CN116975842A - User authority access control method and system based on cloud center - Google Patents

Info

Publication number
CN116975842A
Authority
CN
China
Prior art keywords
manager
administrator
rights
role
factory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310995942.7A
Other languages
Chinese (zh)
Inventor
刘庆林
刘其谦
李小琼
魏海宇
杨帆
陈健
谢辉
杨晓峰
刘海洋
姜小光
安恩庆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zorelworld Information Technology Co ltd
Original Assignee
Beijing Zorelworld Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zorelworld Information Technology Co ltd
Priority to CN202310995942.7A
Publication of CN116975842A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

A user authority access control method and system based on a cloud center. The method includes: creating account and password configuration information for a system administrator A, an authorization administrator C and an audit administrator L through the cloud center; at the factory stage, having the cloud center assign the menu permissions of system administrator A, authorization administrator C and audit administrator L, generate JSON-format data, and encrypt that data to produce a factory configuration file; before the system leaves the factory, loading and parsing the factory-configuration JSON data file and initializing the permission information of the configuration file through database migration to generate the corresponding database structure; and storing the account and password information of the factory-configured system administrator A, authorization administrator C and audit administrator L, whose three powers are separated. The application adopts a three-layer control approach, which both flexibly constrains the identity authentication, operation authentication and security audit that the factory system applies to visitors and lets users of the system apply permission control according to their own business needs.

Description

User authority access control method and system based on cloud center
Technical Field
The application belongs to the technical field of access control, and particularly relates to a user authority access control method and system based on a cloud center.
Background
Currently, role-based access control (RBAC, Role-Based Access Control) is receiving widespread attention as a promising alternative to conventional access control (discretionary access control, mandatory access control). The notable features of RBAC are:
First, role/permission relationships change less often than role/user relationships, which minimizes the complexity of authorization management and reduces management overhead.
Second, it flexibly supports the security policy of the enterprise and scales well as the enterprise changes.
In a large information network, user identity management, user authorization management and audit management are three important elements of system security management, and most of this management work is done by a system administrator. The administrator's rights are too broad, which easily leads to misuse or abuse of those rights. Furthermore, if an attacker compromises a management role, the attacker obtains full control of the system, so the security of the system is very fragile.
Disclosure of Invention
Therefore, the application provides a user authority access control method and system based on a cloud center, to solve the problem of poor security in the conventional technology.
In order to achieve the above object, the present application provides the following technical solutions: the user authority access control method based on the cloud center comprises the following steps:
creating and generating account password configuration information of a system manager A, an authorization manager C and an audit manager L through a cloud center;
the cloud center distributes menu authorities of the system manager A, the authorized manager C and the auditing manager L in a factory to generate Json format data, and encrypts the Json format data to generate a factory configuration file;
when the inside of the system is delivered from the factory, a Json format data file of the configuration of the delivery is loaded for analysis, and the authority information of the configuration file is initialized through database migration to generate a corresponding database structure;
and storing account password information of the system administrator A, the authorized administrator C and the audit administrator L with the factory configuration three-rights separation.
As a preferred scheme of the user authority access control method based on the cloud center, the menu authorities of the system administrator A, the authorization administrator C and the auditing administrator L adopt a Restful API style URL to access the collection vocabulary of the route.
As a preferred scheme of the user authority access control method based on the cloud center, generating the corresponding database structure through the database migration file comprises the following steps:
a role and menu relationship table structure;
a role table structure;
role and rights relation table structure;
a rights table structure;
user table structure.
As a preferred scheme of the user authority access control method based on the cloud center, four roles of a system manager A, an authorized manager C, an audit manager L and a common manager N are generated in a role database;
and giving access rights of URL access routes under corresponding menus to a system manager A, an authorized manager C and an audit manager L based on the cloud center menu rights.
As a user authority access control method preferred scheme based on the cloud center, a system administrator A creates designated roles and levels according to the needs; the highest role authority of the common manager N is consistent with the role authority of the system manager A.
As a user authority access control method optimization scheme based on the cloud center, if Json format data encryption is generated to generate factory configuration file errors, performing error prompt termination flow;
if the Json format data file loaded with the factory configuration is wrong, performing error prompt termination flow;
if the authority information of the initialization configuration file is wrong through database migration, performing error prompt termination flow.
The application also provides a user authority access control system based on the cloud center, which comprises:
the role creation module is used for creating and generating account password configuration information of a system manager A, an authorization manager C and an auditing manager L through a cloud center;
the menu authority allocation module is used for dispatching the menu authorities of the system manager A, the authorized manager C and the audit manager L by a cloud center;
the factory configuration file generation module is used for generating Json format data and encrypting the Json format data to generate a factory configuration file;
the Json format file analysis module is used for loading a Json format data file of factory configuration to analyze before factory in the system and generating a corresponding database structure through database migration initialization configuration file authority information;
and the role information storage module is used for storing account password information of the system administrator A, the authorization administrator C and the auditing administrator L with separate factory configuration and three rights.
As a preferred scheme of the user authority access control system based on the cloud center, in the menu authority allocation module, menu authorities of the system manager A, the authorized manager C and the audit manager L adopt a Restful API style URL to access a collection vocabulary of a route.
As a preferred solution of the cloud center-based user permission access control system, the generating, in the Json format file parsing module, a corresponding database structure by migrating a file through a database includes:
a role and menu relationship table structure;
a role table structure;
role and rights relation table structure;
a rights table structure;
a user table structure;
in the Json format file analysis module, four roles of a system manager A, an authorized manager C, an audit manager L and a common manager N are generated in a role database;
giving access rights of URL access routes under corresponding menus to a system administrator A, an authorized administrator C and an audit administrator L based on cloud center menu rights;
a system administrator A creates designated roles and hierarchies according to the needs; the highest role authority of the common manager N is consistent with the role authority of the system manager A.
As a preferred scheme of the cloud center-based user authority access control system, the cloud center-based user authority access control system further comprises:
the first error prompting module is used for performing error prompting termination flow if the Json format data is generated and encrypted to generate a factory configuration file error;
the second error prompting module is used for carrying out error prompting termination flow if the Json format data file loaded with the factory configuration is wrong;
and the third error prompting module is used for performing error prompting termination flow if the authority information of the initialization configuration file is wrong through database migration.
The beneficial effects of the application are as follows. Account and password configuration information for system administrator A, authorization administrator C and audit administrator L is created through the cloud center; at the factory stage the cloud center assigns the menu permissions of system administrator A, authorization administrator C and audit administrator L, generates JSON-format data, and encrypts that data to produce the factory configuration file; before the system leaves the factory, the factory-configuration JSON data file is loaded and parsed, and the permission information of the configuration file is initialized through database migration to generate the corresponding database structure; and the account and password information of the factory-configured system administrator A, authorization administrator C and audit administrator L, whose three powers are separated, is stored. The application adopts a three-layer control approach: the cloud center customizes the menu control of the factory system and the policy of independent system management, authorization management and audit management, and on top of these two layers of authorization control a third layer, the RBAC role control of the factory system, is added and inherits from them. This both flexibly constrains the identity authentication, operation authentication and security audit that the factory system applies to visitors and lets users of the system apply permission control according to their own business needs.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It will be apparent to those skilled in the art from this disclosure that the drawings described below are merely exemplary and that other embodiments may be derived from the drawings provided without undue effort.
The structures, proportions, sizes, etc. shown in the present specification are shown only for the purposes of illustration and description, and are not intended to limit the scope of the application, which is defined by the claims, so that any structural modifications, changes in proportions, or adjustments of sizes, which do not affect the efficacy or the achievement of the present application, should fall within the scope of the application.
Fig. 1 is a schematic flow chart of a user authority access control method based on a cloud center provided by an embodiment of the present application;
fig. 2 is a schematic diagram of an implementation route of a user authority access control method based on a cloud center according to an embodiment of the present application;
fig. 3 is a schematic view of a rights frame of a user rights access control method based on a cloud center according to an embodiment of the present application;
fig. 4 is a data structure before encryption in the cloud center-based user right access control method according to the embodiment of the present application;
FIG. 5 is a menu interface of a user right access control method based on a cloud center provided by an embodiment of the application;
FIG. 6 is a table structure of roles and menu relationships in a cloud center-based user rights access control method according to an embodiment of the present application;
fig. 7 is a role table structure in a cloud center-based user permission access control method according to an embodiment of the present application;
FIG. 8 is a table structure of roles and rights relation in the cloud center-based user rights access control method according to the embodiment of the present application;
fig. 9 is a rights table structure in a user rights access control method based on a cloud center according to an embodiment of the present application;
fig. 10 is a user table structure in a user authority access control method based on a cloud center according to an embodiment of the present application;
FIG. 11 is a role generation interface structure in a cloud center-based user permission access control method according to an embodiment of the present application;
fig. 12 is a schematic diagram of a user authority access control system based on a cloud center according to an embodiment of the present application.
Detailed Description
Other advantages and advantages of the present application will become apparent to those skilled in the art from the following detailed description, which, by way of illustration, is to be read in connection with certain specific embodiments, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Currently, role-based access control (RBAC, Role-Based Access Control) is receiving widespread attention as a promising alternative to conventional access control (discretionary access control, mandatory access control). In RBAC, rights are associated with roles, and users obtain the rights of a role by becoming members of the appropriate role, which greatly simplifies the management of rights.
In an organization, roles are created to accomplish various tasks, and users are assigned roles according to their responsibilities and qualifications, so a user can easily be moved from one role to another. Roles can be given new rights as new requirements and systems are combined, and rights can be revoked from a role as required. Role-to-role relationships can be established to cover a wider range of real situations.
Role-based access control (RBAC) introduces the concept of a Role in order to isolate the User (the acting Subject) from the Privilege (a right, meaning an Operation on a Resource, i.e. Operation + Resource). The Role acts as a proxy layer between User and Privilege and expresses the relationship between rights and users; all rights should be granted to a Role rather than directly to a User or Group. A Privilege is a unit of rights consisting of an Operation and a Resource, representing one Operation on a Resource, for example a delete operation on news. Role-Privilege is a many-to-many relationship, which is the core of the rights model.
In a large information network, user identity management, user authorization management and audit management are three important elements of system security management, and most of this management work is done by a system administrator. In addition to technology, a security policy and a security management mechanism and system are needed to provide security assurance. The administrator's rights are too broad, which easily leads to misuse or abuse of those rights. Furthermore, if an attacker compromises a management role, the attacker obtains full control of the system, so the security of the system is very fragile. In view of this, the application provides a user authority access control method and system based on a cloud center, which adds cloud-center-based control and realizes separation of the three powers and of user access rights on top of the three entity types of traditional permission control: roles, users and menus. The cloud center's factory configuration implements menu control, the cloud center implements separation of the three powers together with RBAC (Role-Based Access Control) role control, and the result is three-layer authorization control over accessing users. The specific content of an embodiment of the present application follows.
Referring to fig. 1, 2 and 3, an embodiment of the present application provides a user authority access control method based on a cloud center, including the following steps:
s1, creating and generating account password configuration information of a system administrator A, an authorization administrator C and an audit administrator L through a cloud center;
s2, distributing menu authorities of the system manager A, the authorized manager C and the audit manager L by a cloud center in a factory to generate Json format data, and encrypting the Json format data to generate a factory configuration file;
s3, loading a Json format data file of factory configuration to analyze before factory configuration in the system, and initializing configuration file authority information through database migration to generate a corresponding database structure;
s4, storing account password information of the system administrator A, the authorization administrator C and the auditing administrator L with the factory configuration separated three rights.
In this embodiment, system management, authorization management and audit management must be carried out by three separate administrators, namely system administrator A, authorization administrator C and audit administrator L. The user administrator cannot perform authorization management or audit management on users; the authorization administrator cannot manage users, groups, domains and so on, and cannot manage audit records; the audit administrator cannot manage users, groups, domains and so on, and cannot perform authorization management.
In this embodiment, the menu permissions of system administrator A, authorization administrator C and audit administrator L are collective terms for sets of URL access routes in RESTful API style.
Specifically, the cloud center creates the account (encrypted password) configuration information of the three administrators (system administrator A, authorization administrator C and audit administrator L). At the factory stage the cloud center configures and specifies the menus (RESTful API style URL access routes) corresponding to the three administrators, generates JSON-format data, encrypts it using SHA265 and a secret key, and generates the factory configuration file (first-layer system menu control and second-layer separation-of-three-powers permission control). The data before encryption is shown in Fig. 4.
As shown in Fig. 5, each menu contains a list of RESTful routes, so a menu corresponds to a collection of routes. The finest-grained permission is a URL access route in RESTful API style, and a menu is a collective term for several URL access routes, also in RESTful style.
In this embodiment, before the system leaves the factory, the factory configuration json.txt file must be loaded and parsed, the corresponding database structure is generated by running the database migration files, and the account information of the factory-configured administrators with separated powers is stored.
The database structure is generated as shown in fig. 6, 7, 8, 9 and 10. FIG. 6 is a role and menu relationship table structure; FIG. 7 is a role table structure; FIG. 8 is a role and rights relationship table structure; FIG. 9 is a rights table structure; fig. 10 is a user table structure.
Referring to Fig. 11, in this embodiment four roles, system administrator A, authorization administrator C, audit administrator L and common administrator N, are generated in the role database according to the RBAC permission design; system administrator A, authorization administrator C and audit administrator L are then given access to the URL access routes under their corresponding menus, based on the cloud center menu permissions.
System administrator A creates designated roles and levels as needed; the highest role authority of common administrator N is the same as the role authority of system administrator A. System administrator A may create other roles and hierarchies as needed, but none will be higher than the role authority of system administrator A. The highest permission list of the RBAC roles is therefore controlled by the content of the json.txt file.
In this embodiment, if an error occurs while encrypting the generated JSON-format data into the factory configuration file, an error is reported and the flow terminates;
if an error occurs while loading the factory-configuration JSON data file, an error is reported and the flow terminates;
if an error occurs while initializing the permission information of the configuration file through database migration, an error is reported and the flow terminates.
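Steps S1 to S4, the role ceiling and the terminate-on-error rules can be sketched as follows. This is an added example, not code from the patent: it assumes the "SHA265 and a secret key" step is a keyed SHA-256 tag (HMAC-SHA256), which authenticates the file but does not hide its contents, and the table names, route strings and key are constructed for illustration.

```python
import hashlib
import hmac
import json
import sqlite3

# Constructed sample: each factory administrator's menus, each menu a set of routes.
FACTORY_MENUS = {
    "A": {"users": ["GET /api/users", "POST /api/users"],
          "roles": ["GET /api/roles", "POST /api/roles"]},
    "C": {"grants": ["GET /api/grants", "PUT /api/grants/{id}"]},
    "L": {"audit": ["GET /api/audit/logs"]},
}

class FactoryConfigError(Exception):
    """Stops the flow, like the page's 'error prompt, terminate' steps."""

def check_separation(config):
    """Require exactly A, C and L, with no route reachable by two of them."""
    if not isinstance(config, dict) or set(config) != {"A", "C", "L"}:
        raise FactoryConfigError("config must define exactly A, C and L")
    owner = {}
    for role, menus in config.items():
        for route in {r for routes in menus.values() for r in routes}:
            if route in owner:
                raise FactoryConfigError(f"{route}: shared by {owner[route]} and {role}")
            owner[route] = role

def seal(config, key):
    """Cloud-center side: serialize canonically and attach an HMAC-SHA256 tag."""
    check_separation(config)
    body = json.dumps(config, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})

def load(sealed, key):
    """Factory side: verify the tag before parsing the body; fail closed."""
    try:
        envelope = json.loads(sealed)
        body, tag = envelope["body"].encode(), envelope["tag"].encode()
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise FactoryConfigError("malformed factory file") from exc
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise FactoryConfigError("factory file failed integrity check")
    config = json.loads(body)
    check_separation(config)
    return config

def migrate(db, config):
    """Create the five tables the page lists (names are hypothetical) and seed them."""
    db.executescript("""
        CREATE TABLE role(id INTEGER PRIMARY KEY, name TEXT UNIQUE, parent TEXT);
        CREATE TABLE permission(id INTEGER PRIMARY KEY, route TEXT UNIQUE);
        CREATE TABLE role_permission(role TEXT, route TEXT, UNIQUE(role, route));
        CREATE TABLE role_menu(role TEXT, menu TEXT, UNIQUE(role, menu));
        CREATE TABLE user(id INTEGER PRIMARY KEY, name TEXT UNIQUE, role TEXT);
    """)
    for role, menus in config.items():
        db.execute("INSERT INTO role(name) VALUES (?)", (role,))
        for menu, routes in menus.items():
            db.execute("INSERT INTO role_menu VALUES (?, ?)", (role, menu))
            for route in routes:
                db.execute("INSERT OR IGNORE INTO permission(route) VALUES (?)", (route,))
                db.execute("INSERT INTO role_permission VALUES (?, ?)", (role, route))

def create_role(db, name, routes):
    """Third layer: a role created by A (such as N) holds at most A's routes."""
    ceiling = {r for (r,) in db.execute(
        "SELECT route FROM role_permission WHERE role = 'A'")}
    extra = set(routes) - ceiling
    if extra:
        raise FactoryConfigError(f"role {name} exceeds A's ceiling: {sorted(extra)}")
    db.execute("INSERT INTO role(name, parent) VALUES (?, 'A')", (name,))
    db.executemany("INSERT INTO role_permission VALUES (?, ?)",
                   [(name, r) for r in routes])

def allowed(db, role, route):
    """Exact match on 'METHOD /path' against the role's granted route templates."""
    row = db.execute("SELECT 1 FROM role_permission WHERE role = ? AND route = ?",
                     (role, route)).fetchone()
    return row is not None

def demo():
    """Seal at the cloud center, load and migrate at the factory, then add role N."""
    key = b"constructed-demo-key"  # placeholder, not a real secret
    sealed = seal(FACTORY_MENUS, key)
    db = sqlite3.connect(":memory:")
    migrate(db, load(sealed, key))
    create_role(db, "N", ["GET /api/users"])
    return db, sealed, key
```

Verifying the tag before parsing the body means a modified factory file is rejected before any permission row is written.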
In summary, in the embodiment of the application, account and password configuration information for system administrator A, authorization administrator C and audit administrator L is created through the cloud center; at the factory stage the cloud center assigns the menu permissions of system administrator A, authorization administrator C and audit administrator L, generates JSON-format data, and encrypts that data to produce the factory configuration file; before the system leaves the factory, the factory-configuration JSON data file is loaded and parsed, and the permission information of the configuration file is initialized through database migration to generate the corresponding database structure; and the account and password information of the factory-configured system administrator A, authorization administrator C and audit administrator L, whose three powers are separated, is stored. The application adopts a three-layer control approach: the cloud center customizes the menu control of the factory system and the policy of independent system management, authorization management and audit management, and on top of these two layers of authorization control a third layer, the RBAC role control of the factory system, is added and inherits from them. This both flexibly constrains the identity authentication, operation authentication and security audit that the factory system applies to visitors and lets users of the system apply permission control according to their own business needs.
It should be noted that the method of the embodiments of the present disclosure may be performed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of embodiments of the present disclosure, the devices interacting with each other to accomplish the methods.
It should be noted that the foregoing describes some embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Referring to fig. 12, in one embodiment of the present application, there is further provided a user authority access control system based on a cloud center, including:
the role creation module 1 is used for creating and generating account password configuration information of a system manager A, an authorization manager C and an auditing manager L through a cloud center;
the menu authority allocation module 2 is used for dispatching the menu authorities of the system manager A, the authorized manager C and the audit manager L by a cloud center;
the factory configuration file generation module 3 is used for generating Json format data and encrypting the Json format data to generate a factory configuration file;
the Json format file analysis module 4 is used for loading a Json format data file of factory configuration to analyze before the factory is carried out in the system, and initializing configuration file authority information through database migration to generate a corresponding database structure;
and the role information storage module 5 is used for storing account password information of the system administrator A, the authorized administrator C and the audit administrator L with the factory configuration three-weight separation.
In this embodiment, in the menu authority allocation module 2, menu authorities of the system administrator a, the authorization administrator C, and the audit administrator L use a Restful API style URL to access a collection vocabulary of the route.
In this embodiment, in the Json format file parsing module 4, generating the corresponding database structure by migrating the file through the database includes:
a role and menu relationship table structure;
a role table structure;
role and rights relation table structure;
a rights table structure;
a user table structure;
in the Json format file analysis module 4, four roles of a system manager A, an authorized manager C, an audit manager L and a common manager N are generated in a role database;
giving access rights of URL access routes under corresponding menus to a system administrator A, an authorized administrator C and an audit administrator L based on cloud center menu rights;
a system administrator A creates designated roles and hierarchies according to the needs; the highest role authority of the common manager N is consistent with the role authority of the system manager A.
In this embodiment, the method further includes:
the first error prompting module 6 is used for performing error prompting termination flow if the Json format data is generated and encrypted to generate a factory configuration file error;
the second error prompting module 7 is used for performing error prompting termination flow if the Json format data file loaded with the factory configuration is wrong;
and the third error prompting module 8 is used for performing error prompting termination flow if the authority information of the initialization configuration file is wrong through database migration.
It should be noted that, because the content of information interaction and execution process between the modules of the above system is based on the same concept as the method embodiment of the present application, the technical effects brought by the content are the same as the method embodiment of the present application, and the specific content may be referred to the description in the foregoing illustrated method embodiment of the present application, which is not repeated herein.
An embodiment of the present application provides a non-transitory computer readable storage medium having stored therein program code for a cloud center based user rights access control method, the program code comprising instructions for performing the cloud center based user rights access control method of the method embodiment or any possible implementation thereof.
Computer readable storage media can be any available media that can be accessed by a computer or data storage devices, such as servers, data centers, etc., that contain an integration of one or more available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid State Disk, SSD), etc.
In one embodiment of the present application, there is provided an electronic apparatus including: a memory and a processor;
the processor and the memory complete communication with each other through a bus; the memory stores program instructions executable by the processor to invoke the cloud-centric based user rights access control method capable of performing the method embodiment or any possible implementation thereof.
Specifically, the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor, implemented by reading software code stored in a memory, which may be integrated in the processor, or may reside outside the processor, and which may reside separately.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, produces a flow or function in accordance with embodiments of the present application, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable devices. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another, for example, by wired (e.g., coaxial cable, optical fiber, digital Subscriber Line (DSL)), or wireless (e.g., infrared, wireless, microwave, etc.).
It will be appreciated by those skilled in the art that the modules or steps of the application described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may alternatively be implemented in program code executable by computing devices, so that they may be stored in a memory device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module for implementation. Thus, the present application is not limited to any specific combination of hardware and software.
While the application has been described in detail in the foregoing general description and specific examples, it will be apparent to those skilled in the art that modifications and improvements can be made thereto. Accordingly, such modifications or improvements may be made without departing from the spirit of the application and are intended to be within the scope of the application as claimed.

Claims (10)

1. A user authority access control method based on a cloud center, characterized by comprising the following steps:
creating and generating, through the cloud center, account password configuration information of a system administrator A, an authorization administrator C and an audit administrator L;
the cloud center distributing the factory menu authorities of the system administrator A, the authorization administrator C and the audit administrator L to generate JSON-format data, and encrypting the JSON-format data to generate a factory configuration file;
when the system leaves the factory, loading the JSON-format data file of the factory configuration inside the system for parsing, and initializing the authority information of the configuration file through database migration to generate a corresponding database structure;
and storing the account password information of the system administrator A, the authorization administrator C and the audit administrator L under the factory-configured separation of the three rights.
2. The cloud-center-based user authority access control method according to claim 1, wherein the menu authorities of the system administrator A, the authorization administrator C and the audit administrator L use a collection vocabulary of RESTful API-style URL access routes.
3. The cloud-center-based user authority access control method according to claim 1, wherein the corresponding database structure generated by the database migration files comprises:
a role and menu relationship table structure;
a role table structure;
a role and rights relationship table structure;
a rights table structure;
a user table structure.
4. The cloud-center-based user authority access control method according to claim 3, wherein four roles, namely a system administrator A, an authorization administrator C, an audit administrator L and a general administrator N, are generated in a role database;
and the system administrator A, the authorization administrator C and the audit administrator L are given access rights to the URL access routes under the corresponding menus based on the cloud center menu authorities.
5. The cloud-center-based user authority access control method according to claim 4, wherein the system administrator A creates designated roles and hierarchies as needed; the highest role authority of the general administrator N is consistent with the role authority of the system administrator A.
6. The cloud-center-based user authority access control method according to claim 1, wherein if an error occurs when the JSON-format data is generated and encrypted to generate the factory configuration file, an error prompt is given and the flow is terminated;
if an error occurs when the JSON-format data file of the factory configuration is loaded, an error prompt is given and the flow is terminated;
if an error occurs when the authority information of the configuration file is initialized through database migration, an error prompt is given and the flow is terminated.
7. A user authority access control system based on a cloud center, characterized by comprising:
a role creation module, used for creating and generating, through the cloud center, account password configuration information of a system administrator A, an authorization administrator C and an audit administrator L;
a menu authority allocation module, used for the cloud center to distribute the factory menu authorities of the system administrator A, the authorization administrator C and the audit administrator L;
a factory configuration file generation module, used for generating JSON-format data and encrypting the JSON-format data to generate a factory configuration file;
a JSON-format file parsing module, used for loading the JSON-format data file of the factory configuration inside the system for parsing before the system leaves the factory, and initializing the authority information of the configuration file through database migration to generate a corresponding database structure;
and a role information storage module, used for storing the account password information of the system administrator A, the authorization administrator C and the audit administrator L under the factory-configured separation of the three rights.
8. The cloud-center-based user authority access control system according to claim 7, wherein in the menu authority allocation module, the menu authorities of the system administrator A, the authorization administrator C and the audit administrator L use a collection vocabulary of RESTful API-style URL access routes.
9. The cloud-center-based user authority access control system according to claim 7, wherein in the JSON-format file parsing module, the corresponding database structure generated by the database migration files comprises:
a role and menu relationship table structure;
a role table structure;
a role and rights relationship table structure;
a rights table structure;
a user table structure;
in the JSON-format file parsing module, four roles, namely a system administrator A, an authorization administrator C, an audit administrator L and a general administrator N, are generated in a role database;
the system administrator A, the authorization administrator C and the audit administrator L are given access rights to the URL access routes under the corresponding menus based on the cloud center menu authorities;
the system administrator A creates designated roles and hierarchies as needed; the highest role authority of the general administrator N is consistent with the role authority of the system administrator A.
10. The cloud-center-based user authority access control system according to claim 7, further comprising:
a first error prompting module, used for giving an error prompt and terminating the flow if an error occurs when the JSON-format data is generated and encrypted to generate the factory configuration file;
a second error prompting module, used for giving an error prompt and terminating the flow if an error occurs when the JSON-format data file of the factory configuration is loaded;
and a third error prompting module, used for giving an error prompt and terminating the flow if an error occurs when the authority information of the configuration file is initialized through database migration.
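The load, parse, migrate and terminate-on-error flow of claims 1, 3, 4 and 6, as an added example that is not code from the patent. The JSON layout, the route strings, the column names and the rule that no route may be granted to two of A, C and L are all assumptions, and decryption is left out because the claims name no cipher.

```python
import json
import sqlite3
# Constructed sample of an already-decrypted factory configuration. The layout
# (role code -> list of URL routes) is an assumption; the claims do not define it.
FACTORY_JSON = json.dumps({"A": ["/api/users", "/api/roles"],
                           "C": ["/api/grants"], "L": ["/api/audit-logs"]})

# The five structures listed in claim 3 (table and column names are assumptions).
SCHEMA = """
CREATE TABLE role(id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL);
CREATE TABLE permission(id INTEGER PRIMARY KEY, route TEXT UNIQUE NOT NULL);
CREATE TABLE role_permission(role_id INTEGER, permission_id INTEGER, PRIMARY KEY(role_id, permission_id));
CREATE TABLE role_menu(role_id INTEGER NOT NULL, menu TEXT NOT NULL);
CREATE TABLE user(id INTEGER PRIMARY KEY, account TEXT UNIQUE NOT NULL, role_id INTEGER);
"""

class FactoryConfigError(Exception):
    """Raised to stop initialization with an error, as claim 6 requires."""

def load_factory_config(text):
    try:
        roles = json.loads(text)
        owner = {}
        for code, routes in roles.items():
            for route in routes:
                # Assumed rule: a route shared by two roles breaks the separation.
                if not isinstance(route, str) or not route.startswith("/") or route in owner:
                    raise FactoryConfigError(f"bad or shared route {route!r} for role {code}")
                owner[route] = code
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise FactoryConfigError(f"invalid factory configuration: {exc}") from exc
    if set(roles) != {"A", "C", "L"}:
        raise FactoryConfigError("expected exactly the roles A, C and L")
    return roles

def migrate(conn, roles):
    conn.executescript(SCHEMA)  # role_menu and user stay empty in this sketch
    with conn:  # seed rows are committed together, or rolled back on error
        # N is the general administrator; it ships with no factory routes.
        for code, routes in {**roles, "N": []}.items():
            conn.execute("INSERT INTO role(code) VALUES (?)", (code,))
            for route in routes:
                conn.execute("INSERT INTO permission(route) VALUES (?)", (route,))
                conn.execute("INSERT INTO role_permission SELECT r.id, p.id FROM role r, permission p "
                             "WHERE r.code = ? AND p.route = ?", (code, route))

def allowed(conn, code, route):
    return conn.execute("SELECT 1 FROM role r JOIN role_permission rp ON rp.role_id = r.id "
                        "JOIN permission p ON p.id = rp.permission_id "
                        "WHERE r.code = ? AND p.route = ?", (code, route)).fetchone() is not None
```

Run against `sqlite3.connect(":memory:")`, the sample yields four roles and a deny-by-default check: `allowed` returns true only for a route the factory file granted to that role.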
CN202310995942.7A 2023-08-08 2023-08-08 User authority access control method and system based on cloud center Pending CN116975842A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310995942.7A CN116975842A (en) 2023-08-08 2023-08-08 User authority access control method and system based on cloud center

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310995942.7A CN116975842A (en) 2023-08-08 2023-08-08 User authority access control method and system based on cloud center

Publications (1)

Publication Number Publication Date
CN116975842A CN116975842A (en) 2023-10-31

Family

ID=88484836

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310995942.7A Pending CN116975842A (en) 2023-08-08 2023-08-08 User authority access control method and system based on cloud center

Country Status (1)

Country Link
CN (1) CN116975842A (en)

Similar Documents

Publication Publication Date Title
US11750609B2 (en) Dynamic computing resource access authorization
CN109643242B (en) Security design and architecture for multi-tenant HADOOP clusters
EP3207661B1 (en) Identity infrastructure as a service
EP2893686B1 (en) Ldap-based multi-customer in-cloud identity management system
US9432350B2 (en) System and method for intelligent workload management
US8726342B1 (en) Keystore access control system
US10382202B1 (en) Method and apparatus for federated identity and authentication services
US7702758B2 (en) Method and apparatus for securely deploying and managing applications in a distributed computing infrastructure
US20230396603A1 (en) Unified identity and access management (iam) control plane for services associated with a hybrid cloud
US11621961B2 (en) Method for managing a cloud computing system
US20220078005A1 (en) Systems and methods for non-deterministic multi-party, multi-user sender-receiver authentication and non-repudiatable resilient authorized access to secret data
US20190273613A1 (en) Distributed encryption keys for tokens in a cloud environment
US20180219843A1 (en) Management of access sessions
CN114143069B (en) Authority management system and method applied to microservice
US11522683B2 (en) Multi-phase protection for data-centric objects
US20210165662A1 (en) Systems and Methods for Automated Application Launching
WO2023098433A1 (en) Secure policy distribution in a cloud environment
CN116975842A (en) User authority access control method and system based on cloud center
US11930109B2 (en) Encrypted storage with secure access
Riad et al. EAR-ABAC: An extended AR-ABAC access control model for SDN-Integrated cloud computing
Bücker et al. Reduce Risk and Improve Security on IBM Mainframes: Volume 3 Mainframe Subsystem and Application Security
Sehra et al. Policy specification in role based access control on clouds
Lashkaripour Security and Privacy in Cloud Computing
CN115422526B (en) Role authority management method, device and storage medium
He Role security access control of the distributed object systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination