CN111935131A - SaaS resource access control method based on resource authority tree - Google Patents


Info

Publication number
CN111935131A
Authority
CN
China
Prior art keywords
resource
authority
tree
access control
user
Legal status
Granted
Application number
CN202010781030.6A
Other languages
Chinese (zh)
Other versions
CN111935131B (en)
Inventor
王桂华
张伟燕
陈志文
黄聪敏
周晓璐
李丹平
孔思淇
周大力
田艳慧
雷小凤
Current Assignee
COMPUTER APPLICATION RESEARCH INST CHINA ACADEMY OF ENGINEERING PHYSICS
Original Assignee
COMPUTER APPLICATION RESEARCH INST CHINA ACADEMY OF ENGINEERING PHYSICS

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/10 Protocols in which an application is distributed across nodes in the network


Abstract

The invention discloses a SaaS resource access control method based on a resource authority tree, comprising the following steps: first, a SaaS access control model based on a resource authority tree, called the H-RRBAC model for short, is designed by combining the H-RBAC model and the ABAC model; then resource authority allocation and access control are carried out on the basis of the H-RRBAC model, which specifically comprises: registering SaaS platform resources and automatically generating resource directed atomic subtrees; generating resource directed trees; constructing the resource authority trees of roles; generating the resource authority trees of users; and, when a user accesses a service, controlling the user's access to resources on the basis of the user's resource authority tree. The method adapts to the differing authority management scenarios of different tenants in the SaaS mode, achieves efficient, low-complexity authority allocation, and at the same time meets the access control requirements of different tenants at different granularities and under dynamic changes of resource attributes.

Description

SaaS resource access control method based on resource authority tree
Technical Field
The invention relates to the technical field of computer security, in particular to a SaaS resource access control method based on a resource authority tree.
Background
SaaS is the abbreviation of Software-as-a-Service, that is, providing software as a service over a network. As the software application mode of cloud computing, SaaS explicitly defines software as a service and provides customers with a reproducible, standardized service scheme, solving the problems of software construction cost, operation and maintenance cost and management cost in the customer's information system construction; it is particularly welcomed by small and medium-sized enterprises. Although SaaS has many advantages, many problems remain, and SaaS security has become the primary problem restricting the development of the SaaS model. To reduce the cost of using the service, service providers mostly design SaaS in a single-instance, multi-tenant mode with a shared database table as the data storage model, but the data security problem of this design must be solved at the same time. Access control is one of the key technologies for solving it and mainly comprises two parts: permission allocation and access control.
RBAC is the abbreviation of Role-Based Access Control. The RBAC model provides strong and flexible access control capability while reducing the complexity of user authority allocation and the workload of administrators, and in practice it remains the main model of SaaS access control, represented by the H-RBAC model improved on the basis of RBAC. H-RBAC is the abbreviation of Hierarchical Role-Based Access Control, a role-based access control model divided by level; its main characteristic is that access control in SaaS is divided into two layers, a SaaS software platform-level access control layer and a tenant-level access control layer, each layer performing access control on the basis of the RBAC model. However, the RBAC model is limited in fine-grained access control and cannot adapt to the situation in the SaaS mode in which user rights are constrained by multiple factors. The ABAC model (Attribute-Based Access Control) is an access control model proposed to address trust relationships in distributed industry applications; it can make up for this defect and has strong flexibility and extensibility, but it suffers from a large permission allocation workload and from the difficulty of formulating access rules in the absence of context, and these problems are more prominent in the SaaS mode. Attempts have been made to realize access control by combining the RBAC and ABAC models, but they ignore the complexity of permission allocation: to protect tenant data privacy in the SaaS mode, the access permissions of a tenant's users to resources are generally allocated autonomously by the tenant administrator, and if permission allocation is too complex, the use and popularization of the SaaS are directly affected.
Therefore, it is necessary to provide a method for realizing efficient and low-complexity authority allocation and flexible and fine-grained access control in the SaaS mode by fully utilizing the advantages of the RBAC and ABAC models.
Disclosure of Invention
The present invention aims to solve the above problems and provide a SaaS resource access control method based on a resource authority tree, so as to implement efficient and low-complexity authority allocation and flexible and fine-grained access control in a SaaS mode.
The invention realizes the purpose through the following technical scheme:
a SaaS resource access control method based on a resource authority tree comprises the following steps:
step 1, designing a SaaS access control theoretical model based on a resource authority tree, namely an H-RRBAC model for short, by combining an H-RBAC model and an ABAC model;
step 2, carrying out resource authority distribution and access control based on the H-RRBAC model, comprising the following steps:
step 2.1, registering SaaS platform resources, and automatically generating resource directed atomic subtrees, each taking the resource representing a minimum service unit as its root node;
step 2.2, the platform administrator combines resource directed atomic subtrees as required to generate a resource directed tree;
step 2.3, the platform administrator allocates resource access permission to the tenant with the resource directed tree as the unit, and the tenant administrator allocates the resource authority of roles with the resource directed trees permitted to the tenant as the unit, constructing the resource authority tree of each role;
step 2.4, the tenant administrator establishes the relationships of user-user group, user group-role and user-role, and generates a resource authority tree of the user;
and 2.5, when the user accesses the service, controlling the access of the user to the resource based on the resource authority tree of the user.
Preferably, in the step 1, the H-RRBAC model is improved based on the H-RBAC model and the ABAC model, and the improvement comprises the following steps:
1.1, introducing a resource directed tree between the roles and resources of the H-RBAC model and performing authority allocation on the basis of the resource directed tree, wherein one resource directed tree represents one service scenario, clear service boundaries exist between trees, the inherent association between the resources in a tree determines the inclusion relation between the authority of parent and child resource nodes, a child node automatically inherits the authority of its parent node when the parent node is authorized, and when the access control policies within one service scenario are the same, authority allocation is performed only on the root node;
1.2, performing access control on the basis of the resource authority tree, fusing the advantages of RBAC and ABAC, with the access authority of a role to a resource determined jointly by the resource-operation authority and the resource-ABAC rules;
1.3, bringing the subject's access authority to data resources and non-data resources under unified management as an organic whole through the resource authority tree, wherein the subject's access authority to data resources is determined by the service, and the service context is presented in the form of the resource directed tree, so that when access control requirements change or an access control authority is misconfigured or conflicts, the authority concerned can be located quickly and handled efficiently;
the resource authority tree is a directed tree formed from a plurality of resource nodes, and a resource node is represented by a four-tuple of resource node ID, resource information, assigned operation authority and access control rules, where the resource node ID uniquely identifies the resource directed tree and the position of the node within it; the resource information is represented by a five-tuple of resource ID, resource name, resource type, resource attributes and supported operation authority, where the resource ID uniquely identifies the resource, the resource name is obtained automatically, resource types include but are not limited to menu, page control and data, the resource attributes are the resource's attribute set, and the supported operation authority is determined by the resource type; the assigned operation authority is a set of authorities selected from the supported operation authorities; the access control rules are a rule set constructed from the attribute information of users, resources and the context environment; and the relations between resource nodes are determined by the service logic predefined in the SaaS software code.
In step 2.1, a resource directed atomic subtree represents a minimum service unit, and the resources involved in that service are automatically associated and organized according to the logical relations predefined in the SaaS software code; the leaf nodes of a resource directed atomic subtree are data-type resources; duplicate resource nodes are not allowed within the same tree.
In step 2.2, one resource directed tree is generated by combining one or more resource directed atomic subtrees according to the needs of the service scenario. One resource directed tree represents a complete service scenario and generally corresponds to a service that the SaaS opens to customers; the access control policies within it are similar, which is the entry point for reducing the workload of authority allocation.
In step 2.3, roles and resource authority trees are in a many-to-many mapping, and a resource directed tree and its resource authority trees are in a one-to-many relation. By the generation rule of the resource directed tree, the authority of a parent node and a child node of the resource authority tree stand in an inclusion relation: the child node inherits all the authority of the parent node by default, but may be redefined as long as the conflict constraints are not violated, which reduces the workload of authority allocation while preserving its flexibility.
Also in step 2.3, attribute-based access control rules are established on the basis of the ABAC model by identifying the attribute information of users, resources and the context environment, and fine-grained control of authority is applied to the resource nodes of the resource authority tree. User attribute information includes but is not limited to user ID, tenant, department, organization, position, job grade, security level and authorized area; resource attributes include but are not limited to resource provider ID, tenant, department, organization and security level; the context environment includes but is not limited to the user's login place and login time. The attribute information is customized as required according to the service characteristics of the SaaS. Access control rules corresponding to resources with the same resource ID within a tenant must not conflict, and the child nodes of a resource authority tree inherit the access control rules of the parent node by default, without one-to-one configuration.
In step 2.4, users holding the same set of roles are organized as a user group, so that the resource authority tree of such users is not generated repeatedly. User and user group, user group and role, and user and role are all many-to-many mappings: one user may in fact correspond to several roles and hence to several resource authority trees; resource authority trees that correspond to the same resource directed tree, and the authority of the same resource referenced by those trees, are merged and their conflicts eliminated, finally yielding the set of effective resource authority trees that dynamically corresponds to the user.
In step 2.5, the user attribute information, resource attribute information and context environment are obtained in real time; the assigned operation authority and access control rules of the resource node are fetched from the user's set of resource authority trees according to the resource node ID associated with the resource; whether the user has access authority to the resource is determined by rule evaluation and authority matching; and the corresponding result is returned, realizing access control.
The invention has the beneficial effects that:
the method adapts to the differing authority management scenarios of different tenants in the SaaS mode, achieves efficient, low-complexity authority allocation, and at the same time meets the access control requirements of different tenants at different granularities and under dynamic changes of resource attributes, with the following specific advantages:
1. authority is allocated on the basis of the resource directed tree, which greatly reduces the workload of authority allocation while keeping its flexibility, so the method adapts to the differing authority management scenarios of different tenants;
2. access control is performed on the basis of the resource authority tree, combining the advantages of RBAC and ABAC, and can meet the access control requirements of different tenants at different granularities and under dynamic changes of resource attributes;
3. the access rights to data resources and non-data resources are managed as an organic whole through the resource authority tree; compared with the traditional isolated management of data and non-data resources, this reduces management complexity, and in particular when access control requirements change or access control rights are misconfigured, the problem can be located quickly and handled efficiently.
Drawings
FIG. 1 is a schematic representation of the H-RRBAC model of the present invention;
FIG. 2 is a schematic diagram of the steps of resource right allocation and access control based on H-RRBAC model according to the present invention;
FIG. 3 is a schematic diagram of the structure of the resource authority tree in the H-RRBAC model according to the present invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings in which:
the invention discloses a SaaS resource access control method based on a resource authority tree, which comprises the following steps:
step 1, designing a SaaS access control theoretical model based on a resource authority tree, namely an H-RRBAC model for short, by combining an H-RBAC model and an ABAC model.
As shown in FIG. 1, in this step the H-RRBAC model is improved on the basis of the H-RBAC model and the ABAC model, the improvement comprising:
1.1, introducing a resource directed tree between the roles and resources of the H-RBAC model and performing authority allocation on the basis of the resource directed tree, wherein one resource directed tree represents one service scenario, clear service boundaries exist between trees, the inherent association between the resources in a tree determines the inclusion relation between the authority of parent and child resource nodes, a child node automatically inherits the authority of its parent node when the parent node is authorized, and when the access control policies within one service scenario are the same, authority allocation is performed only on the root node.
1.2, performing access control on the basis of the resource authority tree, fusing the advantages of RBAC and ABAC, with the access authority of a role to a resource determined jointly by the resource-operation authority and the resource-ABAC rules.
1.3, bringing the subject's access authority to data resources and non-data resources under unified management as an organic whole through the resource authority tree, wherein the subject's access authority to data resources is determined by the service, the service context is presented in the form of the resource directed tree, and when access control requirements change or an access control authority is misconfigured or conflicts, the authority concerned can be located quickly and handled efficiently.
As shown in FIG. 3, the resource authority tree is a directed tree formed from a plurality of resource nodes. A resource node is represented by a four-tuple of resource node ID, resource information, assigned operation authority and access control rules, where the resource node ID uniquely identifies the resource directed tree and the position of the node within it; the resource information is represented by a five-tuple of resource ID, resource name, resource type, resource attributes and supported operation authority, where the resource ID uniquely identifies the resource, the resource name is obtained automatically, resource types include but are not limited to menu, page control and data, the resource attributes are the resource's attribute set, and the supported operation authority is determined by the resource type; the assigned operation authority is a set of authorities selected from the supported operation authorities; the access control rules are a rule set constructed from the attribute information of users, resources and the context environment; and the relations between resource nodes are determined by the service logic predefined in the SaaS software code and may include containment, operation triggering and reference, for example a menu may contain several submenus, a menu operation may trigger a page, a page may be composed of several subpages, and a page contains data, controls and the like.
Step 2, as shown in fig. 2, the resource right allocation and access control is performed based on the H-RRBAC model, which includes the following steps:
Step 2.1, registering SaaS platform resources, and automatically generating resource directed atomic subtrees, each taking the resource representing a minimum service unit as its root node.
In this step, a resource directed atomic subtree represents a minimum service unit, and the resources involved in that service are automatically associated and organized according to the logical relations predefined in the SaaS software code; the leaf nodes of a resource directed atomic subtree are data-type resources; duplicate resource nodes are not allowed within the same tree.
Step 2.2, the platform administrator combines resource directed atomic subtrees as required to generate a resource directed tree.
In this step, one resource directed tree is generated by combining one or more resource directed atomic subtrees according to the needs of the service scenario. One resource directed tree represents a complete service scenario and generally corresponds to a service that the SaaS opens to customers; the access control policies within it are similar, which is the entry point for reducing the workload of authority allocation.
Step 2.3, the platform administrator allocates resource access permission to the tenant with the resource directed tree as the unit, and the tenant administrator allocates the resource authority of roles with the resource directed trees permitted to the tenant as the unit, constructing the resource authority tree of each role.
In this step, roles and resource authority trees are in a many-to-many mapping, and a resource directed tree and its resource authority trees are in a one-to-many relation. By the generation rule of the resource directed tree, the authority of a parent node and a child node of the resource authority tree stand in an inclusion relation: the child node inherits all the authority of the parent node by default, but may be redefined as long as the conflict constraints are not violated, which reduces the workload of authority allocation while preserving its flexibility.
Furthermore, in this step, attribute-based access control rules are established on the basis of the ABAC model by identifying the attribute information of users, resources and the context environment, and fine-grained control of authority is applied to the resource nodes of the resource authority tree. User attribute information includes but is not limited to user ID, tenant, department, organization, position, job grade, security level and authorized area; resource attributes include but are not limited to resource provider ID, tenant, department, organization and security level; the context environment includes but is not limited to the user's login place and login time. The attribute information is customized according to the service characteristics of the SaaS. Access control rules corresponding to resources with the same resource ID within a tenant must not conflict, and the child nodes of a resource authority tree inherit the access control rules of the parent node by default, without one-to-one configuration. To avoid configuring the same access control rule repeatedly in every resource authority tree, a tenant-global rule is introduced, and all resource authority trees automatically inherit the global rules of their tenant.
Step 2.4, the tenant administrator establishes the user-user group, user group-role and user-role relationships, and the resource authority trees of users are generated.
In this step, users holding the same set of roles are organized as a user group, so that the resource authority tree of such users is not generated repeatedly. User and user group, user group and role, and user and role are all many-to-many mappings: one user may in fact correspond to several roles and hence to several resource authority trees; resource authority trees that correspond to the same resource directed tree, and the authority of the same resource referenced by those trees, are merged and their conflicts eliminated, finally yielding the set of effective resource authority trees that dynamically corresponds to the user.
Step 2.5, when the user accesses a service, the user's access to resources is controlled on the basis of the user's resource authority tree.
In this step, the user attribute information, resource attribute information and context environment are obtained in real time; the assigned operation authority and access control rules of the resource node are fetched from the user's set of resource authority trees according to the resource node ID associated with the resource; whether the user has access authority to the resource is determined by rule evaluation and authority matching; and the corresponding result is returned, realizing access control.
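As an added example, not code from the patent, the following Python sketch runs steps 2.3 to 2.5 end to end on a constructed tenant: a resource directed tree for an asset management service (menu, page, data), two roles whose authority trees are derived from a root-level assignment with inheritance down the tree and a per-node redefinition check, a user holding both roles whose role trees are merged, and the access decision that combines the assigned operations with the node's ABAC rules and a tenant-global rule. The node and resource fields follow the patent's four-tuple and five-tuple; the tenant X, the resource IDs, the rule predicates, the filtering of inherited operations by the resource type's supported operations, and the union-of-grants merge for a user's roles are assumptions made for illustration.

```python
# Added example, not the patent's code: H-RRBAC steps 2.3-2.5 on a constructed tenant.
# Node/resource fields follow the patent's 4-tuple and 5-tuple; tenant X, resource IDs,
# rule predicates, supported-op filtering of inherited ops and the grant-union merge
# of a user's role trees are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Rule = Callable[[dict, dict, dict], bool]      # (user attrs, resource attrs, context) -> bool
Grant = Tuple[frozenset, Tuple[Rule, ...]]     # one role tree's (effective ops, rules) for a node


@dataclass
class Resource:
    """Resource information 5-tuple: ID, name, type, attribute set, supported operations."""
    rid: str
    name: str
    rtype: str                                   # "menu" | "page" | "data"
    attrs: dict = field(default_factory=dict)
    supported_ops: Set[str] = field(default_factory=set)


@dataclass
class Node:
    """Resource node 4-tuple plus child links; node_id encodes tree and position."""
    node_id: str
    resource: Resource
    assigned_ops: Optional[Set[str]] = None       # None: inherit the parent's assignment
    rules: List[Rule] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def build_authority_tree(root: Node, root_ops: Set[str], root_rules: List[Rule],
                         overrides: Optional[Dict[str, Set[str]]] = None) -> Dict[str, Grant]:
    """Step 2.3: assign ops and rules at the root; children inherit both unless the role
    redefines a node. A redefinition must be drawn from the resource's supported ops (the
    patent's constraint); stored ops are the inherited set filtered by the type (assumption)."""
    overrides = overrides or {}
    tree: Dict[str, Grant] = {}

    def walk(n: Node, inherited_ops: Set[str], inherited_rules: Tuple[Rule, ...]) -> None:
        ops = overrides.get(n.node_id, n.assigned_ops)
        if ops is None:
            ops = inherited_ops
        elif not ops <= n.resource.supported_ops:
            raise ValueError(f"{n.node_id}: {ops - n.resource.supported_ops} not supported")
        rules = inherited_rules + tuple(n.rules)          # parent rules plus the node's own
        tree[n.node_id] = (frozenset(ops & n.resource.supported_ops), rules)
        for child in n.children:
            walk(child, ops, rules)

    walk(root, set(root_ops), tuple(root_rules))
    return tree


def merge_role_trees(role_trees: List[Dict[str, Grant]]) -> Dict[str, Set[Grant]]:
    """Step 2.4: a user with several roles gets the union of their grants per node;
    identical grants collapse into one, which is the conflict elimination here."""
    user_tree: Dict[str, Set[Grant]] = {}
    for tree in role_trees:
        for node_id, grant in tree.items():
            user_tree.setdefault(node_id, set()).add(grant)
    return user_tree


def check_access(user_tree: Dict[str, Set[Grant]], global_rules: List[Rule], node_id: str,
                 op: str, user: dict, res: dict, ctx: dict) -> bool:
    """Step 2.5: every tenant-global rule must hold; then any grant for the node that
    contains the op and whose rules all hold permits the access."""
    if not all(rule(user, res, ctx) for rule in global_rules):
        return False
    return any(op in ops and all(rule(user, res, ctx) for rule in rules)
               for ops, rules in user_tree.get(node_id, set()))


# Constructed sample: tenant X's asset management tree (menu -> page -> data) and rules
# of the kinds the patent lists (tenant, authorized area, security level).
same_tenant: Rule = lambda u, r, c: u["tenant"] == r["tenant"]
in_authorized_area: Rule = lambda u, r, c: c["login_place"] in u["authorized_areas"]
clearance_ok: Rule = lambda u, r, c: u["security_level"] >= r["security_level"]

asset_menu = Node("asset/1", Resource("R100", "Assets", "menu", {"tenant": "X"}, {"view"}))
asset_page = Node("asset/1.1", Resource("R101", "Asset list", "page", {"tenant": "X"}, {"view"}))
asset_data = Node("asset/1.1.1", Resource("R102", "asset records", "data", {"tenant": "X", "security_level": 2},
                                          {"read", "create", "update", "delete"}), rules=[clearance_ok])
asset_menu.children = [asset_page]
asset_page.children = [asset_data]

TENANT_X_GLOBAL_RULES = [same_tenant]
ROLE_TREES = {
    "ops_viewer": build_authority_tree(asset_menu, {"view", "read"}, [in_authorized_area]),
    "ops_editor": build_authority_tree(asset_menu, {"view", "read", "update"}, [in_authorized_area]),
}


def demo() -> Dict[str, bool]:
    """Decisions for a user holding both roles; Bob of tenant Y is tried against the same
    grants to show that the tenant-global rule alone refuses him."""
    alice = {"id": "u1", "tenant": "X", "security_level": 3, "authorized_areas": {"HQ", "Site-A"}}
    bob = {"id": "u2", "tenant": "Y", "security_level": 5, "authorized_areas": {"HQ"}}
    user_tree = merge_role_trees([ROLE_TREES["ops_viewer"], ROLE_TREES["ops_editor"]])
    record, g = asset_data.resource.attrs, TENANT_X_GLOBAL_RULES
    at_hq = {"login_place": "HQ", "login_time": "2020-08-05T10:00"}
    remote = {"login_place": "Site-B", "login_time": "2020-08-05T23:00"}
    try:                                          # "delete" is not a supported op of a page
        build_authority_tree(asset_menu, {"view"}, [], {"asset/1.1": {"delete"}})
        override_rejected = False
    except ValueError:
        override_rejected = True
    return {
        "alice_read": check_access(user_tree, g, "asset/1.1.1", "read", alice, record, at_hq),
        "alice_update": check_access(user_tree, g, "asset/1.1.1", "update", alice, record, at_hq),
        "alice_delete": check_access(user_tree, g, "asset/1.1.1", "delete", alice, record, at_hq),
        "alice_remote": check_access(user_tree, g, "asset/1.1.1", "read", alice, record, remote),
        "alice_read_menu": check_access(user_tree, g, "asset/1", "read", alice, asset_menu.resource.attrs, at_hq),
        "bob_read": check_access(user_tree, g, "asset/1.1.1", "read", bob, record, at_hq),
        "override_rejected": override_rejected,
    }
```

Calling demo() returns the decisions. Alice may read and update the asset records at headquarters but not delete them (no role grants it) and not from an unauthorized site (the root-level area rule, inherited by the leaf, fails); "read" on the menu node is refused because the menu type only supports "view", so the inherited assignment is filtered at that node; the attempt to assign "delete" to a page is rejected at tree construction because an assigned operation must be selected from the resource's supported operations; and Bob of tenant Y is refused before any grant is examined because the tenant-global rule fails.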
Description of the drawings: the above-mentioned contents are not necessarily identical to the contents of the drawings in the specification, but correspond to each other for the convenience of drawing expression.
To facilitate understanding of the embodiments of the present invention and the effects thereof, a specific application example is given below. It will be understood by those skilled in the art that this example is merely for the purpose of facilitating an understanding of the present invention and that any specific details thereof are not intended to limit the invention in any way.
Application example:
Take the SaaS platform for operation and maintenance management inside a certain group M as an example. The platform is deployed at group headquarters, and each subsidiary of the group accesses it as a tenant. When the platform is initialized, platform resource registration is completed automatically and the resource directed atomic subtrees are generated. The platform administrator divides the services the platform offers into asset management (basic edition), asset management (full edition), resource operation monitoring, work order management, change management, resource configuration management and so on, to be selected by tenants (supporting services tightly coupled to the tenant are selected automatically), builds the resource directed tree corresponding to each service from the resource directed atomic subtrees, and configures the subject and object access control policy applicable to the whole group on the basis of the resource directed trees.
After an existing subsidiary X applies on the platform to open the asset management (full edition), work order management and change management services and pays for them, the platform administrator allocates tenant roles to subsidiary X and completes the corresponding access authorization. The administrator of subsidiary X (the tenant administrator) first configures basic data (such as the company's organization, operation and maintenance areas and operation and maintenance bodies), then adjusts the initial resource authority tree, including roles, operation authority and ABAC rules, maps roles to users or user groups (optional) and users to user groups (optional), so that the users' resource authority trees are generated and the configuration of the company's internal personalized access control policy is completed. When a user of subsidiary X needs to access a service, identity authentication is first performed by the platform's authentication module; after authentication passes, the user attribute information, resource attribute information and context environment are obtained, the assigned operation authority and access control rules of the resource nodes are fetched from the user's set of resource authority trees according to the resource node IDs associated with the resources, whether the user has access authority to the resource is determined by rule evaluation and authority matching, and the corresponding result is returned.
The above embodiments are only preferred embodiments of the present invention, and are not intended to limit the technical solutions of the present invention, so long as the technical solutions can be realized on the basis of the above embodiments without creative efforts, which should be considered to fall within the protection scope of the patent of the present invention.

Claims (8)

1. A SaaS resource access control method based on a resource authority tree, characterized in that the method comprises the following steps:
step 1, combining an H-RBAC model with an ABAC model to design a SaaS access control theoretical model based on a resource authority tree, referred to as the H-RRBAC model;
step 2, performing resource authority allocation and access control based on the H-RRBAC model, comprising the following steps:
step 2.1, registering SaaS platform resources and automatically generating a resource directed original subtree with the resource representing the minimum service unit as its root node;
step 2.2, the platform administrator combines resource directed original subtrees as required to generate a resource directed tree;
step 2.3, the platform administrator allocates resource access authority to the tenant with the resource directed tree as the unit, and the tenant administrator allocates resource authority to roles with the resource directed trees the tenant is permitted to access as the unit, constructing the resource authority tree of each role;
step 2.4, the tenant administrator establishes the user-user group, user group-role and user-role relationships and generates the resource authority tree of the user;
step 2.5, when the user accesses a service, controlling the user's access to resources based on the user's resource authority tree.
2. The SaaS resource access control method based on a resource authority tree of claim 1, characterized in that in step 1 the H-RRBAC model improves on the H-RBAC model and the ABAC model, the improvements comprising:
1.1, introducing a resource directed tree between the roles and resources of the H-RBAC model and performing authority allocation on the basis of the resource directed tree, wherein one resource directed tree represents one service scenario and clear service boundaries exist between trees; the inherent association between the resources within a tree determines the implication relationship between the authorities of parent and child resource nodes, so that when a resource node is authorized its child nodes automatically inherit the authority of the parent node, and when the access control policies of a whole service scenario are the same, authority allocation is performed only on the root node;
1.2, performing access control on the basis of the resource authority tree, fusing the advantages of RBAC and ABAC: the access authority of a role to a resource is determined jointly by the resource-operation authority and the resource-ABAC rules;
1.3, bringing the subject's access authority to data resources and non-data resources under unified management as one organic whole through the resource authority tree, wherein the subject's access authority to data resources is determined by the service and the service context is presented in the form of a resource directed tree, so that when access control requirements change or an access control authority is misconfigured or conflicts, the affected authority can be located quickly and handled efficiently;
the resource authority tree is a directed tree formed by a plurality of resource nodes; a resource node is represented by a quadruple of resource node ID, resource information, allocated operation authority and access control rules, wherein the resource node ID uniquely identifies the resource directed tree and the position of the node within it; the resource information is represented by a quintuple of resource ID, resource name, resource type, resource attributes and supported operation authority, wherein the resource ID uniquely identifies the resource, the resource name is obtained automatically, the resource type includes but is not limited to menu, page control and data, the resource attributes are the attribute set of the resource, and the supported operation authority is determined by the resource type; the allocated operation authority is a set of authorities selected from the supported operation authority; the access control rules are a rule set constructed from the attribute information of users, resources and the context environment; and the relationships between resource nodes are determined by the business logic predefined in the SaaS software code.
3. The SaaS resource access control method based on a resource authority tree according to claim 1 or 2, characterized in that in step 2.1 the root of a resource directed original subtree is the resource representing a minimum service unit, and the resources related to that service are automatically associated and organized according to the logical relations predefined in the SaaS software code; the leaf nodes of a resource directed original subtree are data-type resources; and duplicate resource nodes are not allowed within the same tree.
4. The SaaS resource access control method based on a resource authority tree according to claim 1 or 2, characterized in that in step 2.2 one resource directed tree is generated by combining one or more resource directed original subtrees according to the needs of the service scenario, where the one resource directed tree represents a complete service scenario and generally corresponds to a service that the SaaS offers to customers; the corresponding access control policies are similar, which is the entry point for reducing the authority allocation workload.
5. The SaaS resource access control method based on a resource authority tree according to claim 1 or 2, characterized in that in step 2.3 a many-to-many mapping exists between roles and resource authority trees and a one-to-many relationship exists between a resource directed tree and resource authority trees; according to the generation rule of the resource directed tree, the authorities of parent and child nodes of a resource authority tree stand in an inclusion relationship, and a child node inherits all authorities of its parent node by default but may be redefined provided that the conflict constraints are not violated, which reduces the authority allocation workload while preserving the flexibility of allocation.
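The node quadruple and resource quintuple of claim 2, the no-duplicates rule of claim 3 and the parent-to-child inheritance with an inclusion constraint of claim 5 (steps 2.1 to 2.3 of claim 1) can be illustrated in code. The following is an added example written for this page, not code from the patent or its applicant; the class and function names (`Resource`, `ResourceNode`, `allocate`, `effective_ops`, `try_allocate`), the per-type operation vocabulary, the node ID scheme and the sample asset-management tree are all constructed assumptions. Two modelling choices are also assumptions, since the claims do not fix them: a node's authority is the set allocated on it or, if none is allocated, the set inherited from its parent, limited to the operations its own resource type supports; and a redefinition on a child must stay within the parent's authority and within the operations supported somewhere in that child's subtree.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

# Claim 2: the operations a resource supports are determined by its type.
# This vocabulary is an assumption made for the example.
SUPPORTED_OPS: Dict[str, Set[str]] = {
    "menu": {"view"},
    "page_control": {"view"},
    "data": {"read", "create", "update", "delete"},
}


@dataclass
class Resource:
    """Resource information quintuple: ID, name, type, attributes; supported ops derive from the type."""
    resource_id: str
    name: str
    rtype: str
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def supported_ops(self) -> Set[str]:
        return SUPPORTED_OPS[self.rtype]


@dataclass
class ResourceNode:
    """Node quadruple: node ID, resource, allocated ops, rules. allocated_ops=None means 'inherit'."""
    node_id: str  # identifies the tree and the node's position within it (constructed scheme)
    resource: Resource
    allocated_ops: Optional[Set[str]] = None
    rules: List[str] = field(default_factory=list)
    parent: Optional["ResourceNode"] = field(default=None, repr=False)
    children: List["ResourceNode"] = field(default_factory=list, repr=False)

    def walk(self) -> Iterator["ResourceNode"]:
        yield self
        for child in self.children:
            yield from child.walk()

    def root(self) -> "ResourceNode":
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    def add_child(self, child: "ResourceNode") -> "ResourceNode":
        # Claim 3: a resource may appear only once within one tree.
        if any(n.resource.resource_id == child.resource.resource_id for n in self.root().walk()):
            raise ValueError(f"duplicate resource {child.resource.resource_id} in tree")
        child.parent = self
        self.children.append(child)
        return child

    def subtree_supported(self) -> Set[str]:
        """Union of the operations supported by this node and all of its descendants."""
        return set().union(*(n.resource.supported_ops for n in self.walk()))

    def granted_ops(self) -> Set[str]:
        """Authority allocated here or, by default, inherited from the parent (claim 5)."""
        if self.allocated_ops is not None:
            return set(self.allocated_ops)
        return self.parent.granted_ops() if self.parent is not None else set()

    def effective_ops(self) -> Set[str]:
        """Granted authority restricted to what this node's resource type supports."""
        return self.granted_ops() & self.resource.supported_ops

    def allocate(self, ops: Set[str]) -> None:
        """Allocate (or redefine) authority on this node under the inclusion constraint."""
        ops = set(ops)
        unsupported = ops - self.subtree_supported()
        if unsupported:
            raise ValueError(f"{self.node_id}: {sorted(unsupported)} not supported in this subtree")
        if self.parent is not None:
            excess = ops - self.parent.granted_ops()
            if excess:  # a child may narrow but never exceed its parent's authority
                raise ValueError(f"{self.node_id}: {sorted(excess)} exceed the parent's authority")
        self.allocated_ops = ops


def try_allocate(node: ResourceNode, ops: Set[str]) -> bool:
    """True if the allocation was accepted, False if it violated a constraint."""
    try:
        node.allocate(ops)
        return True
    except ValueError:
        return False


def build_asset_tree() -> ResourceNode:
    """Constructed sample scenario tree: menu -> page control -> two data resources."""
    root = ResourceNode("T1", Resource("r-asset-menu", "Asset management", "menu"))
    page = root.add_child(ResourceNode("T1.0", Resource("r-asset-list", "Asset list", "page_control")))
    page.add_child(ResourceNode("T1.0.0", Resource("r-asset-record", "Asset record", "data")))
    page.add_child(ResourceNode("T1.0.1", Resource("r-asset-audit", "Asset audit log", "data")))
    return root


def find(root: ResourceNode, node_id: str) -> ResourceNode:
    return next(n for n in root.walk() if n.node_id == node_id)


if __name__ == "__main__":
    tree = build_asset_tree()
    tree.allocate({"view", "read", "update"})  # one allocation on the root covers the whole scenario
    find(tree, "T1.0.1").allocate({"read"})   # narrow the audit log to read-only
    for n in tree.walk():
        print(n.node_id, n.resource.name, sorted(n.effective_ops()))
```

Allocating once on the root is the "authority allocation only on the root node" case of claim 2: the page control and data nodes below it receive the parts of that authority their types support. Redefining a child is accepted only while it narrows the inherited set; attempting to widen it (for example adding `delete` to the audit log) is rejected and leaves the node unchanged, which is the inclusion constraint a reviewer would want enforced rather than assumed.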
6. The SaaS resource access control method based on a resource authority tree according to claim 1 or 2, characterized in that in step 2.3 attribute-based access control rules are established by identifying the attribute information of users, resources and the context environment on the basis of the ABAC model, and fine-grained authority control is performed on the resource nodes of the resource authority tree; the user attribute information includes but is not limited to user ID, the tenant, department and organization to which the user belongs, post, job level, security level and authorization area; the resource attributes include but are not limited to resource provider ID, the tenant, department and organization to which it belongs, and security level; the context environment includes but is not limited to the user's login place and login time; the attribute information is customized as required according to the service characteristics of the SaaS; access control rules corresponding to resources with the same resource ID within a tenant are not allowed to conflict; and the child nodes of the resource authority tree inherit the access control rules of.
7. The SaaS resource access control method based on a resource authority tree according to claim 1 or 2, characterized in that in step 2.4 users holding the same set of roles are organized as a user group, which avoids generating the users' resource authority trees repeatedly; user-user group, user group-role and user-role are all many-to-many mappings, and one user may in practice correspond to a plurality of roles and therefore to a plurality of resource authority trees; the resource authority trees corresponding to the same resource directed tree, and the authorities of the same resource referenced by them, are merged and their conflicts eliminated, finally yielding the plurality of effective resource authority trees that correspond dynamically to the user.
8. The SaaS resource access control method based on a resource authority tree according to claim 1 or 2, characterized in that in step 2.5 the user attribute information, resource attribute information and context environment are obtained in real time, the 'allocated operation authority' and 'access control rules' of the resource node are fetched from the user's resource authority tree set according to the resource node ID associated with the resource, whether the user has access authority to the resource is determined by rule analysis and authority matching, and the corresponding result is returned to realize access control.
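The attribute-based rules of claim 6, the merging of several roles' trees into a user's effective trees of claim 7 and the runtime decision of claim 8 (steps 2.4 and 2.5 of claim 1), as an added example that is not part of the patent or of any product of the applicant. Each role's resource authority tree is flattened here into a mapping from resource node ID to its allocated operations and rules, which is what claim 8 looks up by node ID; the `Rule` format, the operators, the attribute names, the two sample roles and the attribute values are constructed for the example. How a rule conflict is "eliminated" is not stated in the claims, so this example refuses the merge when two roles put rules on the same node with the same attribute and operator but different reference values; it also denies whenever an attribute a rule needs is absent, so the check fails closed.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

Attrs = Dict[str, Dict[str, Any]]  # {"user": {...}, "resource": {...}, "ctx": {...}}

_MISSING = object()
_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "in": lambda a, b: a in b,
}


def _lookup(attrs: Attrs, path: str) -> Any:
    """Resolve 'section.key' (e.g. 'user.department'); _MISSING if the attribute is absent."""
    section, _, key = path.partition(".")
    return attrs.get(section, {}).get(key, _MISSING)


@dataclass(frozen=True)
class Rule:
    """One attribute condition. ref is a literal, or '@section.key' to compare two attributes."""
    attr: str
    op: str
    ref: Any

    def holds(self, attrs: Attrs) -> bool:
        left = _lookup(attrs, self.attr)
        right = _lookup(attrs, self.ref[1:]) if isinstance(self.ref, str) and self.ref.startswith("@") else self.ref
        if left is _MISSING or right is _MISSING:
            return False  # a rule over an unknown attribute fails closed
        try:
            return _OPS[self.op](left, right)
        except TypeError:  # incomparable types (e.g. str vs int) also deny
            return False


@dataclass
class NodePerm:
    """Allocated operation authority and access control rules of one resource node."""
    ops: Set[str] = field(default_factory=set)
    rules: Set[Rule] = field(default_factory=set)


# One role's resource authority tree, flattened to node ID -> permissions (what claim 8 looks up).
RoleTree = Dict[str, NodePerm]


def merge_role_trees(role_trees: List[RoleTree]) -> RoleTree:
    """Merge the trees of every role a user holds into the user's effective tree (claim 7).

    Operations are unioned. Rules are unioned after a conflict check: two rules on the same
    node with the same attribute and operator but different reference values are rejected
    (assumption: the claims require conflicts to be eliminated but do not say how).
    """
    merged: RoleTree = {}
    for tree in role_trees:
        for node_id, perm in tree.items():
            target = merged.setdefault(node_id, NodePerm())
            target.ops |= perm.ops
            for rule in perm.rules:
                for existing in target.rules:
                    if (existing.attr, existing.op) == (rule.attr, rule.op) and existing.ref != rule.ref:
                        raise ValueError(f"conflicting rules on {node_id}: {existing} vs {rule}")
                target.rules.add(rule)
    return merged


def merge_ok(role_trees: List[RoleTree]) -> bool:
    """True if the roles can be merged without a rule conflict."""
    try:
        merge_role_trees(role_trees)
        return True
    except ValueError:
        return False


def check_access(user_tree: RoleTree, node_id: str, op: str, attrs: Attrs) -> bool:
    """Runtime decision (claim 8): find the node by ID, match the operation, evaluate every rule."""
    perm = user_tree.get(node_id)
    if perm is None or op not in perm.ops:
        return False
    return all(rule.holds(attrs) for rule in perm.rules)


# Constructed sample roles of one tenant; node IDs refer to an asset-management scenario tree.
ASSET_OPERATOR: RoleTree = {
    "T1.0.0": NodePerm({"read", "update"}, {Rule("user.department", "==", "@resource.department")}),
}
AUDITOR: RoleTree = {
    "T1.0.0": NodePerm({"read"}, {Rule("user.security_level", ">=", "@resource.security_level")}),
    "T1.0.1": NodePerm({"read"}, {Rule("ctx.login_hour", ">=", 8), Rule("ctx.login_hour", "<=", 18),
                                  Rule("ctx.login_region", "in", ("CN-GD", "CN-BJ"))}),
}
NIGHT_AUDITOR: RoleTree = {  # same node, attribute and operator as AUDITOR but a different bound
    "T1.0.1": NodePerm({"read"}, {Rule("ctx.login_hour", ">=", 20)}),
}
SAMPLE_ATTRS: Attrs = {  # constructed user, resource and context attributes
    "user": {"department": "ops", "security_level": 3},
    "resource": {"department": "ops", "security_level": 2},
    "ctx": {"login_hour": 10, "login_region": "CN-GD"},
}

if __name__ == "__main__":
    user_tree = merge_role_trees([ASSET_OPERATOR, AUDITOR])
    print(check_access(user_tree, "T1.0.0", "update", SAMPLE_ATTRS))  # both roles' rules apply
    print(merge_ok([AUDITOR, NIGHT_AUDITOR]))                          # conflicting login-hour rules
```

Merging unions the operations but keeps every role's rules, so a user who is both operator and auditor must satisfy the department rule and the security-level rule on the same node; the access check looks up only the node ID, the operation and the attribute triple, which is all the runtime of claim 8 needs.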

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010781030.6A CN111935131B (en) 2020-08-06 SaaS resource access control method based on resource authority tree


Publications (2)

Publication Number Publication Date
CN111935131A true CN111935131A (en) 2020-11-13
CN111935131B CN111935131B (en) 2024-06-07


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100306393A1 (en) * 2009-05-26 2010-12-02 Microsoft Corporation External access and partner delegation
US20130283350A1 (en) * 2012-04-18 2013-10-24 Ifat Afek Access authorization
CN103701801A (en) * 2013-12-26 2014-04-02 四川九洲电器集团有限责任公司 Resource access control method
CN107104931A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 A kind of access control method and platform
WO2018121445A1 (en) * 2016-12-29 2018-07-05 中兴通讯股份有限公司 Multi-tenant access control method and apparatus

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GUIHUA WANG: "Service Availability Monitoring and Measurement Based on Customer Perception", 《2018 IEEE 9TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING AND SERVICE SCIENCE (ICSESS)》, 10 March 2019 (2019-03-10) *
熊光辉;白尚旺;党伟超;潘理虎;张睿;: "一种基于角色等级树的SaaS多租户多域访问控制模型", 计算机应用与软件, no. 06, 12 June 2018 (2018-06-12) *
申利民: "SaaS模式下可插拔访问控制框架的设计", 《小型微型计算机系统》, vol. 31, no. 6, 15 June 2010 (2010-06-15) *

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113722725A (en) * 2020-12-24 2021-11-30 京东数字科技控股股份有限公司 Resource data acquisition method and system
CN112633764A (en) * 2020-12-31 2021-04-09 北京捷通华声科技股份有限公司 Intelligent customer service system and customer service method
CN112800413A (en) * 2021-02-26 2021-05-14 上海派拉软件股份有限公司 Authority information pushing method, device, equipment and storage medium
CN112800413B (en) * 2021-02-26 2024-03-15 上海派拉软件股份有限公司 Authority information pushing method, device, equipment and storage medium
CN112818309A (en) * 2021-03-04 2021-05-18 重庆度小满优扬科技有限公司 Method and device for controlling data access authority and storage medium
CN112861087A (en) * 2021-03-08 2021-05-28 山东高速信息集团有限公司 Authority distribution management method and system based on multiple parks and multiple units
CN113190348A (en) * 2021-04-28 2021-07-30 深圳市鹰硕云科技有限公司 Cross-platform virtual resource allocation method, device, equipment and storage medium
CN113190348B (en) * 2021-04-28 2023-03-10 深圳市鹰硕云科技有限公司 Cross-platform virtual resource allocation method, device, equipment and storage medium
CN113221138A (en) * 2021-04-30 2021-08-06 中核武汉核电运行技术股份有限公司 Authority management system
CN113239344A (en) * 2021-05-12 2021-08-10 建信金融科技有限责任公司 Access right control method and device
CN112966292A (en) * 2021-05-19 2021-06-15 北京仁科互动网络技术有限公司 Metadata access authority control method, system, electronic equipment and storage medium
CN113204427A (en) * 2021-05-20 2021-08-03 远景智能国际私人投资有限公司 Resource management method, resource management device, computer equipment and storage medium
CN113507443A (en) * 2021-06-10 2021-10-15 广州大学 Internet of things access control method and device based on time capability tree
CN113612724A (en) * 2021-06-10 2021-11-05 广州大学 Internet of things access control method and device based on capability
CN113507443B (en) * 2021-06-10 2022-03-25 广州大学 Internet of things access control method and device based on time capability tree and storage medium
CN113612724B (en) * 2021-06-10 2022-01-25 广州大学 Internet of things access control method and device based on capability
CN113282896A (en) * 2021-06-11 2021-08-20 上海数禾信息科技有限公司 Authority management method and system
CN113505996A (en) * 2021-07-13 2021-10-15 上海数禾信息科技有限公司 Authority management method and device
CN113742743A (en) * 2021-07-23 2021-12-03 苏州浪潮智能科技有限公司 LDAP-based data encryption access control method and system
CN113590118B (en) * 2021-07-23 2024-02-09 南京赛宁信息技术有限公司 Resource authority control device and method based on DRF framework
CN113742743B (en) * 2021-07-23 2023-08-08 苏州浪潮智能科技有限公司 LDAP-based data encryption access control method and system
CN113590118A (en) * 2021-07-23 2021-11-02 南京赛宁信息技术有限公司 Resource authority control device and method based on DRF framework
CN113536254A (en) * 2021-07-26 2021-10-22 平安资产管理有限责任公司 Resource permission configuration method and device, computer equipment and storage medium
CN113591126A (en) * 2021-08-12 2021-11-02 北京滴普科技有限公司 Data authority processing method and computer readable storage medium
CN113778991A (en) * 2021-09-14 2021-12-10 珠海市新德汇信息技术有限公司 Method for realizing resource access control of big data
CN113839942A (en) * 2021-09-22 2021-12-24 上海妙一生物科技有限公司 User authority management method, device, equipment and storage medium
CN113591134A (en) * 2021-09-28 2021-11-02 广东机电职业技术学院 Threat intelligence big data sharing method and system
WO2023051235A1 (en) * 2021-09-28 2023-04-06 广东机电职业技术学院 Threat intelligence big data sharing method and system
CN113591134B (en) * 2021-09-28 2021-12-14 广东机电职业技术学院 Threat intelligence big data sharing method and system
CN114422183A (en) * 2021-12-13 2022-04-29 北京思特奇信息技术股份有限公司 Micro-service access control method, system and device based on security attribute
CN114139139A (en) * 2022-02-07 2022-03-04 树根互联股份有限公司 Authority management and control method and device for service and application and electronic equipment
CN114726632A (en) * 2022-04-14 2022-07-08 天工信创(广州)信息科技有限公司 Login method, device, storage medium and processor
CN114726632B (en) * 2022-04-14 2024-04-05 广州鑫景信息科技服务有限公司 Login method, login equipment and storage medium
CN116186652B (en) * 2022-12-22 2024-01-02 博上(山东)网络科技有限公司 Authority management method, system, equipment and readable storage medium
CN116186652A (en) * 2022-12-22 2023-05-30 博上(山东)网络科技有限公司 Authority management method, system, equipment and readable storage medium
CN116842220A (en) * 2023-07-06 2023-10-03 中国科学院青藏高原研究所 Data access method based on logic classification and data role control
CN116842220B (en) * 2023-07-06 2024-01-02 中国科学院青藏高原研究所 Data access method based on logic classification and data role control
CN116800550A (en) * 2023-08-29 2023-09-22 北京仁科互动网络技术有限公司 Region management method, device and equipment in software as a service (SaaS) mode

Similar Documents

Publication Publication Date Title
CN107046530B (en) Coordination management system for heterogeneous agile information technology environment
US8433717B2 (en) System and method for efficiently securing enterprise data resources
Hu et al. Guidelines for access control system evaluation metrics
US8381306B2 (en) Translating role-based access control policy to resource authorization policy
US8327419B1 (en) System and method for efficiently securing enterprise data resources
US8010991B2 (en) Policy resolution in an entitlement management system
US9384361B2 (en) Distributed event system for relational models
CN110990150A (en) Tenant management method and system of container cloud platform, electronic device and storage medium
CN110472388B (en) Equipment management and control system and user permission control method thereof
CN108092945B (en) Method and device for determining access authority and terminal
Li et al. RBAC-based access control for SaaS systems
US8719894B2 (en) Federated role provisioning
WO2016026320A1 (en) Access control method and apparatus
Bradshaw et al. The kaos policy services framework
CN114143069B (en) Authority management system and method applied to microservice
US20240007458A1 (en) Computer user credentialing and verification system
CN115022020B (en) Access control method and system based on multidimensional set calculation
CN111935131B (en) SaaS resource access control method based on resource authority tree
CN111935131A (en) SaaS resource access control method based on resource authority tree
CN113407626B (en) Planning management and control method based on blockchain, storage medium and terminal equipment
CN114491498A (en) Wind power plant central monitoring login system based on permission classification
CN110348184B (en) Industrial cloud-based permission resource configuration method, system and storage medium
Schwarzbach et al. Cloud based privacy preserving collaborative business process management
Sengupta Dynamic fragmentation and query translation based security framework for distributed databases
Wang et al. A SaaS Resource Authorization Management Model based on Resource Directed Tree

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant