Summary of the invention
The embodiments of the present invention provide an access control method and device for network security groups, intended to solve the problem of inefficient access control of network security groups.
In a first aspect, an access control method for network security groups is provided, the method comprising:
displaying all network security groups in the system in the same human-computer interaction interface;
detecting a mouse drag operation by the user in the human-computer interaction interface;
establishing an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position.
In a first possible implementation of the first aspect, establishing the access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position specifically comprises:
following the mouse drag operation, generating a graphic that is connected between the network security groups and marks the access, accessed or mutual-access relation between them.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the graphic that is connected between network security groups and marks the access, accessed or mutual-access relation between them comprises a connecting line with an arrow. Connecting lines with arrows comprise single-arrow connecting lines and double-arrow connecting lines: a single-arrow connecting line represents an access or accessed relation between network security groups, and a double-arrow connecting line represents a mutual-access relation between network security groups.
In a third possible implementation of the first aspect, establishing the access relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position specifically comprises:
determining the network segment of the network security group corresponding to the start position of the mouse drag operation;
adding, in each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule allowing the network segment of the network security group corresponding to the start position of the mouse drag operation to access that virtual machine.
In a fourth possible implementation of the first aspect, the method further comprises:
displaying the access control relations between the network security groups in the system in the form of a topology diagram.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, displaying the access control relations between the network security groups in the system in the form of a topology diagram specifically comprises:
in the topology diagram, showing the access control relations between network security groups by means of the unique identifiers of the network security groups and the graphics that are connected between network security groups and mark the access, accessed or mutual-access relation between them, and gathering multiple network security groups that have crossing access control relations into a cluster.
In a sixth possible implementation of the first aspect, before detecting the mouse drag operation by the user in the human-computer interaction interface, the method further comprises:
creating or selecting a network security group;
filtering to obtain the other network security groups that need to establish an access control relation with the created or selected network security group.
In a seventh possible implementation of the first aspect, the method further comprises:
receiving a delete instruction for an access control relation input by the user through the human-computer interaction interface and, according to the delete instruction, deleting the access control relation between the network security groups that the delete instruction specifies;
wherein the user inputs the delete instruction through the human-computer interaction interface as follows: the user selects, in the topology diagram, the graphic marking the access, accessed or mutual-access relation between network security groups and right-clicks on it to input the delete instruction for the access control relation; the network security groups specified by the delete instruction are the network security groups connected by that graphic.
In an eighth possible implementation of the first aspect, the method further comprises:
receiving an IP authorized-access add instruction input by the user for the selected network security group, the instruction comprising an IP range, a start port and an end port;
adding, for each virtual machine in the selected network security group, a rule allowing the network segment within the IP range and within the start port and end port to access that virtual machine.
In a second aspect, an access control device for network security groups is provided, the device comprising:
a security group display unit, configured to display all network security groups in the system in the same human-computer interaction interface;
an operation detection unit, configured to detect a mouse drag operation by the user in the human-computer interaction interface;
an access control unit, configured to establish an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position.
In a first possible implementation of the second aspect, the access control unit is specifically configured to follow the mouse drag operation and generate a graphic that is connected between the network security groups and marks the access, accessed or mutual-access relation between them.
In a second possible implementation of the second aspect, the access control unit comprises:
a network segment acquisition module, configured to determine the network segment of the network security group corresponding to the start position of the mouse drag operation;
a rule adding module, configured to add, in each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule allowing the network segment of the network security group corresponding to the start position of the mouse drag operation to access that virtual machine.
In a third possible implementation of the second aspect, the device further comprises:
a topology display unit, configured to display the access control relations between the network security groups in the system in the form of a topology diagram.
In a fourth possible implementation of the second aspect, the topology display unit is specifically configured to show, in the topology diagram, the access control relations between network security groups by means of the unique identifiers of the network security groups and the graphics that are connected between network security groups and mark the access, accessed or mutual-access relation between them, and to gather multiple network security groups that have crossing access control relations into a cluster.
In a fifth possible implementation of the second aspect, the device further comprises:
a security group creating unit, configured to receive a security group create instruction and create a new network security group according to that instruction;
a security group filter unit, configured to filter to obtain the other network security groups that need to establish an access control relation with the created or selected network security group.
In a sixth possible implementation of the second aspect, the device further comprises:
a security group creating unit, configured to receive a security group create instruction and create a new network security group according to that instruction;
a security group filter unit, configured to filter to obtain the other network security groups that need to establish an access control relation with the created or selected network security group.
In a seventh possible implementation of the second aspect, the device further comprises:
an IP authorization unit, configured to receive an IP authorized-access add instruction input by the user for the selected network security group, the instruction comprising an IP range, a start port and an end port, and to add, for each virtual machine in the selected network security group, a rule allowing the network segment within the IP range and within the start port and end port to access that virtual machine.
In the embodiments of the present invention, all network security groups in the system are output in the same human-computer interaction interface, the user's mouse drag operation in that interface is detected, an access relation is established from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position, and IP authorized access is added for the access relations established between network security groups. The user can thus work from the overall picture and establish the access control relations between network security groups quickly, accurately and efficiently, which improves the access control efficiency between network security groups.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and are not intended to limit it.
In the embodiments of the present invention, all network security groups in the system are output in the same human-computer interaction interface, the user's mouse drag operation in that interface is detected, and an access relation is established from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position. The user can thus work from the overall picture and establish the access control relations between network security groups quickly, accurately and efficiently, which improves the access control efficiency between network security groups.
The technical solutions of the present invention are illustrated below by specific embodiments.
Fig. 2 shows the implementation flow of the access control method for network security groups provided by an embodiment of the present invention, detailed as follows:
S201: display all network security groups in the system in the same human-computer interaction interface.
In this embodiment, all network security groups in the system are displayed in the same human-computer interaction interface, so that the user can view every security group in the system from a global perspective.
When all network security groups are displayed, information that uniquely identifies each network security group, such as its name, unique identifier or icon, may be shown.
S202: detect a mouse drag operation by the user in the human-computer interaction interface, and establish an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position.
In this embodiment, after all network security groups in the system are displayed in the same human-computer interaction interface, a user who needs to establish access control relations between network security groups can do so by dragging with the mouse. The detailed process is as follows:
The user clicks a network security group SG1 in the human-computer interaction interface with the mouse, drags the mouse to another network security group SG2 with which an access control relation is to be established, and releases the mouse on reaching SG2. At that point a mouse drag operation from network security group SG1 to network security group SG2 is detected in the interface; the network security group corresponding to the start position of the drag is determined to be SG1, and the network security group corresponding to the end position is determined to be SG2.
Once the network security groups corresponding to the start position and the end position of the user's mouse drag operation have been determined, an access control relation can be established from the network security group corresponding to the start position to the network security group corresponding to the end position; that is, the network security group corresponding to the start position of the drag is allowed to access the network security group corresponding to the end position.
So that the user can see the established access control relation intuitively, a graphic that is connected between the network security groups and marks the access, accessed or mutual-access relation between them can be generated following the mouse drag operation.
The graphic that is connected between network security groups and marks the access, accessed or mutual-access relation between them includes, but is not limited to, a connecting line with an arrow. Connecting lines with arrows comprise single-arrow connecting lines and double-arrow connecting lines. A single-arrow connecting line represents an access or accessed relation between network security groups. A double-arrow connecting line represents a mutual-access relation between network security groups.
For example, a line with an arrow is generated connecting the network security group corresponding to the start position of the mouse drag operation and the network security group corresponding to the end position, with the arrow pointing to the network security group corresponding to the end position. This indicates that the access relation the user has established is that the network security group corresponding to the start position can access the network security group corresponding to the end position.
Refer to Fig. 3, a schematic diagram, provided by an embodiment of the present invention, of the access control relations between network security groups that are generated following the mouse drag operation to indicate what the user has established; the invention is not limited to this schematic diagram. In Fig. 3, by clicking network security group SG6, dragging the mouse to network security group SG3 and releasing it, the user establishes the access relation in which network security group SG6 accesses network security group SG3. By first clicking network security group SG3, dragging the mouse to network security group SG4 and releasing it, and then clicking network security group SG4, dragging the mouse to network security group SG3 and releasing it, the user establishes a mutual-access relation between network security group SG3 and network security group SG4.
The detailed process of establishing the access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position is as follows:
A1: determine the network segment of the network security group corresponding to the start position of the mouse drag operation;
A2: add, in each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule allowing the network segment of the network security group corresponding to the start position of the mouse drag operation to access that virtual machine.
In this embodiment, outputting all network security groups in the system in the same human-computer interaction interface and detecting the user's mouse drag operation in that interface lets the user work from the overall picture. Even when there is a large number of network security groups, the access control relations between them, including access, accessed and/or mutual-access relations, can be established quickly, accurately and efficiently, which improves the access control efficiency between network security groups.
In another embodiment of the present invention, the method further comprises the following step:
adding IP authorized access for a network security group.
The detailed process of adding IP authorized access for a network security group is as follows:
B1: select the network security group to which IP authorized access is to be added.
B2: receive the IP authorized-access add instruction input by the user for the selected network security group. The instruction comprises an IP range and also a transport layer protocol, a start port, an end port and so on. The IP range is the range of IP addresses that are allowed access. The start port and end port define the range of ports allowed access within the permitted IP address range. The user may input the IP authorized-access add instruction in any manner provided by the prior art.
B3: add, in each virtual machine in the network security group selected by the user, a rule allowing the network segment within the IP range and within the start port and end port to access that virtual machine.
Refer to Fig. 4, a schematic diagram, provided by an embodiment of the present invention, of adding IP authorized access for a network security group; the invention is not limited to this schematic diagram.
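Steps B1 to B3 as an added Python sketch, not code from the patent. It assumes the IP range is entered in CIDR form and the transport layer protocol is TCP or UDP; the function names and the review flags for very broad grants are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpAuthRule:
    network: object      # ipaddress network parsed from the IP range
    protocol: str        # "tcp" or "udp" (assumption: the page only says "transport layer protocol")
    start_port: int
    end_port: int


def parse_ip_authorization(ip_range, protocol, start_port, end_port):
    """B2: validate the add instruction before any rule is written."""
    # strict=True rejects input such as 10.0.0.5/24, where host bits are set
    # and the operator probably meant a single host or a different prefix.
    network = ipaddress.ip_network(ip_range, strict=True)
    protocol = protocol.lower()
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"unsupported transport protocol: {protocol}")
    if not 1 <= start_port <= end_port <= 65535:
        raise ValueError("ports must satisfy 1 <= start <= end <= 65535")
    return IpAuthRule(network, protocol, start_port, end_port)


def add_ip_authorization(group_vms, rule):
    """B3: add the same rule to every virtual machine of the selected group.

    group_vms maps a VM name to that VM's set of rules (constructed model).
    """
    for rules in group_vms.values():
        rules.add(rule)


def is_allowed(vm_rules, src_ip, protocol, port):
    """Evaluate one connection attempt against a VM's rules."""
    addr = ipaddress.ip_address(src_ip)
    return any(
        addr in r.network
        and protocol.lower() == r.protocol
        and r.start_port <= port <= r.end_port
        for r in vm_rules
    )


def review_flags(rule):
    """Flag grants that deserve a second look before they are applied."""
    flags = []
    if rule.network.prefixlen == 0:
        flags.append("any-source")
    if rule.start_port == 1 and rule.end_port == 65535:
        flags.append("all-ports")
    return flags


if __name__ == "__main__":
    # Constructed input: documentation address range and two VMs.
    vms = {"vm1": set(), "vm2": set()}
    add_ip_authorization(vms, parse_ip_authorization("192.0.2.0/24", "TCP", 8000, 8080))
    print(is_allowed(vms["vm1"], "192.0.2.17", "tcp", 8080))
    print(review_flags(parse_ip_authorization("0.0.0.0/0", "tcp", 1, 65535)))
```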
Fig. 5 shows the implementation flow of the access control method for network security groups provided by another embodiment of the present invention. S501 to S502 are identical to S201 to S202 shown in Fig. 2 and are not repeated here. This embodiment further comprises the following step, detailed as follows:
S503: display the access control relations between the network security groups in the system in the form of a topology diagram.
The detailed process of displaying the access control relations between the network security groups in the system in the form of a topology diagram is as follows:
In the topology diagram, the access control relations between network security groups are shown by means of the unique identifiers of the network security groups and the graphics that are connected between network security groups and mark the access, accessed or mutual-access relation between them, and multiple network security groups that have crossing access control relations are gathered into a cluster.
The unique identifier of a network security group uniquely identifies that network security group. It includes, but is not limited to, the name, icon or mark of the network security group, and may also be any combination of the name, icon and mark.
The mark for the access, accessed or mutual-access relation between network security groups may include, but is not limited to, a connecting line with an arrow. Connecting lines with arrows comprise single-arrow connecting lines and double-arrow connecting lines. A single-arrow connecting line represents an access or accessed relation between network security groups, and the network security group the arrow points to is the accessed network security group. A double-arrow connecting line represents a mutual-access relation between network security groups.
Refer to Fig. 6, a schematic diagram, provided by an embodiment of the present invention, of displaying the access control relations between the network security groups in the system in the form of a topology diagram; the invention is not limited to this schematic diagram. Through Fig. 6 the user can see the access control relations between the network security groups in the system intuitively, and because multiple network security groups that have crossing access control relations are gathered into a cluster, the user can see the access control relations among multiple network security groups even more intuitively.
In this embodiment, the access control relations between the network security groups in the system are displayed in the form of a topology diagram, and multiple network security groups that have crossing access control relations are gathered into a cluster, so that the user can see the access control relations between the network security groups in the system intuitively and from a global perspective.
In another embodiment of the present invention, to make it more convenient for the user to view the access control relations between network security groups, the method further comprises the following step:
A switching command is received through a switch provided in the human-computer interaction interface and, according to the switching command, either the access control relations between all network security groups or the access control relations of a chosen network security group are displayed. For ease of understanding, an illustration follows:
When the switching command indicates that the access control relations between all network security groups are to be displayed, the access control relations between all network security groups existing in the system are output in the human-computer interaction interface in the form of a topology diagram, so that the user can view the access control relations between network security groups across the whole system from a global perspective;
When the switching command indicates that the access control relations of a chosen network security group are to be displayed, the access control relations of the chosen network security group existing in the system (including that group's access, accessed and mutual-access control relations) are output in the human-computer interaction interface in the form of a topology diagram, so that the user can view separately the access control relations of the network security group of interest.
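An added Python sketch, not code from the patent, of the two views described above: the clustered topology and the view for a chosen group. It assumes a "cluster" is a set of groups linked directly or indirectly by access relations; the function names and the sample relations are constructed for illustration.

```python
# Constructed sample: (start, end) means "start may access end".
SAMPLE_GROUPS = ["SG1", "SG2", "SG3", "SG5", "SG6", "SG7"]
SAMPLE_RELATIONS = [("SG1", "SG2"), ("SG2", "SG3"), ("SG3", "SG2"), ("SG5", "SG6")]


def clusters(group_names, relations):
    """Gather groups that share access relations into clusters (union-find).

    Direction is ignored for clustering; a group with no relation forms a
    cluster of its own, so it stays visible in the diagram.
    """
    parent = {name: name for name in group_names}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path halving
            name = parent[name]
        return name

    for start, end in relations:
        parent[find(start)] = find(end)

    grouped = {}
    for name in group_names:
        grouped.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in grouped.values())


def visible_relations(relations, selected=None):
    """The switch: None shows every relation, a group name only its own."""
    if selected is None:
        return sorted(set(relations))
    return sorted({r for r in relations if selected in r})


def selected_view(relations, selected):
    """Split a chosen group's relations into access, accessed and mutual access."""
    rel = set(relations)
    view = {"accesses": [], "accessed_by": [], "mutual": []}
    peers = {b for a, b in rel if a == selected} | {a for a, b in rel if b == selected}
    for peer in sorted(peers):
        outbound = (selected, peer) in rel
        inbound = (peer, selected) in rel
        if outbound and inbound:
            view["mutual"].append(peer)
        elif outbound:
            view["accesses"].append(peer)
        else:
            view["accessed_by"].append(peer)
    return view


if __name__ == "__main__":
    print(clusters(SAMPLE_GROUPS, SAMPLE_RELATIONS))
    print(selected_view(SAMPLE_RELATIONS, "SG2"))
```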
In another embodiment of the present invention, to make it easier for the user to view more detailed information about network security groups, the method further comprises the following step:
A security group details display instruction is received through a security group list window provided in the human-computer interaction interface and, according to this instruction, the details of all network security groups existing in the system are displayed in the security group list window. The details of a network security group include, but are not limited to, the identifier of the network security group, the owning user of the network security group and so on. Refer to Fig. 7, an example diagram, provided by an embodiment of the present invention, of displaying the details of all network security groups in the security group list window; the invention is not limited to this example diagram.
In another embodiment of the present invention, before detecting the mouse drag operation by the user in the human-computer interaction interface, the method further comprises the following steps:
C1: create or select a network security group.
The detailed process of creating a network security group may be as follows: the user sends a create instruction by right-clicking in the human-computer interaction interface used to output network security groups; after the create instruction is received, a network security group creation window is output; the configuration information of the network security group to be created, as input by the user, is received through this creation window, and a new network security group is created according to that configuration information.
A network security group may be selected by left-clicking a network security group that has been output.
C2: filter to obtain the other network security groups that need to establish an access control relation with the created or selected network security group.
The filter condition includes, but is not limited to, the owning user of the network security group, or another filter condition defined by the user in advance, such as:
The detailed process of filtering to obtain the other network security groups that need to establish an access control relation with the created or selected network security group is as follows:
When the filter condition is the owning user of the network security group, the owning user of the created or selected network security group is obtained, and the other network security groups whose owning user is the owning user of the created or selected network security group are obtained by filtering.
In another embodiment of the present invention, the network security groups may also be displayed sorted by owning user, so that the user can select network security groups more easily.
In this embodiment, a new network security group can be created at any time as required. When an access control relation needs to be established between the created network security group the user has selected and other security groups, the user can first define a filter condition so as to avoid selecting from a large number of network security groups, and the network security groups that need to establish an access control relation with the network security group the user selected are then obtained by filtering according to that condition. This reduces the operating complexity for the user when creating access control relations between network security groups, and reduces the time spent creating them.
In another embodiment of the present invention, the method further comprises the following step:
A delete instruction for an access control relation, input by the user through the human-computer interaction interface, is received and, according to the delete instruction, the access control relation between the network security groups that the delete instruction specifies is deleted.
The user inputs the delete instruction for an access control relation through the human-computer interaction interface as follows:
The user selects, in the topology diagram, the graphic marking the access, accessed or mutual-access relation between network security groups and right-clicks on it to input the delete instruction for the access control relation; the network security groups specified by the delete instruction are the network security groups connected by that graphic. When the graphic marking the access, accessed or mutual-access relation between network security groups is a line with an arrow, the user right-clicks on the line with the arrow to input the delete instruction, and the access control relation between the network security groups connected by that line can be deleted.
It will be appreciated that the way the user inputs the delete instruction for an access control relation is not limited to the illustration above and may take many other forms. For example, a delete button may be provided in the human-computer interaction interface; after selecting the graphic marking the access, accessed or mutual-access relation between network security groups, the user clicks the delete button to input the delete instruction for the access control relation.
The detailed process of deleting, according to the delete instruction, the access control relation between the network security groups that the delete instruction specifies is illustrated as follows:
Suppose the access control relation to be deleted is the one in which network security group SG1 can access network security group SG2. The user selects, in the topology diagram, the arrow pointing from SG1 to SG2 in order to input the delete instruction for the access control relation. After the delete instruction input by the user is detected, the rule allowing the network segment of network security group SG1 to access the virtual machine is deleted from each virtual machine in network security group SG2, and at the same time the arrow pointing from SG1 to SG2 is deleted from the topology diagram.
In this embodiment, by inputting the delete instruction through selecting, in the topology diagram, the graphic marking the access, accessed or mutual-access relation between network security groups, an established access control relation between network security groups can be deleted quickly, accurately and efficiently, and the existing access control relations between network security groups can be adjusted conveniently, which greatly improves working efficiency.
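Establishment steps A1 and A2 and the deletion just described, as an added Python sketch that is not code from the patent, replaying the Fig. 3 drags. The class and function names, the 10.0.N.0/24 segments and the missing_rules audit are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    allowed_segments: set = field(default_factory=set)  # per-VM allow rules


@dataclass
class SecurityGroup:
    name: str
    segment: object                      # the group's network segment
    vms: list = field(default_factory=list)


class AccessControl:
    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.relations = set()           # (start, end) pairs drawn in the interface

    def establish(self, start, end):
        """Drag from `start` to `end`: `start` may access `end`."""
        if start == end:
            raise ValueError("a drag must end on a different security group")
        segment = self.groups[start].segment          # A1
        for vm in self.groups[end].vms:               # A2
            vm.allowed_segments.add(segment)
        self.relations.add((start, end))

    def delete(self, start, end):
        """Remove the rule from every VM of `end`, then remove the arrow."""
        segment = self.groups[start].segment
        for vm in self.groups[end].vms:
            vm.allowed_segments.discard(segment)
        self.relations.discard((start, end))

    def arrows(self):
        """Single-arrow and double-arrow connecting lines for the diagram."""
        lines = []
        for start, end in sorted(self.relations):
            if (end, start) in self.relations:
                if start < end:                       # emit a mutual pair once
                    lines.append((start, "<->", end))
            else:
                lines.append((start, "->", end))
        return lines

    def missing_rules(self):
        """Audit: drawn relations that some VM does not actually enforce.

        The page does not say how a VM that joins a group later is handled;
        this check only reports such a VM so the gap is visible.
        """
        gaps = []
        for start, end in sorted(self.relations):
            segment = self.groups[start].segment
            for vm in self.groups[end].vms:
                if segment not in vm.allowed_segments:
                    gaps.append((start, end, vm.name))
        return gaps


def build_fig3_example():
    """Constructed data: SG6 -> SG3, then SG3 -> SG4 and SG4 -> SG3."""
    groups = [
        SecurityGroup(f"SG{n}", ipaddress.ip_network(f"10.0.{n}.0/24"), [VM(f"vm{n}a")])
        for n in (3, 4, 6)
    ]
    control = AccessControl(groups)
    control.establish("SG6", "SG3")
    control.establish("SG3", "SG4")
    control.establish("SG4", "SG3")
    return control


if __name__ == "__main__":
    control = build_fig3_example()
    print(control.arrows())
    control.delete("SG4", "SG3")
    print(control.arrows())
```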
Fig. 8 shows the structure of the access control device for network security groups provided by an embodiment of the present invention; for convenience of explanation, only the parts relevant to the embodiment are shown.
This device may be used in a cloud computing server. It may be a software unit, a hardware unit, or a unit combining software and hardware that runs in the cloud computing server, or it may be integrated into the cloud computing server, or run in an application system of the cloud computing server, as an independent plug-in, wherein:
The security group display unit 1 displays all network security groups in the system in the same human-computer interaction interface.
When all network security groups are displayed, information that can be used to uniquely identify each network security group, such as its name, unique identifier or icon, may be shown.
The operation detection unit 2 detects a mouse drag operation by the user in the human-computer interaction interface.
The access control unit 3 establishes an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to the end position.
In this embodiment, so that the user can see the established access control relation intuitively, the access control unit 3 is specifically configured to follow the mouse drag operation and generate a graphic that is connected between the network security groups and marks the access, accessed or mutual-access relation between them.
The graphic that is connected between network security groups and marks the access, accessed or mutual-access relation between them includes, but is not limited to, a line with an arrow. Connecting lines with arrows comprise single-arrow connecting lines and double-arrow connecting lines; a single-arrow connecting line represents an access or accessed relation between network security groups, and a double-arrow connecting line represents a mutual-access relation between network security groups.
The access control unit 3 comprises a network segment acquisition module 31 and a rule adding module 32, wherein:
The network segment acquisition module 31 determines the network segment of the network security group corresponding to the start position of the mouse drag operation.
The rule adding module 32 adds, in each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule allowing the network segment of the network security group corresponding to the start position of the mouse drag operation to access that virtual machine.
In an alternative embodiment of the invention, this device also comprises IP granted unit 4.This IP granted unit 4 is network security group interpolation IP granted access.This IP granted unit 4 adds instruction specifically for receiving user for the IP granted access of the network security group input selected, described IP granted access is added instruction and is comprised IP scope, both port of origination and end port, for each virtual machine in the network security group of selection increases the rule allowing the network segment in the both port of origination within the scope of described IP and end port to access described virtual machine.
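The rule translation performed by modules 31 and 32 and by IP authorization unit 4 can be sketched as follows. This is an added example, not code from the patent; the class and function names, the all-ports range for drag-created rules, the `origin` tag, and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    source: object      # ipaddress network allowed to reach the VM
    port_start: int
    port_end: int
    origin: str         # "drag:<group>" or "ip-auth" (tagging scheme is an assumption)

@dataclass
class SecurityGroup:
    name: str
    segment: str                              # CIDR network segment of the group
    vms: dict = field(default_factory=dict)   # VM name -> set of Rule

def _add_to_every_vm(group, net, port_start, port_end, origin):
    if not 1 <= port_start <= port_end <= 65535:
        raise ValueError("bad port range")
    rule = Rule(ipaddress.ip_network(net), port_start, port_end, origin)
    for rules in group.vms.values():
        rules.add(rule)
    return rule

def on_drag(start, end):
    """Drag from `start` to `end`: each VM in `end` admits `start`'s segment."""
    if start is end:
        raise ValueError("drag must connect two different groups")
    # All ports is an assumption; the page states no port range for this rule.
    return _add_to_every_vm(end, start.segment, 1, 65535, "drag:" + start.name)

def add_ip_authorization(group, ip_range, port_start, port_end):
    """IP authorized access: IP range plus start and end port, on every VM."""
    return _add_to_every_vm(group, ip_range, port_start, port_end, "ip-auth")

def delete_relation(start, end):
    """Delete the start -> end relationship without touching IP authorizations."""
    tag = "drag:" + start.name
    for rules in end.vms.values():
        rules.difference_update({r for r in rules if r.origin == tag})

def is_allowed(group, vm, src_ip, port):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in r.source and r.port_start <= port <= r.port_end
               for r in group.vms[vm])

def build_sample():
    # Constructed sample data: two groups using private address ranges.
    web = SecurityGroup("web", "10.0.1.0/24", {"web-1": set()})
    db = SecurityGroup("db", "10.0.2.0/24", {"db-1": set(), "db-2": set()})
    return web, db
```

A single drag from `web` to `db` is one-directional: `db` virtual machines admit the `web` segment, while `web` virtual machines gain no rule for `db`, which matches the single-arrow line.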
In another embodiment of the present invention, the device further comprises topology display unit 5. Topology display unit 5 displays the access control relationships between the network security groups in the system in the form of a topology diagram.
Specifically, in the topology diagram, topology display unit 5 shows the access control relationships between network security groups using each group's unique identifier together with the graphics connected between groups that mark access, accessed, or mutual-access relationships, and gathers multiple network security groups that have cross access control relationships into clusters.
The unique identifier of a network security group uniquely identifies that group. It includes, but is not limited to, the group's name, icon, or mark, and may be any combination of these.
The mark connected between network security groups to indicate an access, accessed, or mutual-access relationship includes, but is not limited to, a connecting line with an arrow. Arrowed connecting lines comprise single-arrow and double-arrow connecting lines. A single-arrow connecting line represents an access or accessed relationship between network security groups, and the network security group the arrow points to is the accessed group. A double-arrow connecting line represents a mutual-access relationship between network security groups.
In another embodiment of the present invention, to make it more convenient for the user to view the access control relationships between network security groups, the device further comprises display switching unit 6. Display switching unit 6 receives a switching instruction through a toggle switch provided in the human-computer interaction interface and, according to the switching instruction, displays either the access control relationships between all network security groups or the access control relationships of the selected network security group.
When the switching instruction indicates that the access control relationships between all network security groups are to be displayed, the access control relationships between all network security groups in the system are output through the human-computer interaction interface as a topology diagram, so that the user can view the access control relationships between network security groups across the whole system;
When the switching instruction indicates that the access control relationships of the selected network security group are to be displayed, the access control relationships of the selected network security group (including its access, accessed, and mutual-access relationships) are output through the human-computer interaction interface as a topology diagram, so that the user can view separately the access control relationships of the network security group of interest.
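An added sketch (not part of the patent) of how the topology view described above could be derived from directed access relationships: opposite pairs collapse into one double-arrow line, clusters are taken as connected components (an assumed reading of "cross access control relationships"), and `selected` models the toggle switch. Function names and group names are hypothetical.

```python
def build_topology(relations, selected=None):
    """relations: iterable of (accessor, accessed) group-name pairs.
    Returns (lines, clusters). With `selected`, only relationships that
    involve that group are kept (the 'selected group' view)."""
    rel = {(a, b) for a, b in relations if a != b}
    if selected is not None:
        rel = {(a, b) for a, b in rel if selected in (a, b)}

    lines = []
    for a, b in sorted(rel):
        if (b, a) in rel:
            if a < b:                        # emit each mutual pair once
                lines.append((a, b, "double"))
        else:
            lines.append((a, b, "single"))   # arrow points at b, the accessed group

    # Union-find over the drawn lines to gather connected groups into clusters.
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    for a, b, _ in lines:
        parent[find(a)] = find(b)

    clusters = {}
    for g in list(parent):
        clusters.setdefault(find(g), set()).add(g)
    return lines, sorted(sorted(c) for c in clusters.values())

def sample_relations():
    # Constructed sample: web -> app, app <-> db, mon -> bastion.
    return [("web", "app"), ("app", "db"), ("db", "app"), ("mon", "bastion")]
```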
In another embodiment of the present invention, to make it easier for the user to view more detailed information about network security groups, the device further comprises details display unit 7. Details display unit 7 receives a security group details display instruction through a security group list window provided in the human-computer interaction interface and, according to that instruction, displays the details of all network security groups in the system in the security group list window. The details of a network security group include, but are not limited to, the identifier of the network security group and the owning user of the network security group.
In another embodiment of the present invention, the device further comprises security group creation unit 8 and security group filtering unit 9, where:
Security group creation unit 8 receives a security group creation instruction and creates a new network security group according to that instruction.
The detailed process of creating a network security group may be as follows: the user sends a creation instruction by right-clicking in the human-computer interaction interface used to output the network security groups; after the creation instruction is received, a network security group creation window is output; the configuration information that the user inputs for the network security group to be created is received through this creation window; and a new network security group is created according to the configuration information.
Security group filtering unit 9 selects, by filtering, the other network security groups that need to establish an access control relationship with the created or selected network security group.
The filter condition includes, but is not limited to, the owning user of the network security group, or other filter conditions defined by the user in advance.
The detailed process of selecting the other network security groups that need to establish an access control relationship with the created or selected network security group is as follows:
When the filter condition is the owning user of the network security group, the owning user of the created or selected network security group is obtained, and the other network security groups whose owning user is the same as that of the created or selected network security group are selected.
In another embodiment of the present invention, the device further comprises access relationship deletion unit 10, which receives a delete instruction for an access control relationship that the user inputs through the human-computer interaction interface and, according to the delete instruction, deletes the access control relationship between the network security groups specified by the instruction.
The user inputs the delete instruction for an access control relationship through the human-computer interaction interface as follows:
In the topology diagram, the user right-clicks on a graphic that marks an access, accessed, or mutual-access relationship between network security groups to input the delete instruction for the access control relationship; the network security groups specified by the delete instruction are the groups connected by that graphic. When the graphic is a line with an arrow, the user right-clicks on the arrowed line to input the delete instruction, and the access control relationship between the network security groups connected by that arrowed line is deleted.
It can be understood that the way the user inputs the delete instruction for an access control relationship is not limited to the example above and may take many other forms. For example, a delete button may be provided in the human-computer interaction interface; after selecting the graphic that marks an access, accessed, or mutual-access relationship between network security groups, the user clicks the delete button to input the delete instruction for the access control relationship.
The functional units or modules described in the above embodiments can be used to implement the methods of Fig. 2 to Fig. 7. It should be noted that the units included in the above device are divided according to functional logic, but the division is not limited to the one described, as long as the corresponding functions can be realized. In addition, the specific names of the functional units serve only to distinguish them from one another and do not limit the protection scope of the present invention.
A person of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, or an optical disc.
Referring to Fig. 9, an embodiment of the present invention provides a schematic diagram of a security computer 700. Security computer 700 may be a host server with computing capability, a personal computer (PC), a portable computer or terminal, and so on; the specific embodiments of the present invention do not limit the specific implementation of the computing node. Security computer 700 comprises:
A processor 710, a memory 720, and a bus 730.
Processor 710 and memory 720 communicate with each other through bus 730.
Processor 710 is used to execute program 722.
Specifically, program 722 may comprise program code, and the program code comprises computer operation instructions.
Processor 710 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Memory 720 is used to store program 722. Memory 720 may comprise high-speed RAM and may also comprise non-volatile memory, for example at least one magnetic disk memory. Program 722 may specifically comprise:
Security group display unit 1, for displaying all network security groups in the system in the same human-computer interaction interface;
Operation detection unit 2, for detecting the user's mouse drag operation in the human-computer interaction interface;
Access control unit 3, for establishing an access relationship from the network security group at the start position of the mouse drag operation to the network security group at the end position.
For the specific implementation of each unit in program 722, refer to the corresponding units in the embodiment shown in Fig. 8; details are not repeated here.
In the embodiments of the present invention, all network security groups in the system are output in the same human-computer interaction interface, the user's mouse drag operation in the interface is detected, an access relationship is established from the network security group at the start position of the mouse drag operation to the network security group at the end position, and IP authorized access is added for the access relationships established between network security groups. The user can therefore work from an overall view and establish the access control relationships between network security groups quickly, accurately, and efficiently, which improves the efficiency of access control between network security groups. By displaying the access control relationships between the network security groups in the system as a topology diagram, and gathering multiple network security groups that have cross access control relationships into clusters, the user can see the access control relationships between the network security groups in the system directly and as a whole. By selecting, according to a filter condition, the network security groups that need to establish an access control relationship with the network security group the user has selected or created, the operating complexity for the user when creating access control relationships between network security groups is reduced, as is the time this takes. By inputting the delete instruction through selecting, in the topology diagram, the graphic that marks an access, accessed, or mutual-access relationship between network security groups, an established access control relationship can be deleted quickly, accurately, and efficiently, and the existing access control relationships between network security groups can be adjusted easily, which greatly improves working efficiency.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.