by the rule for making the access permission decision on the sub-resources of the target resource, determine that access to the target resource is denied, the target resource being the target resource to which access is requested by the access control decision request.
20. The system of claim 18, wherein the allowed resource attribute access list includes one of:
one or more resource attributes allowed to be accessed, or indication information of those resource attributes;
indication information indicating that all resource attributes are allowed to be accessed;
and indication information indicating that none of the resource attributes is allowed to be accessed.
21. The system of claim 20, wherein, if the rule for making the access permission decision on the resource attributes does not include an allowed resource attribute access list, the rule indicates that none of the resource attributes is allowed to be accessed.
22. The system of claim 18, wherein the allowed sub-resource access list includes one of:
one or more sub-resources allowed to be accessed, or indication information of those sub-resources;
indication information indicating that all sub-resources are allowed to be accessed;
and indication information indicating that none of the sub-resources is allowed to be accessed.
23. The system of claim 22, wherein, if the rule for making the access permission decision on the sub-resources does not include an allowed sub-resource access list, the rule indicates that none of the sub-resources is allowed to be accessed.
24. The system of claim 18, wherein the access control decision request further includes indication information of the target resource to which access is requested;
the access control policy for making the access permission decision on the access control decision request further comprises a list of target resources allowed to be accessed;
the PDP is specifically configured to:
if the indication information of the target resource in the access control decision request is not in the list of target resources allowed to be accessed, determine that access to the target resource requested by the access control decision request is denied.
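The decision procedure of claims 9 through 24, as an added example in Python that is not the patent's own code: a minimal PDP that checks the initiator, operation type, context and target resource, then compares the requested resource attributes and sub-resources against rule lists that may be explicit names, an "all allowed" indication, or absent (meaning none allowed), and builds the suggested target object list for a denied request. The names Rule, Policy, decide and the request keys are assumptions, as is reading the suggestion of claims 8 and 17 as the subset of requested items the initiator may access.

```python
# Added example, not the patent's own code. Names and request keys are assumptions.
from dataclasses import dataclass, field

ALL, NONE = "ALL", "NONE"  # indication values: all allowed / none allowed

@dataclass
class Rule:
    """Rule for one target object. Each list is a set of names, ALL, or NONE;
    a list that is absent (None) means none allowed (claims 13 and 15)."""
    attrs: object = None   # allowed resource attribute access list
    subs: object = None    # allowed sub-resource access list

@dataclass
class Policy:
    rules: dict                                   # target resource id -> Rule
    resources: set = field(default_factory=set)   # target resources allowed
    initiators: set = field(default_factory=set)  # initiators allowed
    ops: set = field(default_factory=set)         # operation types allowed

def _permitted(requested, allowed):
    """Subset of the requested attributes/sub-resources that the rule allows."""
    if allowed == ALL:
        return set(requested)
    if allowed in (NONE, None):
        return set()
    return set(requested) & set(allowed)

def decide(req, policy, context_ok=lambda r: True):
    """PDP decision. Returns (permit, suggestion); the suggestion is built only
    for a denied request carrying 'suggest' (claims 8/17) and, as assumed here,
    lists the requested items the initiator is actually allowed to access."""
    rule = policy.rules.get(req["resource"])
    want_attrs, want_subs = set(req.get("attrs", ())), set(req.get("subs", ()))
    # claim 9: initiator, operation type, context and target resource checks
    gate = (rule is not None
            and req["resource"] in policy.resources
            and req["initiator"] in policy.initiators
            and req["op"] in policy.ops
            and context_ok(req))
    ok_attrs = _permitted(want_attrs, rule.attrs) if rule else set()
    ok_subs = _permitted(want_subs, rule.subs) if rule else set()
    # claim 11: any requested attribute or sub-resource outside the rule denies
    permit = gate and ok_attrs == want_attrs and ok_subs == want_subs
    if permit or not req.get("suggest"):
        return permit, None
    if not gate:  # nothing this initiator may access here
        return False, {"attrs": [], "subs": []}
    return False, {"attrs": sorted(ok_attrs), "subs": sorted(ok_subs)}
```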
CN201610022213.3A 2016-01-13 2016-01-13 Resource access control method, device and system Active CN106973031B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610022213.3A CN106973031B (en) 2016-01-13 2016-01-13 Resource access control method, device and system
PCT/CN2016/112754 WO2017121240A1 (en) 2016-01-13 2016-12-28 Resource access control method, device and system

Publications (2)

Publication Number Publication Date
CN106973031A CN106973031A (en) 2017-07-21
CN106973031B true CN106973031B (en) 2020-07-03

Family

ID=59310744

Country Status (2)

Country Link
CN (1) CN106973031B (en)
WO (1) WO2017121240A1 (en)

Also Published As

Publication number Publication date
CN106973031A (en) 2017-07-21
WO2017121240A1 (en) 2017-07-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant