CN103514412A - Method and cloud server for establishing role-based access control system - Google Patents


Info

Publication number
CN103514412A
Authority
CN
China
Prior art keywords
role
rbac
mining
template
upa data
Prior art date
Legal status
Granted
Application number
CN201210213506.1A
Other languages
Chinese (zh)
Other versions
CN103514412B (en)
Inventor
魏何
张新文
吴晓昕
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority and publication history
Application filed by Huawei Technologies Co Ltd
Priority to CN201210213506.1A (granted as CN103514412B)
Priority to PCT/CN2013/076705 (WO2014000554A1)
Publication of CN103514412A
Application granted; publication of CN103514412B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems

Abstract

The embodiments of the invention provide a method and a cloud server for establishing a role-based access control (RBAC) system. The method includes: receiving from a client a request message for constructing an RBAC role set with a hierarchical structure, the request message carrying UPA data; obtaining an RBAC template and performing role matching according to the RBAC template and the UPA data to determine a first role set with a hierarchical structure; performing role mining according to the first role set and the UPA data to determine the RBAC role set; and sending the RBAC role set to the client so that the client can establish the RBAC system according to it. In this way the semantic accuracy of the RBAC role set is improved and the cost lowered, and the efficiency of establishing the RBAC system is improved as well.

Description

Method for constructing role-based access control system and cloud server
Technical Field
The present invention relates to the field of information technology, and in particular, to a method for constructing a Role-based Access Control (RBAC) system and a cloud server.
Background
Access control is a defense against unauthorized use of resources; its primary objective is to ensure that users access system resources reasonably and effectively. There are roughly three access control methods: the conventional Discretionary Access Control (DAC) and Mandatory Access Control (MAC) methods, and the more recently popular RBAC method. The granularity of DAC is too fine and that of MAC too coarse, and both are cumbersome and hard to manage. RBAC is policy neutral, can represent various kinds of policies including DAC and MAC, and is closer to the way a real organization is managed, so that high-level policies can be described conveniently. The RBAC method has therefore become an accepted, effective way to address uniform resource access control for large enterprises.
Currently, RBAC systems are constructed mainly through role engineering. Role engineering mainly comprises top-down and bottom-up methods. Top-down approaches typically require complex business process analysis and have a low degree of automation. Bottom-up methods have a high degree of automation, but the semantics of the roles obtained are poor because business process analysis is lacking.
Disclosure of Invention
The embodiment of the invention provides a method for constructing an RBAC and a cloud server, which can improve the semantic accuracy of an RBAC role set, reduce the cost and improve the efficiency of constructing an RBAC system.
In one aspect, a method for constructing an RBAC system is provided, including: receiving from a client a request message for constructing an RBAC role set with a hierarchical structure, wherein the request message carries User-Permission Assignment (UPA) data; obtaining an RBAC template and performing role matching according to the RBAC template and the UPA data to determine a first role set with a hierarchical structure; performing role mining according to the first role set and the UPA data to determine the RBAC role set; and sending the RBAC role set to the client so that the client constructs an RBAC system according to the RBAC role set.
In another aspect, a cloud server is provided, including: a receiving module, which receives from a client a request message for constructing an RBAC role set with a hierarchical structure, wherein the request message carries User-Permission Assignment (UPA) data, and passes the UPA data to the role matching module; a role matching module, which receives the UPA data from the receiving module, acquires an RBAC template, performs role matching according to the RBAC template and the UPA data to determine a first role set with a hierarchical structure, and passes the first role set to the role mining module; a role mining module, which receives the first role set from the role matching module, performs role mining according to the first role set and the UPA data to determine the RBAC role set, and passes the RBAC role set to the sending module; and a sending module, which receives the RBAC role set from the role mining module and sends it to the client so that the client can construct an RBAC system according to the RBAC role set.
In the embodiments of the invention, the first role set is determined by role matching according to the RBAC template and the UPA data, and the RBAC role set is determined by role mining according to the first role set and the UPA data. The business process information contained in the RBAC template is thereby merged into the RBAC role set without performing expensive and complicated business process analysis, while the high degree of automation of the role mining process is retained; therefore the semantic accuracy of the RBAC role set can be improved, the cost reduced, and the efficiency of constructing the RBAC system improved.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an example of an RBAC system to which embodiments of the present invention may be applied.
Fig. 2 is a schematic flow chart of a method of constructing an RBAC system according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a process of a method of constructing an RBAC system according to one embodiment of the present invention.
Fig. 4 is a diagram illustrating an example of a role hierarchy of an RBAC template according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a process of a method of constructing an RBAC system according to another embodiment of the present invention.
Fig. 6 is a schematic block diagram of a cloud server according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of one example of an implementation of a cloud server according to one embodiment of the invention.
Fig. 8 is a schematic diagram of another example of an implementation of a cloud server according to another embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, shall fall within the scope of protection of the present invention.
Fig. 1 is a schematic diagram of an example of an RBAC system to which embodiments of the present invention may be applied. It should be noted that the example of fig. 1 is only for helping those skilled in the art to better understand the embodiments of the present invention, and does not limit the scope of the embodiments of the present invention. For example, in fig. 1, 4 users (users), 3 roles (Role), and 3 servers are described, but in the embodiment of the present invention, the number of users, the number of roles, and the number of servers may be other numbers, which is not limited in the embodiment of the present invention.
In the RBAC system, a layer of 'roles' is added between a user and a server as a bridge, the roles can be regarded as a set of permissions, and access control is realized by the fact that the user corresponds to the roles and the roles correspond to the permissions. For example, in fig. 1, user1 and user2 correspond to role 1, and the authority of role 1 is to access server 1, then both user1 and user2 can access server 1. User 3 corresponds to role 2, and role 2 has the right to access server 1 and server 2, so user 3 can access server 1 and server 2. User 4 corresponds to role 3, and role 3 is authorized to access server 1, server 2, and server 3. Therefore, the process of constructing the RBAC system is the process of creating roles and setting the distribution relationship between users and roles and between roles and permissions, wherein the process of constructing a role set with a hierarchical structure is the most core process.
Fig. 2 is a schematic flow chart of a method of constructing an RBAC system according to an embodiment of the present invention. The method of fig. 2 is performed by a cloud server.
210, receiving from a client a request message for constructing a hierarchical RBAC role set, where the request message carries User-Permission Assignment (UPA) data.
UPA data represents the correspondence between users and permissions; each record in the UPA data has the form { user → set of permissions held by that user }.
And 220, acquiring an RBAC template, and performing role matching according to the RBAC template and the UPA data to determine a first role set with a hierarchical structure.
Optionally, as an embodiment, the cloud server may select the RBAC template from an RBAC template library stored in the cloud server according to industry information associated with the UPA data. Alternatively, the cloud server may receive the RBAC template from the client, where the client has selected it from the RBAC template library according to the industry information associated with the UPA data.
For example, since Cloud Service Providers (CSPs) typically have a large number of customers, an RBAC template library may be built from the RBAC systems the customers already run or deploy. In addition, the CSP can classify the RBAC templates in the library according to industry (such as banks, hospitals and the like) and industry characteristics (such as general hospitals, specialist hospitals and the like), and store the RBAC template library in a cloud server. The cloud server or the client can then select a suitable RBAC template from the library according to the industry information associated with the UPA data. The RBAC template can take various forms, such as a role hierarchy, or table records representing the role set and the hierarchy of the role set. The embodiment of the present invention is not limited thereto.
In the embodiment of the invention, because the RBAC template contains the extracted business process information of the industry associated with the UPA data, the business process information can be merged into the role set generated in the role matching process by performing role matching according to the RBAC template and the UPA data without performing an expensive and complicated business process analysis process, thereby reducing the cost and complexity of constructing the role set.
In addition, the cloud server has strong storage capacity, so that the storage space for storing the RBAC template library can be ensured. And because the cloud server has a large number of diversified customers, sufficient RBAC template sources can be ensured.
Optionally, as another embodiment, the cloud server may perform role matching on the RBAC template and the UPA data, determine a second role set having a hierarchical structure, send the second role set to the client, receive an adjustment scheme of the client for the second role set from the client, and adjust the second role set according to the adjustment scheme to determine the first role set.
For example, the cloud server can match each record in the UPA data with the RBAC template to determine a second set of roles having a hierarchical structure. The client can determine an adjustment scheme for the second role set according to the actual requirements of the client, and send the adjustment scheme to the cloud server. The cloud server can modify and adjust the second role set according to the adjustment scheme, so that the first role set with the hierarchical structure generated in the role matching process is determined.
And 230, performing role mining according to the first role set and the UPA data to determine the RBAC role set.
Optionally, as another embodiment, the cloud server may perform role mining on the UPA data based on the first role set to determine the RBAC role set.
Specifically, the cloud server may determine the RBAC role set by role mining all of the UPA data using the first role set with a hierarchical structure generated in step 220 as an input.
Due to differences of information systems and organizations, the first role set generated by role matching cannot generally cover all the UPA data, and therefore, the accuracy of the finally generated RBAC role set can be improved by performing role mining on the UPA data based on the first role set generated by the role matching process.
Optionally, as another embodiment, the cloud server may perform role mining on the UPA data based on the first role set according to an algorithm for solving the Minimal Perturbation Role Hierarchy Mining Problem (MinPert-RHMP) to determine the RBAC role set.
Specifically, MinPert-RHMP is as follows: given a user set U, a permission set P and UPA data, the aim is to establish a role set, a corresponding User-Role Assignment (UA) relationship and Permission-Role Assignment (PA) relationship such that the role set completely covers the UPA data while keeping system complexity low. In addition, at the start of solving MinPert-RHMP a set of roles, commonly called deployed roles (DRoles), is given, and these DRoles are to be retained in the role set as far as possible. Various algorithms exist for solving MinPert-RHMP; for example, the cloud server may perform role mining on all UPA data with the first role set as input according to the StateMiner algorithm to determine the RBAC role set. The cloud server may also use other algorithms capable of solving MinPert-RHMP, which is not limited in the embodiment of the present invention.
Optionally, as another embodiment, the cloud server may determine remaining UPA data in the UPA data that does not match the role of the first role set, perform role mining on the remaining UPA data, determine a third role set having a hierarchical structure, and merge the first role set and the third role set to determine the RBAC role set.
Specifically, the cloud server may perform role mining on the remaining UPA data that is not matched in the role matching process, and then merge a third role set with a hierarchical structure generated by the role mining with the first role set to determine a final RBAC role set. The third role set and the first role set are merged in a manner that reference is made to the prior art, for example, a public role appears in both the third role set and the first role set, and the cloud server may reserve only one role and transfer the parent and child node relationship of the deleted node to the reserved role. The cloud server can retain the different roles in the final set of RBAC roles.
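The merge described above as an added example (not code from the patent): a role common to both sets is kept once under its name in the first set, and the parent and child edges of the deleted copy are transferred to the kept role. The two role sets, the convention that a role lists the junior roles it inherits from, and the identification of common roles by equal permission sets are assumptions.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Role set with hierarchy: role -> (permission set, junior roles it inherits from).
RoleSet = Dict[str, Tuple[FrozenSet[str], Set[str]]]

# Constructed first role set (from role matching; names follow the template).
FIRST: RoleSet = {
    "r3": (frozenset({"p1", "p2", "p3"}), set()),
    "r6": (frozenset({"p3", "p4"}), set()),
    "r2": (frozenset({"p3", "p4", "p6"}), {"r6"}),
}

# Constructed third role set (mined from the remaining UPA data).  m1 holds
# exactly the permissions of r6, so it is a common role of both sets.
THIRD: RoleSet = {
    "m0": (frozenset({"p4"}), set()),
    "m1": (frozenset({"p3", "p4"}), {"m0"}),
    "m2": (frozenset({"p3", "p4", "p5", "p6"}), {"m1"}),
}


def merge_role_sets(first: RoleSet, third: RoleSet) -> RoleSet:
    """Merge the third role set into the first.

    A role present in both sets (same permission set) is kept once, under
    its name in the first set, and the parent/child edges of the deleted
    copy are transferred to the kept role.  Roles unique to either set are
    retained.  Assumes role names are disjoint across the two sets.
    """
    merged: RoleSet = {n: (p, set(j)) for n, (p, j) in first.items()}
    by_perms = {p: n for n, (p, _) in first.items()}
    # Map every third-set role to the name it will carry after merging;
    # a common role maps onto its counterpart in the first set.
    rename = {n: by_perms.get(p, n) for n, (p, _) in third.items()}
    for name, (perms, juniors) in third.items():
        kept = rename[name]
        # Parent edges pointing at a deleted role are rerouted by rename;
        # child edges of a deleted role are added to the kept role below.
        new_juniors = {rename[j] for j in juniors} - {kept}
        if kept in merged:
            merged[kept][1].update(new_juniors)
        else:
            merged[kept] = (perms, new_juniors)
    return merged


def hierarchy_consistent(rs: RoleSet) -> bool:
    """Every senior role must hold all permissions of its junior roles."""
    return all(rs[j][0] <= perms for perms, juniors in rs.values() for j in juniors)


if __name__ == "__main__":
    merged = merge_role_sets(FIRST, THIRD)
    for role, (perms, juniors) in sorted(merged.items()):
        print(role, sorted(perms), "inherits from", sorted(juniors))
    print("consistent:", hierarchy_consistent(merged))  # True
```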
In the embodiment of the invention, as the information contained in the matched UPA data in the role matching process is embodied in the first role set, and the RBAC template is matched with the UPA data in the role matching process, and the RBAC template is from the industry associated with the UPA data, most of the UPA data can be successfully matched in the role matching process. Therefore, the cloud server can perform role mining on the residual UPA data which are not matched in the role matching process, so that the data volume required to be processed in the role mining process can be reduced, and the processing efficiency is improved.
Optionally, as another embodiment, the cloud server may perform role mining on the remaining UPA data according to an algorithm for solving the Role Hierarchy Mining Problem (RHMP) and determine the third role set.
Specifically, RHMP is as follows: given a user set U, a permission set P and UPA data, the aim is to establish a role set, a corresponding UA relationship and PA relationship such that the role set completely covers the UPA data with low system complexity. In addition, RHMP takes the role hierarchy into account (i.e. inheritance relationships between roles, etc.), and the complexity of the hierarchy is included in the system complexity. A number of algorithms exist for solving RHMP. For example, the cloud server may perform role mining on the remaining UPA data according to a Graph Optimization algorithm to determine the third role set. The cloud server may also use other algorithms capable of solving RHMP, which is not limited in the embodiment of the present invention.
Optionally, as another embodiment, the cloud server may perform role mining on the remaining UPA data according to an algorithm for solving the Role Mining Problem (RMP) to determine a third role set without a hierarchical structure, and then construct a hierarchical structure for that role set according to an algorithm for solving the Role Hierarchy Building Problem (RHBP).
Specifically, RMP is as follows: given a user set U, a permission set P and UPA data, the aim is to establish a role set, a corresponding UA relationship and PA relationship such that the role set completely covers the UPA data while keeping system complexity low. RHBP is as follows: given a role set, the goal is to construct an optimal hierarchy for it. The cloud server can thus determine the third role set without a hierarchy first and then construct the hierarchy to obtain the third role set with a hierarchy.
And 240, sending the RBAC role set to the client so that the client constructs an RBAC system according to the RBAC role set.
The embodiment of the invention provides RaaS (RBAC as a Service) by utilizing the computing and storing capacity of the cloud, namely, the RBAC role set is constructed by the cloud server by means of the strong computing and storing capacity of the cloud, so that the client can conveniently construct the RBAC system according to the RBAC role set, thereby improving the efficiency of constructing the RBAC system and reducing the cost.
The embodiments of the present invention will be described in detail below with reference to specific examples. It should be noted that these examples are intended to help those skilled in the art better understand the embodiments of the present invention, and do not limit the scope of the embodiments of the present invention.
Fig. 3 is a schematic diagram of a process of a method of constructing an RBAC system according to one embodiment of the present invention.
301, the cloud server stores the RBAC template library, and updates and maintains the RBAC template library.
The CSP typically has a large number of customers, some of which have user identity management, access control, etc. functions via the RBAC system, the CSP can obtain the RBAC template directly from these operating RBAC systems. The RBAC template can also be extracted or purchased from RBAC systems already deployed by other companies, so that an RBAC template library is built and stored in the cloud server. In addition, the CSP can classify the RBAC templates in the RBAC template library according to industries (such as banks, hospitals and the like), industrial characteristics (such as comprehensive hospitals, special hospitals and the like) and the like, and store the RBAC templates in the RBAC template library in a cloud server. The cloud server can update and maintain the RBAC template library. The RBAC template library may be published externally. The representation of the RBAC template in the RBAC template library may be a set of roles and a hierarchy of the set of roles.
The cloud server has strong storage capacity, so that the storage space for storing the RBAC template library can be ensured. And because the cloud server has a large number of diversified customers, sufficient RBAC template sources can be ensured.
302, a client sends a request message for requesting to construct an RBAC role set to a cloud server, where the request message carries UPA data.
UPA data represents the relationship between users and permissions; each record has the form { user → set of permissions held }, and the permission set of a record is denoted RQ.
303, the cloud server selects the RBAC template from the RBAC template library according to the industry information associated with the UPA data in step 302.
For example, the cloud server may select the RBAC template according to the industry and industry characteristics associated with the UPA data. In addition, the RBAC template library is published externally, so that the client can select the RBAC template according to the industry and the industry characteristics associated with the UPA data and send the RBAC template to the cloud server. The embodiment of the present invention is not limited thereto.
The representation form of the RBAC template can be various forms, such as a role hierarchy, or a role set and the hierarchy of the role set are represented in the form of table records.
The form of the RBAC template is illustrated below. Fig. 4 is a diagram illustrating an example of a role hierarchy of an RBAC template according to an embodiment of the present invention. Suppose that the cloud server obtains, according to the industry information associated with the UPA data, the example RBAC template shown in Fig. 4. In Fig. 4, the role set of the RBAC template is R = { r1, r2, r3, r4, r5, r6 }, and the permissions referenced by these roles are { p1, p2, p3, p4, p5, p6 }. The RBAC template may also be represented by two tables, representing the role set R and the hierarchical structure of R, as shown in Tables 1 and 2, which are another representation of the role set shown in Fig. 4. Table 1 records the relationships (e.g., inheritance, conflict, etc.) between roles. Table 2 records the correspondence between the roles of Table 1 and permissions.
TABLE 1 Relationships between roles (table reproduced as an image in the original; not available here)
TABLE 2 Relationship between roles and permissions (table reproduced as an image in the original; not available here)
304, the cloud server performs role matching on the RBAC template acquired in step 303 and the UPA data received in step 302, and determines a second role set with a hierarchical structure.
The cloud server may perform role matching according to a variety of algorithms, such as a greedy search (greedy search) algorithm, and the like. The execution of step 304 will be described below by taking the greedy search algorithm as an example. It should be noted that, in the embodiment of the present invention, the cloud server may also use other algorithms to perform role matching, which is not limited in the embodiment of the present invention.
Assume that one record in the UPA data is { user1 → p1, p2, p3, p4 }, so the permission set of the record is RQ = { p1, p2, p3, p4 }.
The cloud server performs role matching between this record and the RBAC template shown in Fig. 4 and Tables 1 and 2, and determines a second role set with a hierarchical structure; the main process is as follows:
Step one: from the role set R = { r1, r2, r3, r4, r5, r6 } of the RBAC template, select all roles whose permission set is a subset of the permission set RQ, forming the set R1 = { r3, r4, r5, r6 }. That is, the permission sets of roles r3, r4, r5 and r6 are all subsets of RQ.
Step two: select the role with the largest number of permissions from the set R1 and put it into the result set R*, then delete that role from R1 and delete the permissions it holds from the permission set RQ. Here role r3 has the most permissions, so r3 is put into R*, and R1 and RQ are updated: R1 = { r4, r5, r6 } and RQ = { p4 }.
Step three: repeat step two on the updated R1 and RQ until RQ is empty. Here, since neither r4 nor r5 holds permission p4, role r6, which holds the most of the remaining permissions in RQ, is selected from the updated R1 and put into R*. R1 is updated again to R1 = { r4, r5 }, and RQ becomes the empty set, so the loop ends. The result set of matching this record against the RBAC template is R* = { r3, r6 }.
An example of pseudo code for the above process may be as follows:
it should be noted that this example of pseudo code is provided herein to assist those skilled in the art in better understanding the embodiments of the present invention and is not intended to limit the scope of the embodiments of the present invention. It will be apparent to those skilled in the art from the examples of pseudo code given that various equivalent modifications or variations are possible, and such modifications or variations are within the scope of embodiments of the invention.
Steps one to three are performed on each record in the UPA data to obtain the role-matching result set of every record, and the result sets of all records are combined to obtain the second role set with a hierarchical structure.
In addition, for some records in the UPA data, such as { user2 → p4, p5, p6 }, no subset of the role set R of the RBAC template covers the record. Note that roles r1 and r2 together cannot be used, because that would grant user2 the permissions p1, p2 and p3 that user2 did not originally have, i.e. it would expand the permissions of user2. The cloud server therefore does not process such records further in step 304 but handles them in the subsequent role mining process.
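Steps one to three above, together with the unmatched-record case and the split of matched records from the remaining UPA data that the later role mining step consumes, as runnable code. This is an added example, not the pseudocode the patent refers to; the template's role-permission sets are an assumption (Tables 1 and 2 are not reproduced), chosen so that the worked record for user1 yields { r3, r6 } and user2's record stays unmatched.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed template (assumption): role -> permission set.  The values are
# chosen to agree with the worked example: r3 is the largest role inside
# user1's RQ, r6 is the only subset role holding p4, and r1 + r2 together
# would over-grant user2 with p1, p2 and p3.
TEMPLATE_ROLES: Dict[str, FrozenSet[str]] = {
    "r1": frozenset({"p1", "p2", "p5"}),
    "r2": frozenset({"p3", "p4", "p6"}),
    "r3": frozenset({"p1", "p2", "p3"}),
    "r4": frozenset({"p1"}),
    "r5": frozenset({"p2", "p3"}),
    "r6": frozenset({"p3", "p4"}),
}

# Constructed UPA data: each record is { user -> permissions held }.
UPA_DATA: Dict[str, FrozenSet[str]] = {
    "user1": frozenset({"p1", "p2", "p3", "p4"}),
    "user2": frozenset({"p4", "p5", "p6"}),
}


def match_record(rq: FrozenSet[str],
                 roles: Dict[str, FrozenSet[str]]) -> Optional[List[str]]:
    """Greedy role matching of one UPA record (steps one to three).

    Returns the template roles that exactly cover RQ, in selection order,
    or None when no combination of candidate roles covers RQ; such a record
    is left for the role mining stage.
    """
    # Step one: R1 = roles whose permission set is a subset of RQ.  Only
    # subset roles are ever considered, so the user can never be granted
    # a permission the record does not already contain.
    r1 = {name: perms for name, perms in roles.items() if perms <= rq}
    remaining: Set[str] = set(rq)
    result: List[str] = []
    # Steps two and three: repeatedly take the candidate that covers the
    # most still-uncovered permissions, remove it from R1 and its
    # permissions from RQ, until RQ is empty.  Ties break on role name.
    while remaining:
        if not r1:
            return None
        best = min(r1, key=lambda n: (-len(r1[n] & remaining), n))
        if not r1[best] & remaining:
            return None  # no candidate covers any remaining permission
        result.append(best)
        remaining -= r1[best]
        del r1[best]
    return result


def match_upa(upa: Dict[str, FrozenSet[str]],
              roles: Dict[str, FrozenSet[str]]
              ) -> Tuple[Dict[str, List[str]], Set[str], Dict[str, FrozenSet[str]]]:
    """Step 304 over all records: per-user role assignment, the combined
    second role set, and the remaining (unmatched) UPA data for mining."""
    assignment: Dict[str, List[str]] = {}
    second_role_set: Set[str] = set()
    remaining_upa: Dict[str, FrozenSet[str]] = {}
    for user, rq in upa.items():
        matched = match_record(rq, roles)
        if matched is None:
            remaining_upa[user] = rq
        else:
            assignment[user] = matched
            second_role_set.update(matched)
    return assignment, second_role_set, remaining_upa


def no_permission_expansion(assignment: Dict[str, List[str]],
                            upa: Dict[str, FrozenSet[str]],
                            roles: Dict[str, FrozenSet[str]]) -> bool:
    """Check that every matched user ends up with exactly the permissions
    of its UPA record: no over-grant (the r1 + r2 pitfall) and no gap."""
    return all(
        frozenset().union(*(roles[r] for r in assigned)) == upa[user]
        for user, assigned in assignment.items()
    )


if __name__ == "__main__":
    assignment, second, left = match_upa(UPA_DATA, TEMPLATE_ROLES)
    print("assignment:", assignment)            # {'user1': ['r3', 'r6']}
    print("second role set:", sorted(second))   # ['r3', 'r6']
    print("remaining UPA data:", sorted(left))  # ['user2']
    print("no expansion:", no_permission_expansion(assignment, UPA_DATA, TEMPLATE_ROLES))
```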
Because the RBAC template contains the extracted business process information of the industry associated with the UPA data, the business process information can be merged into the role set generated in the role matching process by performing role matching according to the RBAC template and the UPA data without performing an expensive and complicated business process analysis process, thereby reducing the cost and complexity of constructing the role set.
305, the cloud server sends the second role set with the hierarchical structure determined in step 304 to the client.
306, the client sends an adjustment scheme for the second role set to the cloud server.
The client can determine an adjustment scheme for the second role set according to the actual requirements of the client, and send the adjustment scheme to the cloud server.
307, the cloud server adjusts the second role set according to the adjustment scheme in step 306, and determines the first role set with a hierarchical structure.
308, the cloud server performs role mining on the UPA data based on the first role set in the step 307, and determines an RBAC role set.
The cloud server may perform role mining on the UPA data based on the first role set according to an algorithm for solving MinPert-RHMP, and determine an RBAC role set. For example, the cloud server may perform role mining on all UPA data with the first role set as input according to the StateMiner algorithm to determine the RBAC role set. The specific process of the StateMiner algorithm is described in the prior art and is not repeated here. The cloud server may also use other algorithms capable of solving MinPert-RHMP, which is not limited in the embodiment of the present invention.
Due to differences of information systems and organizations, the first role set generated by role matching generally cannot cover all the UPA data, so that the accuracy of the finally generated RBAC role set can be improved by performing role mining on the UPA data based on the first role set generated by the role matching process.
In addition, the cloud server can adopt a single algorithm to perform role mining, and does not need to combine multiple algorithms to perform role mining, so that the processing process is simple.
309, the cloud server sends the set of RBAC roles determined in step 308 to the client.
310, the client constructs the RBAC system according to the RBAC role set received in step 309.
In the embodiment of the invention, the first role set is determined by matching roles according to the RBAC template and the UPA data, and the RBAC role set is determined by mining roles according to the first role set and the UPA data, so that the business process information contained in the RBAC template is merged into the RBAC role set without performing expensive and complicated business process analysis, and the high automation degree of the role mining process is kept, therefore, the semantic accuracy of the RBAC role set can be improved, the cost is reduced, and the efficiency of constructing the RBAC system can be improved.
In addition, in the embodiment of the invention, the cloud server can replace different algorithms to perform role matching and role mining, so that the process of constructing the RBAC role set has good expansibility and flexibility.
Fig. 5 is a schematic diagram of a process of a method of constructing an RBAC system according to another embodiment of the present invention.
In fig. 5, steps 501 to 507 are substantially the same as steps 301 to 307 in fig. 3, and are not described herein again to avoid repetition.
508, the cloud server performs role mining on the remaining UPA data, that is, the UPA data that does not match any role of the first role set, and determines a third role set.
Because the information contained in the matched UPA data in the role matching process is embodied in the first role set, and because the RBAC template and the UPA data are matched in the role matching process, and the RBAC template is from the industry associated with the UPA data, most UPA data can be successfully matched in the role matching process. The cloud server can perform role mining on the remaining UPA data that is not matched during the role matching process.
Optionally, the cloud server may perform role mining on the remaining UPA data according to an algorithm for solving the RHMP, and determine the third role set. Many algorithms for solving the RHMP exist; for example, the cloud server may perform role mining on the remaining UPA data according to the Graph optimization algorithm to determine the third role set. The specific process of the Graph optimization algorithm can refer to the prior art, and is not described herein in detail to avoid repetition. The cloud server may also perform role mining according to other algorithms capable of solving the RHMP, which is not limited in the embodiment of the present invention.
Optionally, the cloud server may perform role mining on the remaining UPA data according to an algorithm for solving the RMP, determine a third role set without a hierarchical structure, and construct a hierarchical structure for the third role set without a hierarchical structure according to an algorithm for solving the RHBP. That is, the cloud server can determine the third set of roles that do not have a hierarchy and then construct the hierarchy to determine the third set of roles that have a hierarchy.
509, the cloud server merges the first role set determined in step 507 with the third role set determined in step 508 to determine an RBAC role set.
The third role set and the first role set may be merged in a manner known from the prior art. For example, when a public role appears in both the third role set and the first role set, the cloud server may retain only one of the two roles and transfer the parent and child node relationships of the deleted node to the retained role. Roles that differ between the two sets are all retained in the final RBAC role set. In addition, the cloud server may also combine the first role set and the third role set in other manners, which is not limited in the embodiment of the present invention.
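The role matching, residual role mining and merge steps (503 to 509) as an added example that is not part of the patent: the template roles, permission names and UPA data are constructed, and the matching rule, the residual-set mining heuristic and the hierarchy construction are simplified stand-ins for the RMP/RHBP solvers the text leaves to the prior art.

```python
# Added example, not code from the patent: a toy run of steps 503-509. The
# template, permission names and UPA data are constructed; matching, residual
# mining and hierarchy construction are simplified stand-ins for RMP/RHBP solvers.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    perms: frozenset[str]
    juniors: set[str] = field(default_factory=set)  # immediate junior roles

UPA = dict[str, frozenset[str]]  # user -> directly assigned permissions

def role_matching(upa: UPA, template: dict[str, Role]) -> tuple[dict[str, Role], UPA]:
    """Steps 503-507 (simplified): a template role matches a user when its
    permissions are contained in the user's. Returns the first role set (matched
    template roles, hierarchy restricted to them) and the remaining UPA data."""
    first: dict[str, Role] = {}
    remaining: UPA = {}
    for user, perms in upa.items():
        covered: set[str] = set()
        for role in template.values():
            if role.perms and role.perms <= perms:
                first.setdefault(role.name, Role(role.name, role.perms))
                covered |= role.perms
        if perms - covered:  # user-permission pairs no matched role explains
            remaining[user] = frozenset(perms - covered)
    for name, role in first.items():
        role.juniors = {j for j in template[name].juniors if j in first}
    return first, remaining

def build_hierarchy(roles: dict[str, Role]) -> None:
    """RHBP stand-in: r directly inherits j when j.perms is a proper subset of
    r.perms and no other role in the set lies strictly between them."""
    for r in roles.values():
        r.juniors = {j.name for j in roles.values() if j.perms < r.perms
                     and not any(j.perms < k.perms < r.perms for k in roles.values())}

def mine_roles(remaining: UPA, prefix: str = "mined") -> dict[str, Role]:
    """Step 508 (simplified RMP): one role per distinct residual permission set,
    then a hierarchy over those roles; the result is the third role set."""
    distinct = sorted(set(remaining.values()), key=lambda p: (len(p), sorted(p)))
    third = {f"{prefix}{i}": Role(f"{prefix}{i}", p) for i, p in enumerate(distinct)}
    build_hierarchy(third)
    return third

def merge_role_sets(first: dict[str, Role], third: dict[str, Role]) -> dict[str, Role]:
    """Step 509: a public role (same permissions in both sets) is kept once under
    its first-set name and the dropped duplicate's hierarchy edges move to it;
    every other role is retained."""
    result = {n: Role(n, r.perms, set(r.juniors)) for n, r in first.items()}
    by_perms = {r.perms: n for n, r in first.items()}
    rename = {n: by_perms.get(r.perms, n) for n, r in third.items()}
    for n, r in third.items():
        kept = result.setdefault(rename[n], Role(rename[n], r.perms))
        kept.juniors |= {rename[j] for j in r.juniors if rename[j] != kept.name}
    return result

def effective_perms(role: Role, roles: dict[str, Role]) -> frozenset[str]:
    """Own permissions plus everything inherited through junior roles."""
    out = set(role.perms)
    for j in role.juniors:
        out |= effective_perms(roles[j], roles)
    return frozenset(out)

def verify_coverage(upa: UPA, roles: dict[str, Role]) -> bool:
    """Check the RBAC state reproduces the UPA exactly: giving each user every
    role whose effective permissions fit inside the user's row must yield
    precisely that row (no privilege lost, none gained)."""
    for user, perms in upa.items():
        granted: set[str] = set()
        for r in roles.values():
            eff = effective_perms(r, roles)
            if eff <= perms:
                granted |= eff
        if granted != perms:
            return False
    return True

def build_rbac(upa: UPA, template: dict[str, Role]) -> dict[str, Role]:
    first, remaining = role_matching(upa, template)
    return merge_role_sets(first, mine_roles(remaining))

# Constructed sample: a small hospital-style template and five users.
TEMPLATE = {
    "clerk": Role("clerk", frozenset({"read_record"})),
    "nurse": Role("nurse", frozenset({"read_record", "update_vitals"}), {"clerk"}),
    "doctor": Role("doctor", frozenset({"read_record", "update_vitals", "prescribe"}), {"nurse"}),
    "pharmacist": Role("pharmacist", frozenset({"read_record", "dispense"}), {"clerk"}),
}
SAMPLE_UPA: UPA = {
    "alice": frozenset({"read_record", "update_vitals", "prescribe", "approve_budget"}),
    "bob": frozenset({"read_record", "update_vitals"}),
    "carol": frozenset({"read_record", "dispense", "audit_log"}),
    "dave": frozenset({"approve_budget", "audit_log"}),
    "erin": frozenset({"read_record"}),
}
```

The `verify_coverage` check is the acceptance test to run before the client builds the RBAC system from the mined roles: the merged role set must reproduce every UPA row exactly, so that no user loses a permission and none gains one.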
510, the cloud server sends the RBAC role set to the client.
511, the client constructs the RBAC system according to the RBAC role set in the step 510.
In the embodiment of the invention, the first role set is determined by matching roles according to the RBAC template and the UPA data, and the RBAC role set is determined by mining roles according to the first role set and the UPA data, so that the business process information contained in the RBAC template is merged into the RBAC role set without performing expensive and complicated business process analysis, and the high automation degree of the role mining process is kept, therefore, the semantic accuracy of the RBAC role set can be improved, the cost is reduced, and the efficiency of constructing the RBAC system can be improved.
In addition, in the embodiment of the invention, the cloud server is used for carrying out role mining on the residual UPA data which are not matched in the role matching process, so that the data volume required to be processed in the role mining process can be reduced, and the processing efficiency is improved.
In addition, in the embodiment of the invention, the cloud server can replace different algorithms to perform role matching and role mining, so that the process of constructing the RBAC role set has good expansibility and flexibility.
Fig. 6 is a schematic block diagram of a cloud server according to an embodiment of the present invention. The cloud server 600 of fig. 6 includes a receiving module 610, a role matching module 620, a role mining module 630, and a transmitting module 640.
The receiving module 610 receives, from a client, a request message for requesting to construct an RBAC role set having a hierarchical structure, where the request message carries user right assignment (UPA) data. The role matching module 620 receives the UPA data from the receiving module 610, obtains the RBAC template, and performs role matching according to the RBAC template and the UPA data to determine a first role set having a hierarchical structure. The role mining module 630 receives the first role set from the role matching module 620 and performs role mining based on the first role set and the UPA data to determine the RBAC role set. The sending module 640 receives the RBAC role set from the role mining module 630 and sends the RBAC role set to the client, so that the client constructs an RBAC system according to the RBAC role set.
In the embodiment of the invention, the first role set is determined by matching roles according to the RBAC template and the UPA data, and the RBAC role set is determined by mining roles according to the first role set and the UPA data, so that the business process information contained in the RBAC template is merged into the RBAC role set without performing expensive and complicated business process analysis, and the high automation degree of the role mining process is kept, therefore, the semantic accuracy of the RBAC role set can be improved, the cost is reduced, and the efficiency of constructing the RBAC system can be improved.
Other functions and operations of the cloud server 600 may refer to the processes related to the cloud server in the method embodiments of fig. 2 to fig. 5, and are not described herein again to avoid repetition.
Optionally, as an embodiment, the role matching module 620 may perform role matching on the RBAC template and the UPA data to determine a second role set having a hierarchical structure; sending the second role set to the client; receiving a client's adjustment scheme to the second role set from the client; and adjusting the second role set according to the adjusting scheme to determine the first role set.
Optionally, as another embodiment, role mining module 630 can role mine the UPA data based on the first role set to determine the RBAC role set.
Optionally, as another embodiment, the role mining module 630 may perform role mining on the UPA data based on the first role set according to an algorithm for solving MinPert-RHMP to determine the RBAC role set.
Optionally, as another embodiment, the role mining module 630 can determine the remaining UPA data in the UPA data that does not match the roles of the first role set; performing role mining on the residual UPA data, and determining a third role set with a hierarchical structure; and merging the first role set and the third role set to determine the RBAC role set.
Optionally, as another embodiment, the role mining module 630 performs role mining on the remaining UPA data according to an algorithm for solving the RHMP, and determines the third role set.
Optionally, as another embodiment, the role mining module 630 may perform role mining on the remaining UPA data according to an algorithm for solving the RMP, determine a third role set without a hierarchical structure, and construct a hierarchical structure for that third role set according to an algorithm for solving the RHBP.
Optionally, as another embodiment, the role matching module 620 may select an RBAC template from an RBAC template library stored in the cloud server according to industry information associated with the UPA data; or receive the RBAC template from the client, wherein the RBAC template is selected from the RBAC template library by the client according to the industry information associated with the UPA data.
In the embodiment of the invention, the first role set is determined by matching roles according to the RBAC template and the UPA data, and the RBAC role set is determined by mining roles according to the first role set and the UPA data, so that the business process information contained in the RBAC template is merged into the RBAC role set without performing expensive and complicated business process analysis, and the high automation degree of the role mining process is kept, therefore, the semantic accuracy of the RBAC role set can be improved, the cost is reduced, and the efficiency of constructing the RBAC system can be improved.
Fig. 7 is a schematic diagram of one example of an implementation of a cloud server according to one embodiment of the invention.
In fig. 7, the same or similar portions as those in fig. 6 are denoted by the same reference numerals. The cloud server 700 includes a storage module 650 in addition to the receiving module 610, the role matching module 620, the role mining module 630, and the transmitting module 640 in fig. 6. The storage module 650 may store the first set of roles determined by the role matching module 620.
In fig. 7, numerals "1", "2", "3", and "4" indicate the order of data flow. Other functions and operations of the cloud server 700 in fig. 7 may refer to processes related to the cloud server in the method embodiments of fig. 2 and fig. 3, and are not described herein again to avoid repetition.
In the embodiment of the invention, the first role set is determined by matching roles according to the RBAC template and the UPA data, and the RBAC role set is determined by mining roles according to the first role set and the UPA data, so that the business process information contained in the RBAC template is merged into the RBAC role set without performing expensive and complicated business process analysis, and the high automation degree of the role mining process is kept, therefore, the semantic accuracy of the RBAC role set can be improved, the cost is reduced, and the efficiency of constructing the RBAC system can be improved.
In addition, in the embodiment of the invention, the cloud server can replace different algorithms to perform role matching and role mining, so that the process of constructing the RBAC role set has good expansibility and flexibility.
Fig. 8 is a schematic diagram of another example of an implementation of a cloud server according to another embodiment of the invention.
In fig. 8, the same or similar portions as those in fig. 6 are denoted by the same reference numerals. The cloud server 800 includes a storage module 660 and a merging module 670 in addition to the receiving module 610, the role matching module 620, the role mining module 630, and the transmitting module 640 in fig. 6.
Storage module 660 may store the first set of roles determined by role matching module 620 and the third set of roles determined by role mining module 630.
The merging module 670 may obtain the first role set and the third role set from the storage module 660, merge the first role set and the third role set, determine an RBAC role set having a hierarchical structure, and send the RBAC role set to the sending module 640.
In fig. 8, numerals "1", "2", "3", "4", and "5" indicate the order of data flow. Other functions and operations of the cloud server 800 in fig. 8 may refer to processes related to the cloud server in the method embodiments of fig. 2 and fig. 5, and are not described herein again to avoid repetition.
In the embodiment of the invention, the first role set is determined by matching roles according to the RBAC template and the UPA data, and the RBAC role set is determined by mining roles according to the first role set and the UPA data, so that the business process information contained in the RBAC template is merged into the RBAC role set without performing expensive and complicated business process analysis, and the high automation degree of the role mining process is kept, therefore, the semantic accuracy of the RBAC role set can be improved, the cost is reduced, and the efficiency of constructing the RBAC system can be improved.
In addition, in the embodiment of the invention, the cloud server is used for carrying out role mining on the residual UPA data which are not matched in the role matching process, so that the data volume required to be processed in the role mining process can be reduced, and the processing efficiency is improved.
In addition, in the embodiment of the invention, the cloud server can replace different algorithms to perform role matching and role mining, so that the process of constructing the RBAC role set has good expansibility and flexibility.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (16)

1. A method for constructing a role-based access control (RBAC) system, comprising:
receiving a request message for requesting to construct a role set of RBAC with a hierarchical structure from a client, wherein the request message carries user authority distribution (UPA) data;
obtaining an RBAC template, and performing role matching according to the RBAC template and the UPA data to determine a first role set with a hierarchical structure;
performing role mining according to the first role set and the UPA data to determine the RBAC role set;
and sending the RBAC role set to the client so that the client can construct an RBAC system according to the RBAC role set.
2. The method of claim 1, wherein said role matching based on said RBAC template and said UPA data to determine a first set of roles having a hierarchical structure comprises:
performing role matching on the RBAC template and the UPA data, and determining a second role set with a hierarchical structure;
sending the second role set to the client;
receiving, from the client, an adjustment scheme of the client to the second set of roles;
and adjusting the second role set according to the adjusting scheme to determine the first role set.
3. The method of claim 1 or 2, wherein the role mining based on the first role set and the UPA data to determine a hierarchical RBAC role set comprises:
and performing role mining on the UPA data based on the first role set to determine the RBAC role set.
4. The method of claim 3, wherein the role mining the UPA data based on the first set of roles to determine the RBAC role set comprises:
performing role mining on the UPA data based on the first role set according to an algorithm for solving the minimum-perturbation role hierarchy mining problem (MinPert-RHMP) to determine the RBAC role set.
5. The method of claim 1 or 2, wherein the role mining based on the first role set and the UPA data to determine a hierarchical RBAC role set comprises:
determining remaining UPA data in the UPA data that does not match a role of the first set of roles;
performing role mining on the residual UPA data, and determining a third role set with a hierarchical structure;
merging the first role set and the third role set to determine the RBAC role set.
6. The method of claim 5, wherein the role mining the remaining UPA data to determine a third set of roles having a hierarchical structure comprises:
and performing role mining on the residual UPA data according to an algorithm for solving a role mining problem with a hierarchical structure, namely RHMP, and determining the third role set.
7. The method of claim 5, wherein the role mining the remaining UPA data to determine a third set of roles having a hierarchical structure comprises:
according to an algorithm for solving a Role Mining Problem (RMP), performing role mining on the residual UPA data, and determining a third role set without a hierarchical structure;
and constructing a hierarchical structure for the third role set without the hierarchical structure according to an algorithm for solving a role hierarchy building problem (RHBP).
8. The method of any of claims 1-7, wherein the obtaining the RBAC template comprises:
selecting the RBAC template from an RBAC template library stored in a cloud server according to the industry information associated with the UPA data; or,
and receiving the RBAC template from the client, wherein the RBAC template is selected from the RBAC template library by the client according to the industry information associated with the UPA data.
9. A cloud server, comprising:
a receiving module, configured to receive, from a client, a request message for requesting to construct an RBAC role set with a hierarchical structure, wherein the request message carries user authority distribution (UPA) data;
the role matching module is used for receiving the UPA data from the receiving module, acquiring an RBAC template, and performing role matching according to the RBAC template and the UPA data to determine a first role set with a hierarchical structure;
the role mining module is used for receiving the first role set from the role matching module and mining roles according to the first role set and the UPA data so as to determine the RBAC role set;
and the sending module is used for receiving the RBAC role set from the role mining module and sending the RBAC role set to the client so that the client can construct an RBAC system according to the RBAC role set.
10. The cloud server of claim 9, wherein the role matching module is specifically configured to perform role matching on the RBAC template and the UPA data to determine a second role set having a hierarchical structure; sending the second role set to the client; receiving, from the client, an adjustment scheme of the client to the second set of roles; and adjusting the second role set according to the adjusting scheme to determine the first role set.
11. The cloud server of claim 9 or 10, wherein the role mining module is specifically configured to perform role mining on the UPA data based on the first role set to determine the RBAC role set.
12. The cloud server of claim 11, wherein the role mining module is specifically configured to perform role mining on the UPA data based on the first role set according to an algorithm for solving the minimum-perturbation role hierarchy mining problem (MinPert-RHMP) to determine the RBAC role set.
13. The cloud server of claim 9 or 10, wherein the role mining module is specifically configured to determine remaining UPA data in the UPA data that does not match a role of the first set of roles; performing role mining on the residual UPA data, and determining a third role set with a hierarchical structure; merging the first role set and the third role set to determine the RBAC role set.
14. The cloud server of claim 13, wherein the role mining module is specifically configured to perform role mining on the remaining UPA data according to an algorithm for solving a role mining problem with a hierarchical structure, RHMP, to determine the third role set.
15. The cloud server of claim 13, wherein the role mining module is specifically configured to perform role mining on the remaining UPA data according to an algorithm for solving a role mining problem (RMP), and determine a third role set without a hierarchical structure; and to construct a hierarchical structure for the third role set without the hierarchical structure according to an algorithm for solving a role hierarchy building problem (RHBP).
16. The cloud server according to any one of claims 9 to 15, wherein the role matching module is specifically configured to select the RBAC template from a RBAC template library stored in the cloud server according to industry information associated with the UPA data; or receiving the RBAC template from the client, wherein the RBAC template is selected from the RBAC template library by the client according to the industry information associated with the UPA data.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210213506.1A CN103514412B (en) 2012-06-26 2012-06-26 Build the method and Cloud Server of access control based roles system
PCT/CN2013/076705 WO2014000554A1 (en) 2012-06-26 2013-06-04 Method for constructing role-based access control system and cloud server

Publications (2)

Publication Number Publication Date
CN103514412A true CN103514412A (en) 2014-01-15
CN103514412B CN103514412B (en) 2017-06-20
