CN114422197A - Permission access control method and system based on policy management - Google Patents

Info

Publication number: CN114422197A
Authority: CN (China)
Prior art keywords: access, policy, authority, information, user
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202111606160.7A
Other languages: Chinese (zh)
Inventor: 龚满城
Current assignee: Baianju Information Technology Shanghai Co ltd
Original assignee: Baianju Information Technology Shanghai Co ltd
Events: application filed by Baianju Information Technology Shanghai Co ltd; priority to CN202111606160.7A; publication of CN114422197A; legal status pending

Classifications

    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/20: Network architectures or network communication protocols for network security, for managing network security; network security policies in general
    • G06F21/604: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; tools and structures for managing or administering access control systems
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/2141: Indexing scheme relating to G06F21/00; access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention provides a method and system for controlling permission access based on policy management. An access controller is constructed to intercept an access request sent by a user terminal to an access object; the user identity information is verified through the access authentication protocol the user employs; permission policy rules are acquired according to the user identity information and combined to generate access decision information, which includes an authorization decision; and if the authorization decision is passed, the access request is forwarded to the access object, otherwise access failure information is returned. The invention solves the problem that, under traditional IAM technology, access fails because objects are frequently added or deleted, prevents unauthorized users from gaining access, and protects the enterprise's digital assets more intelligently and securely without sacrificing efficiency or user experience.

Description

Permission access control method and system based on policy management
Technical Field
The invention relates to the field of permission access control, and in particular to a permission access control method and system based on policy management.
Background
As enterprise business grows, a large number of application systems appear within the enterprise, including self-developed, outsourced, private-cloud and public-cloud deployments. The user identity authentication and permission access control that each of these systems brings with it create barriers to account interoperability and permission control across the enterprise. Application authorization sits at the heart of organizational security, and therefore of productivity: authorization determines what a digital identity may do in each application. Authorization is entirely about ensuring data security and avoiding violations, and it is essential that the right person dynamically obtains the right access at the right time. Authorization methods have evolved to simplify the authorization process, let it scale faster, and give the organization better control and visibility.
Conventional IAM is typically used for identity lifecycle management across the systems that manage user access, covering onboarding, departure and role changes; in such a solution a user or device is granted access rights through policy decision points and corresponding policy enforcement points. Faced with enterprises whose organization and user data are already distributed and diffuse, legacy permission centers have not been able to support cross-tenant, cross-account-system and cross-endpoint scenarios, or the separation of application data from identity data. Under conventional IAM it is very complicated to execute so many rules for a single access request, and errors arise easily because there is no clear view of which rules will apply to the request. With many applications, further problems appear: objects are frequently added or deleted, unauthorized users gain access to objects, users or devices access objects directly, and multiple access control models must be maintained. Permission granularity across systems cannot be controlled well by having staff maintain roles. To address these business pain points, the invention provides a permission access control method and system based on policy management.
Disclosure of Invention
In view of the above shortcomings of the prior art, it is an object of the present invention to provide a method and system for permission access control based on policy management that solve the above problems.
To achieve the above and other related objects, the present invention provides a method for permission access control based on policy management, comprising: constructing an access controller that intercepts an access request sent by a user terminal to an access object; verifying the user identity information through the access authentication protocol the user employs; acquiring permission policy rules according to the user identity information and combining them to generate access decision information, the access decision information comprising an authorization decision; and, if the authorization decision is passed, forwarding the access request to the access object, otherwise returning access failure information.
In an embodiment of the present invention, the method further includes, when verifying the user identity information: evaluating a trust index by calculating a score and presetting a threshold for it, the score being computed in real time from the login environment, authentication frequency and activity of the user terminal; storing the score in a permission context, which also stores environmental data; and comparing the user's score with the score threshold: if the score is not less than the threshold, returning an authorization-passed decision, otherwise requesting the permission policy rules.
In an embodiment of the present invention, the method further includes: acquiring the user identity information, the access object, environment information and an access type, where the user identity information comprises the user's mobile phone number and ID, the access object comprises an application system address, the environment information comprises an IP address, user terminal device information and access time, and the access type is either authorization passed or no access right; querying the access policy in a permission policy database according to the user identity information, the access object and the environment information; and generating the applicable access decision information from the query result.
In an embodiment of the present invention, the method further includes: matching the user identity information, the access object and the environment information one by one against the subject descriptor, object descriptor, environment descriptor and access type in the permission policy database; determining N permission policy rules from the matching result, N being a natural number; and combining those permission policy rules into the access policy.
In an embodiment of the present invention, the method further includes: judging whether a rule conflict exists when the permission policy rules are combined, and if so, constructing a dynamic policy conflict resolver to resolve it.
In an embodiment of the present invention, the dynamic policy conflict resolver resolves a permission policy rule conflict by: acquiring the configuration time of each permission policy rule; and comparing the configuration times, taking the rule with the earlier configuration time as the governing permission policy rule.
In an embodiment of the present invention, the method further includes pre-building a static policy conflict detector: when a permission policy rule is created, it is checked for conflict with existing rules; if a conflict exists, the creation is reported as failed, otherwise the rule is reported as created successfully.
To achieve the above and other related objects, the present invention provides a permission access control system based on policy management, comprising: a policy enforcement module, which constructs the access controller that intercepts access requests sent by a user terminal to an access object and processes them according to the access decision information; an authentication module, which evaluates the user trust index and verifies the user identity information; a policy storage database module, which stores and provides permission information and the permission policy rules; and a policy decision module, which combines the acquired permission policy rules and generates the access decision information.
To achieve the above and other related objects, the present invention provides a computer-readable storage medium storing a computer program which, when loaded and executed by a processor, implements the method for permission access control based on policy management.
To achieve the above and other related objects, the present invention provides an electronic device comprising a processor, a memory and a communication interface, where the memory stores a computer program, the processor loads and executes the computer program so that the electronic device performs the permission access control method based on policy management, and the communication interface enables communication between the access device and other equipment.
As described above, the permission access control method based on policy management provided by the invention addresses the growing number of enterprise applications and the errors that easily arise when traditional IAM evaluates a user's many rule requests. By establishing multiple access control models it solves the problem that users cannot access objects that are frequently added or deleted, prevents unauthorized users from gaining access, and protects the enterprise's digital assets more intelligently and securely without sacrificing efficiency or user experience.
Drawings
Fig. 1 is a flowchart illustrating a method for controlling access to rights based on policy management according to an embodiment of the present invention.
Fig. 2 is a schematic diagram illustrating a data information transmission process of a policy management-based right access control method according to an embodiment of the present invention.
Fig. 3 is a schematic diagram illustrating a user organization architecture used in the method for controlling access to rights based on policy management according to an embodiment of the present invention.
Fig. 4 is a block diagram of an authorization access control system based on policy management according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
To solve the problem that, in the prior art, when an enterprise has many applications and many departments, a traditional IAM is prone to error when executing and processing a user's multi-rule access control request, the invention provides an access control method and system based on policy management.
As shown in fig. 1, this embodiment provides a method for permission access control based on policy management; read together with the data transmission diagram of fig. 2, the method comprises the following steps:
S11: construct an access controller to intercept an access request sent by the user terminal to the access object.
Specifically, the access controller is constructed in advance in the policy enforcement module 21. After the user terminal 20 sends an access request to the access object, the policy enforcement module 21 intercepts the request through the access controller.
The policy enforcement module 21 then sends a user identity authentication request to the authentication module 22.
S12: verify the user identity information through the access authentication protocol the user employs.
Specifically, the authentication module 22 obtains the protocol the user used to log in to the application system, including but not limited to SAML, OAuth, OIDC and Basic, and verifies the user identity by comparing the login protocol and its account information with the user login information stored in the identity provider (IdP).
A trust evaluation engine is also built into the authentication module 22: a dynamic score builds the trust evaluation index, and a threshold K is set in advance for the score. The score is stored in the permission context, which additionally stores context data. The score is then calculated in real time from environment information such as the login IP address of the user terminal and the user terminal device information, together with authentication frequency and activity; for privileged users the score may also be adjusted manually from the back end. When the calculated score is not less than K, an authorization-passed decision is returned to the policy enforcement module 21 and the process proceeds directly to step S14. Otherwise a trust-evaluation-failed result is returned to the policy enforcement module 21, which requests permission access decision information from the policy decision module 23; the policy decision module 23 then acquires the permission policy rules and combines them.
Preferably, before the policy decision module 23 requests the permission policy rules, the user identity information, access object, environment information and access type are acquired. The user identity information includes company department and organization information, job information and personal information such as mobile phone number, mailbox and ID; the access object includes SaaS applications and the system addresses of internal applications; the environment information includes the IP address, user terminal device information and access time; and the access type is either authorization passed or no access right. The access policy is then queried in the permission policy database according to the user identity information, access object and environment information, and the applicable access decision information is generated from the query result.
The policy decision module 23 then matches the user identity information, access object and environment information one by one against the subject descriptor, object descriptor, environment descriptor and access type obtained from the policy information storage module 24, and checks from the matching result whether N corresponding permission policy rules exist in the permission policy rule set 26 of the policy storage database 25, N being a natural number.
Note that the policy information storage module 24 and the permission policy rule set 26 are both contained in the policy storage database 25.
S13: acquire permission policy rules according to the user identity information and combine them to generate access decision information, which includes an authorization decision.
Specifically, after obtaining the permission policy rules, the policy decision module 23 combines the N rules using a rule-combination method. For example, in fig. 3, department B of subsidiary company A of group company A has permission to access application system A; the team leader of department B specifies that team members of department B are granted access to application system A only between 9 am and 6 pm on working days; and employee B is additionally restricted to accessing application system A from the intranet. With this method, when an access request from employee B to application system A is received, the department's access permission rule for application system A, the access-time rule set by the team leader, and the network-environment rule the team leader set for employee B must be combined to judge whether employee B has permission for that access. Note that, to combine rules more flexibly, rules may be grouped and packaged again as a policy set and stored in the permission policy rule set 26 of the policy storage database 25.
Since permission policy rules for the same user and object may be designed by different teams, different policy components may conflict. Accordingly, a dynamic policy conflict resolver is constructed in the policy decision module 23: when the permission policy rules are combined, it is first judged whether a rule conflict exists, and if so the conflict is resolved by the dynamic policy conflict resolver. For example, ordering by creation time, the rule created first takes precedence over the rule created later, and when there is a conflict the rule created first is used for the rule combination.
Preferably, a static policy conflict detector is also constructed in advance. Before a permission policy rule is entered into the policy storage database 25, that is, when it is created in the permission policy rule management center, it is checked for conflict with the existing rules; if a conflict exists, an exception such as a conflict notice is raised, otherwise the rule is reported as created successfully.
S14: if the authorization decision is passed, forward the access request to the access object, otherwise return access failure information.
Specifically, after generating the access decision information by combining the permission policy rules, the policy decision module 23 sends the access authorization information to the policy enforcement module 21, which forwards the intercepted access request to the access object 27.
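The rule matching, combination and conflict handling of steps S12 and S13 above, as an added Python sketch that is not the patent's own implementation: the descriptor layout, the combination semantics (an applicable deny wins, otherwise every in-scope permit rule's environment constraint must hold), the threshold value and the sample rules reproducing the fig. 3 scenario are all assumptions.

```python
"""Policy decision sketch for steps S12 and S13 (added example, not the patent's code).
Assumed: a rule carries a subject descriptor (identity attributes), an object
descriptor (application address), an environment descriptor (network and time
constraints), an access type ("permit" or "deny") and its configuration time."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    subject: dict       # attributes the user identity must carry for the rule to apply
    obj: str            # application system address
    env: dict           # "networks": [CIDR, ...], "hours": (start, end), "workdays": bool
    effect: str         # access type: "permit" or "deny"
    configured_at: datetime

def request_env(ip, year, month, day, hour):
    """Environment information captured with the request: IP address and access time."""
    return {"ip": ip, "time": datetime(year, month, day, hour)}

def subject_matches(rule, identity):
    return all(identity.get(k) == v for k, v in rule.subject.items())

def env_matches(rule, env):
    """Evaluate the environment descriptor against the request's IP and access time."""
    ip, at = ip_address(env["ip"]), env["time"]
    nets = rule.env.get("networks")
    if nets and not any(ip in ip_network(n) for n in nets):
        return False
    if "hours" in rule.env:
        start, end = rule.env["hours"]
        if not start <= at.hour < end:
            return False
    if rule.env.get("workdays") and at.weekday() > 4:
        return False
    return True

class RuleStore:
    """Static policy conflict detector: a new rule whose descriptors equal an
    existing rule's but whose effect differs is rejected when it is created."""
    def __init__(self):
        self.rules = []

    def create(self, rule):
        for old in self.rules:
            same = (old.subject, old.obj, old.env) == (rule.subject, rule.obj, rule.env)
            if same and old.effect != rule.effect:
                raise ValueError(f"rule {rule.name!r} conflicts with {old.name!r}")
        self.rules.append(rule)
        return rule

def resolve_conflicts(matched):
    """Dynamic policy conflict resolver: when in-scope rules disagree on the
    effect, the rule configured earliest wins and the others are dropped."""
    if len({r.effect for r in matched}) < 2:
        return matched
    winner = min(matched, key=lambda r: r.configured_at).effect
    return [r for r in matched if r.effect == winner]

def decide(rules, identity, obj, env):
    """Combine the N in-scope rules: an applicable deny wins; otherwise every
    in-scope permit rule's environment constraint must hold."""
    in_scope = [r for r in rules if subject_matches(r, identity) and r.obj == obj]
    matched = resolve_conflicts(in_scope)
    permits = [r for r in matched if r.effect == "permit"]
    denies = [r for r in matched if r.effect == "deny" and env_matches(r, env)]
    if denies or not permits:
        return "deny"
    return "permit" if all(env_matches(r, env) for r in permits) else "deny"

def enforce(rules, identity, obj, env, score, threshold):
    """Step S12 gate: a trust score of at least the threshold K skips the policy decision."""
    return "permit" if score >= threshold else decide(rules, identity, obj, env)

# Constructed sample reproducing the fig. 3 scenario (not real data).
APP_A = "https://app-a.example.internal"
STORE = RuleStore()
RULES = [STORE.create(r) for r in (
    Rule("dept-B-access", {"department": "B"}, APP_A, {}, "permit", datetime(2021, 1, 1)),
    Rule("team-hours", {"department": "B"}, APP_A,
         {"hours": (9, 18), "workdays": True}, "permit", datetime(2021, 2, 1)),
    Rule("emp-B-intranet", {"user_id": "emp-b"}, APP_A,
         {"networks": ["10.0.0.0/8"]}, "permit", datetime(2021, 3, 1)),
)]
EMPLOYEE_B = {"user_id": "emp-b", "department": "B"}

if __name__ == "__main__":
    for env in (request_env("10.1.2.3", 2022, 3, 7, 10),      # Monday, intranet
                request_env("203.0.113.5", 2022, 3, 7, 10),   # Monday, external
                request_env("10.1.2.3", 2022, 3, 5, 10)):     # Saturday, intranet
        print(env, "->", enforce(RULES, EMPLOYEE_B, APP_A, env, score=40, threshold=80))
```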
All or part of the steps of the above method embodiments may be performed by hardware associated with a computer program. On this understanding, the present invention also provides a computer program product comprising one or more computer instructions, which may be stored in a computer-readable storage medium. The computer-readable storage medium may be any available medium a computer can store, or a data storage device such as a server or data center that integrates one or more available media.
Referring to fig. 4, this embodiment provides a permission access control system 40 based on policy management, installed in an electronic device as software that executes the permission access control method of the foregoing embodiment when run. Since the technical principle of the system embodiment is similar to that of the method embodiment, repeated description of the same technical details is omitted.
The permission access control system 40 based on policy management in this embodiment specifically comprises an authentication module 41, a policy storage database module 42, a policy decision module 43 and a policy enforcement module 44. The authentication module 41 evaluates the user trust index and verifies the user identity information; the policy storage database module 42 stores and provides permission policy rule information; the policy decision module 43 combines the obtained permission policy rules into access decision information; and the policy enforcement module 44 constructs the access controller that intercepts access requests sent by the user terminal to an access object and processes them according to the access decision information.
Those skilled in the art will understand that the division into modules in the embodiment of fig. 4 is only a logical division; in an actual implementation the modules may be fully or partially integrated into one or more physical entities. The modules may all be implemented as software invoked by a processing element, all as hardware, or partly as software invoked by a processing element and partly as hardware. For example, the policy decision module 43 may be a separate processing element, may be integrated into a chip, or may be stored in memory as program code that a processing element calls to execute the function of the policy decision module 43. The other modules are implemented similarly. The processing element described here may be an integrated circuit with signal processing capability. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or by an instruction in the form of software.
Referring to fig. 5, the embodiment provides an electronic device, which may be a portable computer, a smart phone, a tablet computer, or the like. In detail, the electronic device comprises at least a memory 52, a processor 53 and a communication interface 54 connected by a bus 51; the communication interface 54 enables communication between the data access device and other devices, the memory 52 stores computer programs, and the processor 53 executes the computer programs stored in the memory 52 to perform all or part of the steps of the foregoing method embodiments.
The system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is drawn, but this does not mean there is only one bus or one type of bus. The communication interface enables communication between the database access device and other equipment (such as a client, a read-write library and a read-only library). The memory may include random access memory (RAM) and may further include non-volatile memory, such as at least one disk memory.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In summary, with the method and system for permission access control based on policy management provided by the present invention, in the authorization mode of an application system the applicable rules and user meta-information for each access object are combined into policy objects, the policy objects are continuously and centrally grouped into policy sets, the policy sets are stored uniformly and managed centrally, conflicts are resolved by the conflict resolver when they occur, the performance bottleneck of decision-making is relieved by trust scores, and efficient and secure permission access control across many application systems and user hierarchies within an enterprise is achieved by isolating data access, controlling access spread and preventing authorized users from accessing data in a dangerous manner. The invention therefore effectively overcomes various defects of the prior art and has high industrial utility value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.

Claims (10)

1. An authority access control method based on policy management is characterized by comprising the following steps:
an access controller is constructed to intercept an access request sent by a user terminal to an access object;
verifying the user identity information through an access authentication protocol adopted by the user;
acquiring authority policy rules according to the user identity information and combining the authority policy rules to generate access decision information, wherein the access decision information comprises an authorization decision;
and if the authorization decision is passed, the access request is sent to an access object, otherwise, access failure information is returned.
2. The method according to claim 1, further comprising, when verifying the user identity information:
evaluating a trust index by calculating a score, and presetting a threshold value for the score, wherein the score is calculated in real time according to the login environment, the authentication frequency and the activity of the user terminal;
storing the score in a permission context, wherein the permission context further stores environmental data;
and comparing the score of the user with a score threshold, if the score of the user is not less than the threshold, returning authorization passing decision information, and otherwise, requesting to acquire the authority policy rule.
3. The method of claim 1 or 2, further comprising:
acquiring the user identity information, an access object, environment information and an access type, wherein the user identity information comprises a user mobile phone number and an ID, the access object comprises an application system address, the environment information comprises an IP address, user terminal device information and access time, and the access type comprises authorization passing and no access right;
performing an access policy query in a permission policy database according to the user identity information, the access object and the environment information; and generating applicable access decision information according to the access policy query result.
4. The method of claim 3, further comprising:
matching the user identity information, the access object and the environment information one by one against the subject descriptor, object descriptor, environment descriptor and access type in the permission policy database;
determining N permission policy rules according to the matching result, wherein N is a natural number;
and combining the permission policy rules into the access policy.
5. The method of claim 4, further comprising:
judging whether a rule conflict exists when the permission policy rules are combined and, if so, constructing a dynamic policy conflict resolver to resolve the permission policy rule conflict.
6. The method of claim 5, wherein the step of the dynamic policy conflict resolver resolving the permission policy rule conflict comprises:
acquiring the configuration time of the permission policy rules;
and comparing the configuration time information of the permission policy rules, and taking the permission policy rule with the earlier configuration time as the applicable permission policy rule.
7. The method of claim 4, further comprising pre-building a static policy conflict detector that:
judges whether a conflict exists when a permission policy rule is created and, if so, prompts that creation of the permission policy rule has failed; otherwise, prompts that creation of the policy rule has succeeded.
8. A permission access control system based on policy management, characterized in that the system comprises:
a policy execution module for constructing an access controller that intercepts an access request sent by a user terminal to an access object and performs corresponding processing according to the access decision information;
an authentication module for evaluating the user trust index and verifying the user identity information;
a policy storage database module for storing and providing permission information and the permission policy rules;
and a policy decision module for combining the acquired permission policy rules and generating access decision information.
9. A computer-readable storage medium in which a computer program is stored which, when loaded and executed by a processor, implements the permission access control method based on policy management according to any one of claims 1 to 7.
10. An electronic device, comprising a processor, a memory and a communication interface, wherein
the memory is used for storing a computer program;
the processor is used for loading and executing the computer program so that the electronic device executes the permission access control method based on policy management according to any one of claims 1 to 7;
and the communication interface is used for realizing communication between the access device and other equipment.
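The decision flow of claims 1 to 7, as an added example that is not code from the patent: a permission policy store with the static conflict detector of claim 7, descriptor matching, the earliest-configured-rule resolver of claim 6, and the trust-score shortcut of claim 2. The rule format, function names and the constructed sample descriptors (phone numbers, addresses, IPs) are assumptions, not values from the patent.

```python
# Added example (not the patent's own code): a minimal policy decision point that
# follows claims 1-7. The rule format, matching and sample values are assumptions.
from collections import namedtuple
from datetime import datetime

PASS, NO_ACCESS = "authorization passing", "no access right"  # access types (claim 3)

# A permission policy rule: subject, object and environment descriptors ('*'
# matches anything), the access type it yields, and when it was configured.
Rule = namedtuple("Rule", "subject obj env access_type configured_at")

class PolicyStore:
    """Permission policy database with the static conflict detector of claim 7."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def create(self, rule: Rule) -> bool:
        # Creation fails when a stored rule has the same descriptors but a
        # different access type, so a conflict never reaches the database.
        for r in self.rules:
            if r[:3] == rule[:3] and r.access_type != rule.access_type:
                return False
        self.rules.append(rule)
        return True

    def match(self, subject: str, obj: str, env: str) -> list[Rule]:
        # Claim 4: match each request attribute against the descriptors one by one.
        return [r for r in self.rules
                if all(p in ("*", v) for p, v in zip(r[:3], (subject, obj, env)))]

def combine(rules: list[Rule]) -> "str | None":
    # Claims 4-6: combine the N matched rules into one access policy; rules with
    # different access types conflict, and the dynamic resolver keeps the
    # rule with the earlier configuration time.
    if not rules:
        return None
    if len({r.access_type for r in rules}) == 1:
        return rules[0].access_type
    return min(rules, key=lambda r: r.configured_at).access_type

def decide(store: PolicyStore, subject: str, obj: str, env: str,
           trust_score: float, threshold: float) -> str:
    # Claims 1-3: a score at or above the threshold returns an authorization-passing
    # decision without a policy query; otherwise the matched rules are combined,
    # and no applicable rule means the access fails.
    if trust_score >= threshold:
        return PASS
    return combine(store.match(subject, obj, env)) or NO_ACCESS
```

Note that, exactly as claimed, a score at or above the threshold grants access without any policy query, so the score inputs and the threshold are part of the trust boundary and need the same integrity protection as the policy database itself.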
CN202111606160.7A 2021-12-25 2021-12-25 Permission access control method and system based on policy management Pending CN114422197A (en)

Publications (1)

Publication Number Publication Date
CN114422197A true CN114422197A (en) 2022-04-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination