CN110300124A - A kind of access control method, system, electronic equipment and readable medium - Google Patents

A kind of access control method, system, electronic equipment and readable medium

Publication number
CN110300124A
Authority
CN
China
Legal status
Pending
Application number
CN201910693984.9A
Other languages
Chinese (zh)
Inventor
左英男
张泽洲
魏勇
简明
Current Assignee
Qianxin Technology Group Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure provides an access control method, including: receiving a resource access request, issued by a requesting subject, to access a resource; determining an access rule based on the resource access request, and determining according to the access rule whether the requesting subject has permission to access the resource; judging whether the resource access request meets a security condition; when the requesting subject has permission to access the resource and the resource access request meets the security condition, allowing the requesting subject to access the resource; when the requesting subject does not have permission to access the resource or the resource access request does not meet the security condition, denying the requesting subject access to the resource; and when the requesting subject has permission to access the resource but the resource access request does not meet the security condition, denying the requesting subject access to the resource or requiring the requesting subject to perform an authentication measure of higher security strength so as to meet the security condition. The disclosure also provides a dynamic access control system, an electronic device and a computer-readable storage medium.

Description

A kind of access control method, system, electronic equipment and readable medium
Technical field
The present disclosure relates to the field of computer technology, and in particular to an access control method, system, electronic device and readable medium.
Background art
Existing access control technology is mostly network-centric: access control rules are formulated on the network communication five-tuple (source IP address, source port, destination IP address, destination port and transport-layer protocol). Cloud computing is the result of the mixed evolution of multiple technologies, and because of its high maturity, modern electronic infrastructure tends toward cloud and mobile. Control based on the five-tuple has difficulty coping with the demand for flexible access control in cloud infrastructure.
In addition, prior-art access control rules are mostly static: they cannot change dynamically according to subject attributes, object attributes and environment attributes, they lack the ability to perceive and measure risk, and they cannot perform risk-adaptive dynamic access control.
Summary of the invention
In view of the above problems, the present disclosure provides an access control method, system, electronic device and readable medium. Digital identities are established for requesting subjects and resources, a requesting subject's access to a resource is controlled on the basis of those digital identities, and access control is adjusted dynamically according to risk assessment, so as to better meet business access demands in new IT environments.
One aspect of the present disclosure provides an access control method, including: receiving a resource access request, issued by a requesting subject, to access a resource; obtaining an access rule based on the resource access request, and determining according to the access rule whether the requesting subject has permission to access the resource; judging whether the resource access request meets a security condition; when the requesting subject has permission to access the resource and the resource access request meets the security condition, allowing the requesting subject to access the resource; when the requesting subject does not have permission to access the resource, denying the requesting subject access to the resource; and when the requesting subject has permission to access the resource but the resource access request does not meet the security condition, denying the requesting subject access to the resource or requiring the requesting subject to perform an authentication measure of higher security strength so as to meet the security condition.
Optionally, determining an access rule based on the resource access request, and determining according to the access rule whether the requesting subject has permission to access the resource, includes: determining, based on the resource access request, the subject digital identity of the requesting subject and the resource digital identity of the resource in the resource access request; obtaining, according to the subject digital identity and the resource digital identity, the subject information of the requesting subject and the resource information of the resource respectively from a digital identity library; determining, according to the subject information and the resource information, the access rule between the requesting subject and the resource; and determining, according to the access rule, whether the requesting subject has permission to access the resource.
Optionally, the method further includes: in response to receiving a message that the subject information of a subject digital identity has changed, updating the subject information of that subject digital identity in the digital identity library; and/or in response to receiving a message that the resource information of a resource digital identity has changed, updating the resource information of that resource digital identity in the digital identity library.
Optionally, the method further includes: obtaining the subject information of at least one requesting subject and the resource information of at least one resource; and establishing the digital identity library based on the subject information of each requesting subject and the resource information of each resource.
Optionally, judging whether the resource access request meets the security condition includes at least one of the following: obtaining log information of the requesting subject's requests to access resources, and judging according to the log information whether the resource access request meets the security condition; obtaining the subject information of the requesting subject, and judging according to the subject information whether the resource access request meets the security condition; obtaining environment information of the environment in which the requesting subject is located, and judging according to the environment information whether the resource access request meets the security condition; or obtaining trust level information of the requesting subject, and judging according to the trust level information whether the resource access request meets the security condition.
Optionally, receiving the resource access request issued by the requesting subject includes: receiving the resource access request from a proxy, the proxy being used to receive the resource access request issued by the requesting subject to access the resource. In this case, allowing the requesting subject to access the resource when the requesting subject has permission to access the resource and the resource access request meets the security condition includes: when the requesting subject has permission to access the resource and the resource access request meets the security condition, notifying the proxy to forward the resource access request, the proxy receiving the response result generated in response to the resource access request and sending the response result to the requesting subject.
Another aspect of the present disclosure provides an access control system, including: a receiving module, configured to receive a resource access request, issued by a requesting subject, to access a resource; a determining module, configured to determine an access rule based on the resource access request and to determine according to the access rule whether the requesting subject has permission to access the resource; a judging module, configured to judge whether the resource access request meets a security condition; and an authorization module, configured to allow the requesting subject to access the resource when the requesting subject has permission to access the resource and the resource access request meets the security condition, to deny the requesting subject access to the resource when the requesting subject does not have permission to access the resource, and, when the requesting subject has permission to access the resource but the resource access request does not meet the security condition, to deny the requesting subject access to the resource or require the requesting subject to perform an authentication measure of higher security strength so as to meet the security condition.
Another aspect of the present disclosure provides an electronic device, including: a processor; and a memory for storing executable instructions, wherein the instructions, when executed by the processor, cause the processor to perform the above method.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method described above.
Another aspect of the present disclosure provides a computer program including computer-executable instructions which, when executed, implement the method described above.
Brief description of the drawings
For a more complete understanding of the present disclosure and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 schematically illustrates an exemplary system architecture to which the access control method can be applied, according to an embodiment of the present disclosure;
Fig. 2 schematically illustrates a flowchart of the access control method according to an embodiment of the present disclosure;
Fig. 3 schematically illustrates a flowchart of determining an access rule based on the resource access request, and determining according to the access rule whether the requesting subject has permission to access the resource, according to an embodiment of the present disclosure;
Fig. 4A schematically illustrates an architecture diagram for implementing the access control method according to another embodiment of the present disclosure;
Fig. 4B schematically illustrates a schematic diagram of the access control method of the embodiment shown in Fig. 4A;
Fig. 5 schematically illustrates a flowchart of the dynamic access control method provided according to another embodiment of the present disclosure;
Fig. 6 schematically illustrates a block diagram of the access control system according to another embodiment of the present disclosure; and
Fig. 7 schematically illustrates a block diagram of the electronic device according to an embodiment of the present disclosure.
Detailed description of the embodiments
Other aspects, advantages and salient features of the present disclosure will become apparent to those skilled in the art from the following detailed description of exemplary embodiments of the disclosure, taken in conjunction with the accompanying drawings.
In the present disclosure, the terms "include" and "contain" and their derivatives mean inclusion without limitation; the term "or" is inclusive, meaning and/or.
In this specification, the various embodiments described below to explain the principles of the disclosure are illustrative only and should not be construed in any way as limiting the scope of the disclosure. The following description with reference to the accompanying drawings is provided to assist a comprehensive understanding of the exemplary embodiments of the disclosure as defined by the claims and their equivalents. The description includes various specific details to assist understanding, but these details are to be regarded as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of the disclosure. In addition, descriptions of well-known functions and structures are omitted for clarity and brevity. Throughout the drawings, the same reference numerals are used for similar functions and operations.
Fig. 1 schematically illustrates an exemplary system architecture 100 to which the access control method can be applied, according to an embodiment of the present disclosure. It should be noted that Fig. 1 shows only an example of a system architecture to which the embodiments of the disclosure can be applied, to help those skilled in the art understand the technical content of the disclosure; it does not mean that the embodiments cannot be used in other devices, systems, environments or scenarios.
As shown in Fig. 1, the system architecture 100 according to this embodiment may include an access control system 101, a terminal device 103 and a server 105.
Various client applications may be installed on the terminal device 103, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients and social platform software (merely illustrative). The terminal device 103 may be any of various electronic devices that have a display screen and support web browsing, including but not limited to smartphones, tablet computers, laptop portable computers and desktop computers.
A user may, for example, use an application installed on the terminal device 103 to access a resource in the server 105. The access control system 101 controls the permission of the terminal device 103 to access resources. For example, the terminal device 103 issues to the access control system 101 a request to access a resource in the server 105, and the access control system 101 can use the access control method according to the embodiments of the disclosure to determine the access permission for that request.
It should be noted that the control method provided by the embodiments of the disclosure may generally be executed by the access control system 101.
An embodiment of the present disclosure provides an access control method including: receiving a resource access request, issued by a requesting subject, to access a resource; determining an access rule based on the resource access request, and determining according to the access rule whether the requesting subject has permission to access the resource; judging whether the resource access request meets a security condition; and allowing the requesting subject to access the resource when the requesting subject has permission to access the resource and the resource access request meets the security condition.
Fig. 2 schematically illustrates a flowchart of the access control method according to an embodiment of the present disclosure.
As shown in Fig. 2, the method includes operations S210 to S240.
In operation S210, a resource access request, issued by a requesting subject, to access a resource is received.
In operation S220, an access rule is determined based on the resource access request, and whether the requesting subject has permission to access the resource is determined according to the access rule.
In operation S230, it is judged whether the resource access request meets a security condition.
In operation S240, when the requesting subject has permission to access the resource and the resource access request meets the security condition, the requesting subject is allowed to access the resource; when the requesting subject does not have permission to access the resource, the requesting subject is denied access to the resource; and when the requesting subject has permission to access the resource but the resource access request does not meet the security condition, the requesting subject is denied access to the resource or is required to perform an authentication measure of higher security strength so as to meet the security condition.
According to an embodiment of the present disclosure, the access control method uses the access rule to judge whether the requesting subject has permission to access the resource, and evaluates the security information of the resource access request in real time when the request is received, so that whether the requesting subject may access the resource is determined dynamically.
According to an embodiment of the present disclosure, in operation S210, in the scenario shown in Fig. 1 for example, the access control system 101 may receive a resource access request in which the terminal device 103 requests access to the server 105.
According to an embodiment of the present disclosure, in operation S220, the access rule may, for example, define a mapping relationship between subject information and the resource information of the resources that a requesting subject with that subject information is able to access. Subject information may include, for example, the user name of the user, the user's mailbox, the user's post, the model of the device and the security level of the subject. Resource information may include, for example, the importance level of the resource and information about the application to which the resource belongs. According to an embodiment of the present disclosure, the resource access request may, for example, carry the subject information of the requesting subject and the resource information of the requested resource, and the access control system judges according to the access rule whether the requesting subject has permission to access the resource.
Fig. 3 schematically illustrates a flowchart of determining an access rule based on the resource access request, and determining according to the access rule whether the requesting subject has permission to access the resource, according to an embodiment of the present disclosure.
As shown in Fig. 3, the method includes operations S221 to S224.
In operation S221, based on the resource access request, the subject digital identity of the requesting subject and the resource digital identity of the resource in the resource access request are determined.
In operation S222, according to the subject digital identity and the resource digital identity, the subject information of the requesting subject and the resource information of the resource are obtained respectively from the digital identity library.
In operation S223, the access rule between the requesting subject and the resource is determined according to the subject information and the resource information.
In operation S224, whether the requesting subject has permission to access the resource is determined according to the access rule.
According to an embodiment of the present disclosure, the access control method establishes a unique digital identity for each requesting subject and each resource and obtains the attribute information of the subject and of the resource from those digital identities. As a result, when the attribute information of the requesting subject changes, or the attribute information of the requested resource changes, the access control system can determine in real time, from the attribute information of the subject and the resource, whether the requesting subject may access the resource, thereby achieving dynamic access control.
According to an embodiment of the present disclosure, the resource access request may, for example, carry the subject digital identity of the requesting subject and the resource digital identity of the resource. The subject digital identity may, for example, be an identifier that the identity management subsystem in the access control system issues to the subject according to the subject's subject information, and the resource digital identity may be an identifier that the identity management subsystem issues to the resource according to the resource's resource information. A unique requesting subject and a unique resource can be determined from the digital identities.
According to an embodiment of the present disclosure, in operation S221, the access control system may, for example, parse the resource access request to determine the subject digital identity of the requesting subject and the resource digital identity of the resource in the request.
According to an embodiment of the present disclosure, in operation S222, the identity management subsystem in the access control system may, for example, store the digital identity library, which records each subject digital identity together with the subject information of that requesting subject, and each resource digital identity together with the resource information of that resource. In operation S222, the subject information of the requesting subject and the resource information of the resource are obtained respectively from the digital identity library according to the subject digital identity and the resource digital identity.
According to an embodiment of the present disclosure, access rules may, for example, be stored in the access control system, and an access rule may, for example, define a mapping relationship between subject information and the resource information of the resources that this subject information is able to access. In operations S223 and S224, the access rules in the access control system are queried using the subject information and resource information determined from the resource access request, to determine according to the access rules whether a mapping relationship exists between the subject information of the requesting subject and the requested resource. If a mapping relationship exists, the requesting subject has permission to access the resource; if no mapping relationship exists, the requesting subject does not have permission to access the resource.
Referring back to Fig. 2, in operation S230, judging whether the resource access request meets the security condition may include at least one of the following: obtaining log information of the requesting subject's requests to access resources, and judging according to the log information whether the resource access request meets the security condition; obtaining the subject information of the requesting subject, and judging according to the subject information whether the resource access request meets the security condition; obtaining environment information of the environment in which the requesting subject is located, and judging according to the environment information whether the resource access request meets the security condition; or obtaining trust level information of the requesting subject, and judging according to the trust level information whether the resource access request meets the security condition.
According to an embodiment of the present disclosure, the access control system performs a real-time risk determination when it receives a resource access request from a requesting subject, and combines the risk determination with the access rule determination to decide whether the requesting subject has permission to access the resource.
Specifically, when a resource access request from a requesting subject is received, one or more of the following is performed. The current traffic between the requesting subject and the resource (that is, the access traffic information) is collected and analyzed using data analysis and artificial intelligence techniques to determine the risk level of the resource access request, and thereby judge whether the request meets the security condition. And/or the subject information of the requesting subject (that is, user information and device information) is collected and analyzed using data analysis and artificial intelligence techniques to determine the risk level of the resource access request, and thereby judge whether the request meets the security condition. And/or the environment information of the environment in which the requesting subject is located (including factors such as access time and addressing space, as well as the requesting subject's behavior when accessing the business and its operating patterns when operating the terminal) is collected and analyzed using data analysis and artificial intelligence techniques to determine the risk level of the resource access request, and thereby judge whether the request meets the security condition. And/or the trust level information of the requesting subject is obtained from a maintained list of requesting-subject trust levels, so as to judge according to the trust level whether the resource access request meets the security condition. It should be noted that the risk judgment may be based on any one of subject information, environment information, access traffic information and trust level information, or on any combination of two, three or all four of them.
It should be noted that the present disclosure is not limited to the above four ways of performing the risk determination; it is conceivable that combinations of various other factors (user identity, device identity and so on) may also be used.
According to an embodiment of the present disclosure, in operation S240, in the scenario shown in Fig. 1 for example, when the terminal device 103 has permission to access a certain resource in the server 105 and the resource access request issued by the terminal device 103 meets the security condition, the terminal device 103 is allowed to access the resource; when the terminal device 103 does not have permission to access the resource, the terminal device 103 is denied access to the resource; and when the requesting subject has permission to access the resource but the resource access request does not meet the security condition, the requesting subject is denied access to the resource or is required to perform an authentication measure of higher security strength so as to meet the security condition.
According to an embodiment of the present disclosure, the access control method further includes, in response to receiving a message that the subject information of a subject digital identity has changed, updating the subject information of that subject digital identity in the digital identity library. For example, the access control system may receive a message that a user's post has changed and update the post in the subject information corresponding to that subject digital identity in the digital identity library. In this way the subject information of subject digital identities in the digital identity library is kept up to date, which enables dynamic access control.
According to an embodiment of the present disclosure, the access control method further includes, in response to receiving a message that the resource information of a resource digital identity has changed, updating the resource information of that resource digital identity in the digital identity library. For example, on receiving a message that the importance level of a resource has changed, the importance level of that resource in the digital identity library is updated.
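The decision flow of operations S221 to S224, S230 and S240, together with the identity-library update just described, as an added Python example that is not part of the patent. The attribute names, the risk scoring, the tolerance table and the two authentication strengths are assumptions chosen for illustration; the patent leaves the risk analysis to unspecified data analysis techniques.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "require stronger authentication"


@dataclass
class Request:
    subject_id: str         # subject digital identity carried in the request
    resource_id: str        # resource digital identity carried in the request
    hour: int               # environment information: local hour of access
    network: str            # environment information: "corporate" or other
    auth_strength: int = 1  # assumed scale: 1 = password, 2 = plus second factor


MAX_AUTH_STRENGTH = 2
TRUST_RISK = {"high": 0, "medium": 1, "low": 2}  # assumed trust-level scale
TOLERANCE = {"high": 1, "normal": 2}             # assumed, by resource importance


class AccessController:
    def __init__(self, identity_library, rules, trust_levels):
        self.identity_library = identity_library  # digital identity -> attributes
        self.rules = rules                        # subject attrs -> resource attrs
        self.trust_levels = trust_levels          # subject identity -> trust level

    def update_identity(self, identity, **changed):
        """Apply an attribute-change message to the digital identity library."""
        self.identity_library[identity].update(changed)

    def has_permission(self, req):
        """S221-S224: identities -> attributes -> is there a matching rule?"""
        subject = self.identity_library.get(req.subject_id)
        resource = self.identity_library.get(req.resource_id)
        if subject is None or resource is None:
            return False  # unknown identity: no mapping relationship can exist
        return any(
            all(subject.get(k) == v for k, v in rule["subject"].items())
            and all(resource.get(k) == v for k, v in rule["resource"].items())
            for rule in self.rules
        )

    def risk_score(self, req):
        """S230 input: trust level plus environment information (assumed weights)."""
        risk = TRUST_RISK.get(self.trust_levels.get(req.subject_id), 2)
        if not 8 <= req.hour < 18:
            risk += 1
        if req.network != "corporate":
            risk += 1
        return risk

    def meets_security_condition(self, req, auth_strength=None):
        """S230: stronger authentication raises the tolerated risk by one step."""
        strength = req.auth_strength if auth_strength is None else auth_strength
        importance = self.identity_library[req.resource_id].get("importance", "high")
        return self.risk_score(req) <= TOLERANCE.get(importance, 1) + strength - 1

    def decide(self, req):
        """S240: allow, deny, or ask for stronger authentication."""
        if not self.has_permission(req):
            return Decision.DENY
        if self.meets_security_condition(req):
            return Decision.ALLOW
        if (req.auth_strength < MAX_AUTH_STRENGTH
                and self.meets_security_condition(req, MAX_AUTH_STRENGTH)):
            return Decision.STEP_UP
        return Decision.DENY


def build_demo():
    """Constructed sample data, not taken from the patent."""
    library = {
        "sub-001": {"user": "alice", "post": "finance", "device": "laptop-7"},
        "res-100": {"app": "ledger", "importance": "high"},
    }
    rules = [{"subject": {"post": "finance"}, "resource": {"app": "ledger"}}]
    return AccessController(library, rules, {"sub-001": "high"})


if __name__ == "__main__":
    pdp = build_demo()
    office = Request("sub-001", "res-100", hour=10, network="corporate")
    night = Request("sub-001", "res-100", hour=23, network="public")
    print(pdp.decide(office).value, "|", pdp.decide(night).value)
    pdp.update_identity("sub-001", post="sales")  # post-change message
    print(pdp.decide(office).value)
```

Because permission is recomputed from the identity library on every request, the post change takes effect on the very next decision without touching the rules.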
In accordance with an embodiment of the present disclosure, access control method further include obtain at least one request body main information and The resource information of at least one resource;And the resource information of the main information and each resource based on each request body, it builds Stand the digital identity library.In accordance with an embodiment of the present disclosure, digital identity library for example can be established in advance, or can also Be when request body sends resource access request to agency plant, agency plant inspection find do not include in resource access request In the case where main body digital identity and/or resource digital identity, prompt information is issued, to prompt user to obtain recognizing for request body Demonstrate,prove information.Such as agency plant can to request body send login page, so that user is logged in, Identity Management subsystem according to The log-on message at family, obtains the attribute information of request body, and Identity Management subsystem establishes the request body according to attribute information Digital identity.
The money for the access resource that request body issues is received in operation S210 according to the other embodiment of the disclosure Source access request, which may is that, receives the resource access request from agency, and the agency is for receiving the visit of request body sending It asks the resource access request of resource, and there is the permission for accessing the resource and resource access in the request body In the case that request meets safety condition, the agency is notified to forward the resource access request, and received and rung by the agency Resource access request described in Ying Yu and the response results generated, and the response results are sent to the request body.
Fig. 4A schematically shows an architecture diagram for implementing the access control method according to another embodiment of the disclosure.
As shown in Fig. 4A, the access control system may include a management subsystem, a risk assessment subsystem and an authorization determination subsystem.
The management subsystem may include an identity management submodule and a rule management submodule. The identity management submodule is used to establish the main body digital identity of at least one request body and the resource digital identity of at least one resource. Specifically, main body digital identities may be established for request bodies, such as the users, devices and interfaces that participate in dynamic access control, and resource digital identities may be established for resources, which may include, for example, applications and data; a unified digital identity library is then formed from the digital identities of the request bodies and the digital identities of the resources. The digital identity library records the main information of each main body digital identity and the resource information of each resource. According to an embodiment of the present disclosure, when the identity management submodule receives a message that the main information of a main body digital identity has changed, it updates the main information of that main body digital identity in the digital identity library; and/or, in response to receiving a message that the resource information of a resource digital identity has changed, it updates the resource information of that resource digital identity in the digital identity library.
The rule management submodule is used to establish access rules between main information and resource information and to generate an authority library from the established access rules, so that the access rules can be managed. An access rule defines the mapping between main information that has access permission and resource information.
In addition, to realize dynamic access control, the access rules can be adjusted dynamically according to the main information of the request body, the environmental information of the environment the request body is in, and the access traffic information. Specifically, for any resource access request, a risk assessment of the request is carried out according to the main information of the request body, the environmental information of the environment the request body is in, and the access traffic information. When it is judged according to the access rule that the request body has permission to access the resource but the resource access request does not meet the safety condition, the access rule between the request body and the resource needs to be adjusted.
The risk assessment subsystem is used, when the execution module receives a resource access request issued by any request body, to judge whether the resource access request meets the safety condition, generate a judgment result, and send the judgment result to the authorization module as one of the bases for the authorization decision.
Specifically, when the system receives a resource access request from a request body, the risk assessment module does one or more of the following. It collects the current traffic between the request body and the resource (i.e., the access traffic information), analyzes the access traffic information using data analysis and artificial intelligence techniques, and determines the risk level of the resource access request in order to judge whether the request meets the safety condition; and/or it collects the main information of the request body (i.e., user information and device information), analyzes the main information using data analysis and artificial intelligence techniques, and determines the risk level of the resource access request in order to judge whether the request meets the safety condition; and/or it collects the environmental information of the environment the request body is in (including factors such as access time and access space, the behavior of the request body when accessing the service, and the way the request body operates the terminal), analyzes the environmental information using data analysis and artificial intelligence techniques, and determines the risk level of the resource access request in order to judge whether the request meets the safety condition. It should be noted that the risk assessment module may perform the risk judgment based on any one of the main information, the environmental information and the access traffic information, or based on a combination of any two or all three of them.
The authorization determination subsystem is used, when the agent system receives a resource access request issued by any request body and after the authorization request issued by the agent system has been received, to issue a rule request to the management subsystem (i.e., to request the access rules in the management module), receive the rule response issued by the management module (i.e., obtain from the management module the access rule between the request body and the resource), receive the judgment result of the risk assessment module, and determine from the rule response and the judgment result whether to allow the request body to access the resource, generating an authorization response.
Specifically, when it is judged according to the access rule that the request body has permission to access the resource and the resource access request meets the safety condition, the authorization response is to allow the request body to access the resource; otherwise, the authorization response is to refuse the request body access to the resource.
The agent system is used to receive the resource access request issued by any request body, send an authorization request to the authorization module, and receive the authorization response of the authorization module. When the authorization response allows the request body to access the resource, the execution module forwards the resource access request to the resource, receives the resource response that the resource issues for the resource access request, and then forwards the resource response to the request body. When the authorization response refuses the request body access to the resource, the execution module performs no further operation, i.e., the resource access request is not forwarded to the resource.
It should be understood that the agent system may be part of the access control system or may be independent of it. The agent system receives resource access requests and can communicate with the authorization determination subsystem and with the electronic device where the resource is located.
Fig. 4B schematically shows the access control method of the embodiment shown in Fig. 4A of the disclosure.
As shown in Fig. 4B, the resource access request sent by the request body is intercepted by the agent system, and the agent system sends the resource access request to the dynamic authorization determination subsystem in the access control system according to the embodiment of the present disclosure, for example by performing operation S210 described above with reference to Fig. 2.
According to an embodiment of the present disclosure, the dynamic authorization determination subsystem parses the digital identity of the request body and the digital identity of the resource from the resource access request. In addition, according to an embodiment of the present disclosure, the dynamic authorization determination subsystem can obtain the environmental information at the time the resource access request is received. The environmental information may include, for example, the time information, network information and region information of the resource access request.
According to an embodiment of the present disclosure, the dynamic authorization determination subsystem obtains the main information and the resource information from the identity management submodule in the management subsystem according to the main body digital identity and the resource digital identity. The dynamic authorization determination subsystem obtains the access rule for the main information and the resource information from the rule management submodule in the management subsystem, and combines the current main information, resource information and environmental factors to determine whether the request body has permission to access the resource. For example, operation S220 described above with reference to Fig. 2 may be performed.
According to an embodiment of the present disclosure, the dynamic authorization determination subsystem obtains the security assessment result of the resource access request from the risk assessment subsystem. For example, operation S230 described above with reference to Fig. 2 may be performed.
The dynamic authorization determination subsystem determines whether to allow the request body to access the resource according to whether the request body has permission to access the resource and according to the risk assessment result of the resource access request. For example, operation S240 described above with reference to Fig. 2 may be performed.
If the dynamic authorization determination subsystem decides to allow the request body to access the resource, the agent system sends the resource access request to the electronic device that stores the resource, the electronic device sends the resource to the agent system in response to the resource access request, and the agent system sends the resource to the request body.
According to an embodiment of the present disclosure, resource access requests are intercepted by the agent, which prevents the access control system from being bypassed and ensures that, for every resource access request, whether to let the request through is decided according to the real-time judgment result of the access control system.
Fig. 5 schematically shows a flowchart of the dynamic access control method provided according to another embodiment of the disclosure.
As shown in Fig. 5, the method includes operations S510 to S560.
In operation S510, for example, the identity management submodule may establish the access rules between at least one request body and at least one resource.
In operation S510, for example, the identity management submodule may establish the digital identity of at least one request body and the digital identity of at least one resource; this is the premise for carrying out identity-centered dynamic access control. Specifically, this includes establishing digital identities for the users, devices, applications, interfaces and data that participate in dynamic access control.
A digital identity refers to real identity information condensed into a digital code: a public key that can be queried and identified through the network, related devices and the like, and that serves the important function of representing identity on the Internet.
Next, a unified identity library is formed from the digital identities of the request bodies and the digital identities of the resources, and life cycle management is applied to all digital identities.
Then, access rules between the main information of request bodies and the resource information of resources are established, and an authority library is generated from the established access rules so that the access rules can be managed. An access rule defines the mapping between the main information of a request body that has access permission and the resource information of a resource.
In operation S520, when a resource access request issued by any request body is received, the access rule is obtained, and whether the request body has permission to access the resource is judged according to the access rule; if so, operation S530 is executed; otherwise, operation S560 is executed. In operation S560, the request body is refused access to the resource. For example, when it is judged according to the access rule that the request body does not have permission to access the resource and/or the resource access request does not meet the safety condition, the request body is refused access to the resource, i.e., the agent refuses to forward the resource access request to the resource.
In the embodiments of the present disclosure, the request body does not access resources based on a five-tuple; instead, resource access is based on the digital identity established in operation S510.
When a resource access request issued by any request body is received, the request is parsed to obtain the digital identity of the request body and the digital identity of the resource contained in it. The main information of the request body (including user information, device information and interface information) can be obtained from the request body's digital identity, and the resource information of the resource (including application information and data information) can be obtained from the resource digital identity. Using the obtained main information and resource information to query the rule library, the access rule between the request body and the resource can be found.
Whether the request body has permission to access the resource is judged according to the access rule: if the request body has permission to access the resource, operation S530 is executed; if the request body does not have permission to access the resource, operation S560 is executed.
In operation S530, whether the resource access request meets the safety condition is judged; if so, operation S540 is executed; otherwise, operation S550 is executed.
To realize dynamic access control, a real-time risk determination needs to be carried out when the resource access request of the request body is received; the risk determination and the access rule together decide whether the request body has permission to access the resource.
Specifically, when the resource access request of the request body is received, one or more of the following is done. The current traffic between the request body and the resource (i.e., the access traffic information) is collected and analyzed using data analysis and artificial intelligence techniques, and the risk level of the resource access request is determined in order to judge whether the request meets the safety condition; and/or the main information of the request body (i.e., user information and device information) is collected and analyzed using data analysis and artificial intelligence techniques, and the risk level of the resource access request is determined in order to judge whether the request meets the safety condition; and/or the environmental information of the environment the request body is in (including factors such as access time and access space, the behavior of the request body when accessing the service, and the way the request body operates the terminal) is collected and analyzed using data analysis and artificial intelligence techniques, and the risk level of the resource access request is determined in order to judge whether the request meets the safety condition. It should be noted that the risk judgment may be based on any one of the main information, the environmental information and the access traffic information, or on a combination of any two or all three of them.
It should be noted that the disclosure is not limited to the above three ways of risk determination; it is conceivable that a combination of various other factors (user identity, device identity, etc.) may also be used for the determination.
In operation S540, for example, an authorization response may be sent to the agent system so that the agent system sends the resource access request to the electronic device where the resource is located.
In operation S550, for example, where the main information and resource information maintained in the digital identity library include the security level of the main information and the importance level of the resource information, the security level of the request body in the digital identity library is updated when it is determined that the request body does not meet the safety condition. For example, the security level of the request body may be updated to "low".
In the embodiments of the present disclosure, an agent is provided to take over resource access requests, and for every resource access request, whether to let it through to the resource is decided according to the real-time judgment result of dynamic access control. Dynamic access control is thereby enforced on all resource access requests, and the dynamic access control policy cannot be bypassed.
In operation S540, when it is judged according to the access rule that the request body has permission to access the resource and the resource access request meets the safety condition, the request body is allowed to access the resource. In this case, the agent forwards the resource access request to the resource and forwards the resource response corresponding to the resource access request to the request body.
Operation S540 can also be extended further: according to the risk level of the resource access request in operation S3, the request body can be allowed to access different resources. For example, when the risk level of the resource access request meets a higher safety condition, the request body can be allowed to access resources of a correspondingly higher security level; similarly, when the risk level of the resource access request meets only some lower safety conditions, the request body is allowed to access only fixed resources of a lower security level.
In addition, the disclosure can also carry out continuous safety determination while the request body continues to access the resource, for example by repeating operation S530; if a security risk is determined during this period, the request body can be refused access to the resource immediately. Of course, continuous safety determination is not limited to the determination method of operation S530, and other methods can also be used. For example, by learning the user's habits in operating the device (e.g., the frequency of keyboard typing), the system can determine that there is a security risk if it finds during access that the way the device is operated has changed (i.e., it is not the same user).
In addition, the digital identity mentioned in this disclosure can relate to multiple entities such as users, devices, applications and interfaces. It should be understood that the disclosure can set a digital identity for any entity that participates in the dynamic access control method, which facilitates identification and operation within the process and also increases the security of dynamic access control.
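The flow of operations S520 to S560, including the extension of operation S540 that ties the risk ceiling to the importance of the resource, can be sketched as follows. This is an added illustration, not code from the patent; the additive risk score stands in for the data analysis step the text leaves unspecified, and the field names, thresholds and sample identities are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # S540: agent forwards the request to the resource
    DENY = "deny"        # S560: no permission under the access rule
    STEP_UP = "step_up"  # S550: permitted, but the safety condition is not met
    LOGIN = "login"      # request carries no known digital identity


@dataclass
class IdentityLibrary:
    """Digital identity library: digital identity -> main / resource information."""
    subjects: dict = field(default_factory=dict)
    resources: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    """Access rule mapping main information (role, device state) to a resource app."""
    role: str
    app: str
    managed_device_only: bool = True


# Assumed risk ceilings per resource importance level (the extension of S540).
RISK_CEILING = {"high": 30, "normal": 60}


def has_permission(rules, main, res):
    """S520: is there an access rule linking this main information to this resource?"""
    return any(
        r.role == main["role"] and r.app == res["app"]
        and (main["device_managed"] or not r.managed_device_only)
        for r in rules
    )


def risk_score(main, env, traffic):
    """S530 stand-in (assumption): additive score over main, environment, traffic."""
    score = 40 if main["security_level"] == "low" else 0
    score += 30 if env["region"] not in main["usual_regions"] else 0
    score += 20 if not 7 <= env["hour"] < 20 else 0
    score += 40 if traffic["requests_last_minute"] > 100 else 0
    return score


def authorize(lib, rules, request, env, traffic):
    """Authorization determination: combine rule lookup and risk assessment."""
    main = lib.subjects.get(request.get("subject_id"))
    res = lib.resources.get(request.get("resource_id"))
    if main is None or res is None:
        return Decision.LOGIN
    if not has_permission(rules, main, res):
        return Decision.DENY
    if risk_score(main, env, traffic) >= RISK_CEILING[res["importance"]]:
        main["security_level"] = "low"  # S550: update the identity library
        return Decision.STEP_UP
    return Decision.ALLOW


class Agent:
    """Agent system: every request passes through authorize() before forwarding."""
    def __init__(self, lib, rules, backend):
        self.lib, self.rules, self.backend = lib, rules, backend

    def handle(self, request, env, traffic):
        decision = authorize(self.lib, self.rules, request, env, traffic)
        if decision is Decision.ALLOW:
            return decision, self.backend[request["resource_id"]]
        return decision, None  # nothing is forwarded to the resource


def demo():
    """Run constructed sample requests through the agent; return (decision, body)."""
    lib = IdentityLibrary(
        subjects={
            "sub:alice": {"role": "engineer", "device_managed": True,
                          "usual_regions": {"CN-BJ"}, "security_level": "normal"},
            "sub:bob": {"role": "intern", "device_managed": True,
                        "usual_regions": {"CN-BJ"}, "security_level": "normal"},
        },
        resources={"res:repo": {"app": "code-repo", "importance": "high"},
                   "res:wiki": {"app": "wiki", "importance": "normal"}},
    )
    rules = [Rule("engineer", "code-repo"), Rule("engineer", "wiki", False)]
    agent = Agent(lib, rules, {"res:repo": "repo-data", "res:wiki": "wiki-page"})
    office, odd = {"region": "CN-BJ", "hour": 10}, {"region": "US-CA", "hour": 23}
    quiet = {"requests_last_minute": 5}
    cases = [("sub:alice", "res:repo", office),  # permitted, low risk
             ("sub:bob", "res:repo", office),    # no rule for this role
             ("sub:alice", "res:repo", odd),     # unusual region and hour
             ("sub:alice", "res:repo", office),  # security level now "low"
             ("sub:alice", "res:wiki", office),  # lower importance, still allowed
             ("sub:eve", "res:repo", office)]    # unknown digital identity
    return [agent.handle({"subject_id": s, "resource_id": r}, env, quiet)
            for s, r, env in cases]
```

The fourth and fifth cases show the effect of operation S550: once the security level is lowered, the same request body is still admitted to the lower-importance resource but not to the high-importance one.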
Fig. 6 schematically shows a block diagram of the access control system 600 according to another embodiment of the disclosure.
As shown in Fig. 6, the access control system 600 includes a receiving module 610, a determining module 620, a judgment module 630 and an authorization module 640.
The receiving module 610, for example, performs operation S210 described above with reference to Fig. 2, and is used to receive the resource access request issued by the request body to access a resource.
The determining module 620, for example, performs operation S220 described above with reference to Fig. 2, and is used to determine an access rule based on the resource access request and to determine according to the access rule whether the request body has permission to access the resource.
The judgment module 630, for example, performs operation S230 described above with reference to Fig. 2, and is used to judge whether the resource access request meets the safety condition.
The authorization module 640, for example, performs operation S240 described above with reference to Fig. 2, and is used to: allow the request body to access the resource where the request body has permission to access the resource and the resource access request meets the safety condition; refuse the request body access to the resource where the request body does not have permission to access the resource; and, where the request body has permission to access the resource but the resource access request does not meet the safety condition, refuse the request body access to the resource or require the request body to perform an authentication measure of higher security strength in order to meet the safety condition.
According to an embodiment of the present disclosure, the determining module 620 includes: a first determining submodule, which, for example, performs operation S221 described above with reference to Fig. 3 and is used to determine, based on the resource access request, the main body digital identity of the request body and the resource digital identity of the resource in the resource access request; an acquisition submodule, which, for example, performs operation S222 described above with reference to Fig. 3 and is used to obtain the main information of the request body and the resource information of the resource from the digital identity library according to the main body digital identity and the resource digital identity respectively; a second determining submodule, which, for example, performs operation S223 described above with reference to Fig. 3 and is used to determine the access rule between the request body and the resource according to the main information and the resource information; and a third determining submodule, which, for example, performs operation S224 described above with reference to Fig. 3 and is used to judge according to the access rule whether the request body has permission to access the resource.
According to an embodiment of the present disclosure, the access control system may also include an update module, used to update the main information of a main body digital identity in the digital identity library in response to receiving a message that the main information of that main body digital identity has changed; and/or to update the resource information of a resource digital identity in the digital identity library in response to receiving a message that the resource information of that resource digital identity has changed.
According to an embodiment of the present disclosure, the access control system may also include: an acquisition module, used to obtain the main information of at least one request body and the resource information of at least one resource; and an establishing module, used to establish the digital identity library based on the main information of each request body and the resource information of each resource.
According to an embodiment of the present disclosure, judging whether the resource access request meets the safety condition includes at least one of the following: obtaining the log information of the request body's requests to access resources, and judging according to the log information whether the resource access request meets the safety condition; obtaining the main information of the request body, and judging according to the main information whether the resource access request meets the safety condition; or obtaining the environmental information of the environment the request body is in, and judging according to the environmental information whether the resource access request meets the safety condition.
According to an embodiment of the present disclosure, the receiving module includes a receiving submodule, used to receive the resource access request from an agent, the agent being used to receive the resource access request issued by the request body to access a resource. The authorization module includes an authorization determination submodule, used, where the request body has permission to access the resource and the resource access request meets the safety condition, to notify the agent to forward the resource access request; the agent receives the response result generated in response to the resource access request and sends the response result to the request body.
Any number of the modules and submodules according to embodiments of the present disclosure, or at least part of the functions of any number of them, may be implemented in one module. Any one or more of the modules and submodules according to embodiments of the present disclosure may be split into multiple modules. Any one or more of the modules and submodules according to embodiments of the present disclosure may be implemented at least partly as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on substrate, a system in package, or an application-specific integrated circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable way of integrating or packaging circuits, or by any one of the three implementation forms of software, hardware and firmware, or by an appropriate combination of any of them. Alternatively, one or more of the modules and submodules according to embodiments of the present disclosure may be implemented at least partly as a computer program module which, when run, performs the corresponding function.
For example, any number of the receiving module 610, determining module 620, judgment module 630 and authorization module 640 may be merged and implemented in one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functions of one or more of these modules may be combined with at least part of the functions of other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the receiving module 610, determining module 620, judgment module 630 and authorization module 640 may be implemented at least partly as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on substrate, a system in package, or an application-specific integrated circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable way of integrating or packaging circuits, or by any one of the three implementation forms of software, hardware and firmware, or by an appropriate combination of any of them. Alternatively, at least one of the receiving module 610, determining module 620, judgment module 630 and authorization module 640 may be implemented at least partly as a computer program module which, when run, performs the corresponding function.
Fig. 7 schematically shows a block diagram of the electronic device according to an embodiment of the present disclosure. The electronic device shown in Fig. 7 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present disclosure.
As shown in Fig. 7, the electronic device 700 includes a processor 710 and a computer-readable storage medium 720. The electronic device 700 can perform the method according to the embodiments of the present disclosure.
Specifically, the processor 710 may include, for example, a general-purpose microprocessor, an instruction set processor and/or related chipset, and/or a special-purpose microprocessor (for example, an application-specific integrated circuit (ASIC)), and so on. The processor 710 may also include on-board memory for caching purposes. The processor 710 may be a single processing unit or multiple processing units for performing the different actions of the method flow according to the embodiments of the present disclosure.
The computer-readable storage medium 720 may be, for example, a non-volatile computer-readable storage medium; specific examples include but are not limited to: magnetic storage devices, such as magnetic tape or hard disk (HDD); optical storage devices, such as compact disc (CD-ROM); memory, such as random access memory (RAM) or flash memory; and so on.
The computer-readable storage medium 720 may include a computer program 721, which may include code/computer-executable instructions that, when executed by the processor 710, cause the processor 710 to perform the method according to the embodiments of the present disclosure or any variation thereof.
The computer program 721 may be configured to have computer program code that includes, for example, computer program modules. For example, in an exemplary embodiment, the code in the computer program 721 may include one or more program modules, for example module 721A, module 721B, .... It should be noted that the way the modules are divided and their number are not fixed; those skilled in the art can use suitable program modules or combinations of program modules according to the actual situation, and when these program modules or combinations are executed by the processor 710, the processor 710 performs the method according to the embodiments of the present disclosure or any variation thereof.
According to an embodiment of the invention, at least one of the receiving module 610, determining module 620, judgment module 630 and authorization module 640 may be implemented as a computer program module described with reference to Fig. 7 which, when executed by the processor 710, can implement the corresponding operations described above.
The disclosure also provides a computer-readable storage medium. The computer-readable storage medium may be included in the equipment/device/system described in the above embodiments, or it may exist on its own without being assembled into that equipment/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to the embodiments of the present disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any appropriate combination of the above. In the disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by, or in connection with, an instruction execution system, apparatus or device.
The flowcharts and block diagrams in the drawings illustrate the possible architecture, functions and operations of systems, methods and computer program products according to various embodiments of the disclosure. In this regard, each box in a flowchart or block diagram may represent a module, a program segment or a part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the boxes may occur in an order different from that marked in the drawings. For example, two boxes shown in succession may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each box in a block diagram or flowchart, and each combination of boxes in a block diagram or flowchart, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
Those skilled in the art will understand that the features recorded in the embodiments and/or claims of the disclosure can be combined in many ways, even if such combinations are not expressly recorded in the disclosure. In particular, the features recorded in the embodiments and/or claims of the disclosure can be combined in many ways without departing from the spirit and teaching of the disclosure. All such combinations fall within the scope of the disclosure.
Although the disclosure has been shown and described with reference to certain exemplary embodiments thereof, those skilled in the art should understand that various changes in form and detail may be made to the disclosure without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. Therefore, the scope of the disclosure should not be limited to the above embodiments, but should be determined not only by the appended claims but also by the equivalents of the appended claims.

Claims (10)

1. An access control method, comprising:
Receiving a resource access request, issued by a request body, for accessing a resource;
Determining an access rule based on the resource access request, and determining, according to the access rule, whether the request body has the permission to access the resource;
Judging whether the resource access request meets a safety condition; and
In the case where the request body has the permission to access the resource and the resource access request meets the safety condition, allowing the request body to access the resource; in the case where the request body does not have the permission to access the resource, refusing the request body access to the resource; and in the case where the request body has the permission to access the resource but the resource access request does not meet the safety condition, refusing the request body access to the resource or requiring the request body to carry out an authentication measure of higher security strength in order to meet the safety condition.
2. The access control method according to claim 1, wherein determining the access rule based on the resource access request, and determining according to the access rule whether the request body has the permission to access the resource, comprises:
Determining, based on the resource access request, the main body digital identity of the request body and the resource digital identity of the resource in the resource access request;
Obtaining, from a digital identity library according to the main body digital identity and the resource digital identity, the main information of the request body and the resource information of the resource, respectively;
Determining the access rule between the request body and the resource according to the main information and the resource information; and
Determining, according to the access rule, whether the request body has the permission to access the resource.
3. The access control method according to claim 2, further comprising:
In response to receiving a message that the main information of a certain main body digital identity has changed, updating the main information of that main body digital identity in the digital identity library; and/or
In response to receiving a message that the resource information of a certain resource digital identity has changed, updating the resource information of that resource digital identity in the digital identity library.
4. The access control method according to claim 2, further comprising:
Obtaining the main information of at least one request body and the resource information of at least one resource; and
Establishing the digital identity library based on the main information of each request body and the resource information of each resource.
5. The access control method according to claim 1, wherein judging whether the resource access request meets the safety condition comprises at least one of the following:
Obtaining the log information of the request body's requests to access resources, and judging according to the log information whether the resource access request meets the safety condition;
Obtaining the main information of the request body, and judging according to the main information whether the resource access request meets the safety condition;
Obtaining the environmental information of the environment in which the request body is located, and judging according to the environmental information whether the resource access request meets the safety condition; or
Obtaining the reliability rating information of the request body, and judging according to the reliability rating information whether the resource access request meets the safety condition.
6. The access control method according to claim 1, wherein receiving the resource access request, issued by the request body, for accessing the resource comprises:
Receiving the resource access request from an agency, the agency being used to receive the resource access request issued by the request body for accessing the resource,
Wherein allowing the request body to access the resource, in the case where the request body has the permission to access the resource and the resource access request meets the safety condition, comprises:
In the case where the request body has the permission to access the resource and the resource access request meets the safety condition, notifying the agency to forward the resource access request, so that the agency receives the response result generated in response to the resource access request and sends the response result to the request body.
7. An access control system, characterized in that the system comprises:
A receiving module, for receiving a resource access request, issued by a request body, for accessing a resource;
A determining module, for determining an access rule based on the resource access request, and determining according to the access rule whether the request body has the permission to access the resource;
A judgment module, for judging whether the resource access request meets a safety condition; and
An authorization module, for allowing the request body to access the resource in the case where the request body has the permission to access the resource and the resource access request meets the safety condition, and for refusing the request body access to the resource in the case where the request body does not have the permission to access the resource and/or the resource access request does not meet the safety condition.
8. The access control system according to claim 7, wherein the determining module comprises:
A first determining submodule, for determining, based on the resource access request, the main body digital identity of the request body and the resource digital identity of the resource in the resource access request;
An acquisition submodule, for obtaining, from a digital identity library according to the main body digital identity and the resource digital identity, the main information of the request body and the resource information of the resource, respectively;
A second determining submodule, for determining the access rule between the request body and the resource according to the main information and the resource information; and
A third determining submodule, for determining according to the access rule whether the request body has the permission to access the resource.
9. An electronic device, comprising:
A processor; and
A memory, for storing executable instructions, wherein the instructions, when executed by the processor, cause the processor to execute the method according to any one of claims 1 to 6.
10. A computer-readable storage medium having executable instructions stored thereon, wherein the instructions, when executed by a processor, cause the processor to execute the method according to any one of claims 1 to 6.
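
The decision flow of claims 1 to 5, as an added Python example that is not part of the patent text: identities are resolved in a digital identity library, the permission check runs before the safety check, and an unsafe but permitted request is either refused or sent to stronger authentication. The attribute names, the department-match rule, the risk thresholds, the policy that stronger authentication offsets one risk signal, and the library contents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # require stronger authentication (claim 1, last branch)

# Constructed digital identity library (claims 2 and 4): identity -> attributes.
LIBRARY = {
    "subjects": {"sub-001": {"dept": "finance", "trust": 3},
                 "sub-002": {"dept": "hr", "trust": 3}},
    "resources": {"res-ledger": {"owner_dept": "finance", "min_trust": 2}},
}

@dataclass
class Request:
    subject_id: str            # main body digital identity
    resource_id: str           # resource digital identity
    device_compliant: bool     # environmental information (claim 5)
    failed_logins: int         # taken from log information (claim 5)
    strong_auth: bool = False  # stronger authentication already performed

def has_permission(subject, resource):
    # Hypothetical access rule built from main information and resource information.
    return subject["dept"] == resource["owner_dept"]

def risk_signals(req, subject, resource):
    # One point per failed check; the thresholds are assumptions of this example.
    return sum([not req.device_compliant,
                req.failed_logins >= 3,
                subject["trust"] < resource["min_trust"]])

def decide(req, library=LIBRARY):
    subject = library["subjects"].get(req.subject_id)
    resource = library["resources"].get(req.resource_id)
    if subject is None or resource is None:
        return Decision.DENY              # unknown identity: fail closed
    if not has_permission(subject, resource):
        return Decision.DENY              # no permission: safety is not consulted
    risk = risk_signals(req, subject, resource)
    # Assumed policy: stronger authentication offsets exactly one risk signal.
    if risk == 0 or (risk == 1 and req.strong_auth):
        return Decision.ALLOW
    return Decision.STEP_UP if risk == 1 else Decision.DENY

def update_subject(library, subject_id, **changes):
    # Claim 3: apply a change message to the library; returns a new library.
    subjects = dict(library["subjects"])
    subjects[subject_id] = {**subjects[subject_id], **changes}
    return {**library, "subjects": subjects}
```

Because `decide` reads the library on every request, a change applied through `update_subject` takes effect on the next request without touching the rule code.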
CN201910693984.9A 2019-02-02 2019-07-29 A kind of access control method, system, electronic equipment and readable medium Pending CN110300124A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910108754.1A CN109842625A (en) 2019-02-02 2019-02-02 A kind of dynamic accesses control method and system
CN2019101087541 2019-02-02

Publications (1)

Publication Number Publication Date
CN110300124A true CN110300124A (en) 2019-10-01

Family

ID=66884533

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910108754.1A Pending CN109842625A (en) 2019-02-02 2019-02-02 A kind of dynamic accesses control method and system
CN201910693984.9A Pending CN110300124A (en) 2019-02-02 2019-07-29 A kind of access control method, system, electronic equipment and readable medium

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201910108754.1A Pending CN109842625A (en) 2019-02-02 2019-02-02 A kind of dynamic accesses control method and system

Country Status (1)

Country Link
CN (2) CN109842625A (en)

Also Published As

Publication number Publication date
CN109842625A (en) 2019-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191001