2. Background technology
In a computer system, and especially in a network system, resources are pooled and shared; these resources may be pictures, databases, text, computers and so on. When a user requests an operation on a resource, the system, in order to run securely, performs an authorization check on the user and the resource to make sure the user holds the operating right for that resource; otherwise the user's request is refused.
Rights management is the management of users' operating rights over resources. The two most widely used technical methods at present are:
1. role-based access control (RBAC);
2. XACML (OASIS eXtensible Access Control Markup Language).
In role-based access control, roles are created first, and each role is then authorized to access certain resources; a user is granted one or more roles. When the user accesses a resource, the system first looks up which roles the user holds and then finds the resources authorized to those roles. If the requested resource is among the authorized resources, the request is allowed; otherwise it is refused. For example, an administrator role is created and authorized to access the web page resources "add organization" and "delete organization". User Zhang San is then granted the administrator role. When Zhang San accesses "add organization", the system allows the request. When Zhang San accesses "add user", the request is refused, because none of the roles Zhang San holds has been granted the "add user" right.
Role-based access control is a coarse-grained authority control method. For finer-grained requirements, role-based access control is powerless.
For example, in a banking system there are the user Zhang San of the head office and the user Li Si of the Beijing branch, with the following access control requirements:
1. an administrator of the head office may only add branches, and may not add sub-branches;
2. an administrator of the Beijing branch may only add sub-branches subordinate to the Beijing branch, may not add branches, and may not add sub-branches of other branches.
For the above requirements, role-based access control can only grant Zhang San and Li Si the administrator role and give that role the right to add organizations. It cannot authorize further according to the attributes of the organization at each level, so this kind of fine-grained access control cannot be realized.
XACML is an OASIS standard. XACML defines a general policy language for protecting resources and an access decision language.
A typical access control and authorization scenario comprises three main entities, the subject (Subject), the resource (Resource) and the action (Action), together with their attributes. The subject requests the right to perform the action on the resource. For example, in the access request "a client requests to view his own order", the subject is "client", the resource is "his own order" and the action is "view".
Authorization in XACML is realized by policies (Policy). A policy defines several rules (Rule); a rule specifies the conditions under which a request is allowed or refused. When a subject requests access to a resource, the XACML engine selects the matching policy and evaluates the rules associated with that policy. During evaluation, the engine computes and evaluates the attributes of the subject, the resource and the running environment (Environment) according to the rule definitions, and finally makes the decision to allow or refuse the request. The steps are shown in Fig. 1.
Because XACML rules support complex calculation and evaluation of the attributes of subject, resource and environment, XACML has the ability to perform fine-grained access control. For example, for the fine-grained authorization "an administrator of a branch adds a subordinate sub-branch", XACML needs an authorization policy. The rules contained in this policy are:
1. the subject holds the "administrator" role, and its organization is a branch;
2. the resource is a sub-branch, and it is subordinate to the subject's branch;
3. the action is "add sub-branch".
When the above conditions are satisfied the decision result is allow; otherwise it is refuse.
In this rule, the subject attributes taking part in the evaluation are "roles held" and "organization"; the resource attributes are "is a sub-branch" and "subordinate to the subject's branch".
The core of XACML is to define rules for authorization policies, to evaluate the attributes of subject, resource and environment in those rules, and to make the access control decision (allow or refuse) according to the evaluation result. IBM Tivoli Access Manager and Oracle Entitlements Server currently adopt this approach to realize fine-grained access control.
This method is not perfect and has the following two shortcomings:
1. Reusability is not strong
A policy comprises several rules, and different policies often have similar but not identical rules. For example, consider the following two policies:
Policy 1: an administrator of a branch adds a subordinate sub-branch. Rule: the subject's role is administrator and its organization is a branch; the resource is a sub-branch and is subordinate to the subject's branch.
Policy 2: an administrator of a branch adds a user of the branch. Rule: the subject's role is administrator and its organization is a branch; the resource is a user and belongs to the same branch as the subject.
The rules of policy 1 and policy 2 both contain the same restriction on the subject: the subject's role is administrator and its organization is a branch.
2. Resource query is not supported
For the access control "an administrator of a branch has the right to modify subordinate sub-branches", XACML can judge whether a given administrator may modify a given sub-branch, but it cannot return all the sub-branches that this administrator has the right to modify. XACML can only return the decision result of an authorization policy, namely allow or refuse; it cannot perform a resource query and return the set of resources that satisfy the policy rules. In real application systems this requirement is seen everywhere, and XACML does not support this class of query requirement, so its practicality is restricted.
3. Summary of the invention
The present invention comprises two principal themes:
1. a fine-grained authorization decision method based on subject classification and resource classification;
2. a fine-grained authority query method based on subject classification and data query.
The above themes use the subject classification method, the resource classification method and the data query method. The subject classification method and the resource classification method belong to the present invention. The data query method is a common method and does not belong to the present invention.
The subject classification method: classification rules for subjects are defined, and the attributes of a given subject are evaluated directly to judge whether the subject belongs to the classification, without explicitly assigning the subject to a classification in advance. A subject classification rule is composed of an expression or a group of expressions and returns a Boolean value. Expressions may be mathematical calculations (+, -, *, /), logical calculations (AND, OR), functions and so on. An expression computes over the subject's attributes, context attributes or data from other data sources. The subject, the context environment and the data source are all input parameters of the rule.
The resource classification method: classification rules for resources are defined, and the attributes of a given resource and a given subject (the subject is optional) are evaluated directly to judge whether the resource belongs to the classification, without explicitly assigning the resource to a classification in advance.
The resource classification method is essentially similar to the subject classification method, with one significant difference: the input parameters of resource classification are the resource, the subject, the context environment and the data source, whereas the input parameters of subject classification do not include a resource. The subject input parameter of the resource classification method is optional.
Resource classification rules, expressions and expression values are consistent with those of subject classification and are not repeated here.
The data query method: a query template is defined in advance; at run time the placeholders in the template are assigned values to form a complete SQL statement, and the database query is then executed.
The data query method is a common method. Applied to the field of fine-grained authority management, the data represented by the placeholders of a data query may come from the context, the subject, the resource or a data source.
Fine-grained authorization decision sets different resource operating rights for different requesting subjects. For a given subject and a given resource, the system makes a decision by calculation and allows or refuses the request.
The fine-grained authorization decision method based on subject classification and resource classification is a simple, intuitive and practical fine-grained authorization decision method. In this method, one or more authorization decision strategies are set for each operation. If there are several strategies, they are ordered by priority. When a subject requests an operation on a resource, the authorization decision strategies set for that operation are evaluated to obtain the decision result. The decision result has two cases: 1. allow; 2. refuse, with the reason for rejection returned.
The fine-grained authorization decision method judges whether a requesting subject holds the operating right on a requested resource, but it cannot tell which resources the requesting subject holds the given operating right on. The fine-grained authority query method is used to query which resources a requesting subject holds an operating right on.
The fine-grained authority query method based on subject classification and data query addresses a field that rights management methods such as XACML did not previously cover. In this method, one or more authorization query strategies are set for each operation. If there are several strategies, they are ordered by priority. For a given subject, the system selects the matching query by calculation and executes the resource query. The query result is the set of resources on which the requesting subject holds the given operating right.
5. Embodiments
5.1. Subject classification method
The subject classification method: classification rules for subjects are defined, and the attributes of a given subject are evaluated directly to judge whether the subject belongs to the classification, without explicitly assigning the subject to a classification in advance. The principal characteristics of subject classification are:
1. Dynamic matching by calculation. Whether a subject belongs to a classification is judged by evaluating the rule, without assigning the subject to a classification in advance; this provides the precondition for fine-grained authorization.
2. Better reusability and readability. In XACML the subject judgement rules and the resource judgement rules are mixed together. By extracting the subject judgement rules into an independent classification that corresponds to a concept in the business domain, the classification gains good stability and can be reused across different business operations. The purpose and readability of the classification are stronger.
A subject classification rule is composed of an expression or a group of expressions and returns a Boolean value. Expressions may be mathematical calculations (+, -, *, /), logical calculations (AND, OR), functions and so on. Examples of expressions:
// mathematical calculation
int a = b + 1;
// logical calculation
boolean f = (a && b) && (c || d) && e;
// function call
c = a.add(b.getValue());
An expression computes over the subject's attributes, context attributes or data from other data sources. The subject, the context environment and the data source are all input parameters of the rule. Examples of obtaining expression values:
// attribute of the subject
String organization = (String) SUBJECT.get("organization");
// context attribute
Double money = (Double) CONTEXT.get("money");
// execute an SQL query against the data source
Collection queryResult = DATASOURCE.query("select column1, column2 from tablename");
With the subject, the context environment and the data source as input parameters, the expression or expression group of the rule is executed, and the execution result is the evaluation result.
Subject classification embodiment 1:
| Title | Rule | Description |
|---|---|---|
| The user of head office | String organization = (String) SUBJECT.get("organization"); return organization.equals("head office"); | Take the organization attribute value of the subject (user) and compare it with the head office's organization name "head office". If they are equal, the subject belongs to the "user of head office" classification; otherwise it does not. |
| The user of branch | Collection branches = DATASOURCE.query("select name from organization where parent='head office'"); String organization = (String) SUBJECT.get("organization"); return branches.contains(organization); | Query the organization table for all branches (organizations whose parent is "head office"), then check whether the subject's organization is among those branches. If so, the subject belongs to the "user of branch" classification; otherwise it does not. |
5.2. Resource classification method
The resource classification method: classification rules for resources are defined, and the attributes of a given resource and a given subject (the subject is optional) are evaluated directly to judge whether the resource belongs to the classification, without explicitly assigning the resource to a classification in advance.
The resource classification method is essentially similar to the subject classification method, with one significant difference: the input parameters of resource classification are the resource, the subject, the context environment and the data source, whereas the input parameters of subject classification do not include a resource.
Resource classification rules, expressions and expression values are consistent with those of subject classification and are not repeated here.
Resource classification embodiment 1:
| Title | Rule | Description |
|---|---|---|
| Branch | String parent = (String) RESOURCE.get("parent"); return parent.equals("head office"); | Take the parent attribute value of the resource and check whether that organization is the head office. If so, the resource belongs to this classification; otherwise it does not. |
| Subordinate sub-branch of the current subject's branch | Collection branches = DATASOURCE.query("select name from organization where parent='head office'"); String organization = (String) SUBJECT.get("organization"); String parent = (String) RESOURCE.get("parent"); return branches.contains(organization) && parent.equals(organization); | Take the organization attribute value of the requesting subject, load all branches from the organization table, and take the parent attribute value of the resource. If the subject's organization is a branch and the resource's parent equals the subject's organization, the resource belongs to this classification; otherwise it does not. |
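The two classification methods of sections 5.1 and 5.2, as an added example in Python rather than the patent's own Java-style snippets: each classification is a rule over the same inputs the text names (subject, optional resource, context, data source), and a rule that cannot be evaluated fails closed instead of matching. The organization table, the `Classification` and `DataSource` helpers and the function names are constructed for this illustration.

```python
"""Subject and resource classification rules as plain Python callables.

Added example, not code from the patent. It mirrors sections 5.1 and 5.2:
a rule receives the subject, an optional resource, the context and the
data source and returns a Boolean. The organization table below is
constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed data source: organization name -> parent organization name.
ORGANIZATIONS = {
    "head office": None,
    "Beijing branch": "head office",
    "Shanghai branch": "head office",
    "Dongdan sub-branch": "Beijing branch",
    "Pudong sub-branch": "Shanghai branch",
}


class DataSource:
    """Stands in for DATASOURCE.query(...); only the query the rules need."""

    def __init__(self, organizations: dict):
        self._orgs = organizations

    def branches(self) -> set:
        # select name from organization where parent = 'head office'
        return {name for name, parent in self._orgs.items() if parent == "head office"}


# A classification rule: (subject, resource or None, context, data source) -> bool
Rule = Callable[[dict, Optional[dict], dict, DataSource], bool]


@dataclass
class Classification:
    title: str
    rule: Rule

    def matches(self, subject, resource=None, context=None, datasource=None) -> bool:
        # A missing attribute or absent input makes the rule evaluate to False
        # rather than raise, so a malformed request never matches by accident.
        try:
            return bool(self.rule(subject, resource, context or {}, datasource))
        except (KeyError, AttributeError, TypeError):
            return False


# ---- Subject classifications (section 5.1) ----
HEAD_OFFICE_USER = Classification(
    "The user of head office",
    lambda s, r, c, ds: s["organization"] == "head office",
)
BRANCH_USER = Classification(
    "The user of branch",
    lambda s, r, c, ds: s["organization"] in ds.branches(),
)

# ---- Resource classifications (section 5.2); the subject is an extra input ----
BRANCH = Classification(
    "Branch",
    lambda s, r, c, ds: r["parent"] == "head office",
)
SUBORDINATE_SUB_BRANCH = Classification(
    "Subordinate sub-branch of the current subject's branch",
    lambda s, r, c, ds: s["organization"] in ds.branches() and r["parent"] == s["organization"],
)


def classify_subject(subject: dict, datasource: DataSource) -> list:
    """Titles of all subject classifications the subject satisfies."""
    return [c.title for c in (HEAD_OFFICE_USER, BRANCH_USER)
            if c.matches(subject, None, {}, datasource)]


def classify_resource(resource: dict, subject: Optional[dict], datasource: DataSource) -> list:
    """Titles of all resource classifications the resource satisfies for this subject."""
    return [c.title for c in (BRANCH, SUBORDINATE_SUB_BRANCH)
            if c.matches(subject, resource, {}, datasource)]


if __name__ == "__main__":
    ds = DataSource(ORGANIZATIONS)
    li_si = {"name": "Li Si", "organization": "Beijing branch"}
    dongdan = {"name": "Dongdan sub-branch", "parent": "Beijing branch"}
    print(classify_subject(li_si, ds))
    print(classify_resource(dongdan, li_si, ds))
```

Because classification is computed on every request, a subject that later moves from one branch to another is reclassified automatically, which is the "dynamic matching" property the section claims; nothing has to be re-granted.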
5.3. Data query method
Where the query statements used in different scenes are very similar, a query template is defined in advance. At run time the placeholders in the template are assigned values to form a complete SQL statement, and the database query is then executed.
Applied to fine-grained authority management, the data represented by the placeholders of a data query may come from the context, the subject, the resource or a data source.
5.4. Fine-grained authorization decision method
The fine-grained authorization decision method based on subject classification and resource classification is a simple, intuitive and practical fine-grained authorization decision method.
Fine-grained authorization decision sets different resource operating rights for different requesting subjects. For a given subject and a given resource, the system makes a decision by calculation and allows or refuses the request.
In this method, one or more authorization decision strategies are set for each operation. If there are several strategies, they are ordered by priority.
An authorization decision strategy comprises:
1. a subject classification, describing what kind of subject;
2. a resource classification, describing what kind of resource;
3. an authorization relation: allow or refuse;
4. a reason for rejection.
The working principle of this method is as follows. When a subject requests an operation on a resource:
1. list the authorization decision strategies set for this operation in priority order and evaluate them in turn;
2. evaluate the current authorization decision strategy: if the requesting subject satisfies the strategy's subject classification rule and the requested resource satisfies the strategy's resource classification rule, the strategy yields a decision result; otherwise the strategy is considered to yield no decision result;
3. if the decision result is allow, return allow directly without evaluating the next strategy; if the decision result is refuse, return refuse directly, the returned reason for rejection being the reason for rejection of the current strategy, again without evaluating the next strategy; if no decision result was obtained, go back to step 2 and evaluate the next strategy, until there are no strategies left to evaluate;
4. if all strategies have been evaluated and none yields a decision result, the decision result is refuse; the reason for rejection is then assessed and returned. Assessing the reason for rejection consists of the following steps:
a) list the authorization decision strategies set for this operation in priority order and evaluate them in turn;
b) evaluate the current authorization decision strategy: if the requesting subject satisfies the strategy's subject classification rule, choose that strategy's reason for rejection;
c) go back to step b and evaluate the next strategy, until there are no strategies left to evaluate;
d) the reasons for rejection returned are all the reasons chosen; there may be 0, 1 or several of them.
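Steps 1 to 4 above, including the reason-for-rejection assembly of steps a) to d), as an added Python example (not the patent's code). The strategies are those of the two embodiments that follow, "maintain organization" and "maintain customer"; the branch list, the blacklist table and the subject and resource attribute names are constructed for the illustration.

```python
"""Priority-ordered authorization decision with rejection-reason assembly.

Added example, not code from the patent. decide() implements steps 1-4 of
the decision method; the strategy tables reproduce the two embodiments.
BRANCHES and BLACKLIST are constructed stand-ins for data-source queries.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

BRANCHES = {"Beijing branch", "Shanghai branch"}   # constructed: branches of the head office
BLACKLIST = {"Zhang San"}                         # constructed: IDs in the blacklist table

ALLOW, REFUSE = "allow", "refuse"


@dataclass
class Strategy:
    priority: int
    subject_rule: Callable[[dict], bool]           # subject classification
    resource_rule: Callable[[dict, dict], bool]    # resource classification (subject, resource)
    relation: str                                  # ALLOW or REFUSE
    rejection_reason: Optional[str] = None


def decide(strategies: List[Strategy], subject: dict, resource: dict) -> Tuple[str, List[str]]:
    """Return (result, reasons); reasons is empty when the result is ALLOW.

    Steps 1-3: strategies are evaluated in ascending priority order, and the
    first one whose subject rule and resource rule both match yields the
    decision; an explicit REFUSE carries that strategy's reason.
    Step 4: if no strategy matches, the result is REFUSE and the reasons of
    every strategy whose subject rule alone matches are collected (steps a-d).
    """
    ordered = sorted(strategies, key=lambda s: s.priority)
    for st in ordered:
        if st.subject_rule(subject) and st.resource_rule(subject, resource):
            if st.relation == ALLOW:
                return ALLOW, []
            return REFUSE, [st.rejection_reason] if st.rejection_reason else []
    reasons = [st.rejection_reason for st in ordered
               if st.subject_rule(subject) and st.rejection_reason]
    return REFUSE, reasons


# Embodiment 1: the "maintain organization" operation.
MAINTAIN_ORGANIZATION = [
    Strategy(1,
             lambda s: s["organization"] == "head office",
             lambda s, r: r["parent"] == "head office",
             ALLOW, "A user of the head office may only maintain branches"),
    Strategy(2,
             lambda s: s["organization"] in BRANCHES,
             lambda s, r: s["organization"] in BRANCHES and r["parent"] == s["organization"],
             ALLOW, "A user of a branch may only maintain sub-branches subordinate to this branch"),
]

# Embodiment 2: the "maintain customer" operation; priority 1 is an explicit refusal.
MAINTAIN_CUSTOMER = [
    Strategy(1,
             lambda s: s["id"] in BLACKLIST,
             lambda s, r: True,
             REFUSE, "A blacklisted user is not allowed to maintain any customer"),
    Strategy(2,
             lambda s: s["department"] == "sales department" and not s["manager"],
             lambda s, r: r["representative"] == s["id"],
             ALLOW, "An ordinary salesperson may only maintain the customers he developed himself"),
    Strategy(3,
             lambda s: s["department"] == "sales department" and s["manager"],
             lambda s, r: True,
             ALLOW),
]


if __name__ == "__main__":
    zhang_san = {"organization": "head office"}
    print(decide(MAINTAIN_ORGANIZATION, zhang_san, {"parent": "Beijing branch"}))
```

Note that a subject matching no subject classification at all is refused with an empty reason list, and that an explicit refuse strategy placed at priority 1 (the blacklist) short-circuits every later allow; ordering the strategies is therefore part of the policy, not a presentation detail.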
The validity of this method is illustrated below.
Fine-grained authorization decision method embodiment 1:
A bank management system with a "maintain organization" operation. The fine-grained authority control requirements are:
1. a user of the head office may maintain all branches, but may not maintain sub-branches subordinate to a branch;
2. a user of a branch may maintain the sub-branches subordinate to that branch, and may not maintain any other organization, such as sub-branches of other branches, the branch itself, and so on.
Using this fine-grained authorization decision method, the following authorization decision strategies are set for the "maintain organization" operation:
| Priority | Subject classification | Resource classification | Authorization relation | Reason for rejection |
|---|---|---|---|---|
| 1 | The user of head office | Branch | Allow | A user of the head office may only maintain branches |
| 2 | The user of branch | Subordinate sub-branch of this branch | Allow | A user of a branch may only maintain sub-branches subordinate to this branch |
Remarks:
1. the user of head office (subject classification): the rule is that the organization of the requesting subject equals the head office organization;
2. the user of branch (subject classification): the rule is that the organization of the requesting subject belongs to the set of branches queried from the organization table;
3. branch (resource classification): the rule is that the parent organization of the requested resource equals the head office organization;
4. subordinate sub-branch of this branch (resource classification): the rule is that the parent organization of the requested resource equals the organization of the requesting subject, and the organization of the requesting subject is a branch.
Consider the following inputs and their decision results:
| Input | Decision result | Explanation |
|---|---|---|
| Requesting subject: head office user Zhang San; requested resource: Beijing branch (a branch) | Allow | The requesting subject and the requested resource satisfy the authorization decision strategy of priority 1; the authorization relation of that strategy is returned |
| Requesting subject: head office user Zhang San; requested resource: Dongdan sub-branch, subordinate to Beijing branch | Refuse. Reason for rejection: a user of the head office may only maintain branches | The requesting subject and the requested resource satisfy no authorization decision strategy, but the requesting subject satisfies only the subject classification of priority 1, so that strategy's reason for rejection is returned |
| Requesting subject: Beijing branch user Li Si; requested resource: Dongdan sub-branch, subordinate to Beijing branch | Allow | The requesting subject and the requested resource satisfy the authorization decision strategy of priority 2; the authorization relation of that strategy is returned |
| Requesting subject: Beijing branch user Li Si; requested resource: Pudong sub-branch, subordinate to Shanghai branch | Refuse. Reason for rejection: a user of a branch may only maintain sub-branches subordinate to this branch | The requesting subject and the requested resource satisfy no authorization decision strategy, but the requesting subject satisfies only the subject classification of priority 2, so that strategy's reason for rejection is returned |
Fine-grained authorization decision method embodiment 2:
A corporate customer relationship system with a "maintain customer" operation. The fine-grained authority control requirements are:
1. an ordinary salesperson maintains the customers he developed himself;
2. the department manager of the sales department maintains all customers;
3. a user blacklisted by the company administrator may not maintain any customer.
Using this fine-grained authorization decision method, the following authorization decision strategies are set for the "maintain customer" operation:
| Priority | Subject classification | Resource classification | Authorization relation | Reason for rejection |
|---|---|---|---|---|
| 1 | Blacklisted user | All customers | Refuse | A blacklisted user is not allowed to maintain any customer |
| 2 | Ordinary salesperson | Customers developed by oneself | Allow | An ordinary salesperson may only maintain the customers he developed himself |
| 3 | Department manager of the sales department | All customers | Allow | |
Remarks:
1. blacklisted user (subject classification): the rule is that the ID attribute of the requesting subject belongs to the set of IDs queried from the blacklist table;
2. ordinary salesperson (subject classification): the rule is that the organization attribute of the requesting subject is "sales department" and the department manager attribute of the requesting subject equals "No";
3. department manager of the sales department (subject classification): the rule is that the organization attribute of the requesting subject is "sales department" and the department manager attribute of the requesting subject equals "Yes";
4. all customers (resource classification): the rule makes no judgement and directly returns true;
5. customers developed by oneself (resource classification): the rule is that the customer representative ID attribute of the requested resource equals the ID attribute of the requesting subject.
Consider the following inputs and their decision results:
| Input | Decision result | Explanation |
|---|---|---|
| Requesting subject: blacklisted user Zhang San; requested resource: customer ABC, developed by Zhang San | Refuse | The requesting subject and the requested resource satisfy the authorization decision strategy of priority 1; the authorization relation of that strategy is returned |
| Requesting subject: ordinary salesperson Li Si; requested resource: customer ABC, developed by Zhang San | Refuse. Reason for rejection: an ordinary salesperson may only maintain the customers he developed himself | The requesting subject and the requested resource satisfy no authorization decision strategy, but the requesting subject satisfies only the subject classification of priority 2, so that strategy's reason for rejection is returned |
| Requesting subject: ordinary salesperson Li Si; requested resource: customer EFG, developed by Li Si | Allow | The requesting subject and the requested resource satisfy the authorization decision strategy of priority 2; the authorization relation of that strategy is returned |
| Requesting subject: sales department manager Wang Wu; requested resource: customer EFG, developed by Li Si | Allow | The requesting subject and the requested resource satisfy the authorization decision strategy of priority 3; the authorization relation of that strategy is returned |
The principal characteristics of the fine-grained authorization decision method based on subject classification and resource classification are:
1. based on the subject classification method and the resource classification method, it directly describes what kind of subject holds what kind of operating right on what kind of resource;
2. it provides a fine-grained control method that is more intuitive, more practical and easier to use than XACML;
3. subject classifications and resource classifications are business domain concepts, so their definitions can be reused across authorization decision strategies, which improves management efficiency.
5.5. Fine-grained authority query method
The fine-grained authorization decision method judges whether a requesting subject holds the operating right on a requested resource, but it cannot tell which resources the requesting subject holds the given operating right on. The fine-grained authority query method is used to query which resources a requesting subject holds an operating right on.
The fine-grained authority query method based on subject classification and data query sets different data queries for different requesting subjects. A data query can be realized with the data query method described in section 5.3. For a given subject, the system selects the matching query by calculation and executes the resource query. The query result is the set of resources on which the requesting subject holds the given operating right.
In this method, one or more authorization query strategies are set for each operation. If there are several strategies, they are ordered by priority.
An authorization query strategy comprises:
1. a subject classification, describing what kind of subject;
2. a data query, describing which resources are queried.
The working principle of this method is as follows. When a subject requests a query operation:
1. list the authorization query strategies set for this operation in priority order and evaluate them in turn;
2. evaluate the current authorization query strategy: if the requesting subject satisfies the strategy's subject classification rule, execute the strategy's query template to obtain the query result;
3. if the evaluation of the current authorization query strategy yields a query result, the next strategy need not be evaluated; otherwise the strategy is considered to yield no query result, and go back to step 2 to evaluate the next strategy, until there are no strategies left to evaluate;
4. if all strategies have been evaluated and none yields a query result, return the empty set, i.e. the requesting subject has no data query authority.
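The query template of section 5.3 and steps 1 to 4 above, as an added Python example (not the patent's code) for the "query organization" operation of the first embodiment that follows. The organization table, the subject attribute `org_no`, the SQL text and the helper names are constructed for this illustration. The placeholder values taken from the subject are bound as SQL parameters rather than concatenated into the statement text, so a subject attribute can supply a value but never alter the query's shape.

```python
"""Query templates with bound placeholders, and the priority-ordered
authorization query of section 5.5.

Added example, not code from the patent. The organization table, the
subjects and the SQL templates are constructed sample data.
"""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed organization table: (number, name, parent number).
ORGANIZATION_ROWS = [
    (1, "head office", None),
    (2, "Beijing branch", 1),
    (3, "Shanghai branch", 1),
    (4, "Dongdan sub-branch", 2),
    (5, "Pudong sub-branch", 3),
]


def open_datasource() -> sqlite3.Connection:
    """In-memory stand-in for the data source the rules and templates query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table organization (no integer primary key, name text, parent integer)")
    conn.executemany("insert into organization values (?, ?, ?)", ORGANIZATION_ROWS)
    return conn


@dataclass
class QueryTemplate:
    """Section 5.3: SQL with named placeholders whose values are filled in at run time."""
    sql: str                                       # uses :name placeholders
    params: Callable[[dict], Dict[str, object]]    # placeholder values taken from the subject

    def run(self, conn: sqlite3.Connection, subject: dict) -> List[str]:
        # The subject's values are bound by the driver, not spliced into the SQL.
        return [row[1] for row in conn.execute(self.sql, self.params(subject))]


@dataclass
class QueryStrategy:
    priority: int
    subject_rule: Callable[[dict, sqlite3.Connection], bool]   # subject classification
    template: QueryTemplate                                    # the data query


def query(strategies: List[QueryStrategy], conn: sqlite3.Connection, subject: dict) -> List[str]:
    """Steps 1-4: run the template of the first strategy (by priority) whose
    subject rule matches; an empty list means the subject has no query authority."""
    for st in sorted(strategies, key=lambda s: s.priority):
        if st.subject_rule(subject, conn):
            return st.template.run(conn, subject)
    return []


def branch_numbers(conn: sqlite3.Connection) -> set:
    """Numbers of all branches, i.e. organizations whose parent is the head office."""
    return {row[0] for row in conn.execute(
        "select no from organization where parent = "
        "(select no from organization where name = 'head office')")}


# Embodiment 1 of the query method: the "query organization" operation.
QUERY_ORGANIZATION = [
    QueryStrategy(1,
                  lambda s, c: s["org_no"] == 1,                       # the user of head office
                  QueryTemplate("select no, name from organization order by no",
                                lambda s: {})),
    QueryStrategy(2,
                  lambda s, c: s["org_no"] in branch_numbers(c),       # the user of branch
                  QueryTemplate("select no, name from organization "
                                "where no = :org or parent = :org order by no",
                                lambda s: {"org": s["org_no"]})),
]


if __name__ == "__main__":
    conn = open_datasource()
    print(query(QUERY_ORGANIZATION, conn, {"name": "Li Si", "org_no": 2}))
```

A strategy that must return nothing, such as the blacklist strategy of the second embodiment, is expressed in the same way with a template whose condition is always false; the subject rule still matches, so later strategies are not consulted.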
The validity of this method is illustrated below.
Fine-grained authority query method embodiment 1:
A bank management system with a "query organization" operation. The fine-grained authority control requirements are:
1. a user of the head office may query all organizations;
2. a user of a branch may query that branch and the sub-branches subordinate to that branch.
Using this fine-grained authorization decision method, the following authorization query strategies are set for the "query organization" operation:
| Priority | Subject classification | Data query |
|---|---|---|
| 1 | The user of head office | Query all data of the organization table |
| 2 | The user of branch | Query the organization table for this branch and the sub-branches subordinate to this branch |
Remarks:
1. the user of head office (subject classification): the rule is that the organization of the requesting subject equals the head office organization;
2. the user of branch (subject classification): the rule is that the organization of the requesting subject belongs to the set of branches queried from the organization table;
3. query all data of the organization table (data query): the rule is to query all data of the organization table;
4. query this branch and its subordinate sub-branches (data query): the rule is to query the organization table with the condition that the organization number equals the requesting subject's organization number, or the parent organization number equals the requesting subject's organization number.
Consider the following inputs and their query results:
| Input | Query result | Explanation |
|---|---|---|
| Requesting subject: head office user Zhang San | All organization data in the organization table | The requesting subject satisfies the subject classification of the authorization query strategy of priority 1; the data query of that strategy is executed and returns all data of the organization table |
| Requesting subject: Beijing branch user Li Si | Beijing branch and the sub-branches subordinate to Beijing branch | The requesting subject satisfies the subject classification of the authorization query strategy of priority 2; the data query of that strategy is executed and returns Beijing branch and the sub-branches subordinate to Beijing branch |
| Requesting subject: Shanghai branch user Wang Wu | Shanghai branch and the sub-branches subordinate to Shanghai branch | The requesting subject satisfies the subject classification of the authorization query strategy of priority 2; the data query of that strategy is executed and returns Shanghai branch and the sub-branches subordinate to Shanghai branch |
Fine-grained authority query method embodiment 2:
A corporate customer relationship system with a "query customer" operation. The fine-grained authority control requirements are:
1. an ordinary salesperson queries the customers he developed himself;
2. the department manager of the sales department queries all customers;
3. a user blacklisted by the company administrator may not query any customer.
Using this fine-grained authorization decision method, the following authorization query strategies are set for the "maintain customer" operation:
| Priority | Subject classification | Data query |
|---|---|---|
| 1 | Blacklisted user | Query no customer |
| 2 | Ordinary salesperson | Query the customer table for the customers developed by the salesperson |
| 3 | Department manager of the sales department | Query the customer table for all customers |
Remarks:
1. blacklisted user (subject classification): the rule is that the ID attribute of the requesting subject belongs to the set of IDs queried from the blacklist table;
2. ordinary salesperson (subject classification): the rule is that the organization attribute of the requesting subject is "sales department" and the department manager attribute of the requesting subject equals "No";
3. department manager of the sales department (subject classification): the rule is that the organization attribute of the requesting subject is "sales department" and the department manager attribute of the requesting subject equals "Yes";
4. query no customer (data query): the rule is to query the customer table with the condition 1=2, so that the query result is always empty;
5. query the customers developed by the salesperson (data query): the rule is to query the customer table with the condition that the customer representative ID equals the ID attribute of the requesting subject;
6. query all customers (data query): the rule is to query all data of the customer table.
Consider the following inputs and their query results:
| Input | Query result | Explanation |
|---|---|---|
| Requesting subject: blacklisted user Zhang San | Empty set | The requesting subject satisfies the subject classification rule of the authorization query strategy of priority 1; the data query of that classification is executed and returns the empty set |
| Requesting subject: ordinary salesperson Li Si | The customers in the customer table whose customer representative ID equals Li Si's ID | The requesting subject satisfies the subject classification rule of the authorization query strategy of priority 2; the data query of that classification is executed and returns the customers developed by Li Si |
| Requesting subject: ordinary salesperson Zhao Liu | The customers in the customer table whose customer representative ID equals Zhao Liu's ID | The requesting subject satisfies the subject classification rule of the authorization query strategy of priority 2; the data query of that classification is executed and returns the customers developed by Zhao Liu |
| Requesting subject: sales department manager Wang Wu | All customers in the customer table | The requesting subject satisfies the subject classification rule of the authorization query strategy of priority 3; the data query of that classification is executed and returns all customers |
The principal characteristics of the fine-grained authority query method based on subject classification and data query are:
1. based on the subject classification method and the data query method, it directly describes what kind of subject holds the query right on which resources;
2. it addresses a field that rights management methods such as XACML did not previously cover;
3. subject classifications and data queries are business domain concepts, so their definitions can be reused across authorization query strategies, which improves management efficiency.