CN101493872A - Fine grain authority management method based on classification method - Google Patents


Publication number: CN101493872A
Authority: CN (China)
Prior art keywords: classification, strategy, resource, main body, decision
Legal status: Pending
Application number: CNA2009100086374A
Other languages: Chinese (zh)
Inventors: 汪金保, 王磊
Current assignee: Wang Jinbao
Original assignee: Individual
Abstract

The invention discloses a dynamic and intelligent subject and resource classification method and a fine-grained authority management method based on that classification method. The subject classification method is a dynamic and intelligent classification method realized by evaluating algorithms over subjects, subject attributes, context and data sources. For a given subject, only an algorithmic rule is needed to determine whether the subject belongs to a class. The resource classification method is very similar to the subject classification method and evaluates algorithms over resources and resource attributes. Both the fine-grained authorization decision method and the fine-grained authority query method are applied to the field of authority management. The fine-grained authorization decision method defines authority decision policies based on subject classification and resource classification; when a subject requests an operation on a resource, the policies are evaluated to permit or deny the request, and if the request is denied, the reasons for refusal are returned. The fine-grained authority query method defines authority query policies based on subject classification and a data query template; when a subject requests a query, the policies are evaluated and the query results are returned. Authority policies based on classification are characterized by simplicity, strong reusability and ease of implementation.

Description

Fine-grained authority management method based on classification method
1. Technical field
The subject classification method and the resource classification method are dynamic, intelligent classification methods that can be applied to fields such as rights management and authentication. The fine-grained authorization decision method and the fine-grained authority query method based on classification apply to the field of computer software rights management: they manage a subject's access rights to resources and a subject's query rights over resources.
2. Background technology
In computer systems, and especially in networked systems, resources are pooled and shared; these resources may be images, databases, text, computers and so on. When a user requests an operation on a resource, the system must make an authority judgement on the user and the resource in order to run securely: it must confirm that the user holds the operating right on that resource, and otherwise refuse the user's request.
Rights management is the management of users' operating rights on resources. The two most widely used techniques at present are:
1. authorization by role-based access control;
2. XACML (OASIS eXtensible Access Control Markup Language).
Role-based access control first creates a role and grants that role the right to access resources; one or more roles are then granted to a user. When the user accesses a resource, the system first looks up which roles the user holds and finds the resources authorized to those roles. If the accessed resource is among the authorized resources, the user's request is allowed; otherwise it is refused. For example, an administrator role is created and granted the right to access the "add organization" and "delete organization" web page resources, and the administrator role is then granted to the user Zhang San. When Zhang San accesses "add organization", the system allows the request. When Zhang San accesses "add user", the system refuses the request, because none of the roles Zhang San holds has been granted the "add user" right.
Role-based access control is a coarse-grained authority control method. For more refined requirements it is powerless.
For example, suppose a banking system has the user Zhang San of the head office and the user Li Si of the Beijing branch, with the following access control requirements:
1. the head office administrator can only add branches, and cannot add sub-branches;
2. the Beijing branch administrator can only add sub-branches subordinate to the Beijing branch, and cannot add branches or sub-branches of other branches.
For these requirements, role-based access control can only grant Zhang San and Li Si an administrator role and give that role the right to add organizations. It cannot authorize any further according to the various hierarchy attributes of the organizations, so this kind of fine-grained access control cannot be realized.
XACML is an OASIS standard. XACML defines a general policy language for protecting resources and an access decision language.
A typical access control and authorization scenario involves three main entities: the subject (Subject), the resource (Resource) and the action (Action), together with their attributes. The subject requests the right to perform the action on the resource. For example, in the access request "a customer requests to view his own orders", the subject is "customer", the resource is "own orders" and the action is "view".
XACML authorization is realized by policies (Policy). A policy defines several rules (Rule), and a rule specifies the conditions under which a request is allowed or refused. When a subject requests access to a resource, the XACML engine selects the matching policy and evaluates the rules associated with that policy. During evaluation, the engine computes over and evaluates the attributes of the subject, the resource and the running environment (Environment) according to the definition of the rule, and finally makes the decision to allow or refuse the request. The steps are shown in Fig. 1.
Because XACML rules support complex computation and evaluation over the attributes of subject, resource and environment, XACML has the capability of fine-grained access control. For example, for the fine-grained authorization "a branch administrator adds a subordinate sub-branch", XACML needs to create an authorization policy whose rules are:
1. the subject holds the "administrator" role, and its organization is a branch;
2. the resource is a sub-branch, and it is subordinate to the subject's branch;
3. the action is adding a branch office.
When the above conditions are satisfied, the decision result is permit; otherwise it is refuse.
In this rule, the subject attributes taking part in evaluation are "roles held" and "organization"; the resource attributes are "is a sub-branch" and "is subordinate to the subject's branch".
The core of XACML is to define rules for an authorization policy; the rules evaluate the attributes of subject, resource and environment, and the access control decision (permit or refuse) is made according to the evaluation result. IBM Tivoli Access Manager and Oracle Entitlement Server currently adopt this approach to realize fine-grained access control.
This method is not perfect and has the following two shortcomings:
1. Weak reusability
A policy comprises several rules, and different policies often have rules that are similar but not identical. For example, consider the following two policies:
Policy 1: a branch administrator adds a subordinate sub-branch. Rule: the subject's role is administrator and its organization is a branch; the resource is a sub-branch and is subordinate to the subject's branch.
Policy 2: a branch administrator adds a user of the branch. Rule: the subject's role is administrator and its organization is a branch; the resource is a user and belongs to the same branch as the subject.
The rules of policy 1 and policy 2 both contain the same restriction on the subject: the subject's role is administrator and its organization is a branch.
2. No support for resource query
For the access control "a branch administrator has the right to modify subordinate sub-branches", XACML can judge whether a given administrator may modify a given sub-branch, but it cannot return all the sub-branches that this administrator has the right to modify. XACML can only return the authorization decision result, namely permit or refuse; it cannot perform a resource query and return the set of resources that satisfy the policy rules. In real application systems this requirement is seen everywhere, and since XACML does not support this class of query, its practicality is limited.
3. Summary of the invention
The present invention comprises two principal themes:
1. a fine-grained authorization decision method based on subject classification and resource classification;
2. a fine-grained authority query method based on subject classification and data query.
Both themes use the subject classification method, the resource classification method and the data query method. The subject classification method and the resource classification method belong to the present invention. The data query method is a common method and does not belong to the present invention.
Subject classification method: classification rules are defined for subjects, and the attributes of a given subject are evaluated directly to judge whether the subject belongs to the classification, without explicitly assigning the subject to a classification in advance. A subject classification rule consists of an expression or a group of expressions and returns a Boolean value. An expression can be a mathematical computation (+, -, *, /), a logical computation (AND, OR), a function, and so on. An expression computes over the subject's attributes, context attributes or data from other data sources. The subject, the context environment and the data source are all input parameters of the rule.
Resource classification method: classification rules are defined for resources, and the attributes of a given resource and of a given subject (the subject is optional) are evaluated directly to judge whether the resource belongs to the classification, without explicitly assigning the resource to a classification in advance.
The resource classification method is basically similar to the subject classification method, with one significant difference: the input parameters of resource classification are the resource, the subject, the context environment and the data source, whereas the input parameters of subject classification do not include a resource. The subject input parameter of the resource classification method is optional.
The resource classification rules, expressions and expression values are the same as for subject classification and are not repeated.
Data query method: a query template is customized; at run time the placeholders in the template are assigned values to form a complete SQL statement, and the database query is then executed.
The data query method is a common method. Applied to the field of fine-grained rights management, the data represented by the placeholders of the data query can come from the context, the subject, the resource or a data source.
Fine-grained authorization decision sets different resource operating rights for different requesting subjects. For a given subject and a given resource, the system makes a decision by computation and allows or refuses the request.
The fine-grained authorization decision method based on subject classification and resource classification is a simple, intuitive and practical fine-grained authorization decision method. The method sets one or more authorization decision policies for each operation; if there are several policies, they are ordered by priority. When a subject requests an operation on a resource, the authorization decision policies set for that operation are evaluated to produce the decision result. The decision result has two cases: 1. permit; 2. refuse, returning the reason for refusal.
The fine-grained authorization decision method judges whether a requesting subject has operating rights on a requested resource, but it cannot tell which resources the requesting subject has a given operating right on. The fine-grained authority query method is used to query which resources a requesting subject has operating rights on. The fine-grained authority query method based on subject classification and data query solves a problem that the rights management field, XACML for example, did not previously address. The method sets one or more authorization query policies for each operation; if there are several policies, they are ordered by priority. For a given subject, the system selects the matching query by computation and executes the resource query. The query result is the set of resources on which the requesting subject holds the given operating right.
4. Description of drawings
Figure 1 is the XACML working principle diagram.
Figure 2 is a schematic diagram of the decision process of the fine-grained authorization decision method.
Figure 3 is a schematic diagram of the evaluation of the reasons for refusal in the fine-grained authorization decision method, for the case where no policy is satisfied.
Figure 4 is a schematic diagram of the query process of the fine-grained authority query method.
5. Embodiments
5.1. Subject classification method
Subject classification method: classification rules are defined for subjects, and the attributes of a given subject are evaluated directly to judge whether the subject belongs to the classification, without explicitly assigning the subject to a classification in advance. The principal characteristics of subject classification are:
1. Dynamic matching by computation. Whether a subject belongs to a classification is judged by evaluating the rule, without assigning the subject to the classification in advance; this provides the precondition for fine-grained authorization.
2. Better reusability and readability. In XACML the subject judgement rules and the resource judgement rules are mixed together. By extracting the subject judgement rules into an independent classification, which corresponds to a concept in the business domain and is stable, the classification can be reused across different business operations, and its purpose and readability are clearer.
A subject classification rule consists of an expression or a group of expressions and returns a Boolean value. An expression can be a mathematical computation (+, -, *, /), a logical computation (AND, OR), a function, and so on. Examples of expressions:
// mathematical computation
int a = b + 1;
// logical computation
boolean f = (a && b) && (c || d) && e;
// function call
c = a.add(b.getValue());
An expression computes over the subject's attributes, context attributes or data from other data sources. The subject, the context environment and the data source are all input parameters of the rule. Examples of obtaining expression values:
// subject attribute
String organization = (String) SUBJECT.get("organization");
// context attribute
Double money = (Double) CONTEXT.get("money");
// execute an SQL query
Collection queryResult = DATASOURCE.query("select column1, column2 from tablename");
With the subject, the context environment and the data source as input parameters, the rule's expression or expression group is executed, and the execution result is the evaluation result.
Subject classification embodiment 1:

Title: Head office user
Rule: String organization = (String) SUBJECT.get("organization"); return organization.equals("head office");
Description: Take the organization attribute value of the subject (user) and compare it with the head office's organization name "head office". If they are equal, the subject belongs to the head office user classification; otherwise it does not.

Title: Branch user
Rule: Collection branches = DATASOURCE.query("select name from organization where parent='head office'"); String organization = (String) SUBJECT.get("organization"); return branches.contains(organization);
Description: Query the organization table for all branches (organizations whose parent is "head office"), then check whether the subject's organization is among those branches. If so, the subject belongs to the branch user classification; otherwise it does not.
5.2. Resource classification method
Resource classification method: classification rules are defined for resources, and the attributes of a given resource and of a given subject (the subject is optional) are evaluated directly to judge whether the resource belongs to the classification, without explicitly assigning the resource to a classification in advance.
The resource classification method is basically similar to the subject classification method, with one significant difference: the input parameters of resource classification are the resource, the subject, the context environment and the data source, whereas the input parameters of subject classification do not include a resource.
The resource classification rules, expressions and expression values are the same as for subject classification and are not repeated.
Resource classification embodiment 1:

Title: Branch
Rule: String parent = (String) RESOURCE.get("parent"); return parent.equals("head office");
Description: Take the parent attribute value of the resource and check whether that organization is the head office. If so, the resource belongs to this classification; otherwise it does not.

Title: Sub-branch subordinate to the current subject's branch
Rule: Collection branches = DATASOURCE.query("select name from organization where parent='head office'"); String organization = (String) SUBJECT.get("organization"); String parent = (String) RESOURCE.get("parent"); return branches.contains(organization) && parent.equals(organization);
Description: Take the organization attribute value of the requesting subject, load all branches from the organization table, and take the parent attribute value of the resource. If organization is a branch and parent equals organization, the resource belongs to this classification; otherwise it does not.
5.3. Data query method
Where the query statements used in different scenarios are very similar, a query template is customized. At run time the placeholders in the template are assigned values to form a complete SQL statement, and the database query is then executed.
Applied to the field of fine-grained rights management, the data represented by the query placeholders can come from the context, the subject, the resource or a data source.
5.4. Fine-grained authorization decision method
The fine-grained authorization decision method based on subject classification and resource classification is a simple, intuitive and practical fine-grained authorization decision method.
Fine-grained authorization decision sets different resource operating rights for different requesting subjects. For a given subject and a given resource, the system makes a decision by computation and allows or refuses the request.
The method sets one or more authorization decision policies for each operation. If there are several policies, they are ordered by priority.
An authorization decision policy comprises:
1. a subject classification, describing what kind of subject;
2. a resource classification, describing what kind of resource;
3. an authorization relation: permit or refuse;
4. a reason for refusal.
The working principle of the method is as follows. When a subject requests an operation on a resource:
1. list the authorization decision policies set for this operation in priority order and evaluate them in turn;
2. evaluate the current authorization decision policy: if the requesting subject satisfies the policy's subject classification rule and the requested resource satisfies the policy's resource classification rule, the policy yields a decision result; otherwise the policy is considered to yield no decision result;
3. if the decision result is permit, return permit directly without evaluating the next policy; if the decision result is refuse, return refuse directly, the reason returned being the current policy's reason for refusal, again without evaluating the next policy; if no decision result was yielded, go back to step 2 and evaluate the next policy, until no policy remains to be evaluated;
4. if all policies have been evaluated and none yields a decision result, the decision result is refuse; the reason for refusal is then evaluated and returned. Evaluating the reason for refusal consists of the following steps:
a) list the authorization decision policies set for this operation in priority order and evaluate them in turn;
b) evaluate the current authorization decision policy: if the requesting subject satisfies the policy's subject classification rule, select that policy's reason for refusal;
c) go back to step b and evaluate the next policy, until no policy remains to be evaluated;
d) the reasons for refusal returned are all the reasons selected; there may be 0, 1 or many.
The validity of the method is illustrated below.
Fine-grained authorization decision method embodiment 1:
A bank management system with a "maintain organization" operation. The fine-grained authority control requirements are:
1. head office users can maintain all branches, but cannot maintain sub-branches subordinate to a branch;
2. branch users can maintain the sub-branches subordinate to their own branch, and cannot maintain any other organization, such as sub-branches of other branches or the branch itself.
Using this fine-grained authorization decision method, the following authorization decision policies are set for the "maintain organization" operation:
Priority | Subject classification | Resource classification | Authorization relation | Reason for refusal
1 | Head office user | Branch | Permit | Head office users can only maintain branches
2 | Branch user | Sub-branch subordinate to this branch | Permit | Branch users can only maintain sub-branches subordinate to their own branch
Remarks:
1. head office user (subject classification), rule: the organization of the requesting subject equals the head office;
2. branch user (subject classification), rule: the organization of the requesting subject belongs to the set of branches queried from the organization table;
3. branch (resource classification), rule: the parent organization of the requested resource equals the head office;
4. sub-branch subordinate to this branch (resource classification), rule: the parent organization of the requested resource equals the organization of the requesting subject, and the organization of the requesting subject is a branch.
Consider the following inputs and their decision results:

Input: requesting subject: head office user Zhang San; requested resource: Beijing branch
Decision result: Permit
Explanation: the requesting subject and requested resource satisfy the priority 1 authorization decision policy; that policy's authorization relation is returned.

Input: requesting subject: head office user Zhang San; requested resource: Dongdan sub-branch subordinate to the Beijing branch
Decision result: Refuse. Reason for refusal: head office users can only maintain branches
Explanation: the requesting subject and requested resource satisfy no authorization decision policy, but the requesting subject satisfies the subject classification of priority 1 only, so that policy's reason for refusal is returned.

Input: requesting subject: Beijing branch user Li Si; requested resource: Dongdan sub-branch subordinate to the Beijing branch
Decision result: Permit
Explanation: the requesting subject and requested resource satisfy the priority 2 authorization decision policy; that policy's authorization relation is returned.

Input: requesting subject: Beijing branch user Li Si; requested resource: Pudong sub-branch subordinate to the Shanghai branch
Decision result: Refuse. Reason for refusal: branch users can only maintain sub-branches subordinate to their own branch
Explanation: the requesting subject and requested resource satisfy no authorization decision policy, but the requesting subject satisfies the subject classification of priority 2 only, so that policy's reason for refusal is returned.
Fine-grained authorization decision method embodiment 2:
A corporate customer relationship system with a "maintain customer" operation. The fine-grained authority control requirements are:
1. ordinary sales staff maintain the customers they developed themselves;
2. the department manager of the sales department maintains all customers;
3. users blacklisted by the company administrator cannot maintain any customer.
Using this fine-grained authorization decision method, the following authorization decision policies are set for the "maintain customer" operation:
Priority | Subject classification | Resource classification | Authorization relation | Reason for refusal
1 | Blacklisted user | All customers | Refuse | Blacklisted users are not allowed to maintain any customer
2 | Ordinary sales staff | Customers developed by oneself | Permit | Ordinary sales staff can only maintain customers they developed themselves
3 | Sales department manager | All customers | Permit | (none)
Remarks:
1. blacklisted user (subject classification), rule: the ID attribute of the requesting subject belongs to the set of IDs queried from the blacklist table;
2. ordinary sales staff (subject classification), rule: the organization attribute of the requesting subject is "sales department", and the department manager attribute of the requesting subject equals "No";
3. sales department manager (subject classification), rule: the organization attribute of the requesting subject is "sales department", and the department manager attribute of the requesting subject equals "Yes";
4. all customers (resource classification), rule: no judgement is made; true is returned directly;
5. customers developed by oneself (resource classification), rule: the customer representative ID attribute of the requested resource equals the ID attribute of the requesting subject.
Consider the following inputs and their decision results:

Input: requesting subject: blacklisted user Zhang San; requested resource: customer ABC developed by Zhang San
Decision result: Refuse
Explanation: the requesting subject and requested resource satisfy the priority 1 authorization decision policy; that policy's authorization relation is returned.

Input: requesting subject: ordinary sales staff Li Si; requested resource: customer ABC developed by Zhang San
Decision result: Refuse. Reason for refusal: ordinary sales staff can only maintain customers they developed themselves
Explanation: the requesting subject and requested resource satisfy no authorization decision policy, but the requesting subject satisfies the subject classification of priority 2 only, so that policy's reason for refusal is returned.

Input: requesting subject: ordinary sales staff Li Si; requested resource: customer EFG developed by Li Si
Decision result: Permit
Explanation: the requesting subject and requested resource satisfy the priority 2 authorization decision policy; that policy's authorization relation is returned.

Input: requesting subject: sales department manager Wang Wu; requested resource: customer EFG developed by Li Si
Decision result: Permit
Explanation: the requesting subject and requested resource satisfy the priority 3 authorization decision policy; that policy's authorization relation is returned.
The principal characteristics of the fine-grained authorization decision method based on subject classification and resource classification are:
1. based on the subject classification method and the resource classification method, it directly describes what kind of subject has what kind of operating right on what kind of resource;
2. it provides a fine-grained control method that is more intuitive, more practical and easier than XACML;
3. subject classifications and resource classifications are business domain concepts, so their definitions can be reused across authorization decision policies, which improves management efficiency.
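The decision procedure of section 5.4 (priority-ordered policies, then refusal-reason collection when no policy matches) as an added Python illustration, not the patent's own code; the organisation rows, the flat (subject, resource, data source) rule signature and the omission of the context input are assumptions made here, with embodiment 1's policies as the sample.

```python
"""Priority-ordered authorization decision with refusal-reason evaluation.

Added illustration of section 5.4; not the patent's own code. Organisation
names, rule bodies and the flat (subject, resource, data source) rule
signature are constructed assumptions; the context environment input is
left out for brevity.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Subject = Dict[str, str]
Resource = Dict[str, str]


class DataSource:
    """Constructed stand-in for DATASOURCE: an organisation table of (name, parent)."""

    def __init__(self, rows: List[Tuple[str, Optional[str]]]):
        self.rows = rows

    def branches(self) -> set:
        # select name from organization where parent = 'head office'
        return {name for name, parent in self.rows if parent == "head office"}


ORG = DataSource([
    ("head office", None),
    ("Beijing branch", "head office"),
    ("Shanghai branch", "head office"),
    ("Dongdan sub-branch", "Beijing branch"),
    ("Pudong sub-branch", "Shanghai branch"),
])

Rule = Callable[[Subject, Resource, DataSource], bool]


# Subject classification rules (section 5.1): the subject's attributes are
# evaluated directly, with no pre-assignment of the subject to a class.
def head_office_user(subject: Subject, _r: Resource, _ds: DataSource) -> bool:
    return subject["organization"] == "head office"


def branch_user(subject: Subject, _r: Resource, ds: DataSource) -> bool:
    return subject["organization"] in ds.branches()


# Resource classification rules (section 5.2): may also look at the subject.
def is_branch(_s: Subject, resource: Resource, _ds: DataSource) -> bool:
    return resource["parent"] == "head office"


def sub_branch_of_own_branch(subject: Subject, resource: Resource, ds: DataSource) -> bool:
    org = subject["organization"]
    return org in ds.branches() and resource["parent"] == org


@dataclass
class DecisionPolicy:
    priority: int
    subject_class: Rule
    resource_class: Rule
    permit: bool   # authorization relation: True = permit, False = refuse
    reason: str    # reason for refusal


# Policies for the "maintain organization" operation (embodiment 1).
MAINTAIN_ORG: List[DecisionPolicy] = [
    DecisionPolicy(1, head_office_user, is_branch, True,
                   "head office users can only maintain branches"),
    DecisionPolicy(2, branch_user, sub_branch_of_own_branch, True,
                   "branch users can only maintain sub-branches of their own branch"),
]


def decide(policies: List[DecisionPolicy], subject: Subject,
           resource: Resource, ds: DataSource) -> Tuple[bool, List[str]]:
    """Steps 1-4 of section 5.4: returns (permit, reasons for refusal)."""
    ordered = sorted(policies, key=lambda p: p.priority)
    for p in ordered:
        if p.subject_class(subject, resource, ds) and p.resource_class(subject, resource, ds):
            # The first policy matching both classes yields the decision; an
            # explicit refuse policy (embodiment 2's blacklist) carries its own reason.
            return (True, []) if p.permit else (False, [p.reason])
    # No policy yielded a decision: refuse, and collect the reason of every
    # policy whose subject class the requester does satisfy (steps a-d).
    reasons = [p.reason for p in ordered if p.subject_class(subject, resource, ds)]
    return False, reasons


if __name__ == "__main__":
    zhang = {"name": "Zhang San", "organization": "head office"}
    dongdan = {"name": "Dongdan sub-branch", "parent": "Beijing branch"}
    print(decide(MAINTAIN_ORG, zhang, dongdan, ORG))
```

A subject that matches no subject classification at all is refused with an empty reason list, which is the "0 reasons" case of step d.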
5.5. Fine-grained authority query method
The fine-grained authorization decision method judges whether a requesting subject has operating rights on a requested resource, but it cannot tell which resources the requesting subject has a given operating right on. The fine-grained authority query method is used to query which resources a requesting subject has operating rights on.
The fine-grained authority query method based on subject classification and data query sets data queries for different requesting subjects. The data query can be realized by the data query method described in section 5.3. For a given subject, the system selects the matching query by computation and executes the resource query. The query result is the set of resources on which the requesting subject holds the given operating right.
The method sets one or more authorization query policies for each operation. If there are several policies, they are ordered by priority.
An authorization query policy comprises:
1. a subject classification, describing what kind of subject;
2. a data query, describing which resources to query.
The working principle of the method is as follows. When a subject requests a query operation:
1. list the authorization query policies set for this operation in priority order and evaluate them in turn;
2. evaluate the current authorization query policy: if the requesting subject satisfies the policy's subject classification rule, execute the policy's query template to obtain the query result;
3. if evaluating the current authorization query policy yields a query result, the next policy need not be evaluated; otherwise the policy is considered to yield no query result, and evaluation continues with the next policy at step 2, until no policy remains to be evaluated;
4. if all policies have been evaluated and none yields a query result, return the empty set, meaning that the requesting subject has no data query authority.
The validity of the method is illustrated below.
Fine-grained authority query method embodiment 1:
A bank management system with a "query organization" operation. The fine-grained authority control requirements are:
1. head office users can query all organizations;
2. branch users can query their own branch and the sub-branches subordinate to their branch.
Using this fine-grained authority query method, the following authorization query policies are set for the "query organization" operation:
Priority | Subject classification | Data query
1 | Head office user | Query all data in the organization table
2 | Branch user | Query the organization table for this branch and the sub-branches subordinate to this branch
Remarks:
1. head office user (subject classification), rule: the organization of the requesting subject equals the head office;
2. branch user (subject classification), rule: the organization of the requesting subject belongs to the set of branches queried from the organization table;
3. query all data in the organization table (data query), rule: query all data in the organization table;
4. query this branch and the sub-branches subordinate to this branch (data query), rule: query the organization table with the condition that the organization number equals the requesting subject's organization number, or the parent organization number equals the requesting subject's organization number.
Consider the following inputs and their query results:

Input: requesting subject: head office user Zhang San
Query result: all organization data in the organization table
Explanation: the requesting subject satisfies the subject classification of the priority 1 authorization query policy; that policy's data query is executed and returns all rows of the organization table.

Input: requesting subject: Beijing branch user Li Si
Query result: the Beijing branch and the sub-branches subordinate to the Beijing branch
Explanation: the requesting subject satisfies the subject classification of the priority 2 authorization query policy; that policy's data query is executed and returns the Beijing branch and the sub-branches subordinate to the Beijing branch.
Request body: the user king of Shanghai branch Shanghai branch and the subordinate of Shanghai branch prop up Request body satisfies awarding of priority 2
Five Line data This regular data query device is carried out in the main body classification of power query strategy, returns Shanghai branch and the subordinate of Shanghai branch props up line data
Fine-grain authority query method, embodiment 2:
A company's customer relationship system with a "query customer" operation. The fine-grain authority control requirements are:
1. ordinary sales staff may query the customers they developed themselves;
2. the manager of the sales department may query all customers;
3. users blacklisted by the company administrator may not query any customer.
Using this method, the following authorization query policies are set for the customer maintenance operation:
Priority | Subject classification | Data query template
1 | Blacklisted user | Do not query any customer
2 | Ordinary sales staff | Query the customer table, customers developed by the sales person
3 | Sales department manager | Query the customer table, all customers
Remarks:
1. blacklisted user (subject classification), rule: the requesting subject's ID attribute belongs to the set of IDs selected from the blacklist table;
2. ordinary sales staff (subject classification), rule: the requesting subject's organization attribute is "sales department" and its department-manager attribute equals "No";
3. sales department manager (subject classification), rule: the requesting subject's organization attribute is "sales department" and its department-manager attribute equals "Yes";
4. do not query any customer (data query template), rule: query the customer table with the condition 1=2, so that the query result is always empty;
5. query the customer table, customers developed by the sales person (data query template), rule: query the customer table with the condition that the customer representative ID equals the requesting subject's ID attribute;
6. query the customer table, all customers (data query template), rule: query all data of the customer table.
Consider the following inputs and their query results:
Input | Query result | Explanation
Requesting subject: blacklisted user Zhang San | Empty set | The requesting subject satisfies the subject classification rule of the priority-1 authorization query policy; that classification's data query template is executed and returns the empty set
Requesting subject: ordinary sales person Li Si | Customers in the customer table whose customer representative ID equals Li Si's ID | The requesting subject satisfies the subject classification rule of the priority-2 authorization query policy; that classification's data query template is executed and returns the customers developed by Li Si
Requesting subject: ordinary sales person Zhao Liu | Customers in the customer table whose customer representative ID equals Zhao Liu's ID | The requesting subject satisfies the subject classification rule of the priority-2 authorization query policy; that classification's data query template is executed and returns the customers developed by Zhao Liu
Requesting subject: sales department manager Wang Wu | All customers in the customer table | The requesting subject satisfies the subject classification rule of the priority-3 authorization query policy; that classification's data query template is executed and returns all customers
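The evaluation procedure of the authority query method, run against the policies of embodiment 2, as an added example that is not part of the patent text; the in-memory customer and blacklist tables, the user IDs and the `QueryPolicy` structure are assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, List

# Constructed in-memory sample data (not from the patent): a customer table whose
# rep_id is the customer representative's user ID, and a blacklist of user IDs.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE customer (id INTEGER, name TEXT, rep_id INTEGER);
CREATE TABLE blacklist (user_id INTEGER);
INSERT INTO customer VALUES (1, 'Acme', 4), (2, 'Bolt', 4), (3, 'Cider', 6), (4, 'Delta', 6);
INSERT INTO blacklist VALUES (3);
""")

@dataclass(frozen=True)
class Subject:
    id: int
    name: str
    department: str
    is_manager: bool

@dataclass(frozen=True)
class QueryPolicy:
    priority: int
    classify: Callable[[Subject], bool]   # subject classification rule
    template: str                         # data query template: SQL with bound placeholders
    bind: Callable[[Subject], tuple]      # binds subject attributes into the template

# Subject classification rules. The blacklist rule consults a data source, which the
# classification method allows; the other two operate on subject attributes only.
def is_blacklisted(s: Subject) -> bool:
    row = db.execute("SELECT 1 FROM blacklist WHERE user_id = ?", (s.id,)).fetchone()
    return row is not None

def is_ordinary_sales(s: Subject) -> bool:
    return s.department == "sales" and not s.is_manager

def is_sales_manager(s: Subject) -> bool:
    return s.department == "sales" and s.is_manager

# Authorization query policies for the "query customer" operation of embodiment 2.
# The priority-1 template carries the always-false condition 1=2, so a matched
# blacklisted user still obtains a result (the empty set) and evaluation stops there.
POLICIES = [
    QueryPolicy(1, is_blacklisted,    "SELECT id FROM customer WHERE 1=2",        lambda s: ()),
    QueryPolicy(2, is_ordinary_sales, "SELECT id FROM customer WHERE rep_id = ?", lambda s: (s.id,)),
    QueryPolicy(3, is_sales_manager,  "SELECT id FROM customer",                  lambda s: ()),
]

def authorized_query(subject: Subject, policies=POLICIES) -> List[int]:
    """Evaluate policies in priority order: the first policy whose subject
    classification matches executes its template and its result is returned.
    If no policy matches, the subject has no query authority: the empty set."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.classify(subject):
            rows = db.execute(policy.template, policy.bind(subject)).fetchall()
            return sorted(row[0] for row in rows)
    return []

if __name__ == "__main__":
    # Zhang San is both blacklisted and ordinary sales staff; priority 1 wins.
    for subj in (Subject(4, "Li Si", "sales", False), Subject(3, "Zhang San", "sales", False)):
        print(subj.name, authorized_query(subj))
```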
The principal features of the fine-grain authority query method based on subject classification and data query are:
1. based on the subject classification method and the data query method, it directly describes which kind of subject has query authority over which resources;
2. it addresses a problem that earlier rights-management work such as XACML did not cover;
3. subject classifications and data query templates are business-domain concepts, so their definitions can be reused across authorization query policies, improving management efficiency.

Claims (12)

1. A subject classification method, characterized in that a given subject is taken as the input parameter and the classification rule of a subject classification is computed to judge whether the subject belongs to that classification, without explicitly classifying the subject in advance; the method mainly comprises the following steps:
A) create the subject classification and define its classification rule;
B) compute the classification rule of the subject classification with the given subject as the input parameter;
C) obtain a Boolean result of the computation; this Boolean value represents whether the subject belongs to the subject classification.
2. The subject classification method according to claim 1, characterized in that the classification rule consists of an expression or a group of expressions and returns the Boolean value.
3. The subject classification method according to claim 2, characterized in that the expressions can operate on the subject, subject attributes, context and data sources.
4. A resource classification method, characterized in that a given resource and the subject requesting that resource are taken as the input parameters and the classification rule of a resource classification is computed to judge whether the resource belongs to that classification, without explicitly classifying the resource in advance; the method mainly comprises the following steps:
A) create the resource classification and define its classification rule;
B) compute the classification rule of the resource classification with the given resource and the subject requesting it as the input parameters;
C) obtain a Boolean result of the computation; this Boolean value represents whether the resource belongs to the resource classification.
5. The resource classification method according to claim 4, characterized in that the classification rule consists of an expression or a group of expressions and returns a Boolean value.
6. The resource classification method according to claim 5, characterized in that the expressions can operate on the resource, resource attributes, the subject, subject attributes, context and data sources.
7. The resource classification method according to claim 4, characterized in that the subject requesting the resource is an optional input parameter.
8. A fine-grain authorization decision method based on subject classification and resource classification, mainly comprising the following steps:
A) create one or more subject classifications and define a classification rule for each subject classification;
B) create one or more resource classifications and define a classification rule for each resource classification;
C) create authorization decision policies; each policy comprises four elements: a subject classification, a resource classification, an authorization relation and a rejection reason;
D) set one authorization decision policy or a group of authorization decision policies for a given operation; for a group of policies, set a priority order over the policies;
E) when a subject requests an operation on a resource, select the authorization decision policy or group of policies corresponding to that operation and evaluate it to obtain a decision result; according to the decision result, permit or refuse the request, and if the request is refused, also return the rejection reason.
9. The fine-grain authorization decision method according to claim 8, characterized in that evaluating the authorization decision policies consists of the following steps:
A) list the authorization decision policies set for this operation in priority order and evaluate them one by one;
B) evaluate the current authorization decision policy: if the requesting subject satisfies the policy's subject classification rule and the requested resource satisfies the policy's resource classification rule, the policy yields a decision result; otherwise the policy is regarded as yielding no decision result;
C) if the decision result is permit, return permit directly without evaluating the next policy; if the decision result is refuse, return refuse directly, the returned rejection reason being the rejection reason of the current policy, likewise without evaluating the next policy; if no decision result is obtained, return to step B to evaluate the next policy, until no policy remains to be evaluated;
D) if all policies have been evaluated and none yields a decision result, refuse the request, determine the rejection reason, and return it together with the decision result.
10. The fine-grain authorization decision method according to claim 9, characterized in that, when all policies have been evaluated and none yields a decision result, determining and returning the rejection reason consists of the following steps:
A) list the authorization decision policies set for this operation in priority order and evaluate them one by one;
B) evaluate the current authorization decision policy: if the requesting subject satisfies the policy's subject classification rule, select the policy's rejection reason;
C) return to step B to evaluate the next policy, until no policy remains to be evaluated;
D) the returned rejection reasons are all the selected rejection reasons; there may be zero, one or many of them.
11. A fine-grain authority query method based on subject classification and data query techniques, mainly comprising the following steps:
A) create one or more subject classifications and define a classification rule for each subject classification;
B) create one or more data query templates;
C) create authorization query policies; each policy comprises two elements: a subject classification and a data query template;
D) set one authorization query policy or a group of authorization query policies for a given query operation; for a group of policies, set a priority order over the policies;
E) when a subject requests a query operation, select the authorization query policy or group of policies corresponding to that operation and evaluate it to obtain the query result, and return the query result.
12. The fine-grain authority query method according to claim 11, characterized in that evaluating the authorization query policies consists of the following steps:
A) list the authorization query policies set for this operation in priority order and evaluate them one by one;
B) evaluate the current authorization query policy: if the requesting subject satisfies the policy's subject classification rule, execute the policy's query template and obtain the query result;
C) if evaluating the current authorization query policy yields a query result, the next policy need not be evaluated; otherwise the policy is regarded as yielding no query result, and step B is repeated for the next policy until no policy remains to be evaluated;
D) if all policies have been evaluated and none yields a query result, return the empty set, i.e. the requesting subject has no data query authority.

Application and publication data

Application number: CNA2009100086374A; priority date 2009-02-09; filing date 2009-02-09; title: Fine grain authority management method based on classification method; status: pending
Publication number: CN101493872A; publication date 2009-07-29
Family ID: 40924464
Country status: CN, CN101493872A (en)


Legal Events

Publication (C06, PB01); open date 2009-07-29
Entry into substantive examination (C10, SE01); after notification of unclear or unknown address (C57), the notice of application publication and entry into the substantive examination procedure was delivered to the addressee Wang Jinbao by public notice (DD01)
Succession or assignment of patent right (ASS, C41); former owner: Wang Lei
Correction of patent application and change of inventor information (C53, CB03, COR): inventors before: Wang Jinbao, Wang Lei; inventor after: Wang Jinbao
Transfer of patent application right (TA01), effective date of registration 2010-06-07: applicant before: Wang Jinbao, co-applicant Wang Lei; applicant after: Wang Jinbao
Notification of passing examination on formalities delivered to the addressee Wang Jinbao by public notice (DD01)
Invention patent application deemed withdrawn after publication (C02, WD01; patent law 2001)