CN100349407C - Electronic safe deposit box and its management method - Google Patents


Info

Publication number: CN100349407C
Authority: CN (China)
Prior art keywords: visit person, deposit box, user, current, safety
Legal status: Expired - Fee Related
Application number: CNB2004100044114A
Other languages: Chinese (zh)
Other versions: CN1658568A (en
Inventors: 张胜, 洛向君, 高军, 王腾蛟
Current Assignee: HUAXIA BANK
Original Assignee: HUAXIA BANK
Events: application filed by HUAXIA BANK; publication of CN1658568A; application granted; publication of CN100349407C
Classification: Storage Device Security

Abstract

The present invention relates to an electronic safe deposit box comprising a user's electronic safe deposit box, a visitor's virtual safe deposit box, an access control policy module for all visitors, and an access control policy module for the current visitor. The user's electronic safe deposit box stores the user's files; the visitor's virtual safe deposit box is the virtual box that the visitor is permitted to control within the scope of the visitor's permissions; the access control policy module for the current visitor generates the access policy for the current visitor; the access control policy module for all visitors generates the virtual directories the visitor can control and converts the visitor's operations on those directories into actual maintenance of the user's box. The advantages of the invention are: by supporting a user hierarchy, it supports control of access information over a complex directory hierarchy; it saves storage space for visitor control information and keeps verification of that information efficient at run time; it realizes an electronic safe deposit box that supports flexible visitor access control in the Web environment; it enlarges the range of application of the electronic safe deposit box in the network environment; and it makes effective, flexible data exchange among users convenient.

Description

Electronic safe deposit box and management method thereof
Technical field
The present invention relates to an electronic safe deposit box and a management method thereof, in particular one applied in a network environment, in which the user stores important files and information through the Web interface of the electronic safe deposit box service provider and in which access and access control are realized.
Background
Just as a bank safe deposit box holds an individual's important items, in the Web environment there is an electronic safe deposit box that holds a user's important private electronic data or other information. The user sets up an electronic safe deposit box, registers by entering personal information, logs in to the box, and uploads or downloads the user's electronic data.
To meet the needs of business users, the electronic safe deposit box system introduces the notions of the owner of a box and the visitor of a box. The owner is the creator of the electronic safe deposit box and holds all management permissions. A visitor is another user designated by the owner; the visitor holds certain permissions and can access part of the paths of the box. A visitor can equally be the owner of another electronic safe deposit box.
For example, suppose the electronic safe deposit box of a computer maker contains a directory for computer accessory information. The owner can open this directory to accessory manufacturers. An accessory manufacturer can then, as a visitor, upload its own data into the accessory information directory of the computer maker. This makes communication between the computer maker and the accessory manufacturer convenient.
Once visitors are introduced, the electronic safe deposit box on the Web on the one hand keeps data secure and can hold the owner's private information. On the other hand, it lets other users, when authorized by the owner, have limited access to part of the current user's directories, which enlarges the range of application of the electronic safe deposit box.
In the Web environment there are massive numbers of owners and visitors, so managing visitor access control permissions faces several challenges: visitor access control policies must be flexible; the owners and visitors of electronic safe deposit boxes are numerous; and the box must verify the legitimacy of visitor operations very efficiently.
The prior art defines both the owners and the visitors of an electronic safe deposit box as operating system users and relies on the operating system's restrictions to control the permissions of different users in the box. This approach has several problems. First, the operating system must define a large number of users, while the number of users a general operating system supports is far smaller than the number of users of electronic safe deposit boxes. Second, visitor access control policies must be flexible, and an implementation based on the operating system is not extensible enough. In addition, the operating system does not consider compression of access permissions, so it occupies a large amount of space and makes storage cost too high.
Summary of the invention
The technical problem to be solved by the invention is to provide an electronic safe deposit box for the network environment that uses relational databases and level coding to store visitor control policies effectively, that generates a dynamic access control tree to verify the legitimacy of user operations efficiently, and that supports multi-level authorization of users.
Another technical problem to be solved by the invention is to provide a management method for the above electronic safe deposit box.
The electronic safe deposit box of the invention comprises: the user's electronic safe deposit box, the visitor's virtual safe deposit box, the all-visitor access control policy module, and the current-visitor access control policy module.
The user's electronic safe deposit box stores the user's files and comprises the file structure of the box and the user's files.
The visitor's virtual safe deposit box is the virtual box that the visitor's permissions allow the visitor to control, generated according to the visitor access policy control module and the back-end directories; operations the visitor performs on the virtual box can be fed back to the user's electronic safe deposit box.
The all-visitor access control policy module records the access control policies of all visitors; after a visitor logs in, it generates the current visitor's access policy according to the visitor's user ID.
The current-visitor access policy control module describes the current visitor's access control permissions and, according to the current user's access permissions and the back-end directories, generates the virtual safe deposit box that the current visitor can control. The visitor's operations on the virtual box are converted into actual maintenance operations on the user's box.
The all-visitor access control policy module comprises three relational database tables that store the control permissions of all visitor users: the user hierarchy table USERS, the electronic safe deposit box hierarchy table Directory, and the user access control permission table ACList.
The management method of the above electronic safe deposit box comprises:
Step 1, when the owner of the electronic safe deposit box logs in, the real directory structure of the user's box is displayed directly to the owner; the owner can maintain the box and can also maintain visitors' access permissions;
Step 2, when a visitor of the electronic safe deposit box logs in, the current user's access permissions in the box are obtained according to the all-visitor access control policy module and the current visitor's user ID, and the current user's access policy is generated;
According to this access policy, the visitor control module generates the virtual electronic safe deposit box of the currently logged-in visitor and presents it to the visitor. The visitor's operations on the virtual box are verified against the information in the current-visitor access control policy module and converted into operations on the real directories and files of the user's box, so that the visitor's access to the user's box is subject to permission control.
The owner's maintenance of the electronic safe deposit box structure comprises:
Step 101, judge whether the owner's operation is adding a directory; if so, carry out the next step; otherwise execute step 106;
Step 102, obtain the code of the current directory D and set it as code;
Step 103, obtain the set of codes of the subdirectories of D;
Step 104, from the above information, generate a unique subdirectory code; the new code satisfies the level coding requirements and differs from the existing codes;
Step 105, check in the user access control permission table ACList the permission settings relevant to the newly added directory, and ask the owner whether the new directory is allowed to take part in the current permission settings; if it does not take part, add access control information to ACList indicating that the new directory does not take part in the relevant permission settings, i.e. its Permit column is 'false';
Step 106, if the operation is a directory deletion, obtain the code of the current directory and set it as code; delete the current directory from Directory, and delete the permission control related to this directory from the user access control permission table ACList;
Here code is the Code field of the electronic safe deposit box hierarchy table Directory.
By supporting a user hierarchy, the invention supports control of access information over a complex directory hierarchy; it saves storage space for visitor control information and keeps verification of control information efficient at run time; it realizes an electronic safe deposit box that supports flexible visitor access control in the Web environment; it thereby enlarges the range of application of the electronic safe deposit box in the network environment and lets users of the box store and share data flexibly and effectively.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the electronic safe deposit box of the invention;
Fig. 2 is a schematic diagram of an example of the level coding of the invention;
Fig. 3 is a schematic diagram of an example of a visitor's access control tree of the invention;
Fig. 4 is a schematic diagram of the electronic safe deposit box management method of the invention;
Fig. 5 is a schematic diagram of the owner adding a visitor;
Fig. 6 is a schematic diagram of the owner maintaining visitor permissions;
Fig. 7 is a schematic diagram of the compression of control information;
Fig. 8 is a schematic diagram of compressing control information by user hierarchy;
Fig. 9 is a schematic diagram of compressing control information by directory;
Fig. 10 is a schematic diagram of generating a visitor's access control tree;
Fig. 11 is a schematic diagram of the visitor control module verifying a visitor's operation.
Embodiment
The control policies of the electronic safe deposit box of the invention are stored in a mature relational database, to ensure the stability of the system, the efficiency of queries, and the extensibility of the system. In the technical solution of the invention, the concrete implementation stores the directory structure of the box and the user hierarchy by level coding, which improves the operating efficiency of the system.
An electronic safe deposit box has two classes of users: the owner of the box and the visitors of the box. The owner has absolute rights over all directories of the box, and visitors' permissions are set by the owner. In the electronic safe deposit box solution for the Web environment, the implementation of visitors comprises the storage of visitor access permissions, the generation of the visitor's virtual box, and the maintenance of access permissions. The scheme effectively realizes visitor permissions and enlarges the range of application of the electronic safe deposit box.
Fig. 1 shows the electronic safe deposit box of the invention, which comprises: the user's electronic safe deposit box (directories and files), the visitor's virtual safe deposit box, the all-visitor access control policy module, and the current-visitor access control policy module.
The user's electronic safe deposit box (directories and files) stores the user's files and comprises the file structure of the box and the user's files.
The visitor's virtual safe deposit box is the virtual box that the visitor's permissions allow the visitor to control, generated according to the visitor access policy control module and the back-end directories.
The all-visitor access control policy module records the access control policies of all visitors; after a visitor logs in, it generates the current visitor's access policy according to the visitor's user ID.
The current-visitor access policy control module generates the virtual safe deposit box that the current visitor can control, according to the current user's access policy and the back-end directories. The visitor's operations on the virtual box are converted by the current-visitor access policy control module into actual maintenance operations on the user's box.
The all-visitor access control policy module comprises three relational database tables that store the control permissions of all visitor users: the user hierarchy table USERS, the electronic safe deposit box hierarchy table Directory, and the user access control permission table ACList.
After the owner of the electronic safe deposit box logs in, the real directory structure of the user's box is displayed directly to the owner. The owner can maintain the box, and this maintenance may involve maintenance of visitor access control policies. The owner can also maintain visitors' access permissions; for example, the owner creates a visitor and sets the visitor's permissions.
After a visitor of the electronic safe deposit box logs in, the current visitor's access permissions in the box are obtained efficiently according to the all-visitor access control policy module and the current visitor's user ID, and the current visitor's access policy is generated. The visitor control module generates virtual directories according to this access policy; that is, according to the user permissions obtained, it generates the virtual electronic safe deposit box of the currently logged-in visitor and presents it to the visitor. The visitor's operations on the virtual box are converted by the current-visitor access policy control module into operations on the real directories and files of the user's box, so that the visitor's access to the user's box is subject to permission control.
When a visitor's access control policy is saved, the saved information comprises: the level of the user in the user tree, the current directory of the box, the user's operation permission, and the operation permit.
To reduce storage cost further, the owner of the electronic safe deposit box can compress visitors' access permissions. That is, the owner adjusts the visitors' access permissions so that their logical meaning is unchanged but they are stored more efficiently.
The storage of all visitors' access control policies is described further below.
The invention stores control permissions in three relational database tables: the user hierarchy table, the electronic safe deposit box hierarchy table, and the user access control permission table. These three tables are part of the electronic safe deposit box system. The visitor access control policy module can access them to obtain stored visitor permission information, to store new visitor control permission information, or to modify visitor control permissions according to the owner's settings.
The user hierarchy table USERS records the owner users of the electronic safe deposit boxes. If a visitor of a box is required also to be the owner of some electronic safe deposit box, the relevant visitors can be obtained from the USERS table.
USERS has two fields, Code and Name. Level coding is used to represent the user's level, and Name records the name of the current level. A visitor of one electronic safe deposit box is allowed to be the owner of another box at the same time.
The meaning of level coding is explained with the example shown in Fig. 2. Taking the user hierarchy tree as an example, the hierarchy can be described with a relation:
Table 1: Example relation table for the user tree
Code    Name
0       Electronics
00      Computer
001     Desktop
0010    Company's first
0011    Company's second
002
For a tree T, the level count of the root node R of T is 1; if the level count of a node n is L, the level count of each child node of n is L+1.
The level coding above has the following characteristics:
The length of the level code of a node n equals the level count of n in the tree; for example, the length of the code for Computer equals the level count of Computer.
If node r is the parent of node r1 and the level count of r is k, then the first k characters of the code of r1 equal the code of r. The code of node r is unique across the whole range of codes.
With level coding, the invention can conveniently carry out the various operations that support visitor permission control.
To obtain all ancestors of the node currentcode in the user hierarchy, the following query template can be used:
select * from USERS where contain(currentcode, code);
To query all direct child nodes of the node currentcode, the following query template can be used:
select * from USERS where contain(code, currentcode) and length(code) = length(currentcode) + 1;
Here contain(s1, s2) is a string containment function indicating that s1 contains s2, and length(s1) gives the length of the string s1. Both functions exist in commercial database management systems, though the concrete way of writing them may differ.
The directory tree information of the electronic safe deposit box is likewise stored using level coding.
The electronic safe deposit box hierarchy table Directory records the internal directory structure of the current box and likewise has two fields, Code and Name.
The visitor permission table ACList records visitors' access operations on an electronic safe deposit box. Its fields are:
SafeID: the identifier of the electronic safe deposit box. This technical solution discusses the management of visitor permissions for each individual box, so SafeID is not discussed further below;
UserID: the visitor ID, which can be obtained from the USERS table;
DirectoryID: the directory ID, i.e. the directory code obtained from the Directory table;
Control: an enumerated variable listing the permissions on the current directory. In this technical solution Control is divided into: permission to upload to this directory, permission to download from this directory, permission to create a new directory in this directory, and permission to delete a directory in this directory. The invention stores the different permissions as values rather than as separate columns of ACList, mainly so that visitor permission management is easy to extend.
DescendantControl: an enumerated variable listing the permissions on the descendant paths of the current directory: permission to upload to descendant directories of this directory, permission to download from descendant directories of this directory, permission to create new directories in descendant directories, and permission to delete directories in descendant directories.
Permit: a Boolean variable indicating whether the user's operation on the directory is permitted. Introducing the operation permit lets the policy express not only which visitors have which permissions but also which visitors lack which permissions. For example, the accessory-related directory of a computer maker can first be made accessible to all accessory manufacturers, and then entry can be restricted for certain specific accessory manufacturers.
The invention controls visitors' access permissions through the current visitor's permission tree (access control tree). The current visitor's permission tree is the permission control that the system generates for the current visitor after the visitor logs in. Unlike the stored permission control information for all visitors, the current user's permission tree is not saved in the database but is kept in memory in the form of a tree. This form helps to judge efficiently whether a user's operation is legitimate.
The access control tree of a visitor V can be written $T_v = (N, E, C)$, where N is the set of nodes, each corresponding to a node of the back-end user's electronic safe deposit box directories; E is the relation between nodes, corresponding to the parent-child relation of the user's box directories; and C is the control of the current user's operation permissions.
Fig. 3 shows an example of a visitor's access control tree. Note that the access control tree contains no visitor information, because the tree is created dynamically for one particular visitor. Nor do the access control records hold control information for subsequent nodes; each node records only the control information relating to itself.
In the example above, D stands for Download, meaning the current directory carries the right to download files; U stands for Upload, meaning the visitor can upload files to the directory in the access control tree.
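The level-coding queries and the ACList check described above, as an added example in Python with SQLite (not code from the patent). The `substr(...)` prefix test stands in for the `contain()` template function; the directory codes, the ACList rows, the letters C and X, and the rule that a matching Permit=false row overrides any allow are assumptions constructed for illustration.

```python
import sqlite3

# Control letters: D (download) and U (upload) as in Fig. 3;
# C (create directory) and X (delete directory) are assumed here.
_TABLES = ("USERS", "Directory")


def build_db():
    """In-memory copy of the three tables. SafeID is omitted (single box)."""
    db = sqlite3.connect(":memory:")
    # Codes are TEXT: the leading zeros carry the hierarchy.
    db.executescript("""
        CREATE TABLE USERS(Code TEXT PRIMARY KEY, Name TEXT);
        CREATE TABLE Directory(Code TEXT PRIMARY KEY, Name TEXT);
        CREATE TABLE ACList(UserID TEXT, DirectoryID TEXT, Control TEXT,
                            DescendantControl TEXT, Permit INTEGER);
    """)
    db.executemany("INSERT INTO USERS VALUES (?, ?)", [  # named rows of Table 1
        ("0", "Electronics"), ("00", "Computer"), ("001", "Desktop"),
        ("0010", "Company's first"), ("0011", "Company's second")])
    db.executemany("INSERT INTO Directory VALUES (?, ?)", [  # constructed
        ("0", "box root"), ("01", "parts"), ("010", "parts/cpu"),
        ("011", "parts/internal"), ("02", "finance")])
    db.executemany("INSERT INTO ACList VALUES (?, ?, ?, ?, ?)", [  # constructed
        ("001", "01", "DU", "D", 1),   # all Desktop makers: D+U in parts, D below
        ("0011", "01", "U", "", 0),    # one maker is refused upload in parts
        ("001", "011", "D", "", 0)])   # step-105 row: new dir opts out of "D below"
    return db


def _check(table):
    if table not in _TABLES:  # table names cannot be bound as parameters
        raise ValueError("unknown table: %r" % (table,))
    return table


def ancestors(db, table, code):
    """contain(currentcode, Code): every stored code that prefixes `code`.
    Like the page's template, the result includes the node itself."""
    sql = ("SELECT Code FROM %s WHERE substr(?, 1, length(Code)) = Code "
           "ORDER BY length(Code)" % _check(table))
    return [row[0] for row in db.execute(sql, (code,))]


def children(db, table, code):
    """contain(Code, currentcode) and length(Code) = length(currentcode) + 1."""
    sql = ("SELECT Code FROM %s WHERE substr(Code, 1, length(?)) = ? "
           "AND length(Code) = length(?) + 1 ORDER BY Code" % _check(table))
    return [row[0] for row in db.execute(sql, (code, code, code))]


def allowed_ops(db, user, directory):
    """Operations `user` may perform on `directory`.
    A row applies when its UserID prefixes the user code (user-hierarchy rule)
    and its DirectoryID prefixes the directory code. Control is used on the
    rule's own directory, DescendantControl on directories beneath it."""
    rows = db.execute(
        "SELECT DirectoryID, Control, DescendantControl, Permit FROM ACList "
        "WHERE substr(?, 1, length(UserID)) = UserID "
        "AND substr(?, 1, length(DirectoryID)) = DirectoryID",
        (user, directory))
    allow, deny = set(), set()
    for dir_id, control, descendant, permit in rows:
        ops = set(control if dir_id == directory else descendant)
        (allow if permit else deny).update(ops)
    return allow - deny  # assumption: deny overrides allow


def access_tree(db, user):
    """In-memory access control tree for one visitor: {directory code: ops}.
    Nodes N and controls C are explicit; edges E follow from code prefixes."""
    tree = {}
    for (code,) in db.execute("SELECT Code FROM Directory ORDER BY Code"):
        ops = allowed_ops(db, user, code)
        if ops:
            tree[code] = "".join(sorted(ops))
    return tree


def verify(tree, directory, op):
    """Check a requested operation against the visitor's tree, default deny."""
    return op in tree.get(directory, "")


if __name__ == "__main__":
    db = build_db()
    for visitor in ("0010", "0011"):
        print(visitor, access_tree(db, visitor))
```

Directories absent from the returned tree are simply not part of that visitor's virtual box, so `verify` refuses any operation on them without another database lookup.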
The management method of the electronic safe deposit box of the invention comprises:
Step 1, when the owner of the electronic safe deposit box logs in, the real directory structure of the user's box is displayed directly to the owner; the owner can maintain the box and can also maintain visitors' access permissions;
Step 2, when a visitor of the electronic safe deposit box logs in, the current visitor's access control policy is generated according to the all-visitor access control policy module and the current visitor's user ID;
According to the visitor's access control policy, the virtual electronic safe deposit box of the currently logged-in visitor is generated and presented to the visitor. The visitor's operations on the virtual box are verified against the current visitor's access control policy and converted into operations on the real directories and files of the user's box, so that the visitor's access to the user's box is subject to permission control.
The owner's creation of new directories, creation and deletion of files in directories, and upload, download and deletion of files in directories are implemented in the usual manner of the operating system.
The owner's operations, however, need to be combined with the visitors' access control policies.
When the owner operates directly on the electronic safe deposit box, operations other than file operations must interact with the access control policy. Take adding a directory as an example: the operation most directly related to access control permissions is adding the level code of the new subdirectory to the Directory table; in addition, existing control information in ACList may affect the operation. For example, if a directory records that a certain visitor may operate on all directories beneath it and the owner creates a new subdirectory, the existing rule applies to the new directory as well, but its validity there needs the owner's approval.
Fig. 4 shows how the owner maintains the structure of the electronic safe deposit box, comprising:
Step 101, judge whether the owner's operation is adding a directory; if so, carry out the next step; otherwise execute step 106;
Step 102, obtain the code of the current directory D and set it as code;
Step 103, obtain the set of codes of the subdirectories of D;
Step 104, from the above information, generate a unique subdirectory code; the new code satisfies the level coding requirements and differs from the existing codes;
Step 105, check in the user access control permission table ACList the permission settings relevant to the newly added directory, and ask the owner whether the new directory is allowed to take part in the current permission settings; if it does not take part, add access control information to ACList indicating that the new directory does not take part in the relevant permission settings, i.e. its Permit column is 'false';
Step 106, if the operation is a directory deletion, obtain the code of the current directory and set it as code; delete the current directory from Directory, and delete the permission control related to this directory from the user access control permission table ACList. The deletion uses the property that the level code of a directory's descendant directories contains the level code of the current directory.
In the steps above, the codes of all child nodes of a node can be obtained by calling the relevant SQL query routine, which uses the property that the level code of a child node contains the level code of its parent. All existing permission settings that are effective for the newly added directory can be obtained using the same property:
select * from ACList where contain(currentdir, DirectoryID);
Here currentdir is the newly added directory and DirectoryID is the directory field of ACList in the database.
After the list of permissions is found, the owner of the electronic safe deposit box must decide whether each ACL control entry is effective on the newly added directory. If it is not, one more ACL access control policy must be added: its directory code is that of the newly added directory and its operation information is the same as in the existing entry, but its permit is "False".
Fig. 5 shows how, in step 1, the owner adds a visitor. When the owner adds a visitor, the main task is to judge whether the existing access control is reasonable for the newly added user. Because the ACList control information in the invention may contain rules that apply to all users, the owner of the electronic safe deposit box needs to confirm whether these rules are acceptable for the newly added user.
This specifically comprises:
Step 111, select the visitor user and obtain the visitor's user ID;
Step 112, according to the visitor's user ID, obtain the access control entries relevant to the visitor user from the user access control permission table ACList;
Step 113, the owner judges whether the visitor's existing access control is reasonable; if it is, the adding process ends; otherwise the owner adds access control for the visitor user as required.
Fig. 6 shows how the owner maintains visitor permissions. Maintaining all visitors' access permissions is the process by which the electronic safe deposit box sets visitor permissions; it comprises adding and deleting visitor permissions, and both processes operate on the ACList access control list. This specifically comprises:
Step 121, select the current visitor user CurrentUser from UserCode;
Step 122, select the current directory CurrentDirectory from the directories;
Step 123, if the owner's operation is deleting a visitor permission, then according to the current visitor CurrentUser and the current directory CurrentDirectory, find the visitor's permission access control entries in ACList and, using the properties of level coding, delete the related visitor control information obtained; otherwise carry out the next step;
Step 124, if the owner's operation is adding a visitor permission, obtain the visitor permission settings, including whether uploading/downloading files is allowed, whether creating/deleting directories is allowed, and whether the permission is also effective for descendant directory nodes; construct a set of tuples from this information and insert it into the user access control permission table ACList.
In the flow above, the visitor selected need not be a specific visitor; it can be a node at any level of the user hierarchy tree. For example, the electronic safe deposit box of a computer maker can set all accessory manufacturers as visitors.
Considering the massive number of owners and accessors of electronic safe deposit boxes in the Web environment, fully storing every user's access control policy for every directory has a very high storage cost, so it is necessary to compress the access control policies.
The compression of access control policies mainly exploits the similarity between the access control information of a parent node and that of its descendant nodes. It relies on two trees, the user hierarchy tree and the directory tree. If a set of child users shows a certain similarity, the access control policies of those child users are replaced by the relevant access policy of the parent user; if the access control policies of subdirectories show a certain similarity, the access policies of those subdirectories are replaced by the access control policy of the parent directory.
Figure 7 is a schematic diagram of the control information compression of the present invention, which specifically comprises:
Step 131: construct the directory tree from the control list of the user access control permission table ACList;
Step 132: process the nodes of the current tree from top to bottom, in topological order;
Step 133: judge whether any directory node is still unprocessed; if so, carry out the next step; otherwise, the compression of the control information is finished;
Step 134: obtain the control information of the different accessors that hold the same operation permission on this directory node, and compress the current node's accessor access control information according to the accessor users' hierarchy information;
Step 135: obtain the access control information of the same accessor on the children of this directory node, and compress the current node's accessor access control information using the DescendantControl field of this directory node's access control information;
Step 136: repeat step 133.
Compressing the current node's accessor access control information according to the accessor users' hierarchy information means compressing by user level. First, it is verified whether the users belong to the same layer; if more than 3/4 of the current users are found to have consistent access control information and belong to the same layer, they can be compressed.
As shown in Figure 8, this specifically comprises:
Step 1341: obtain all users that have the same access control policy on the current directory node;
Step 1342: mark these users in the user hierarchy tree;
Step 1343: process the user hierarchy tree from bottom to top;
Step 1344: judge whether there are still nodes remaining; if so, carry out the next step; otherwise, end step 134;
Step 1345: if more than 3/4 of the child nodes of a node are marked, create the compressed format and mark this node;
Step 1346: repeat step 1344.
Suppose users u1, u2 and u3 are in the same layer of the user tree and have consistent access control policies, their parent node is u, and the child users of u also include u4, whose access control policy differs from that of u1. The access control policies of u1, u2 and u3 are then represented through the DescendantControl field of the parent node u, and the access control policy of u4 stays unchanged. In this way one new access control policy is added but 3 access control policies are deleted. After the whole adjustment of the access control, the semantics of the accessors' access control do not change, but the storage space is reduced.
For example, there is a user level u whose child users are u1, u2, u3 and u4. The access control information of u1, u2 and u3 in ACList is exactly the same; its form is, for example, (u1, d1, o1, p1), which expresses whether the operation o1 of u1 on directory d1 is permitted (p1). Likewise there exist (u2, d1, o1, p1) and (u3, d1, o1, p1), but the form for u4 is (u4, d1, o4, p4). The compressed format created is therefore (u, d1, o1, p1) and (u4, d1, o4, p4). Since u1, u2 and u3 belong to u, the permissions expressed are the same as in the original form, but the storage space is compressed.
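The user-level compression of steps 1341-1346, applied to the u/u1..u4 example above, as an added example that is not code from the patent. Assumptions of this example: the single-letter level codes, the "longest matching user code wins, no rule means refuse" lookup, the inclusive threshold (the description's own example compresses when 3 of 4 children agree), and the explicit Permit=False row that pins a dissenting child so that lifting a rule to the parent does not widen that child's rights.

```python
from collections import defaultdict
from fractions import Fraction

THRESHOLD = Fraction(3, 4)  # treated as inclusive, see the lead-in

# Constructed USERS table: level Code -> Name (a child's code = parent's code + 1 letter).
USERS = {"A": "u", "Aa": "u1", "Ab": "u2", "Ac": "u3", "Ad": "u4"}

# Constructed ACList rows: (user code, directory, operation) -> Permit.
ACLIST = {
    ("Aa", "d1", "o1"): True,
    ("Ab", "d1", "o1"): True,
    ("Ac", "d1", "o1"): True,
    ("Ad", "d1", "o4"): True,
}


def children(code, users):
    """Direct children of a node, found through the level-code prefix property."""
    return [c for c in users if len(c) == len(code) + 1 and c.startswith(code)]


def effective(acl, user, directory, op):
    """Decision for one accessor: the most specific matching row wins, default refuse."""
    matches = [(len(u), permit) for (u, d, o), permit in acl.items()
               if d == directory and o == op and user.startswith(u)]
    return max(matches)[1] if matches else False


def compress_by_user(acl, users):
    """Walk the user tree bottom-up and lift rows shared by >= 3/4 of a node's children."""
    acl = dict(acl)
    parents = sorted({c[:-1] for c in users if len(c) > 1}, key=len, reverse=True)
    for parent in parents:
        kids = children(parent, users)
        groups = defaultdict(list)          # (directory, op, permit) -> agreeing children
        for (u, d, o), permit in acl.items():
            if u in kids:
                groups[(d, o, permit)].append(u)
        for (d, o, permit), agreeing in groups.items():
            if Fraction(len(agreeing), len(kids)) < THRESHOLD or (parent, d, o) in acl:
                continue
            for kid in kids:
                if kid in agreeing:
                    del acl[(kid, d, o)]    # now covered by the parent's row
                elif (kid, d, o) not in acl and effective(acl, kid, d, o) != permit:
                    # Pin the dissenting child to its old decision before the parent
                    # row exists, otherwise it would silently inherit the new row.
                    acl[(kid, d, o)] = effective(acl, kid, d, o)
            acl[(parent, d, o)] = permit
    return acl


def leaf_decisions(acl, users):
    """Every decision for the leaf accessors; used to compare before and after."""
    leaves = [u for u in users if not children(u, users)]
    targets = {(d, o) for (_, d, o) in acl}
    return {(u, d, o): effective(acl, u, d, o) for u in leaves for d, o in targets}


if __name__ == "__main__":
    compressed = compress_by_user(ACLIST, USERS)
    for row in sorted(compressed.items()):
        print(row)
    print("same decisions:", leaf_decisions(ACLIST, USERS) == leaf_decisions(compressed, USERS))
```

Comparing `leaf_decisions` before and after compression is the check worth keeping in a real deployment: it fails as soon as a lifted row changes what any accessor may do.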
The second strategy adopted is compression by directory level, that is, using the DescendantControl field of this directory node's access control information to compress the current node's accessor access control information. First, all subdirectories under each directory are checked to see whether more than 3/4 of them have consistent access control policies; if they do, the access control information of the subdirectories can be lifted into the access control information of the parent directory.
As shown in Figure 9, this specifically comprises:
Step 1351: obtain the control information of the current node CurrentNode;
Step 1352: obtain the access control information of all child nodes of CurrentNode;
Step 1353: obtain all accessor users of the current node, and handle the access control permission of the current accessor CurrentUser for each of these users in turn. If there is still an unprocessed accessor user, carry out the next step; otherwise, end step 135;
Step 1354: if, for the user CurrentUser, the access rights are identical on more than 3/4 of the child directories of the directory node CurrentNode, then use the DescendantControl field on the directory node CurrentNode to describe the access control information of the child nodes;
Step 1355: delete from ACList the repeated control information of the child nodes of CurrentNode, and modify the accessor control information of CurrentNode;
Step 1356: repeat step 1353.
Compression by directory lifts the directory level while the user level does not change; compression by user level lifts the user level while the directory does not change.
For example, there is a directory level d whose subdirectories are d1, d2, d3 and d4. The access control information of d1, d2 and d3 in ACList is exactly the same; its form is, for example, (u1, d1, o1, p1), which expresses whether the operation o1 of u1 on directory d1 is permitted (p1). Likewise there exist (u1, d2, o1, p1) and (u1, d3, o1, p1), but the form for d4 is (u1, d4, o4, p4). The compression created therefore uses the DescendantControl field of the access control information on d, giving the form (u1, d, do, dp) and (u1, d4, o4, p4), where do represents the access control permission on the descendant directories of d, and dp represents whether the access control permission on the descendant directories of d is reasonable. Because d1 is a subdirectory of d, the access control policy of d1 can be obtained from the descendant-node access control policy in the access control of d. The permissions expressed are the same as in the original form, but the storage space is compressed.
In step 2 of the present invention, the access rights of the current accessor user in the electronic safe deposit box are obtained according to the all-accessor access control policy module and the current accessor's user ID, and the current accessor user's access control policy module is generated; that is, the current accessor's access control tree is produced in memory from all the access control policies in the relational tables.
When storing access control information, the present invention adopts the compressed data policy, which makes it possible to store the control information of a massive number of accessors and saves controller storage space. When producing the current accessor's access control policy, the present invention instead adopts fully expanded records, because the current accessor's access control policy must allow the validity of an operation to be judged efficiently.
As shown in Figure 10, this specifically comprises:
Step 201: generate the pseudo root node root;
Step 202: according to the current accessor's user number, find the ACL control related to this accessor;
Step 203: construct the virtual directory tree from the backend nodes in the accessor user's ACL control;
Step 204: process each node in top-down topological order;
Step 205: judge whether there are still unprocessed nodes; if so, carry out the next step; otherwise, the generation of the virtual directory is finished;
Step 206: obtain the current node and judge whether the current accessor is allowed to access it; if so, add this node to the virtual path; otherwise, go to step 207;
Step 207: judge whether this accessor is allowed to operate on the descendant nodes of the current node CurrentDirectory; if so, obtain the descendant nodes of CurrentDirectory from the Directory table, assign access information to the descendant nodes according to the DescendantControl access control information of CurrentDirectory, and then execute step 205; otherwise, execute step 205 directly.
Figure 11 shows the accessor control module's verification of accessor operations in step 2. The verification of an accessor against the virtual electronic safe deposit box consists of checking whether the user's current operation satisfies the permissions that have been set. If it does, the operation is allowed; otherwise it is not allowed.
Operations that the accessor user performs on the current virtual directory are handled by the current-accessor control policy module: for file upload and download and for directory creation and deletion, the module checks the current directory and judges whether the current accessor user has permission to complete the operation. If so, the operation is completed in the safe deposit box; otherwise, the accessor user's operation is refused.
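The expansion of steps 201-207 and the operation check just described, as an added example that is not code from the patent. Assumptions of this example: the table rows, the dictionary that stands in for the tree under the pseudo root, and the rules that a directory's own ACList row overrides what it inherits while a row with Permit false subtracts its listed operations.

```python
# Constructed Directory table: level Code -> Name (child code = parent code + 1 letter).
DIRECTORY = {"A": "root", "Aa": "contracts", "Ab": "drafts", "Aaa": "2004", "Aab": "archive"}

# Constructed ACList rows:
# (Safe ID, User ID, Directory ID, Control, Descendant Control, Permit)
ACLIST = [
    ("S1", "U7", "Aa", {"download"}, {"download", "upload"}, True),
    ("S1", "U7", "Aab", {"upload"}, set(), False),
    ("S1", "U9", "Ab", {"download", "upload", "mkdir", "rmdir"}, set(), True),
]


def build_virtual_tree(safe_id, user_id, aclist=ACLIST, directory=DIRECTORY):
    """Expand the compressed rows of one accessor into a full per-directory record."""
    rows = {r[2]: r for r in aclist if r[0] == safe_id and r[1] == user_id}  # step 202
    tree = {}          # step 201: nodes hang under an implicit pseudo root
    passed_down = {}   # what each node hands on to its descendants
    for code in sorted(directory, key=len):                                  # step 204
        inherited = passed_down.get(code[:-1], frozenset())
        row = rows.get(code)
        if row is None:
            allowed, passed_down[code] = inherited, inherited                # step 207
        else:
            _, _, _, control, descendant_control, permit = row
            if permit:
                allowed = frozenset(control)
                passed_down[code] = frozenset(descendant_control)
            else:
                allowed = inherited - control
                passed_down[code] = inherited - descendant_control
        if allowed:                                                          # step 206
            tree[code] = allowed
    return tree


def real_path(code, directory=DIRECTORY):
    """Translate a directory code into the real path by walking its prefixes."""
    return "/".join(directory[code[:i]] for i in range(1, len(code) + 1))


def perform(tree, code, op, directory=DIRECTORY):
    """Check first, translate second: anything not recorded in the tree is refused."""
    if op not in tree.get(code, frozenset()):
        raise PermissionError(f"{op} refused on directory code {code!r}")
    return op, real_path(code, directory)


if __name__ == "__main__":
    tree = build_virtual_tree("S1", "U7")
    for code, ops in tree.items():
        print(code, real_path(code), sorted(ops))
    print(perform(tree, "Aaa", "upload"))
    for code, op in [("Aab", "upload"), ("Ab", "download"), ("Zz", "download")]:
        try:
            perform(tree, code, op)
        except PermissionError as err:
            print("refused:", err)
```

Because the accessor only ever names a directory code that must already be present in its own expanded tree, a directory outside the tree (or a code that does not exist) is refused before any real path is built.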
The present invention proposes the design and implementation of an electronic safe deposit box that supports accessors in the Web environment. In the present invention, the owner of the electronic safe deposit box maintains the box and sets the accessors' access rights; the accessors' access rights are stored efficiently; and, based on all the accessor access control information kept in a relational database, the current accessor's virtual electronic safe deposit box is produced and the accessor's operations and their validity checks are carried out. This technique allows user access permissions on the electronic safe deposit box to be set flexibly and widens the range of application of the electronic safe deposit box.
Finally, it should be noted that the above embodiments only illustrate, and do not limit, the technical solution of the present invention. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the present invention may still be modified or equivalently replaced, and that any modification or partial replacement that does not depart from the spirit and scope of the present invention shall be covered by the claims of the present invention.

Claims (20)

1. An electronic safe deposit box, characterized in that it comprises: a user electronic safe deposit box, an accessor virtual safe deposit box, an all-accessor access control policy module and a current-accessor access control policy module;
The user electronic safe deposit box is used to store user files, and comprises the file structure of the electronic safe deposit box and the user files;
The accessor virtual safe deposit box is the virtual safe deposit box, limited to what the accessor's permissions allow, that is produced from the accessor access policy control module and the backend directories;
The all-accessor access control policy module is used to record the access control policies of all accessors; after an accessor logs in, the current accessor's access policy is produced according to the accessor's user ID;
The current-accessor access policy control module produces the virtual safe deposit box that the current accessor can control, according to the current user's access policy and the backend directories; the accessor's operations on the virtual safe deposit box are converted by the current-accessor access policy control module into actual maintenance operations on the user's safe deposit box;
The all-accessor access control policy module comprises three relational database tables, the user hierarchy table USERS, the electronic safe deposit box hierarchy table Directory and the user access control permission table ACList, which are used to keep the control permissions of all accessor users.
2. The electronic safe deposit box according to claim 1, characterized in that: after the owner of the electronic safe deposit box logs in to it, the real directory structure of the user's safe deposit box is displayed directly to the owner, and the owner can maintain the electronic safe deposit box.
3. The electronic safe deposit box according to claim 1, characterized in that: after an accessor of the electronic safe deposit box logs in to it, the access rights of the current user in the electronic safe deposit box are obtained from the all-accessor access control policy module and the current accessor's access control policy module is produced; the virtual electronic safe deposit box is produced according to this access policy; the accessor's operations on the virtual electronic safe deposit box are converted by the current-accessor access policy control module into operations on the real directories and files of the user's safe deposit box, so that the accessor's access to the user's safe deposit box is subject to permission control.
4. The electronic safe deposit box according to claim 1, characterized in that: the accessor's access control policy comprises: the tree level at which the user is located, the hierarchical structure of the electronic safe deposit box, the user's operation permissions and the operation permit.
5. The electronic safe deposit box according to claim 1, characterized in that: the user hierarchy table USERS records the accessor users of the current electronic safe deposit box;
USERS has two fields, Code and Name; Code uses level coding to represent the levels of all users of the electronic safe deposit box, and Name records the name of the current level.
6. The electronic safe deposit box according to claim 5, characterized in that the level coding means: for a tree T, the level count of the root node R of T is 1; if the level count of a node n is L, the level count of the child nodes of n is L+1; the length of the level code of node n equals the level count of node n in the tree; if node r is the parent of node r1 and the level count of r is k, the first k letters of the code of node r1 are equal to the code of node r; the code of node r is unique within the whole coding range.
7. The electronic safe deposit box according to claim 1, characterized in that: the electronic safe deposit box hierarchy table Directory records the internal directory structure of the current electronic safe deposit box, and comprises two fields, Code and Name;
Code is used to represent the user's level, and Name is used to record the name of the current level.
8. The electronic safe deposit box according to claim 1, characterized in that: the user access control permission table ACList records an accessor's access control permissions for a given electronic safe deposit box; its fields are:
the identifier of the electronic safe deposit box Safe ID, the accessor identifier User ID, the directory identifier Directory ID, the permission enumeration of the current directory Control, the permission enumeration of the descendant paths Descendant Control, and the operation permit Permit.
9. The electronic safe deposit box according to claim 8, characterized in that: Control is divided into the upload permission on this directory, the download permission on this directory, the permission to create new directories in this directory, and the permission to delete directories in this directory.
10. The electronic safe deposit box according to claim 8, characterized in that: Descendant Control indicates the upload permission on the descendant directories of this directory, the download permission on the descendant directories of this directory, the permission to create new directories in the descendant directories of this directory, and the permission to delete directories in the descendant directories of this directory.
11. The electronic safe deposit box according to claim 8, characterized in that: Permit indicates whether the operation under the given permission is permitted between the accessor user and the current directory.
12. The electronic safe deposit box according to claim 8, characterized in that: the access permission control of the current accessor in a given electronic safe deposit box is realized through an accessor access control tree;
The accessor access control tree T_V = {N, E, C} represents the access control tree of the current accessor V, where N represents the set of nodes, each corresponding to a node of the backend user electronic safe deposit box directory; E represents the relations between nodes, corresponding to the parent-child relations of the user electronic safe deposit box directories; and C represents the control of the current user's operation permissions.
13. A management method for an electronic safe deposit box, characterized in that, in the electronic safe deposit box according to any one of claims 1-12, it comprises the following steps:
Step 1: when the owner of the electronic safe deposit box logs in to it, the real directory structure of the user's safe deposit box is displayed directly to the owner; the owner can maintain the electronic safe deposit box, and the owner can also maintain all accessors' access rights;
Step 2: when an accessor of the electronic safe deposit box logs in to it, the access rights of the current accessor user in the electronic safe deposit box are obtained according to the all-accessor access control policy module and the current accessor's user ID, and the current accessor user's access control policy module is generated;
The current accessor user's access control policy module is used to produce the virtual electronic safe deposit box of the accessor currently logged in and to offer it to the accessor; the accessor's operations on the virtual electronic safe deposit box are verified against the information in the current-accessor access policy control module and converted into operations on the real directories and files of the user's safe deposit box, so that the accessor's access to the user's safe deposit box is subject to permission control;
Wherein the owner's maintenance of the electronic safe deposit box structure comprises:
Step 101: judge whether the owner's operation is to add a directory; if so, carry out the next step; otherwise execute step 106;
Step 102: obtain the code of the current directory D and set it as code;
Step 103: obtain the set of codes of the subdirectories of D;
Step 104: from the above information, generate a unique subdirectory code; the new code satisfies the level coding requirement and differs from the existing codes;
Step 105: check in the user access control permission table ACList the permission settings related to the newly added directory, and ask the owner whether the newly added directory is allowed to take part in the current permission settings; if it does not take part, add access control information to ACList indicating that the newly added directory does not participate in the related permission settings, that is, its permit column is 'false';
Step 106: if the operation is a directory deletion, obtain the code of the current directory and set it as code; delete the current directory from Directory, and delete the permission control related to this directory from the user access control permission table ACList;
The Code is the Code field of the electronic safe deposit box hierarchy table Directory.
14. The management method for an electronic safe deposit box according to claim 13, characterized in that: in step 2, obtaining the access rights of the current accessor user in the electronic safe deposit box according to the all-accessor access control policy module and the current accessor's user ID, and generating the current accessor user's access control policy module, specifically comprises:
Step 111: select the accessor user and obtain the accessor's user ID;
Step 112: according to the accessor's user ID, obtain the accessor user's relevant access control in the user access control permission table ACList;
Step 113: the owner judges whether the accessor's existing access control is reasonable; if it is, the adding process ends; otherwise the owner adds access control for the accessor user as required.
15. The management method for an electronic safe deposit box according to claim 13, characterized in that: in step 1, the process of maintaining all accessors' access rights specifically comprises:
Step 121: select the current accessor user CurrentUser from UserCode;
Step 122: select the current directory CurrentDirectory from the current directories;
Step 123: if the owner's operation is to delete an accessor permission, find the accessor's permission access control in ACList according to the current accessor CurrentUser and the current directory CurrentDirectory, and delete the accessor control information obtained; otherwise carry out the next step;
Step 124: if the owner's operation is to add an accessor permission, obtain the accessor's permission configuration information, including whether uploading/downloading files is allowed, whether creating/deleting directories is allowed, and whether the permission also takes effect on the nodes of descendant directories; construct a set of tuples from this information and insert it into the user access control permission table ACList.
16. The management method for an electronic safe deposit box according to claim 13, characterized in that it further comprises an accessor control information compression process, which specifically comprises:
Step 131: construct the directory tree from the control list of the user access control permission table ACList;
Step 132: process the nodes of the current tree from top to bottom, in topological order;
Step 133: judge whether any directory node is still unprocessed; if so, carry out the next step; otherwise, the compression of the control information is finished;
Step 134: obtain the control information of the different accessors that hold the same operation permission on this directory node, and compress the current node's accessor access control information according to the accessor users' hierarchy information;
Step 135: obtain the access control information of the same accessor on the children of this directory node, and compress the current node's accessor access control information using the DescendantControl field of this directory node's access control information;
Step 136: repeat step 133.
17. The management method for an electronic safe deposit box according to claim 16, characterized in that: step 134, compressing the current node's accessor access control information according to the accessor users' hierarchy information, specifically comprises:
Step 1341: obtain all users that have the same access control policy on the current directory node;
Step 1342: mark these users in the user hierarchy tree;
Step 1343: process the user hierarchy tree from bottom to top;
Step 1344: judge whether there are still nodes remaining; if so, carry out the next step; otherwise, end step 134;
Step 1345: if more than 3/4 of the child nodes of a node are marked, create the compressed format and mark this node;
Step 1346: repeat step 1344.
18. The management method for an electronic safe deposit box according to claim 16, characterized in that: step 135, compressing the current node's accessor access control information using the DescendantControl field of this directory node's access control information, specifically comprises:
Step 1351: obtain the control information of the current node CurrentNode;
Step 1352: obtain the access control information of all child nodes of CurrentNode;
Step 1353: obtain all accessor users of the current node, and handle the access control permission of the current accessor CurrentUser for each of these users in turn. If there is still an unprocessed accessor user, carry out the next step; otherwise, end step 135;
Step 1354: if, for the user CurrentUser, the access rights are identical on more than 3/4 of the child directories of the directory node CurrentNode, then use the DescendantControl field on the directory node CurrentNode to describe the access control information of the child nodes;
Step 1355: delete from ACList the repeated control information of the child nodes of CurrentNode, and modify the accessor control information of CurrentNode;
Step 1356: repeat step 1353.
19. The management method for an electronic safe deposit box according to claim 13, characterized in that: in step 2, obtaining the access rights of the current accessor user in the electronic safe deposit box according to the all-accessor access control policy module and the current accessor's user ID, and generating the current accessor user's access control policy module, specifically comprises:
Step 201: generate the pseudo root node root;
Step 202: according to the current accessor's user number, find the ACL control related to this accessor;
Step 203: construct the virtual directory tree from the backend nodes in the accessor user's ACL control;
Step 204: process each node in top-down topological order;
Step 205: judge whether there are still unprocessed nodes; if so, carry out the next step; otherwise, the generation of the virtual directory is finished;
Step 206: obtain the current node and judge whether the current accessor is allowed to access it; if so, add this node to the virtual path; otherwise, go to step 207;
Step 207: judge whether this accessor is allowed to operate on the descendant nodes of the current node CurrentDirectory; if so, obtain the descendant nodes of CurrentDirectory from the Directory table, assign access information to the descendant nodes according to the DescendantControl access control information of CurrentDirectory, and then execute step 205; otherwise, execute step 205 directly.
20. The management method for an electronic safe deposit box according to claim 13, characterized in that: the verification of accessor operations by the current-accessor control policy module comprises the following:
Operations that the accessor user performs on the current virtual directory are handled by the current-accessor control policy module: for file upload and download and for directory creation and deletion, the module checks the current directory and judges whether the current accessor user has permission to complete the operation; if so, the operation is completed in the safe deposit box; otherwise, the accessor user's operation is refused.
CNB2004100044114A 2004-02-19 2004-02-19 Electronic safe deposit box and its managment method Expired - Fee Related CN100349407C (en)


Publications (2)

Publication Number Publication Date
CN1658568A CN1658568A (en) 2005-08-24
CN100349407C true CN100349407C (en) 2007-11-14

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20071114

Termination date: 20160219