CN101577622A - Method for controlling access to shared component of leveled partition - Google Patents


Info

Publication number: CN101577622A (granted version: CN101577622B)
Authority: CN (China)
Prior art keywords: group, user, shared, partition, integrity level
Legal status: granted; now Expired - Fee Related
Application number: CN2009103035995A
Other languages: Chinese (zh)
Other versions: CN101577622B (en)
Inventors: 李丹宁, 李丹, 王保华, 马新强, 宋剑
Current assignee: YITE SOFTWARE CO Ltd GUIYANG
Original assignee: YITE SOFTWARE CO Ltd GUIYANG
Priority date and filing date: 2009-06-24
Publication date: 2009-11-11 (CN101577622A); patent granted and published 2012-07-04 (CN101577622B)
Abstract

The invention discloses a method for controlling access to shared groups of leveled partitions (the "shared component of leveled partition" of the title). The upper/lower (superior/subordinate) relations between any two shared groups in the network must not form a cycle. Each shared group contains one or more users and one or more partitions; users and partitions are each assigned an integrity level, and documents are stored in partitions. Integrity levels are ordered numbers, so they can be compared. A document takes its integrity level from the partition that holds it and its confidentiality level from the position of its shared group in the network. Building the security model from leveled-partition shared groups divides a complex problem into several smaller problems that can be solved locally; the method decentralizes authority and unifies availability, confidentiality and integrity.

Description

A method for access control over hierarchically partitioned shared groups
Technical field
The present invention relates to a method for access control over hierarchically partitioned shared groups, and belongs to the field of security authentication and management of computer resources.
Background technology
Access control means granting a subject particular kinds of access to a document, or to its resources, according to some control policy or authority. Driven by the needs of network transmission, research on access control has developed quickly and many access control models have been proposed. Establishing a standard access control model is necessary for enforcing a strict access control policy. In the 1970s Harrison, Ruzzo and Ullman proposed the HRU model, and Jones and others proposed the Take-Grant model in 1976. The US military's Trusted Computer System Evaluation Criteria (TCSEC) of 1985 then described two well-known access control policies: discretionary access control (DAC) and mandatory access control (MAC). Role-based access control (RBAC) was proposed by Ferraiolo and Kuhn in 1992.
The discretionary access control model (DAC Model, Discretionary Access Control Model) is built on a discretionary access control policy: a legitimate user, acting as an individual or as a member of a user group, may access the documents the policy allows, unauthorized users are prevented from accessing documents, and certain users may independently grant other users access rights to the documents they own. A DAC model usually keeps the access control information of the different subjects in an access control matrix or in access control lists (ACLs), and thereby restricts each subject's access rights.
The mandatory access control model (MAC Model, Mandatory Access Control Model) originated in the effort to enforce access control stricter than DAC: the US government and military developed a variety of control models, each with fairly complete and detailed definitions, which gradually formed the mandatory access model and attracted wide commercial attention and application. Under MAC, users and document resources are all assigned a security level, users cannot change their own security level or that of documents, and only an administrator can decide the access rights of users and groups. Unlike DAC, MAC is a multi-level access control policy whose main feature is that the system itself enforces access control on subjects and objects: the system assigns security level attributes to subjects and objects in advance, and when access is attempted it first compares the security level attributes of the subject and the object and only then decides whether the subject may access the object. MAC attaches two security labels to subjects and objects: a security classification label carrying a partial order, and a non-hierarchical category label.
Because MAC realizes one-way information flow through classified security labels, it has always been used by the military; the best-known models are Bell-LaPadula and Biba. The Bell-LaPadula (BLP) model allows only reading down and writing up, which effectively prevents confidential information from leaking to lower levels and prevents low-level users and processes from accessing information resources whose security level is higher than their own. How to handle trusted subjects is a problem the BLP model must face: trusted subjects may be administrators or processes that provide key services, such as device drivers and memory management modules, and they cannot carry out their tasks without violating the rules of the BLP model, yet the BLP model offers no treatment of, or way to avoid, the leakage risk these trusted subjects create.
The Biba model arose from studying the properties of the BLP model and finding that BLP solves only the confidentiality problem of information and has defects in its definition of integrity: BLP takes no effective measures to restrict unauthorized modification of information, so illegal and unauthorized tampering becomes possible. Taking this into account, the Biba model imitates the confidentiality levels of BLP and defines information integrity levels, and it forbids information flowing from a lower-level process to a higher-level process; that is, a user may write only to documents whose integrity level is lower than the user's own, which prevents unauthorized users from creating high-level document information and avoids unauthorized access and tampering.
The Biba model is the dual of the BLP model: it corrects the information integrity problem that BLP ignored, but to some degree ignores confidentiality.
The MAC and DAC models are the traditional access control models, and both have been studied quite thoroughly. In implementation, MAC and DAC generally give each user a set of access rules for documents; for convenience of management, users with the same function are usually gathered into groups, and each group is then assigned permissions. Letting users independently grant other users access to the documents they own has obvious advantages, but when an enterprise's organizational structure or a system's security requirements are changing, a large number of tedious authorization changes become necessary, the system administrator's workload becomes very heavy, and, above all, mistakes are easy to make and can cause unexpected security breaches.
Summary of the invention
The technical problem solved by the present invention is to provide a method for access control over hierarchically partitioned shared groups that coordinates the confidentiality, integrity and availability of access control in a unified way and overcomes the deficiencies of the prior art.
The technical scheme of the invention is as follows. The system comprises a network formed by one or more shared groups with upper/lower (superior/subordinate) relations, and the upper/lower relations between any two shared groups in the network must not form a cycle. Each shared group contains one or more users and one or more partitions; users and partitions are each assigned an integrity level, and documents are stored in partitions. An integrity level is an ordered number, so levels can be compared. A document takes its integrity level from the partition it resides in and its confidentiality level from the position of its shared group in the network.
Among the users of each shared group, one or more special users are called group administrators.
A group administrator has the right to divide the group into partitions and assign each partition an integrity level; to admit users into the group, remove them, and assign each user an integrity level; and to decide whether the group becomes the upper group or the lower group of another shared group. A direct upper/lower relation between two shared groups can be established only when the administrators of both groups agree to it; once established, it is abolished as soon as the administrator of either of the two groups decides to cancel it.
A user in a shared group can read all documents in every partition of the group, and can read those documents of a lower group that lie in partitions whose integrity level is higher than or equal to the lower group's open-read integrity level IBr. A user can create documents in partitions of the user's own group whose integrity level is less than or equal to the user's level, and in partitions of the group's upper group whose integrity level is less than or equal to the user's mapped integrity level. A user can modify and delete documents in partitions of the group whose integrity level is less than or equal to the user's integrity level.
A user in a shared group can adjust the integrity level of another user of the same group whose integrity level is less than or equal to the user's own, and the adjusted level must also be less than or equal to the user's own integrity level.
A shared group directly manages the users and documents within it. For users outside the group, the group determines their access rights according to the reference (credential) they hold: users of the direct upper group who hold a read reference are issued the group's read reference, and users of the direct lower group at integrity level I who hold a write reference are issued a write reference at the integrity level I' obtained by mapping I. A user of the direct upper group holding a read reference is permitted to read documents in the group's partitions whose integrity level is higher than or equal to the group's open-read integrity level IBr; a user of the direct lower group at integrity level I holding a write reference is permitted to create documents in the group's partitions whose integrity level is lower than or equal to the mapped level I'.
That the upper/lower relations between any two shared groups in the network cannot form a cycle means that neither a lower group B of shared group A nor a recursive lower group C of shared group A can at the same time be an upper group of A.
Documents themselves carry no explicit confidentiality level or integrity level.
For two shared groups that have established a direct upper/lower relation, the administrator of the lower group decides the integrity level from which the group is opened for reading by the upper group, called the open-read integrity level IBr; the administrator of the upper group decides the integrity level up to which the lower group may write, called the write integrity level IAw. The administrator of the upper group also defines an order-preserving mapping from the lower group's levels, from its minimum integrity level IBmin to its maximum IBmax, onto the upper group's levels from its minimum IAmin up to the write level IAw.
Two shared groups in the same network that have neither a direct nor a recursive upper/lower relation between them have no read or write operations with each other.
Compared with the prior art, the present invention has the following advantages:
1. It proposes building the security model from hierarchically partitioned shared groups. Confidentiality of information is handled by the layering of shared groups, which easily realizes the "write up, read down" function of the BLP model; integrity of information is handled by the partitions within a group, which easily realizes the function that only those with the right may write. Confidentiality and integrity are thus controlled at the same time, through layering and partitioning respectively.
2. Grouping divides a complex problem into several small problems, so that each problem is solved locally.
3. Authority is genuinely decentralized. Each group administrator manages their own shared group, and the whole system can be managed either centrally or in a decentralized way. Under centralized management, the system administrator's authority is limited to creating users and locking users who may threaten security; there is no superuser, and a system administrator who is not a member of a group has almost no rights within that group. Under decentralized management, one or several groups form a management system with its own system administrator, the whole system can be divided into several independent management systems, and sharing and access control between shared groups are realized through the reference mechanism.
4. The availability, confidentiality and integrity of the model are unified. Decentralized authority, layering and partitioning simplify the problem; confidentiality is enforced level by level through the shared groups; write operations are additionally subject to the partition integrity check; and negotiation of the upper/lower relation between two group administrators gives the model flexibility and availability.
5. The model reflects the relativity and the dynamics of security. The upper/lower relation between two groups expresses their relative secrecy and security, and relations can be established and removed according to actual requirements, which reflects the dynamics of security. If an upper shared group and a lower shared group have neither a direct nor a recursive upper/lower relation in the network hierarchy, no read or write operations exist between them; this reflects the relativity of security and also provides confidentiality protection.
6. A user may belong to several different shared groups. When those groups have upper/lower relations, the user is a trusted user of those groups and can write information from a higher-confidentiality shared group into a lower-confidentiality shared group, which realizes declassification of information.
Description of drawings
Fig. 1 is a concept map of hierarchically partitioned shared-group access control;
Fig. 2 is a schematic diagram of hierarchically partitioned shared-group access control;
Fig. 3 is a simplified diagram of reading information across hierarchically partitioned shared groups;
Fig. 4 is a diagram of writing information upward between hierarchically partitioned groups according to the decay principle;
Fig. 5 is a simple example of hierarchically partitioned shared groups for a school.
Embodiment
The invention is now described in further detail with reference to the accompanying drawings and an embodiment; the embodiment refers to Figs. 1 to 5.
1. The system is defined by shared groups, users, documents, and the upper/lower relation network formed between the shared groups (Fig. 1):
Systems = {Groups, Users, Documents}
2. A user is a subject that can independently access protected data or resources; it may be a person, a program or a process, and is simplified here to a person. Users denotes the set of users and U a single user:
Users = {U1, U2, ..., Un}
3. A document is protected data or a resource, simplified here to a document. Documents denotes the set of documents and D a single document:
Documents = {D1, D2, ..., Dn}
4. For security, independent shared groups are set up one by one according to the confidentiality requirements of departments and sections and the privacy requirements of individuals, and a network diagram is built from these shared groups and their upper/lower relations (Fig. 2). A shared group contains a set of users and a set of documents, and all users in the group have the same read rights within it. Groups denotes the set of shared groups and G a single shared group:
Groups = {G1, G2, ..., Gn}
G1 = {Users1, Documents1}
5. Each shared group must have a lowest-integrity partition in which the users of all its lower groups can create documents, although the users of those lower groups cannot read the documents.
This expresses the write permission of lower groups towards an upper group. A group reference certifying identity is presented at every layer of the transmission, and the decay principle is also followed during transmission through the layers.
6. Each shared group must have a highest-integrity partition that all of its upper groups can read.
This expresses the read permission of upper groups towards a lower group; here too a group reference certifying identity is presented during transmission through the layers.
7. A user can create a shared group, and the user becomes the group administrator of the newly created group:
Create(Ui, Gj) → Ui creates group Gj
Manager(Ui, Gj) → Ui is manager of Gj
This yields a new group and its administrator, and embodies the security principle that whoever creates is responsible. Among the users of each shared group, one or more special users are called group administrators.
8. The shared group administrator can add users to the group, define a new user's integrity level, and appoint additional group administrators:
Add(Ui, Gj) → Gj-manager adds Ui to Gj
Integrity(IUi, Ui) → Gj-manager gives IUi to Ui
Addmanager(Ui, Gj) → Gj-manager makes Ui a new manager of Gj
This yields the group's new users and the integrity levels assigned to them.
9. The shared group administrator decides whether the group becomes the lower group of another group, and likewise whether it becomes the upper group of another group; an upper/lower relation can be established only when the administrators of both groups agree to it. The upper/lower relations cannot form a cycle, and removing a relation requires the decision of only one of the two administrators. For two shared groups that have established a direct upper/lower relation, the administrator of the lower group decides the integrity level from which the group is opened for reading by the upper group, called the open-read integrity level IBr; the administrator of the upper group decides the integrity level up to which the lower group may write, called the write integrity level IAw; and the administrator of the upper group defines an order-preserving mapping from the lower group's levels, from its minimum IBmin to its maximum IBmax, onto the upper group's levels from its minimum IAmin up to the write level IAw.
Uppergroup(Gi, Gk) ←→ Lowergroup(Gk, Gi)
(Two formula images are not reproduced here: Figure A20091030359900091 and Figure A20091030359900092.)
This yields the relation established between the groups, and requires that the relation be irreversible.
The order-preserving mapping [IBmin, IBmax] → [IAmin, IAw] means: if IB1 and IB2 in [IBmin, IBmax] are mapped to IA1 and IA2 in [IAmin, IAw] respectively, then IB1 ≥ IB2 implies IA1 ≥ IA2.
For example, suppose the interval [IBmin, IBmax] = (1, 2, 3, 4, 5) and the interval [IAmin, IAw] = (1, 2, 3); then the figure below shows one order-preserving mapping.
(Mapping figure not reproduced here: Figure A20091030359900093.)
Because the write integrity level IAw is always less than or equal to the maximum integrity level IAmax, a lower shared group whose writes pass through several layers of recursive mappings can, roughly speaking, write only into the lowest-integrity partition of a high-level recursive upper shared group. This is the upward-write decay principle (Fig. 4).
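The mapping figure itself is not reproduced on this page, so the following is an added example (not from the patent or the assignee) that makes the order-preserving mapping and the decay principle concrete. Spreading the lower group's levels proportionally over [IAmin, IAw] is an assumption: the patent only requires that the map preserve order and never exceed IAw. The three-group chain in decay_demo, with its level ranges and IAw values, is likewise constructed.

```python
def order_preserving_map(ib_min, ib_max, ia_min, ia_w):
    """Spread the lower group's levels [IBmin, IBmax] proportionally over the upper group's
    writable levels [IAmin, IAw]. Proportional spreading is a constructed choice; the patent only
    requires that the map keep order and never exceed IAw."""
    n_lower, n_upper = ib_max - ib_min + 1, ia_w - ia_min + 1
    return {ib: ia_min + (ib - ib_min) * n_upper // n_lower for ib in range(ib_min, ib_max + 1)}


def is_order_preserving(mapping):
    """IB1 >= IB2 must imply IA1 >= IA2 for every pair of levels in the domain."""
    lv = sorted(mapping)
    return all(mapping[a] <= mapping[b] for a, b in zip(lv, lv[1:]))


def write_level_after_hops(level, maps):
    """Apply each hop's map in order, lowest group first: the partition level at which a document
    created by a user of integrity `level` lands after recursing up the chain of upper groups."""
    for m in maps:
        level = m[level]
    return level


def decay_demo():
    """Constructed three-group chain C -> B -> A. B has levels 1..5 but lets C write only up to
    IAw=3; A has levels 1..4 but lets B write only up to IAw=2. Returns the level of C's top user
    at each hop, which falls towards A's lowest partition: the upward-write decay principle."""
    c_to_b = order_preserving_map(1, 5, 1, 3)   # C's [1,5] -> B's [1, IAw=3]; IAmax of B is 5
    b_to_a = order_preserving_map(1, 5, 1, 2)   # B's [1,5] -> A's [1, IAw=2]; IAmax of A is 4
    assert is_order_preserving(c_to_b) and is_order_preserving(b_to_a)
    top = 5
    return [top, write_level_after_hops(top, [c_to_b]), write_level_after_hops(top, [c_to_b, b_to_a])]


if __name__ == "__main__":
    print(order_preserving_map(1, 5, 1, 3))   # {1: 1, 2: 1, 3: 2, 4: 2, 5: 3}
    print(decay_demo())                       # [5, 3, 1]
```

With the page's own example ranges, [1..5] onto [1..3], the proportional map sends levels 1 and 2 to 1, 3 and 4 to 2, and 5 to 3. Composing two such maps shows why the patent says a lower group ends up writing "roughly" into the lowest partition of a distant upper group: each hop caps the reachable level at that hop's IAw, and the caps compound.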
10. A user can read any document of the user's own shared group and some documents of its lower groups; reading a lower group's documents must also respect the integrity level that the lower group opens for reading by the upper group, for example a rule set by the lower group's administrator that only documents at or above a certain integrity level may be read by the upper group:
Read(Ui, Dj) if Dj is in the group containing Ui; or the group containing Ui is an upper group of the group containing Dj and the reading accords with the rule of the lower group.
This yields the user's read rights over documents and also expresses the read-permission relation between layers (Fig. 3).
11. A user creates documents; the integrity level of a document is determined by the partition it is stored in, and that partition's integrity level must be less than or equal to the user's integrity level. When a document created by a user is written into the upper group, the integrity level it receives there is determined by the integrity level the upper group's administrator assigns to the writing user's group and by the integrity level mapping of the upper group, and the document is stored in the corresponding partition:
Create(Ui, Dj) → Ui creates Dj; Ui gives IUi to Dj (IUi ≥ IDj)
12. A user can move a document that lies in a partition of the user's own group with integrity level less than or equal to the user's level into another partition whose integrity level is also less than or equal to the user's level:
Change(Uk, Dj, I'Dj) iff IUk ≥ IDj and IUk ≥ I'Dj
13. A user can edit only those documents of the user's own group whose integrity level is less than or equal to the user's level:
Write(Ui, Dj) iff IUi ≥ IDj
14. A user can modify the integrity level of other users of the group whose integrity level is less than or equal to the user's own, and the modified level must still be less than or equal to the user's own level:
Change(Uk, Uj, I'Uj) iff IUk ≥ IUj and IUk ≥ I'Uj
15. Operations that cross layers of the hierarchy, including read and write operations, require the layer-relation references of the intermediate layers.
Users of the direct upper group who hold a read reference are issued the group's read reference, and users of the direct lower group at integrity level I who hold a write reference are issued a write reference at the integrity level I' obtained by mapping I. A user of the direct upper group holding a read reference is permitted to read documents in the group's partitions whose integrity level is higher than or equal to the group's open-read integrity level IBr; a user of the direct lower group at integrity level I holding a write reference is permitted to create documents in the group's partitions whose integrity level is lower than or equal to the mapped level I'.
Following the control rules above, the hierarchical shared-group network shown in Fig. 5 can be built. Because of the administrative superior/subordinate relationship, the documents of a teaching-and-research office's shared group are opened for reading to the institute leaders, and recursively to the school leaders. Correspondingly, the school leaders' shared group permits the institute leaders' shared group to create documents of lower integrity level, but the institute leaders cannot read or modify those documents; a teaching-and-research office's shared group, through the recursive upper/lower relation, can also create documents in the school leaders' shared group, but at a lower integrity level still. Note that the leaders of institute A are divided into three shared groups with upper/lower relations, and the institute A leaders are users of all three. The institute A leaders (secret) shared group has no upper group, so its documents can be read only by users within the group; not even the users of the school leaders' shared group can read them. The documents of the institute A leaders (internal) shared group can be read only by the school leaders, while the documents of the institute A leaders (public) shared group can be read by many teaching-and-research office shared groups. Fig. 5 also shows the discipline inspection commission secretary's shared group and the discipline inspection shared-group network, which are separate from the rest; but the discipline inspection commission secretary is also a user of the school leaders' shared group, which gives the two separate hierarchical networks an indirect relation.
Two shared groups in the same network that have neither a direct nor a recursive upper/lower relation between them have no read or write operations with each other; for example, there are no read or write operations at all between the institute A leaders (internal) shared group and the teaching-and-research office 3 shared group in Fig. 5.
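The rules of items 7 to 15 above, and the same rules as stated in the summary (group administrators negotiating an acyclic upper/lower relation, the open-read level IBr, the mapped write level, references for cross-layer operations), can be exercised as a small executable model. The following is an added example written for this page; it is not the patent's or the assignee's code. The Network class, the group and user names, the partition levels, the IBr values and the mappings are assumptions that loosely follow the Fig. 5 school example, and the treatment of recursive reads (a document must clear the IBr of every relation on the path, which is how the intermediate-layer references are modelled here) is an assumption where the patent only says such references are required.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    partitions: dict                            # partition name -> integrity level (set by group admin)
    users: dict = field(default_factory=dict)   # user name -> integrity level
    admins: set = field(default_factory=set)


@dataclass
class Relation:                                 # one direct upper/lower relation
    upper: str
    lower: str
    ibr: int        # open-read level: the upper group reads lower-group partitions at or above it
    mapping: dict   # order-preserving map, lower-group level -> upper-group level in [IAmin, IAw]


class Network:
    def __init__(self):
        self.groups, self.relations = {}, {}    # relations keyed by (upper, lower)

    def add_group(self, name, admin, admin_level, partitions):
        self.groups[name] = Group(name, dict(partitions), {admin: admin_level}, {admin})

    def lowers_of(self, name):                  # all direct and recursive lower groups
        seen, stack = set(), [name]
        while stack:
            cur = stack.pop()
            for (u, l) in self.relations:
                if u == cur and l not in seen:
                    seen.add(l); stack.append(l)
        return seen

    def establish(self, upper, lower, upper_admin, lower_admin, ibr, mapping):
        # both administrators must agree, the hierarchy must stay acyclic, the map must keep order
        if upper_admin not in self.groups[upper].admins or lower_admin not in self.groups[lower].admins:
            raise PermissionError("both group administrators must agree")
        if upper == lower or upper in self.lowers_of(lower):
            raise ValueError("relation would make the hierarchy cyclic")
        lv = sorted(mapping)
        if any(mapping[a] > mapping[b] for a, b in zip(lv, lv[1:])):
            raise ValueError("mapping must preserve order")
        self.relations[(upper, lower)] = Relation(upper, lower, ibr, dict(mapping))

    def revoke(self, upper, lower, admin):      # either group's administrator may cancel alone
        if admin not in self.groups[upper].admins | self.groups[lower].admins:
            raise PermissionError("only an administrator of either group may revoke")
        del self.relations[(upper, lower)]

    def chain(self, top, bottom):               # relations from top down to bottom, or None
        if top == bottom:
            return []
        for (u, l), rel in self.relations.items():
            if u == top:
                rest = self.chain(l, bottom)
                if rest is not None:
                    return [rel] + rest
        return None

    def can_read(self, group, user, doc_group, partition):
        if user not in self.groups[group].users:
            return False
        if group == doc_group:
            return True                         # every partition of the user's own group
        path = self.chain(group, doc_group)
        level = self.groups[doc_group].partitions[partition]
        # Assumption: a recursive read must clear the open-read level IBr of every relation on the path.
        return path is not None and all(level >= r.ibr for r in path)

    def can_create(self, group, user, target_group, partition):
        ulevel = self.groups[group].users[user]
        plevel = self.groups[target_group].partitions[partition]
        if group == target_group:
            return plevel <= ulevel             # the same comparison governs modify/delete in the own group
        path = self.chain(target_group, group)  # the target must be a (recursive) upper group
        if path is None:
            return False
        for rel in reversed(path):              # map the level upward hop by hop: the decay principle
            ulevel = rel.mapping[ulevel]
        return plevel <= ulevel


def raises(fn, exc):                            # helper: does calling fn raise exc?
    try: fn()
    except exc: return True
    return False


def build_school():
    """Constructed topology loosely following Fig. 5; all names, levels, IBr values and maps are assumptions."""
    net, five = Network(), {"p1": 1, "p2": 2, "p3": 3, "p4": 4, "p5": 5}
    net.add_group("school_leader", "principal", 3, {"low": 1, "mid": 2, "high": 3})
    net.add_group("instA_internal", "dean", 3, {"low": 1, "mid": 2, "high": 3})
    net.add_group("instA_secret", "dean", 3, {"low": 1, "high": 3})    # no upper group at all
    net.add_group("instA_public", "dean", 3, {"low": 1, "high": 3})
    net.add_group("teaching_room_1", "prof1", 5, five)
    net.add_group("teaching_room_3", "prof3", 5, five)                  # related to nobody
    net.establish("school_leader", "instA_internal", "principal", "dean", ibr=2, mapping={1: 1, 2: 1, 3: 2})
    net.establish("instA_internal", "teaching_room_1", "dean", "prof1", ibr=3, mapping={1: 1, 2: 1, 3: 2, 4: 2, 5: 3})
    net.establish("teaching_room_1", "instA_public", "prof1", "dean", ibr=1, mapping={1: 1, 3: 2})
    return net
```

The cycle test in establish is what enforces claim 2: a group may not become the upper group of any group that is already its direct or recursive upper group. The dean, a member of all three institute A groups, is the "trusted user" of advantage 6: the model lets the dean read the secret group's documents and create documents in the public group, and nothing in the rules stops that declassification, so it is a point of trust rather than of enforcement.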
The embodiment described above is only one embodiment of the invention, and the invention is not limited to it; for those skilled in the art, any obvious change made without departing from the principle of the invention falls within the design of the invention and the protection scope of the claims.

Claims (8)

1. the method for level subregion shared group access control comprises the network that one or more a plurality of shared group with levels relation constitute, and it is characterized in that: the levels relation in the network between any two shared group can not circulate; Comprise one or more user and one or more subregions in each shared group, user and subregion all are endowed an integrity grade, and document storage is in subregion; Integrity grade is the numeral with order, can compare height; Document itself does not have clear and definite privacy levels and integrity grade, and document is determined its integrity grade according to residing subregion, determines privacy levels according to the level of residing shared group in network.
2. the method for level subregion shared group according to claim 1 access control is characterized in that: the implication that the levels relation in the network between any two shared group can not circulate is that the group B of lower floor of shared group A and the C of the recurrence lower floor group of shared group A can not be again the upper layer group of shared group A simultaneously all.
3. the method for level subregion shared group according to claim 1 access control is characterized in that: one or more special user is arranged in the user of each shared group, be called the Group administrators.
4. the method for level subregion shared group according to claim 3 access control is characterized in that: Group administrators's subregion in the division group of having the right, and give the subregion integrity grade; The Group administrators has the right to receive and discharge from certain user for the user of this group and give this user an integrity grade; The Group administrators has the right to determine originally to consist of upper layer group or lower floor's group of another shared group, and when the Group administrators of different sharing group agreed that setting up levels concerns, the direct levels relation between these two shared group could be set up; When the Group administrators of any one group in two shared group having set up direct levels relation determines to cancel levels and concern, the just abolishment of levels relation.
5. the method for level subregion shared group according to claim 4 access control, it is characterized in that: in two shared group having set up direct levels relation, the Group administrators of lower floor's group determines the integrity grade that opening is read to upper layer group, be called and run through whole Grade I Br, the Group administrators of upper layer group determines the integrity grade that lower floor's group is write, and is called to write complete rank IAw; The Group administrators of upper layer group determine lower floor's group from minimum integrity grade IBmin to high integrality Grade I Bmax to upper layer group from minimum integrity grade IAmin to the constant mapping of maintenance order of writing complete rank IAw.
6. the method for level subregion shared group according to claim 1 access control, it is characterized in that: the user in the shared group can the reader group in all documents in each subregion, the integrity grade of lower floor's group that can the reader group is higher than and equals to run through document in whole other subregion of level; This group user can create document in the integrity grade of this group is less than or equal to the subregion of this user class; Be less than or equal in this user's the subregion of mapping integrity grade with integrity grade in the upper layer group of this group and create document; The user can revise and delete the document in the subregion that integrity grade is less than or equal to this user's integrity grade in the shared group.
7. the method for level subregion shared group according to claim 1 access control, it is characterized in that: the user in the shared group can adjust the integrity grade that the interior integrity grade of this group is less than or equal to another user of this user's integrity grade, and adjusted another user's integrity grade will be less than or equal to this user's integrity grade.
8. The access control method for leveled-partition shared groups according to claim 1, characterized in that: a shared group directly manages the users and documents within the group; for a user outside the group, the shared group determines the user's access rights according to the credential the user holds: a user holding a read credential of the direct upper-layer group is issued a read credential of this group, and a user holding a write credential of the direct lower-layer group at some integrity level is issued a write credential at the integrity level obtained by mapping that level; a user holding a read credential of the direct upper-layer group is permitted to read documents in those partitions of this group whose integrity level is higher than or equal to this group's read-through integrity level; a user holding a write credential of the direct lower-layer group at some integrity level is permitted to create documents in those partitions whose integrity level is lower than or equal to the mapped integrity level.
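As an added example (not code from the patent), the rules of claims 5 to 8 for one upper-layer group A and one lower-layer group B, modelled in Python; the groups, partitions, users and levels are constructed sample data, and because the claims fix no concrete order-preserving mapping, floor-linear interpolation is assumed for it.

```python
from dataclasses import dataclass

@dataclass
class Group:
    partitions: dict  # partition name -> integrity level (comparable integers)
    users: dict       # user name -> integrity level

@dataclass
class Relation:  # direct hierarchy: upper-layer group over lower-layer group
    upper: Group
    lower: Group
    ibr: int  # read-through level IBr, chosen by the lower group's administrator
    iaw: int  # write level IAw, chosen by the upper group's administrator

    def map_level(self, lower_level):
        # Claim 5 order-preserving map [IBmin, IBmax] -> [IAmin, IAw]; the claim fixes
        # no concrete map, so floor-linear interpolation is assumed here.
        ib_min, ib_max = min(self.lower.partitions.values()), max(self.lower.partitions.values())
        ia_min = min(self.upper.partitions.values())
        if ib_max == ib_min:
            return ia_min
        return ia_min + (lower_level - ib_min) * (self.iaw - ia_min) // (ib_max - ib_min)

def can_read(user, home, target, partition, rel=None):
    if target is home:  # claim 6: a user reads every partition of the own group
        return True
    if rel and rel.upper is home and rel.lower is target:  # claims 6 and 8
        return target.partitions[partition] >= rel.ibr
    return False

def can_create(user, home, target, partition, rel=None):
    level = home.users[user]
    if target is home:  # claim 6: partition level <= user level
        return target.partitions[partition] <= level
    if rel and rel.lower is home and rel.upper is target:  # claims 6 and 8
        return target.partitions[partition] <= rel.map_level(level)
    return False

def can_modify(user, home, target, partition):  # claim 6: own group only
    return target is home and target.partitions[partition] <= home.users[user]

def adjust_level(actor, other, group, new_level):
    cap = group.users[actor]  # claim 7: other's old and new level <= actor's
    if group.users[other] > cap or new_level > cap:
        return False
    group.users[other] = new_level
    return True
# Constructed sample: A is the upper-layer group, B the lower-layer group.
A = Group({"a1": 1, "a2": 2, "a3": 3, "a4": 4}, {"alice": 3, "carol": 1})
B = Group({"b1": 1, "b2": 2, "b3": 3}, {"bob": 2})
REL = Relation(upper=A, lower=B, ibr=2, iaw=3)
```

With IBr = 2, alice in A may read b2 and b3 of B but not b1, and bob (level 2 in B) maps to level 2 in A, so he may create documents in a1 and a2 of A but not in a3.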
CN2009103035995A 2009-06-24 2009-06-24 Method for controlling access to shared component of leveled partition Expired - Fee Related CN101577622B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009103035995A CN101577622B (en) 2009-06-24 2009-06-24 Method for controlling access to shared component of leveled partition

Publications (2)

Publication Number Publication Date
CN101577622A true CN101577622A (en) 2009-11-11
CN101577622B CN101577622B (en) 2012-07-04

Family

ID=41272420

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484617A (en) * 2014-12-05 2015-04-01 中国航空工业集团公司第六三一研究所 Database access control method on basis of multi-strategy integration
WO2017174030A1 (en) * 2016-04-08 2017-10-12 中兴通讯股份有限公司 Data access control method and device
CN107277023A (en) * 2017-06-28 2017-10-20 中国科学院信息工程研究所 A kind of thin terminal access control method of movement based on Web, system and thin terminal

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1773413B (en) * 2004-11-10 2010-04-14 中国人民解放军国防科学技术大学 Character constant weight method
CN101039322A (en) * 2007-04-20 2007-09-19 华中师范大学 Dynamic access control method of pervasive computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120704

Termination date: 20150624

EXPY Termination of patent right or utility model