CN108900484B - Access right information generation method and device - Google Patents

Info

Publication number: CN108900484B
Application number: CN201810621380.9A
Authority: CN (China)
Other versions: CN108900484A
Other languages: Chinese (zh)
Prior art keywords: user, authority information, access authority, resource group, user identifier
Legal status: Active
Inventors: 王国利, 孙京京
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd

Classifications

    • H04L63/105 Network security: controlling access to devices or network resources, multiple levels of security
    • H04L63/0272 Network security: separating internal from external traffic (e.g. firewalls), virtual private networks
    • H04L63/0876 Network security: authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/166 Network security: implementing security features at the transport layer

Abstract

The embodiments of the application provide a method and a device for generating access authority information. A login request sent by a first terminal is received, where the login request carries a first user identifier and a first user attribute, and it is judged whether the first user identifier exists in preset access authority information. If the first user identifier does not exist in the preset access authority information, a first resource group corresponding to the first user identifier is determined, according to the first user attribute, from the preset correspondence between user attributes and resource groups, and the first user identifier and the first resource group are added to the preset access authority information to generate the access authority information corresponding to the first user identifier. Based on this processing, the access authority information corresponding to a user identifier can be generated automatically, which improves the efficiency of generating access authority information.

Description

Access right information generation method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for generating access right information.
Background
SSL VPN (Virtual Private Network over Secure Sockets Layer) technology uses the certificate-based authentication, data encryption and message integrity verification mechanisms provided by the SSL protocol to establish a secure connection for communication between application layers. Based on SSL VPN technology, the staff of an enterprise can use a terminal to access the resources of the enterprise's internal network securely over the Internet.
However, the access rights of different employees are different, and each employee needs to be assigned a resource that the employee can access. In the prior art, a technician needs to manually configure corresponding access authority information for each employee in advance, where the access authority information may include a correspondence between a user identifier of the employee and a resource group allowed to be accessed by the employee. When an employee needs to access a resource, a terminal can be used to send a login request to a gateway device, where the login request carries a certificate of the terminal, and the certificate carries a user identifier of the employee, where the user identifier of the employee is usually a user name of the employee. The gateway device may determine, according to the user identifier in the login request certificate, the resource group corresponding to the user identifier in the local access authority information, so as to determine the resource that the employee can access.
Because a technician must manually configure an accessible resource group for each employee in order to generate that employee's access authority information, a large amount of the technician's time is consumed when the enterprise has many employees, and the generation efficiency of the access authority information is low.
Disclosure of Invention
The embodiment of the application aims to provide a method and a device for generating access authority information so as to improve the generation efficiency of the access authority information. The specific technical scheme is as follows:
in a first aspect, to achieve the above object, an embodiment of the present application discloses a method for generating access permission information, where the method includes:
receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
judging whether the first user identification exists in preset access authority information or not, wherein the preset access authority information comprises the corresponding relation between the user identification and the resource group;
if the first user identification does not exist in the preset access authority information, determining a first resource group corresponding to the first user identification from the corresponding relation between the preset user attributes and the resource groups according to the first user attributes;
and adding the first user identification and the first resource group into the preset access authority information to generate the access authority information corresponding to the first user identification.
Optionally, the method further includes:
receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
and deleting the second user identification and the corresponding second resource group from the preset access authority information so as to delete the access authority information corresponding to the second user identification.
Optionally, the method further includes:
and if the first user identification exists in the preset access authority information, determining the resource included in the resource group corresponding to the first user identification in the preset access authority information as the resource which is allowed to be accessed by the first user corresponding to the first user identification.
Optionally, the method further includes:
receiving an adding instruction input by a user, wherein the adding instruction carries a third user identifier and a third resource group;
and adding the third user identifier and the third resource group into the preset access authority information to generate the access authority information corresponding to the third user identifier.
Optionally, the method further includes:
receiving a deletion instruction input by a user, wherein the deletion instruction carries a fourth user identifier;
and deleting the fourth user identification and the corresponding fourth resource group from the preset access authority information so as to delete the access authority information corresponding to the fourth user identification.
Optionally, the preset access permission information includes a correspondence between a service type, a user identifier, and a resource group, and adding the first user identifier and the first resource group to the preset access permission information includes:
and determining a first service type corresponding to the login request, and adding the first user identifier, the first resource group and the corresponding relation of the first service type into the access authority information corresponding to the first user identifier.
In a second aspect, to achieve the above object, an embodiment of the present application further discloses an apparatus for generating access right information, where the apparatus includes:
a receiving module, configured to receive a login request sent by a first terminal, where the login request carries a first user identifier and a first user attribute;
the judging module is used for judging whether the first user identifier exists in preset access authority information or not, wherein the preset access authority information comprises the corresponding relation between the user identifier and the resource group;
a first determining module, configured to determine, according to the first user attribute and from a correspondence between a preset user attribute and a resource group, a first resource group corresponding to the first user identifier if the first user identifier does not exist in the preset access permission information;
and the generating module is used for adding the first user identifier and the first resource group into the preset access authority information so as to generate the access authority information corresponding to the first user identifier.
Optionally, the apparatus further comprises:
the logout module is used for receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
and deleting the second user identification and the corresponding second resource group from the preset access authority information so as to delete the access authority information corresponding to the second user identification.
Optionally, the apparatus further comprises:
and a second determining module, configured to determine, if the first user identifier exists in the preset access permission information, a resource included in a resource group corresponding to the first user identifier in the preset access permission information as a resource which is allowed to be accessed by the first user corresponding to the first user identifier.
Optionally, the apparatus further comprises:
the adding module is used for receiving an adding instruction input by a user, wherein the adding instruction carries a third user identifier and a third resource group;
and adding the third user identifier and the third resource group into the preset access authority information to generate the access authority information corresponding to the third user identifier.
Optionally, the apparatus further comprises:
the deleting module is used for receiving a deleting instruction input by a user, wherein the deleting instruction carries a fourth user identifier;
and deleting the fourth user identification and the corresponding fourth resource group from the preset access authority information so as to delete the access authority information corresponding to the fourth user identification.
Optionally, the preset access permission information includes a correspondence between a service type, a user identifier, and a resource group, and the generating module is specifically configured to determine a first service type corresponding to the login request, and add the correspondence between the first user identifier, the first resource group, and the first service type to the access permission information corresponding to the first user identifier.
In a third aspect, to achieve the above object, an embodiment of the present application further discloses an electronic device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor is caused by the machine-executable instructions to: the method steps of the first aspect are implemented.
In a fourth aspect, to achieve the above object, embodiments of the present application further disclose a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to: the method steps of the first aspect are implemented.
The method and the device for generating access permission information provided by the embodiment of the application can receive a login request sent by a first terminal, wherein the login request can carry a first user identifier and a first user attribute, judge whether the first user identifier exists in preset access permission information, determine a first resource group corresponding to the first user identifier from a preset corresponding relationship between the user attribute and the resource group according to the first user attribute if the first user identifier does not exist in the preset access permission information, and add the first user identifier and the first resource group into the preset access permission information to generate the access permission information corresponding to the first user identifier. Based on the processing, the access authority information corresponding to the user identification can be automatically generated, and the generation efficiency of the access authority information can be improved.
Of course, it is not necessary for any product or method of the present application to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a structural diagram of a networking framework according to an embodiment of the present application;
fig. 2 is a flowchart of a method for generating access right information according to an embodiment of the present disclosure;
fig. 3 is a flowchart of an example of a method for generating access right information according to an embodiment of the present application;
fig. 4 is a flowchart of an example of a method for generating access right information according to an embodiment of the present application;
fig. 5 is a structural diagram of an access right information generation apparatus according to an embodiment of the present application;
fig. 6 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a method and a device for generating access authority information, which can be applied to network equipment, wherein the network equipment can be a router, firewall equipment or other gateway equipment. Referring to fig. 1, fig. 1 is a structural diagram of a networking framework according to an embodiment of the present application. The networking includes: network equipment, a server and a plurality of terminals. The server may store resources, and the network device may store preset access right information. When a certain user needs to access a resource, a login request can be sent to the network device through the terminal, the login request can carry a certificate of the terminal, and a first user identifier and a first user attribute are recorded in the certificate of the terminal. When the first user identifier does not exist in the preset access authority information, the network device may determine, according to the first user attribute, a first resource group corresponding to the first user identifier from a correspondence between the preset user attribute and the resource group, determine a resource included in the first resource group as a resource that the user can access, and at the same time, add the first user identifier and the first resource group to the preset access authority information to generate the access authority information corresponding to the first user identifier.
Therefore, the embodiment of the application can automatically register the new user when the user logs in for the first time, and the equipment administrator does not need manual configuration and repeated operation, so that the labor cost is saved.
Referring to fig. 2, fig. 2 is a flowchart of a method for generating access permission information according to an embodiment of the present application, and the method may be applied to a network device, where the network device may be a router, a firewall device, or another gateway device, and the gateway device may be an SSLVPN gateway device, and the like. The method may include the following steps.
S201: and receiving a login request sent by the first terminal.
The login request may be sent by the first user via the first terminal. The login request comprises the certificate used by the first terminal, and that certificate comprises a first user identifier and a first user attribute. The first terminal may acquire the certificate through a ukey (electronic key) or a mobile phone SIM (Subscriber Identity Module) card.
The first user identifier is a user identifier of the first user, and may be a user name or other identifier for distinguishing the user, for example, a job number of an employee.
The user attributes are used to determine the first user's right to access the resource. For example, for the case where the employee uses the terminal to access the resource of the enterprise server, since the authority of the employee to access the resource may be generally determined by the department to which the employee belongs and the company to which the department belongs, accordingly, the user attribute in the certificate of the terminal may include the department identifier of the department to which the employee belongs and the company identifier of the company to which the department belongs.
In implementation, when a certain user needs to access the resource of the server, the terminal may be used to send a login request carrying a certificate to the network device. The network device can receive the login request and perform handshake connection with the terminal according to the certificate carried in the login request.
S202: and judging whether the first user identification exists in the preset access authority information.
The network device can locally store preset access authority information, and the preset access authority information comprises a corresponding relation between a user identifier and a resource group. The preset access authority information may be preset by a technician, or may be generated by the network device according to a login request sent by the terminal last received. A resource group may include one resource or may include a plurality of resources.
In implementation, after the network device receives the login request, the network device may parse the login request to obtain a certificate of the first terminal carried in the login request, and then the network device may parse the certificate to obtain a user identifier (i.e., a first user identifier) carried in the certificate, and perform an inquiry in the preset access permission information to determine whether the first user identifier exists.
S203: and if the first user identification does not exist in the preset access authority information, determining a first resource group corresponding to the first user identification from the corresponding relation between the preset user attributes and the resource groups according to the first user attributes.
The network device can locally store the corresponding relation between the preset user attribute and the resource group, and the corresponding relation between the user attribute and the resource group can be set by technical personnel according to business requirements. For example, for the case where the employee uses the terminal to access the resource of the enterprise server, the correspondence between the user attribute and the resource group may refer to table (1).
Table (1)

    Company identifier    Department identifier    Resource group
    H3C                   Secure                   pgroup1
    UNIS                  Secure                   pgroup2
    UNIS                  Big data                 pgroup3

The user attributes in table (1) comprise company identifiers and department identifiers, so the correspondence between user attributes and resource groups in table (1) is the correspondence between company identifiers, department identifiers and resource groups. As can be seen from table (1), if an employee belongs to the security department of company H3C, that employee can access the resources comprised by resource group pgroup1; if an employee belongs to the security department of UNIS, that employee can access the resources comprised by resource group pgroup2; if an employee belongs to the big data department of UNIS, that employee can access the resources comprised by resource group pgroup3.
In implementation, when the network device determines that the first user identifier does not exist in the preset access right information, the network device may query the correspondence between the local user attribute and the resource group according to the user attribute (i.e., the first user attribute) in the certificate, and determine the resource group (i.e., the first resource group) corresponding to the first user attribute.
S204: and adding the first user identification and the first resource group into preset access authority information to generate access authority information corresponding to the first user identification.
In implementation, after the network device determines the first resource group, it may add the first user identifier to the preset access permission information and set the corresponding resource group to the first resource group, thereby generating the access permission information corresponding to the first user identifier. When the network device next receives a login request sent by the first user through the terminal and carrying the certificate of the terminal, the network device can query the preset access permission information according to the first user identifier carried in the certificate and directly determine the first resource group corresponding to the first user identifier, so as to confirm that the first user may access the resources included in the first resource group. Here, the first user is the user corresponding to the first user identifier.
Optionally, the network device may also directly determine the resources that the user may access. Specifically, the method may further include the steps of: if the first user identification exists in the preset access authority information, determining the resources included in the resource group corresponding to the first user identification in the preset access authority information as the resources which are allowed to be accessed by the first user corresponding to the first user identification.
In implementation, when the network device determines that the first user identifier exists in the preset access authority information, the network device may determine, in the preset access authority information, the resource group corresponding to the first user identifier, and determine the resources included in that resource group as the resources that the first user can access using the first terminal. The network device may also send the resources to the first terminal so that the first user can browse them using the first terminal.
Optionally, the network device may further update the local access right information, and specifically, the following manner may be adopted.
Mode 1: receiving a logout message sent by a second terminal; and deleting the second user identifier and the corresponding second resource group from the preset access authority information, so as to delete the access authority information corresponding to the second user identifier.
The logout message comprises a certificate used by the second terminal, and the certificate used by the second terminal comprises the second user identification.
In implementation, a user may delete the corresponding access right information using a terminal, and specifically, a technician may set a logout button in a login page of the server. When a user needs to delete the corresponding access right information, the user can use a terminal (i.e., a second terminal) to click a logout button in a login page, the network device can receive a logout message carrying a certificate of the second terminal, then parse the logout message to obtain the certificate of the second terminal, and obtain a user identifier (i.e., a second user identifier) carried in the certificate, and then the network device can delete the second user identifier and a corresponding second resource group from the preset access right information to delete the access right information corresponding to the second user identifier.
Mode 2: receiving an adding instruction input by a user; and adding the third user identifier and the third resource group to the preset access authority information to generate the access authority information corresponding to the third user identifier.
And the adding instruction carries the third user identifier and the third resource group.
In implementation, when a technician needs to add access right information, for example, when an enterprise has a new employee to enter a job, the technician may input an addition instruction to the network device through an input component of the network device, and the network device may receive the addition instruction and analyze the addition instruction to obtain a third user identifier corresponding to the employee and a third resource group accessible to the employee, and then the network device may add the third user identifier to preset access right information and set the corresponding resource group as the third resource group to generate access right information corresponding to the third user identifier.
Mode 3: receiving a deleting instruction input by a user; and deleting the fourth user identifier and the corresponding fourth resource group from the preset access authority information, so as to delete the access authority information corresponding to the fourth user identifier.
And the deleting instruction carries the fourth user identifier.
In implementation, when a technician needs to delete access right information, for example, when an employee leaves an enterprise, the technician may input a deletion instruction to the network device through an input component of the network device, and the network device may receive the deletion instruction and analyze the deletion instruction to obtain a fourth user identifier corresponding to the employee, and then the network device may delete the fourth user identifier and a corresponding fourth resource group from preset access right information to delete the access right information corresponding to the fourth user identifier.
Optionally, the network device may further set a corresponding service type. Specifically, the preset access right information includes a corresponding relationship between a service type, a user identifier, and a resource group, and correspondingly, step S204 may include the following processing procedures: and determining a first service type corresponding to the login request, and adding the first user identifier, the first resource group and the corresponding relation of the first service type into the access authority information corresponding to the first user identifier.
The service type may be SSLVPN, PPP (Point to Point Protocol), Portal, IKE (Internet Key Exchange), or other service types.
In implementation, the network device may parse the login request, determine a service type (i.e., a first service type) corresponding to the login request, and add a correspondence between the first service type, the first user identifier, and the first resource group to the access right information corresponding to the first user identifier. For example, the network device analyzes the login request, determines that the service type corresponding to the login request is SSLVPN, and the network device may set the service type corresponding to the first user identifier and the first resource group as SSLVPN in the preset access right information to generate a local user of the SSLVPN service type.
As can be seen from the above, the network device may also configure the generated local user according to the service type corresponding to the login request, so as to support the login request of different service types sent by the user using the terminal.
In addition, when the network device needs to perform local authentication on the terminal (for example, the network device authenticates the terminal according to the self-signed certificate of the terminal), the network device may also perform authentication on the terminal according to the generated local user.
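The first-login flow of steps S201 to S204 and S305, the three update modes (logout message, adding instruction, deleting instruction) and the service-type key described above, as one added Python model. This is example code written for this page, not code from the patent or from New H3C. It assumes the certificate subject carries the user identifier in CN, the company identifier in O and the department identifier in OU (the patent does not name the certificate fields), models the access authority information as a dictionary keyed by (service type, user identifier), and, for the case the text does not address, denies a first login whose (company, department) pair has no entry in table (1) rather than registering it. The resources inside each group are constructed sample values.

```python
# Added example, not code from the patent or from New H3C: an in-memory model of
# the gateway's access-rights table and the flows S201-S204 / S305, the
# logout / add / delete updates, and the service-type key.
# Assumption: certificate subject CN = user identifier, O = company identifier,
# OU = department identifier.

# Preset correspondence between user attributes and resource groups, i.e. the
# patent's table (1): (company identifier, department identifier) -> resource group.
ATTRIBUTE_TO_GROUP = {
    ("H3C", "Secure"): "pgroup1",
    ("UNIS", "Secure"): "pgroup2",
    ("UNIS", "Big data"): "pgroup3",
}

# Resources contained in each group (constructed sample data; the patent does
# not list concrete resources).
RESOURCE_GROUPS = {
    "pgroup1": ["10.0.1.0/24", "wiki.h3c.example"],
    "pgroup2": ["10.0.2.0/24"],
    "pgroup3": ["hdfs.unis.example:8020"],
}


def parse_subject(subject):
    """Split a certificate subject such as 'CN=zhangsan,O=H3C,OU=Secure' into
    a dict. Deliberately simple: it does not handle RFC 4514 escaped commas.
    The caller is expected to have validated the certificate chain already;
    the attributes are only trustworthy because the issuing CA asserted them."""
    attrs = {}
    for rdn in subject.split(","):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs


class AccessRightsTable:
    """Preset access authority information:
    (service type, user identifier) -> resource group."""

    def __init__(self):
        self.entries = {}

    def login(self, subject, service_type="SSLVPN"):
        """S201-S204 and S305 for one login request.
        Returns (outcome, resource group, resources), where outcome is
        'existing', 'created' or 'denied'."""
        attrs = parse_subject(subject)
        user_id = attrs["CN"]
        key = (service_type, user_id)
        # S302: does the user identifier already exist for this service type?
        if key in self.entries:
            group = self.entries[key]                          # S305
            return "existing", group, list(RESOURCE_GROUPS[group])
        # S303: map the user attributes to a resource group via table (1).
        group = ATTRIBUTE_TO_GROUP.get((attrs.get("O"), attrs.get("OU")))
        if group is None:
            # Not covered by the patent text: an unknown (company, department)
            # pair gets no entry, so nothing is auto-registered for it.
            return "denied", None, []
        self.entries[key] = group                              # S304
        return "created", group, list(RESOURCE_GROUPS[group])

    def logout(self, subject, service_type="SSLVPN"):
        """Mode 1: a logout message removes the user's own entry."""
        key = (service_type, parse_subject(subject)["CN"])
        return self.entries.pop(key, None) is not None

    def admin_add(self, user_id, group, service_type="SSLVPN"):
        """Mode 2: adding instruction carrying a user identifier and a resource group."""
        if group not in RESOURCE_GROUPS:
            raise ValueError("unknown resource group: %s" % group)
        self.entries[(service_type, user_id)] = group

    def admin_delete(self, user_id, service_type="SSLVPN"):
        """Mode 3: deleting instruction carrying a user identifier."""
        return self.entries.pop((service_type, user_id), None) is not None


if __name__ == "__main__":
    table = AccessRightsTable()
    print(table.login("CN=zhangsan,O=H3C,OU=Secure"))  # first login: created, pgroup1
    print(table.login("CN=zhangsan,O=H3C,OU=Secure"))  # second login: existing, pgroup1
    # Same user over PPP is a separate local user of service type PPP.
    print(table.login("CN=zhangsan,O=H3C,OU=Secure", service_type="PPP"))
```

Two points a practitioner should notice in this model, both of which follow from the patent's design: once an entry exists, the S305 branch never re-reads the certificate attributes, so a user whose department changes keeps the originally assigned resource group until a logout message or a deleting instruction removes the entry; and the attribute-to-group lookup is only as trustworthy as the certificate validation that precedes it, so the gateway must verify the certificate chain before treating O and OU as authoritative.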
Referring to fig. 3, fig. 3 is a flowchart of an example of a method for generating access permission information according to an embodiment of the present application, where the method may be applied to a network device, which may be a router, a firewall device, or another gateway device, and the method may include the following steps.
S301: The network device receives a login request sent by the first terminal.
The login request includes the certificate used by the first terminal, and that certificate includes a first user identifier and a first user attribute.
S302: The network device determines whether the first user identifier exists in the preset access right information. If it does not, S303 and S304 are executed; if it does, S305 is executed.
The preset access right information includes a correspondence between user identifiers and resource groups.
S303: The network device determines, according to the first user attribute, the first resource group corresponding to the first user identifier from the preset correspondence between user attributes and resource groups.
S304: The network device adds the first user identifier and the first resource group to the preset access right information to generate the access right information corresponding to the first user identifier.
S305: The network device determines the resources included in the resource group corresponding to the first user identifier in the preset access right information as the resources that the first user corresponding to the first user identifier is allowed to access.
Referring to fig. 4, fig. 4 is a flowchart of an example of a method for generating access right information according to an embodiment of the present application. This embodiment takes as its example the case in which a user "Zhang San" uses a first terminal to log in for the first time. The method may be applied to a network device, which may be a router, a firewall device, or another gateway device, and the first terminal accesses the network device through SSLVPN. The method may include the following steps. It should be understood that the access service type may also be Portal, PPP, IKE, etc.; SSLVPN is used here only as an example.
S401: The network device receives a login request sent by the first terminal.
The login request is sent by Zhang San using the first terminal, and it includes the certificate used by the first terminal. The certificate includes a first user identifier (i.e., the user name "Zhang San") and a first user attribute (the company identifier "H3C" of the company to which Zhang San belongs and the department identifier "security" of the department to which Zhang San belongs). Specifically, the login request is an SSL message, and the certificate carried by the SSL message includes an OU field and an O field, where the OU field is the field carrying the company identifier and the O field is the field carrying the department identifier. The certificate also includes a CN field carrying the user identifier.
S402: The network device determines that the first user identifier (Zhang San) does not exist in the preset access right information.
The preset access right information includes a correspondence between service type, user identifier and resource group. The preset access right information may be as shown in table (2).
Table (2)
User identifier    Service type    Resource group
Li Si              SSLVPN          pgroup2
Zhao Wu            SSLVPN          pgroup3
S403: The network device determines, according to the first user attribute (company identifier H3C and department identifier security), the first resource group (pgroup1) corresponding to the first user identifier (Zhang San) from the preset correspondence between user attributes and resource groups.
The preset correspondence between user attributes and resource groups may be as shown in table (3).
Table (3)
Company identifier    Department identifier    Resource group
H3C                   security                 pgroup1
UNIS                  security                 pgroup3
UNIS                  big data                 pgroup3
Therefore, when a user sends a login request from a terminal for the first time and the network device authenticates the terminal according to its certificate, the access right information corresponding to that user can be generated (that is, the local user corresponding to the user is generated).
S404: The network device adds the service type SSLVPN, the first user identifier (Zhang San) and the first resource group (pgroup1) to the preset access right information to generate the access right information corresponding to the first user identifier.
Specifically, the access right information shown in table (4) is obtained from table (2).
Table (4)
User identifier    Service type    Resource group
Li Si              SSLVPN          pgroup2
Zhao Wu            SSLVPN          pgroup3
Zhang San          SSLVPN          pgroup1
Thus the network device automatically creates a new user Zhang San of the SSLVPN type: the first login of the new user Zhang San is authenticated and authorized, and the new user is generated by registration.
S405: When the network device receives a login request sent by the first terminal again, the network device determines that the first user identifier (Zhang San) exists in the preset access right information.
S406: The network device determines the resources included in the resource group (pgroup1) corresponding to the first user identifier (Zhang San) in the preset access right information as the resources that the first user (Zhang San) is allowed to access.
The applicant found that, at present, when a user registers through SSLVPN, the authorized resource group cannot be determined, so that there is as yet no method for registering the user. In the method and device of the present application, the authorized resource group is determined from characteristic values of the certificate (such as the user identifier and the user attribute): when the user logs in for the first time, the network device automatically registers a new user (a local user), and when the user logs in again, the network device can authenticate the user according to that local user without having to obtain certificate authentication of the user's terminal again, so that authentication is faster and authentication efficiency is improved.
Therefore, the embodiment of the present application can automatically register a new user when the user logs in for the first time, without manual configuration or repeated operations by the device administrator, which saves labor cost. Authentication is faster when the user logs in again, and authentication efficiency is improved. Moreover, services related to the user can be processed using the newly created user; for example, the network device may authenticate the user locally according to the generated local user.
In addition, the user created in the embodiment of the present application is not limited to SSLVPN authentication. If other access services are required, the user can be used for them after the access service type is simply configured; the other access services include Portal, PPP, IKE and the like, in which case table (2) may become table (5) below.
Table (5)
User identifier    Service type                Resource group
Li Si              SSLVPN, Portal, PPP, IKE    pgroup2
Zhao Wu            SSLVPN, Portal, PPP, IKE    pgroup3
Based on the method for generating access permission information in the embodiment of the application, the network device may receive a login request sent by the first terminal, where the login request carries the first user identifier and the first user attribute. The network device may determine whether the first user identifier exists in the preset access right information. If the first user identifier does not exist in the preset access authority information, the network device may determine, according to the first user attribute, a first resource group corresponding to the first user identifier from a correspondence between the preset user attribute and the resource group, and add the first user identifier and the first resource group to the preset access authority information to generate the access authority information corresponding to the first user identifier. Based on the processing, the network device can automatically generate the access authority information corresponding to the user identification, and further, the generation efficiency of the access authority information can be improved.
Corresponding to the method embodiment of fig. 2, referring to fig. 5, fig. 5 is a device for generating access right information according to an embodiment of the present application, where the device may include:
a receiving module 501, configured to receive a login request sent by a first terminal, where the login request carries a first user identifier and a first user attribute;
a determining module 502, configured to determine whether the first user identifier exists in preset access permission information, where the preset access permission information includes a correspondence between a user identifier and a resource group;
a first determining module 503, configured to determine, according to the first user attribute, a first resource group corresponding to the first user identifier from a correspondence between a preset user attribute and the resource group if the first user identifier does not exist in the preset access permission information;
a generating module 504, configured to add the first user identifier and the first resource group to the preset access permission information, so as to generate access permission information corresponding to the first user identifier.
Optionally, the apparatus further comprises:
the logout module is used for receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
and deleting the second user identification and the corresponding second resource group from the preset access authority information so as to delete the access authority information corresponding to the second user identification.
Optionally, the apparatus further comprises:
and a second determining module, configured to determine, if the first user identifier exists in the preset access permission information, a resource included in a resource group corresponding to the first user identifier in the preset access permission information as a resource which is allowed to be accessed by the first user corresponding to the first user identifier.
Optionally, the apparatus further comprises:
the adding module is used for receiving an adding instruction input by a user, wherein the adding instruction carries a third user identifier and a third resource group;
and adding the third user identifier and the third resource group into the preset access authority information to generate the access authority information corresponding to the third user identifier.
Optionally, the apparatus further comprises:
the deleting module is used for receiving a deleting instruction input by a user, wherein the deleting instruction carries a fourth user identifier;
and deleting the fourth user identification and the corresponding fourth resource group from the preset access authority information so as to delete the access authority information corresponding to the fourth user identification.
Optionally, the preset access permission information includes a correspondence between a service type, a user identifier, and a resource group, and the generating module 504 is specifically configured to determine a first service type corresponding to the login request, and add the correspondence between the first user identifier, the first resource group, and the first service type to the access permission information corresponding to the first user identifier.
As can be seen from the above, the access right information generation device according to the embodiment of the application may receive a login request sent by a first terminal, where the login request carries a first user identifier and a first user attribute. And judging whether the first user identification exists in the preset access authority information. If the first user identification does not exist in the preset access authority information, determining a first resource group corresponding to the first user identification from the corresponding relation between the preset user attributes and the resource groups according to the first user attributes, and adding the first user identification and the first resource group into the preset access authority information to generate the access authority information corresponding to the first user identification. Based on the processing, the network device can automatically generate the access authority information corresponding to the user identification, and further, the generation efficiency of the access authority information can be improved.
The embodiment of the present application further provides an electronic device, as shown in fig. 6, which includes a processor 601, a communication interface 602, a memory 603 and a communication bus 604, where the processor 601, the communication interface 602 and the memory 603 communicate with each other through the communication bus 604.
The memory 603 is configured to store a computer program.
The processor 601 is configured to, when executing the program stored in the memory 603, cause the electronic device to perform the following steps:
receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
judging whether the first user identification exists in preset access authority information or not, wherein the preset access authority information comprises the corresponding relation between the user identification and the resource group;
if the first user identification does not exist in the preset access authority information, determining a first resource group corresponding to the first user identification from the corresponding relation between the preset user attributes and the resource groups according to the first user attributes;
and adding the first user identification and the first resource group into the preset access authority information to generate the access authority information corresponding to the first user identification.
Optionally, the above steps further include:
receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
and deleting the second user identification and the corresponding second resource group from the preset access authority information so as to delete the access authority information corresponding to the second user identification.
Optionally, the above steps further include:
and if the first user identification exists in the preset access authority information, determining the resource included in the resource group corresponding to the first user identification in the preset access authority information as the resource which is allowed to be accessed by the first user corresponding to the first user identification.
Optionally, the above steps further include:
receiving an adding instruction input by a user, wherein the adding instruction carries a third user identifier and a third resource group;
and adding the third user identifier and the third resource group into the preset access authority information to generate the access authority information corresponding to the third user identifier.
Optionally, the above steps further include:
receiving a deletion instruction input by a user, wherein the deletion instruction carries a fourth user identifier;
and deleting the fourth user identification and the corresponding fourth resource group from the preset access authority information so as to delete the access authority information corresponding to the fourth user identification.
Optionally, the preset access permission information includes a correspondence between a service type, a user identifier, and a resource group, and adding the first user identifier and the first resource group to the preset access permission information includes:
and determining a first service type corresponding to the login request, and adding the first user identifier, the first resource group and the corresponding relation of the first service type into the access authority information corresponding to the first user identifier.
The machine-readable storage medium may include a RAM (Random Access Memory) and may also include an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium may be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
As can be seen from the above, in the embodiment of the present application, a login request sent by a first terminal may be received, where the login request carries a first user identifier and a first user attribute, and it is determined whether the first user identifier exists in preset access permission information. If the first user identification does not exist in the preset access authority information, determining a first resource group corresponding to the first user identification from the corresponding relation between the preset user attributes and the resource groups according to the first user attributes, and adding the first user identification and the first resource group into the preset access authority information to generate the access authority information corresponding to the first user identification. Based on the processing, the access authority information corresponding to the user identification can be automatically generated, and the generation efficiency of the access authority information can be improved.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the embodiments of the apparatus, the electronic device, and the machine-readable storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and in relation to the embodiments, reference may be made to the partial description of the embodiments of the method.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (10)

1. A method for generating access right information, the method comprising:
receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute; the first user identification and the first user attribute are contained in a certificate used by the first terminal in the login request;
judging whether the first user identification exists in preset access authority information or not, wherein the preset access authority information comprises the corresponding relation between the user identification and the resource group;
if the first user identification does not exist in the preset access authority information, determining a first resource group corresponding to the first user identification from the corresponding relation between the preset user attributes and the resource groups according to the first user attributes;
adding the first user identification and the first resource group into the preset access authority information to generate access authority information corresponding to the first user identification; and the access authority information corresponding to the first user identification is used for authenticating the user.
2. The method of claim 1, further comprising:
receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
and deleting the second user identification and the corresponding second resource group from the preset access authority information so as to delete the access authority information corresponding to the second user identification.
3. The method of claim 1, further comprising:
and if the first user identification exists in the preset access authority information, determining the resource included in the resource group corresponding to the first user identification in the preset access authority information as the resource which is allowed to be accessed by the first user corresponding to the first user identification.
4. The method of claim 1, further comprising:
receiving an adding instruction input by a user, wherein the adding instruction carries a third user identifier and a third resource group;
and adding the third user identifier and the third resource group into the preset access authority information to generate the access authority information corresponding to the third user identifier.
5. The method of claim 1, further comprising:
receiving a deletion instruction input by a user, wherein the deletion instruction carries a fourth user identifier;
and deleting the fourth user identification and the corresponding fourth resource group from the preset access authority information so as to delete the access authority information corresponding to the fourth user identification.
6. The method according to claim 1, wherein the preset access right information includes a correspondence relationship between a service type, a user identifier and a resource group, and the adding the first user identifier and the first resource group to the preset access right information includes:
and determining a first service type corresponding to the login request, and adding the first user identifier, the first resource group and the corresponding relation of the first service type into the access authority information corresponding to the first user identifier.
7. An apparatus for generating access right information, the apparatus comprising:
a receiving module, configured to receive a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute; the first user identifier and the first user attribute are contained in a certificate used by the first terminal in the login request;
a judging module, configured to judge whether the first user identifier exists in preset access right information, wherein the preset access right information includes a correspondence between a user identifier and a resource group;
a first determining module, configured to determine, according to the first user attribute and from a correspondence between a preset user attribute and a resource group, a first resource group corresponding to the first user identifier if the first user identifier does not exist in the preset access permission information;
the generating module is used for adding the first user identifier and the first resource group into the preset access authority information to generate access authority information corresponding to the first user identifier; and the access authority information corresponding to the first user identification is used for authenticating the user.
8. The apparatus of claim 7, further comprising:
and a second determining module, configured to determine, if the first user identifier exists in the preset access permission information, a resource included in a resource group corresponding to the first user identifier in the preset access permission information as a resource which is allowed to be accessed by the first user corresponding to the first user identifier.
9. The apparatus of claim 7, wherein the preset access permission information includes a correspondence between a service type, a user identifier, and a resource group, and the generation module is specifically configured to determine a first service type corresponding to the login request, and add the correspondence between the first user identifier, the first resource group, and the first service type to the access permission information corresponding to the first user identifier.
10. An electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 6.
CN201810621380.9A 2018-06-15 2018-06-15 Access right information generation method and device Active CN108900484B (en)


Publications (2)

Publication Number Publication Date
CN108900484A CN108900484A (en) 2018-11-27
CN108900484B true CN108900484B (en) 2021-05-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant