CN111274595A - Resource access control method and device - Google Patents
- Publication number
- CN111274595A
- Authority
- CN
- China
- Prior art keywords
- resource
- target
- target user
- access
- safety
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method and a device for controlling resource access. The control method comprises the following steps: receiving a signal that a target user accesses a target resource; generating a security reference value according to historical access data of the target user, historical access data of other users and a preset security rule; and setting the authority of the target user for accessing the target resource according to the security reference value and the resource security level of the target resource. The invention solves the prior-art problem that business requirements and system security cannot both be satisfied, so that system security does not need to be sacrificed to meet business requirements.
Description
Technical Field
The invention relates to the technical field of financial judicial science and technology application, in particular to a resource access control method and device.
Background
In the internet era, many internet companies have their own internal operation management systems. As an enterprise develops and its personnel and resources grow, it establishes an authority management system, which is an important guarantee of system information security, data security and operation security. Existing authority management systems can only control whether a user can or cannot access the resources of a given system, which results in coarse-grained authority control and polarized, all-or-nothing results. Once the authority is allocated to a user, the user can access the resources at any time and from any place without limit, and refined, diversified access control cannot be applied to important resources. The user can therefore operate system resources even in an abnormal state, which is very likely to create system security hazards.
Disclosure of Invention
The embodiment of the invention provides a method and a device for controlling resource access, which aim to solve the following problems in the prior art: the business requirements and the system security are not compatible, and the system security is often sacrificed to meet the business requirements.
In order to solve the above technical problem, a first technical solution adopted in the embodiments of the present invention is as follows:
A method of controlling access to a resource, comprising: receiving a signal that a target user accesses a target resource; generating a security reference value according to historical access data of the target user, historical access data of other users and a preset security rule; and setting the authority of the target user for accessing the target resource according to the security reference value and the resource security level of the target resource.
Optionally, the generating a security reference value according to the historical access data of the target user, the historical access data of other users, and a preset security rule includes: when the current access time, access place and access frequency of the target user are consistent / partially consistent / completely inconsistent with the target user's historical access records, setting the security reference value to a high / medium / low safety value, respectively.
Optionally, the setting, according to the security reference value and the resource security level of the target resource, the right of the target user to access the target resource includes: sending the security reference value and the target resource to a designated verifier for verification; and setting the authority of the target user for accessing the target resource according to the verification result returned by the appointed verifier.
Optionally, the setting, according to the verification result returned by the specified verifier, the right of the target user to access the target resource includes: judging whether the verification result is that the target user is allowed to access the target resource or not; and if so, accepting the target user to access the target resource, and recording the target user to access the target resource.
Optionally, if the verification result is that the target user is not allowed to access the target resource, the target user is denied access to the target resource.
Optionally, the setting, according to the verification result returned by the specified verifier, the right of the target user to access the target resource includes: judging whether the verification result requires identity verification of the target user or not; if so, performing identity authentication on the target user according to a preset authentication rule and obtaining an identity authentication result, wherein the preset authentication rule is formulated before a signal that the target user accesses the target resource is received; and setting the authority of the target user for accessing the target resource according to the identity verification result.
Optionally, performing identity verification on the target user according to a preset verification rule and obtaining an identity verification result includes: determining a verification mode for the target user according to the resource security level of the target resource and the security reference value; performing identity verification on the target user in the determined verification mode to obtain the identity verification result; when the resource security level of the target resource is low and the security reference value is in a low-risk range, the verification mode is graphic verification code verification; when the resource security level of the target resource is high or the security reference value is in a high-risk range, the verification mode is short message verification code verification; and when the resource security level of the target resource is high and the security reference value is in a high-risk range, the verification mode is approval verification.
In order to solve the above technical problem, a second technical solution adopted in the embodiments of the present invention is as follows:
an apparatus for controlling access to a resource, comprising: the signal receiving module is used for receiving a signal of a target user for accessing a target resource; the safety value generation module is used for generating a safety reference value according to the historical access data of the target user, the historical access data of other users and a preset safety rule; and the authority setting module is used for setting the authority of the target user for accessing the target resource according to the security reference value and the resource security level of the target resource.
In order to solve the above technical problem, a third technical solution adopted in the embodiments of the present invention is as follows:
a computer-readable storage medium, on which a computer program is stored, which, when executed, implements the method of controlling access to a resource as described above.
In order to solve the above technical problem, a fourth technical solution adopted in the embodiments of the present invention is as follows:
a computer apparatus comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the processor implementing the method of controlling access to resources as described above when executing the computer program.
The embodiment of the invention has the beneficial effects that: different from the situation in the prior art, the embodiment of the present invention generates the security reference value by receiving the signal that the target user accesses the target resource, according to the historical access data of the target user, the historical access data of other users, and the preset security rule, and then sets the authority of the target user to access the target resource according to the security reference value and the resource security level of the target resource, thereby solving the following problems in the prior art: the business requirements and the system security are not compatible, and the system security is often sacrificed to meet the business requirements.
Drawings
Fig. 1 is a flowchart of an implementation of an embodiment of a method for controlling resource access according to a first embodiment of the present invention;
FIG. 2 is a partial block diagram of an embodiment of a resource access control device according to a second embodiment of the present invention;
FIG. 3 is a partial structural framework diagram of an embodiment of a computer-readable storage medium according to a third embodiment of the present invention;
fig. 4 is a partial structural framework diagram of an embodiment of a computer device according to a fourth embodiment of the present invention.
Detailed Description
Example one
Referring to fig. 1, which is a flowchart of an implementation of a method for controlling resource access according to an embodiment of the present invention, the method for controlling resource access includes:
Step S101: receiving a signal that a target user accesses a target resource.
Step S102: generating a security reference value according to the historical access data of the target user, the historical access data of other users and a preset security rule.
Step S103: setting the authority of the target user for accessing the target resource according to the security reference value and the resource security level of the target resource.
In this embodiment, optionally, the generating a security reference value according to the historical access data of the target user, the historical access data of other users, and a preset security rule includes:
When the current access time, access place and access frequency of the target user are consistent / partially consistent / completely inconsistent with the target user's historical access records, the security reference value is set to a high / medium / low safety value, respectively. Consistent means that the current access time, access place and access frequency of the target user are completely the same as the target user's historical access records; partially consistent means that they are mostly the same as those records; and completely inconsistent means that they are completely different from those records.
In this embodiment, optionally, the setting, according to the security reference value and the resource security level of the target resource, the right of the target user to access the target resource includes:
First, the security reference value and the target resource are sent to a designated verifier for verification. The verifier may be a party that manages and controls resource access authority and, according to the verification result, may decide to allow the user's access, refuse the user's access, or have the user perform some kind of security verification.
Secondly, setting the authority of the target user for accessing the target resource according to the verification result returned by the appointed verifier.
In this embodiment, optionally, the setting, according to the verification result returned by the specified verifier, the right of the target user to access the target resource includes:
firstly, judging whether the verification result is that the target user is allowed to access the target resource.
Secondly, if the verification result is that the target user is allowed to access the target resource, the target user is accepted to access the target resource, and the target user is recorded to access the target resource.
In this embodiment, optionally, if the verification result is that the target user is not allowed to access the target resource, the target user is denied access to the target resource. In this embodiment, even if the target user has the access right, if it is determined that the access of the target user is an abnormal operation, the behavior of the target user may be controlled according to the security reference value, that is, the access operation of the target user is denied.
In this embodiment, optionally, the setting, according to the verification result returned by the specified verifier, the right of the target user to access the target resource includes:
firstly, judging whether the verification result requires identity verification of the target user.
Secondly, if the verification result requires identity verification of the target user, performing identity verification on the target user according to a preset verification rule and obtaining an identity verification result, wherein the preset verification rule is already established before a signal that the target user accesses the target resource is received.
Thirdly, setting the authority of the target user to access the target resource according to the identity verification result.
In this embodiment, optionally, performing identity authentication on the target user according to a preset authentication rule to obtain an identity authentication result, including:
firstly, determining a verification mode for the target user according to the resource security level and the security reference value of the target resource.
Secondly, identity verification is performed on the target user in the determined verification mode, and an identity verification result is obtained. Optionally, when the resource security level of the target resource is low and the security reference value is in a low-risk range, the verification mode is graphic verification code verification; when the resource security level of the target resource is high or the security reference value is in a high-risk range, the verification mode is short message verification code verification; and when the resource security level of the target resource is high and the security reference value is in a high-risk range, the verification mode is approval verification.
In this embodiment, optionally, the accepting that the target user accesses the target resource and recording that the target user accesses the target resource includes:
setting a specified time range for the target user to access the target resource, and allowing the target user to access the target resource without obstruction within the specified time range.
In this embodiment, optionally, after the target user is denied access to the target resource, the method includes:
feeding back the operation record of the target user's refused access to the target resource to the target user and to the personnel associated with the target user.
According to the embodiment of the invention, the signal that the target user accesses the target resource is received, the safety reference value is generated according to the historical access data of the target user, the historical access data of other users and the preset safety rule, and the authority of the target user to access the target resource is set according to the safety reference value and the resource safety level of the target resource, so that the following problems in the prior art are solved: the service requirement and the system safety can not be obtained at the same time, and the system safety is always required to be sacrificed to meet the service requirement.
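An added example (not code from the patent) of steps S102 and S103 in Python: it derives the security reference value from how the current access matches the user's history, picks the verification mode, and honours the time-limited grant. The names, the hour/place/requests-per-hour representation, treating a single match as low, mapping a high/low safety value to the low-/high-risk range, and the short-message fallback for a low-level resource with a medium value are assumptions; the other users' history and the designated verifier are left out.

```python
from dataclasses import dataclass
from enum import Enum


class Safety(Enum):   # security reference value: high / medium / low
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class Mode(Enum):     # verification modes named in the description
    CAPTCHA = "graphic verification code"
    SMS = "short message verification code"
    APPROVAL = "approval"


@dataclass(frozen=True)
class Access:
    hour: int         # hour of day of the request, 0-23
    place: str        # coarse location label
    per_hour: int     # requests made by the user in the last hour


def security_reference_value(current, history):
    """Compare time, place and frequency of `current` with the user's history."""
    hours = {a.hour for a in history}
    places = {a.place for a in history}
    peak = max((a.per_hour for a in history), default=0)
    matches = sum((current.hour in hours,
                   current.place in places,
                   current.per_hour <= peak))
    if matches == 3:
        return Safety.HIGH      # consistent with history
    if matches == 2:
        return Safety.MEDIUM    # partially consistent ("mostly the same")
    # Assumption: one match is treated like none, so the check fails closed.
    # A user with no history at all also lands here.
    return Safety.LOW


def verification_mode(resource_high, safety):
    """Pick the verification mode from resource level and reference value."""
    high_risk = safety is Safety.LOW    # assumed mapping of value to risk range
    low_risk = safety is Safety.HIGH
    # Most specific rule first: "high AND high-risk" also satisfies the
    # "high OR high-risk" rule, so testing OR first would hide approval.
    if resource_high and high_risk:
        return Mode.APPROVAL
    if resource_high or high_risk:
        return Mode.SMS
    if low_risk:
        return Mode.CAPTCHA
    return Mode.SMS   # assumption: low-level resource with a medium value


class GrantTable:
    """Time-limited unobstructed access, recorded when access is accepted."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._expiry = {}   # (user, resource) -> expiry timestamp

    def record(self, user, resource, now):
        self._expiry[(user, resource)] = now + self.window

    def active(self, user, resource, now):
        return now < self._expiry.get((user, resource), 0)


def handle_request(user, resource, resource_high, current, history, grants, now):
    """Return ("allow", None) inside a grant window, else ("verify", Mode)."""
    if grants.active(user, resource, now):
        return ("allow", None)
    safety = security_reference_value(current, history)
    return ("verify", verification_mode(resource_high, safety))


# Constructed sample history for one user (not data from the page).
HISTORY = [Access(9, "HQ", 12), Access(10, "HQ", 20), Access(14, "HQ", 8)]
```
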
Example two
Referring to fig. 2, which is a partial structural framework diagram of a resource access control device according to an embodiment of the present invention, a resource access control device 100 according to the present invention includes:
The signal receiving module 110, configured to receive a signal that a target user accesses a target resource.
The security value generation module 120, configured to generate a security reference value according to the historical access data of the target user, the historical access data of other users, and a preset security rule.
The permission setting module 130, configured to set a permission of the target user for accessing the target resource according to the security reference value and the resource security level of the target resource.
According to the embodiment of the invention, the signal that the target user accesses the target resource is received, the safety reference value is generated according to the historical access data of the target user, the historical access data of other users and the preset safety rule, and the authority of the target user to access the target resource is set according to the safety reference value and the resource safety level of the target resource, so that the following problems in the prior art are solved: the service requirement and the system safety can not be obtained at the same time, and the system safety is always required to be sacrificed to meet the service requirement.
EXAMPLE III
Referring to fig. 3, a computer-readable storage medium 10 according to an embodiment of the present invention includes ROM/RAM, magnetic disks, optical disks and the like, on which a computer program 11 is stored; when executed, the computer program 11 implements the method of controlling access to resources described in Example one. Since the control method of resource access has already been described in detail in Example one, the description is not repeated here.
In the method for controlling resource access implemented in the embodiments of the present invention, a signal that a target user accesses a target resource is received, a security reference value is generated according to historical access data of the target user, historical access data of other users, and a preset security rule, and then an authority of the target user to access the target resource is set according to the security reference value and a resource security level of the target resource, so that the following problems in the prior art are solved: the service requirement and the system safety can not be obtained at the same time, and the system safety is always required to be sacrificed to meet the service requirement.
Example four
Referring to fig. 4, a computer device 20 according to an embodiment of the present invention includes a processor 21, a memory 22, and a computer program 221 stored in the memory 22 and capable of running on the processor 21, where the processor 21 executes the computer program 221 to implement the method for controlling resource access described in Example one. Since the control method of resource access has already been described in detail in Example one, the description is not repeated here.
In the method for controlling resource access implemented in the embodiments of the present invention, a signal that a target user accesses a target resource is received, a security reference value is generated according to historical access data of the target user, historical access data of other users, and a preset security rule, and then an authority of the target user to access the target resource is set according to the security reference value and a resource security level of the target resource, so that the following problems in the prior art are solved: the service requirement and the system safety can not be obtained at the same time, and the system safety is always required to be sacrificed to meet the service requirement.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (10)
1. A method for controlling access to a resource, comprising:
receiving a signal that a target user accesses a target resource;
generating a safety reference value according to historical access data of a target user, historical access data of other users and a preset safety rule;
and setting the authority of the target user for accessing the target resource according to the security reference value and the resource security level of the target resource.
2. The method for controlling resource access according to claim 1, wherein the generating a security reference value according to the historical access data of the target user, the historical access data of other users, and a preset security rule comprises:
when the current access time, access place and access frequency of the target user are consistent / partially consistent / completely inconsistent with the target user's historical access records, setting the security reference value to a high / medium / low safety value, respectively.
3. The method for controlling resource access according to claim 1, wherein the setting of the right of the target user to access the target resource according to the security reference value and the resource security level of the target resource comprises:
sending the security reference value and the target resource to a designated verifier for verification;
and setting the authority of the target user for accessing the target resource according to the verification result returned by the appointed verifier.
4. The method according to claim 3, wherein the setting of the right of the target user to access the target resource according to the verification result returned by the specified verifier comprises:
judging whether the verification result is that the target user is allowed to access the target resource or not;
and if so, accepting the target user to access the target resource, and recording the target user to access the target resource.
5. The method according to claim 4, wherein if the verification result indicates that the target user is not allowed to access the target resource, the target user is denied access to the target resource.
6. The method according to claim 3, wherein the setting of the right of the target user to access the target resource according to the verification result returned by the specified verifier comprises:
judging whether the verification result requires identity verification of the target user or not;
if so, performing identity authentication on the target user according to a preset authentication rule and obtaining an identity authentication result, wherein the preset authentication rule is formulated before a signal that the target user accesses the target resource is received;
and setting the authority of the target user for accessing the target resource according to the identity verification result.
7. The method for controlling resource access according to claim 6, wherein authenticating the target user according to a preset authentication rule and obtaining an authentication result comprises:
determining a verification mode for the target user according to the resource security level and the security reference value of the target resource;
performing identity authentication on the target user according to the determined authentication mode to obtain an identity authentication result;
when the resource security level of the target resource is low and the security reference value is in a low-risk range, the verification mode adopts graphic verification code verification; when the resource safety level of the target resource is high or the safety reference value is in a high-risk range, the verification mode adopts short message verification code verification; and when the resource safety level of the target resource is high and the safety reference value is in a high-risk range, adopting an approval verification mode.
8. An apparatus for controlling access to a resource, comprising:
the signal receiving module is used for receiving a signal of a target user for accessing a target resource;
the safety value generation module is used for generating a safety reference value according to the historical access data of the target user, the historical access data of other users and a preset safety rule;
and the authority setting module is used for setting the authority of the target user for accessing the target resource according to the security reference value and the resource security level of the target resource.
9. A computer-readable storage medium, having stored thereon a computer program which, when executed, implements the method of controlling access to a resource of any one of claims 1 to 7.
10. A computer device comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for controlling resource access according to any one of claims 1 to 7 when executing the computer program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010067699.9A CN111274595A (en) | 2020-01-20 | 2020-01-20 | Resource access control method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111274595A true CN111274595A (en) | 2020-06-12 |
Family
ID=71001970
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010067699.9A Pending CN111274595A (en) | 2020-01-20 | 2020-01-20 | Resource access control method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111274595A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113900882A (en) * | 2021-08-20 | 2022-01-07 | 北京安天网络安全技术有限公司 | System resource management method and device, electronic equipment and storage medium |
CN116821869A (en) * | 2023-03-07 | 2023-09-29 | 北京火山引擎科技有限公司 | Resource access control method, device, medium and electronic equipment |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102761555A (en) * | 2012-07-26 | 2012-10-31 | 郑州信大捷安信息技术股份有限公司 | Mandatory access control system and control method based on access history |
CN104426847A (en) * | 2013-08-22 | 2015-03-18 | 腾讯科技(深圳)有限公司 | Method, system and server for securely accessing and verifying an Internet service |
US20160012213A1 (en) * | 2014-07-10 | 2016-01-14 | Paul Fergus Walsh | Methods and systems for verifying the security level of web content that is embedded within a mobile application and the identity of web application owners field of the disclosure |
CN105827645A (en) * | 2016-05-17 | 2016-08-03 | 北京优炫软件股份有限公司 | Method, device and system for access control |
CN109274683A (en) * | 2018-10-30 | 2019-01-25 | 国网安徽省电力有限公司信息通信分公司 | A kind of combined crosswise Verification System and its authentication method |
CN109657429A (en) * | 2018-09-27 | 2019-04-19 | 深圳壹账通智能科技有限公司 | Video resource management method, equipment, system and computer readable storage medium |
CN109886005A (en) * | 2019-01-29 | 2019-06-14 | 南京邮电大学 | A kind of authorized user's methods of risk assessment and system for Web collaboration |
-
2020
- 2020-01-20 CN CN202010067699.9A patent/CN111274595A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110096857B (en) | Authority management method, device, equipment and medium for block chain system | |
CN109510849B (en) | Cloud-storage account authentication method and device | |
US20210243037A1 (en) | Method for information processing in digital asset certificate inheritance transfer, and related device | |
CN110069911B (en) | Access control method, device, system, electronic equipment and readable storage medium | |
GB2599273A (en) | Fine-grained token based access control | |
CN111526111B (en) | Control method, device and equipment for logging in light application and computer storage medium | |
CN111292174A (en) | Tax payment information processing method and device and computer readable storage medium | |
CN114417287B (en) | Data processing method, system, device and storage medium | |
CN110650216A (en) | Cloud service request method and device | |
CN111274595A (en) | Resource access control method and device | |
KR20160018554A (en) | Roaming internet-accessible application state across trusted and untrusted platforms | |
US11947657B2 (en) | Persistent source values for assumed alternative identities | |
CN114244568A (en) | Security access control method, device and equipment based on terminal access behavior | |
CN103559430B (en) | application account management method and device based on Android system | |
CN111339507A (en) | Method, system, equipment and readable storage medium for processing access request | |
CN111030816A (en) | Authentication method and device for access platform of evidence obtaining equipment and storage medium | |
CN115879156A (en) | Dynamic desensitization method, device, electronic equipment and storage medium | |
CN112417403B (en) | Automatic system authentication and authorization processing method based on GitLab API | |
US20070079116A1 (en) | Method, system and computer program product for access control | |
CN114598520A (en) | Method, device, equipment and storage medium for resource access control | |
CN112187725A (en) | Cloud computing resource access method and device, service line service and gateway | |
CN111064695A (en) | Authentication method and authentication system | |
CN116506229B (en) | Data access method and device and electronic equipment | |
CN116561741B (en) | Data modeling method, system and related equipment | |
CN111683092B (en) | Workflow submitting method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20200612 |