CN103677829B - Object Operations accesses the method controlled - Google Patents
Object Operations accesses the method controlled Download PDFInfo
- Publication number
- CN103677829B CN103677829B CN201310676111.XA CN201310676111A CN103677829B CN 103677829 B CN103677829 B CN 103677829B CN 201310676111 A CN201310676111 A CN 201310676111A CN 103677829 B CN103677829 B CN 103677829B
- Authority
- CN
- China
- Prior art keywords
- object operations
- operations
- configuration
- unauthorized
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The present invention relates to a kind of Object Operations and access the system and method controlled, it is provided that in order to the function being controlled according to the classification defined in filtering object operating process.An authority configuring method to all Object Operations functions in operating system.Object tracking according to following, but can be not limited to index structure, daily record and audit-trail, behavior tracking, user right.Described object accesses controls as all operations mode to object, it is possible to extension upgrading.Object Operations access control method can carry out the most single or combination function and control any object.Function upgrading can be carried out.The function that Object Operations is controlled by the present invention is more, does not terminate in three classes: reads, writes, and performs;Object Operations authority source is increased: be not limited to user right and user organizes authority.
Description
Technical field
The present invention relates to a kind of Object Operations and access the method controlled, belong to access control method technical field.
Background technology
Due to more and more important to the protection of data obj ect security, right access control requires more and more various.Currently, traditional Object Operations control of authority relies primarily on and makes a distinction operating function based on user right.And the operation limited is mainly " reading ", " writing ", " execution ".By file adeditive attribute is marked, typically there is file owners, group belonging to file, other users.Again by judging the user of current accessed, or the associated rights of its place user group is the control conducted interviews.Each class user typically configures " reading ", " writing ", " execution " three rights markings.Corresponding user, when performing some and performing, if the mark performed is to authorize, operates;It is labeled as unauthorized, it is impossible to carry out.To have reached to access the purpose controlled.
Although the restriction of common user authority has proven to useful, but the authority access privilege control of routine can not carry out general trickleer operation and control various Object Operations.A part of extended operation is also limited to specific operating system and file system, and these controls can not meet the demand that Object Operations is controlled by user.Limitation essentially consists in: 1. Object Operations control kind is the most single.2. the granularity of Object Operations is excessive.Actual write operation is segmented into multiple little particle.Such as segmentation write operation requirement, does not allow to revise object name, deletes, but allows to add object content, revises content, revises attribute, revises extended attribute, and the current operation write also is unable to reach requirement.3. carry out operation based on user right to distinguish, it is impossible to meet business operation and distinguish, need satisfaction has limitation.4. it is limited to specific operating system, file system.5. authority accesses, and needs to revise the metadata of file system.In a word, thus reduce the freedom that Object Operations controls, make Object Operations Control constraints in the original design basis storing system.Make some little functional requirement, it is impossible to fully meet the demand of user.And other softwares, part control can only be carried out, it is impossible to system All Files is controlled, and system performance difficulty, complexity is set, maintainability is poor.
Accordingly, it would be desirable to a flexible Object Operations access control method, carrying out operational access filtration, Authorized operation could perform.Computer program is with and related methods, up to now, is not met by the needs to this solution.
Summary of the invention
The invention provides access control system and the method for a new Object Operations, including building object concrete operations classifying module, building operational access control configuration module, structure Object Operations control module.
" build operational access and control configuration module " and depend on " building Object Operations classifying module ", it is provided that all Object Operations kinds that can be monitored in system, such that it is able to be controlled configuration.The operative configuration that " structure Object Operations control module " depends on " build operational access and control configuration module " and provide is controlled foundation when judging.
Concrete technical scheme is:
Step one: build Object Operations classifying module, all of Object Operations is divided into Authorized operation, unauthorized operation;All classified object are divided into mandate monitoring class, unauthorized monitoring class;For can be according to the index structure of object, daily record, audit trail, behavioural analysis, user right, it is judged that the most labeled operation, it be included into mandate monitoring class;Otherwise, it is included into unauthorized monitoring class;To authorizing monitoring class, when other modules use, needs determine whether, carrying out Object Operations mandate to judge to filter, i.e. this class of operation is distinguished is Authorized operation, or unauthorized operation, if configured to " authorization configuration ", then operation is " Authorized operation ", is otherwise configured to " unauthorized configuration ", operates as " unauthorized operation ";To unauthorized monitoring class, this time Object Operations directly operates, and i.e. in this type of, all operations is judged to " Authorized operation ";
After activity classification, operating right controls just to be no longer confined to " user right and user organize authority ".
" operation " identified, when accessing object, can be divided into " Authorized operation " and " unauthorized operation " according to object " operation ", is just included into " authorizing monitoring class ".
The purpose carrying out authorizing monitoring to classify to object is, when carrying out Object Operations, sorting out according to the seizable attribute of a certain kind of object, the operation identified.
The purpose of activity classification is, carries out two kinds of execution authorities of " permission " and " forbidding " to sorted operation and returns.
Step 2: build object accesses and control configuration module, first according to the definition of step one Object Operations classifying module, sets up operational access and controls set, storage object operation method, object operation method includes: read operation, write operation, obtaining authority, arrange authority, object is opened, is discharged, delete, create, obtain private attribute information, check, perform, obtain private data, private data is set, it is possible to is automatically finely divided current operation and combines;Object identifying attribute: index structure, daily record and audit-trail, behavior tracking;Within the storage system, user is according to the needs of own service, it is possible to carry out individual cultivation;
Step 3, obtaining step one authorize Object Operations the most labeled in monitoring class, display configured list, user selects the object operation method in one or more step 2, user configures corresponding " authorization configuration " or " unauthorized configuration ", storage device configurations to the Object Operations that each item is selected;
Step 4, structure Object Operations control module, in systems, carry out the operation before Object Operations access and obtain, the configuration specified according to " build operational access and control configuration module ", conduct interviews authorization control: reads Object Operations in monitoring system, then reads all Object Operations configured lists;Judge that existing object operation is " permission ", if " permission ", perform this Object Operations, return after operating successfully, terminate;If " forbidding ", then this Object Operations is asked unsuccessfully, after returning operation failure, terminates;
The acquisition of each operation is attained by the atomic level of atomic operation composition.Atomic operation, refers to operational access to subdivided into the degree that can not segment.Because General System can only limit " read, write, perform ", and real system can be sub-divided into atomic level by operation particle, is just not limited only to above three classes.And it is can be caught by operation calls during Object Operations, according to the classification in step one, carries out Authorized operation judgement.Mandate monitoring classification in step one according to object place, carries out Object Operations filtration, can not modify former data.
Beneficial effect
The function that Object Operations is controlled by the present invention is more, does not terminate in three classes: reads, writes, and performs;Object Operations authority source is increased: be not limited to user right and user organizes authority.Increase index structure, daily record and audit-trail, behavior tracking;It is not limited to specific operating system, file system.User can freely configure, and this function can conduct interviews control with business characteristic.
Accompanying drawing explanation
Fig. 1 is Object Operations control method schematic diagram
Fig. 2 is for building Object Operations classifying module schematic diagram
Fig. 3 controls configuration module diagram for building operational access
Fig. 4 is for building Object Operations control module schematic diagram
Fig. 5 is " Object Operations in monitoring system " the sub-schematic diagram building Object Operations control module
Detailed description of the invention
The present invention meets this needs, and provides the function that Object Operations filters, and authority freely configures.Object classification can be according to following but be not limited to, index structure, daily record and audit trail, behavioural analysis, user right.Native system includes object storage system, its storage object supporting to include different operation authority.In a particular embodiment, storage object accesses controls function and the kind of method of operating, can be upgraded change.
Fig. 1 for a kind of use according to the present invention for providing object to support the exemplary overall environment of operational access control method (storage system 10).
As it is shown in figure 1, storage system 10 includes Object Operations access control logic 30, it is generally embedded in or is arranged on the form of hardware logic or software program code in computer system 20.Object Operations access control logic 30 includes building Object Operations classifying module 40, building object accesses control configuration module 50 and build Object Operations control module 60.Storage system 10 also includes storage medium 70.Such as: hardware.Such as client 80,85 passes through network 90 with storage system communication.
According to step one, build Object Operations classifying module 40, need all of Object Operations classification in current system to find, and classify.Operate such as: read operation, write operation, obtain authority, authority is set, object is opened, is discharged, and deletes, and creates, and obtains private attribute information, checks, execution obtains private data, arranges private data.The basis of classification is when obtaining Object Operations, and can judge according to the index structure of object, daily record, audit trail, behavioural analysis, user right etc., and this operation can set up contact with this object, and can well distinguish.Judge the most labeled operational access, be included into mandate monitoring class;Otherwise, it is included into unauthorized monitoring class.Authorize monitoring class such as: read operation, write operation, obtain authority, authority is set, object is opened, is discharged, and deletes, and creates, and obtains private attribute information, checks, performs.Unauthorized monitoring class: obtain private data, private data is set.
Build object accesses and control configuration module 50, be that obtained Object Operations has been included into the operation authorized in monitoring class according to building in Object Operations classifying module 40.The method carrying out configuring to user.User can view can configure for which operation.User can once choose one or more Object Operation to carry out authority configuration, is configurable to " authorization configuration " and " unauthorized configuration ".
According to step 2, build Object Operations control module 60, control configuration module 50 according to building object accesses, there has been provided Object Operations configuration, when carrying out Object Operations, carry out operation and obtain, if this time operation is configured without in module configuration, do not judge.Illustrate that this operation is according to regard to nonrecognition.If be configured with, then illustrate that this operation can classified module identify.Carry out configuration determination again, if " authorization configuration ", then operate permission;If " unauthorized configuration " ", then attendant exclusion.Such as: control in configuration module 50 action name building object accesses: " deletion ", " renaming " is configured to " unauthorized configuration ", and other operations are defaulted as " authorization configuration ".So for object carries out " deletion " and " renaming " operation, when operation performs, can be fabricated accessed by Object Operations control module 60, and judge.Judge that this Object Operations accesses whether in " authorizing monitoring class ".If it is, carrying out judging whether is " authorization configuration " again, if it is, this operational access " allows " to perform;If " unauthorized configuration ", then this operational access " forbids " performing.For " read operation ", for " write operation ", after carrying out judging more than similar, meeting " allows " to perform.
Build Object Operations classifying module idiographic flow as shown in Figure 3: " the building Object Operations classifying module 50 " in " Object Operations access control logic 30 " is that obtained Object Operations has been included into the operation authorized in monitoring class according to building in Object Operations classifying module 40.The method carrying out configuring to user.User can view can configure for which operation.User can once choose one or more Object Operation to carry out authority configuration, is configurable to " authorization configuration " and " unauthorized configuration ".
In icon 305, first obtain in icon 225, the Object Operations classification of storage.These classifications are included in authorizing monitoring class.Service to next icon 310 after these operations are got.
In icon 310, in icon 305, the Object Operations obtained, show user.And the operation that can configure also is shown at this.Two " authorization configuration " and " unauthorized configuration " are provided.
In icon 315, user, according to the demand of self, listed Object Operations list, carries out one or more selection.
In icon 320, the Object Operation selected is carried out content configuration, is configured to " authorization configuration " or " unauthorized configuration ".
In icon 325, user is configured later data and carries out preserving within the storage system.The content of storage includes: the title of Object Operations, and the situation of configuration.And this information can also the most all increases.
According to step 3, obtaining step one authorizes Object Operations the most labeled in monitoring class, display configured list, user selects the object operation method in one or more step 2, user configures corresponding " authorization configuration " or " unauthorized configuration ", storage device configurations to the Object Operations that each item is selected;Flow process is as shown in Figure 2;
Fig. 2 illustrates " building Object Operations classifying module 40 " the detailed annotation implementation in " Object Operations access control logic 30 ".
Build Object Operations classifying module 40, need all of Object Operations classification in current system to find, and classify.The basis of classification is when obtaining Object Operations, and can judge according to the index structure of object, daily record, audit trail, behavioural analysis, user right etc., and this operation can set up contact with this object, and can well distinguish.Judge the most labeled operational access, be included into mandate monitoring class;Otherwise, it is included into unauthorized monitoring class.
This module is an initialization module of system, before running configuration and controlling, needs first to carry out initial operation classification.
In icon 205, first have to obtain current all Object Operations functions that can capture.Such as: " read operation, write operation obtain authority, arrange authority, and object is opened, discharged, and delete, and create, and obtain private attribute information, check, perform, and obtain private data, arrange private data etc.." quantity of this time step identification and situation, can change according to the upgrading of system.
In icon 210, it is judged that whether Object Operations classification in authorizing monitoring class, it is judged that according to being this type of this Object Operation, can be by the relevant information of the index structure of object, daily record, audit trail, behavioural analysis, user right to marking.If information flag is the object identity of " can mark ".During then this Object Operation kind can be included into " authorization control class " (icon 215), otherwise at " unauthorized monitoring class " (icon 220).
In icon 215, according to icon 210, when for "Yes", this Object Operations kind is included into " authorizing monitoring class ".
In icon 220, according to icon 210, when for "No", this Object Operations kind is included into " unauthorized monitoring class ".
In icon 225, the result obtained in a upper icon 215 and icon 220, the classification of Object Operations stores, in order to controls configuration module 50 to structure object accesses and uses.
According to step 4, build Object Operations control module 60, idiographic flow as shown in Figure 4:
Object Operations 405 in monitoring system, and identify the type of current operation;Read all Object Operations configured lists 410, including Object Operations kind and situation about being configured thereof.
In icon 415, the Object Operations type obtained in icon 405 and the object in icon 410 configured list.The first, action type in lists, judges, if had configured to " authorization configuration ", then this time Object Operations " allows ", enters icon 420;Be otherwise " unauthorized configuration ", then this time Object Operations " is forbidden ", enters icon 425.Situation for the second time, action type the most in lists, no longer carries out configuration determination.This Object Operations behavior is not limited.Enter icon 420.
In icon 420, this Object Operations is performed.Enter icon 430.
In icon 425, this Object Operations is intercepted and performs, operation requests failure.Enter icon 435.
After having performed operation, to current system " return operate successfully 430 ".
In icon 435, after normal interception operation, return to current system one and ask unsuccessfully.
Fig. 5 carries out illustrating the operation behavior of icon 405.I.e. build " Object Operations in monitoring system " sub-schematic diagram of Object Operations control module.
In icon 505, each Object Operations in system is obtained current type constantly.Can obtain in current system, all of Object Operations.Being to prepare for next step judgement, guard system is not to identify, or nonrecognition.
In icon 510, mainly in current system operation be identified.Check in current version recognized list, if can recognize.Because Object Operations access control method can be upgraded, so listing the action type of main flow.
521 to the 533 of Fig. 5, list the action type of main flow, described are: read operation, write operation, obtain authority, arrange authority, and object is opened, discharged, and deletes, and creates, checks, performs, and obtains private attribute information, arranges private data, new Operation Definition action type.
In icon 540, carry out Object Operations filtration, the operation in authorizing monitoring range at icon 215, remain, and in the form of a list, to next icon 410.
Claims (2)
1. access the method controlled for Object Operations, including building Object Operations classifying module, structure
Operational access controls configuration module, builds Object Operations control module, it is characterised in that:
Step one: build Object Operations classifying module, all of Object Operations is divided into Authorized operation, unauthorized
Operation;All classified object are divided into mandate monitoring class, unauthorized monitoring class;For tying according to the index of object
Structure, daily record, audit trail, behavioural analysis, user right, it is judged that the most labeled operation, be included into mandate
Monitoring class;Otherwise, it is included into unauthorized monitoring class;To authorize monitoring class, when other modules use, need into
One step judges, carries out Object Operations mandate and judges to filter, and i.e. this class of operation is distinguished is Authorized operation,
Or unauthorized operation, if configured to " authorization configuration ", then operation is " Authorized operation ", is otherwise configured to
" unauthorized configuration ", operates as " unauthorized operation ";To unauthorized monitoring class, this time Object Operations is directly grasped
Making, i.e. in this type of, all operations is judged to " Authorized operation ";
Step 2: build object accesses and control configuration module, first according to step one Object Operations classifying module
Definition, sets up operational access and controls set, store object operation method;
Step 3, obtaining step one authorize Object Operations the most labeled in monitoring class, show configured list,
User selects the object operation method in one or more step 2, and the Object Operations that each item is selected is joined by user
Put corresponding " authorization configuration " or " unauthorized configuration ", storage device configurations;
Step 4, structure Object Operations control module, in systems, carry out the operation before Object Operations access and obtain
Taking, the configuration specified according to " build operational access and control configuration module ", conduct interviews authorization control: reads
Object Operations in monitoring system, then reads all Object Operations configured lists;Judge that existing object operation is not
It is " permission ", if " permission ", performs this Object Operations, return after operating successfully, terminate;If
Be " forbidding ", then this Object Operations is asked unsuccessfully, after returning operation failure, terminates.
2. the method for claim 1, object accesses controls configuration module, the Object Operations side of storage
Method includes: read operation, write operation, obtains authority, arranges authority, and object is opened, discharged, and deletes, and creates,
Obtain private attribute information, check, perform, obtain private data, private data is set, it is possible to the most right
Current operation is finely divided and combines;Object identifying attribute: index structure, daily record and audit-trail, behavior
Follow the tracks of;Within the storage system, user, according to the needs of own service, carries out individual cultivation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310676111.XA CN103677829B (en) | 2013-12-13 | 2013-12-13 | Object Operations accesses the method controlled |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310676111.XA CN103677829B (en) | 2013-12-13 | 2013-12-13 | Object Operations accesses the method controlled |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103677829A CN103677829A (en) | 2014-03-26 |
| CN103677829B true CN103677829B (en) | 2016-08-17 |
Family
ID=50315496
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310676111.XA Active CN103677829B (en) | 2013-12-13 | 2013-12-13 | Object Operations accesses the method controlled |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103677829B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108243175B (en) * | 2016-12-27 | 2021-03-12 | 北京金山云网络技术有限公司 | Access control method and device based on bucket policy |
| CN109948360B (en) * | 2019-02-26 | 2023-04-07 | 维正知识产权科技有限公司 | Multi-control-domain security kernel construction method and system for complex scene |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1305611A (en) * | 1998-05-15 | 2001-07-25 | 特里迪姆公司 | System and methods for object-oriented control of diverse electromechanical systems using computer network |
| CN1570910A (en) * | 2003-07-11 | 2005-01-26 | 北京直真节点技术开发有限公司 | A universal object modeling method and universal object management system |
| CN101674334A (en) * | 2009-09-30 | 2010-03-17 | 华中科技大学 | Access control method of network storage equipment |
| CN101895551A (en) * | 2010-07-22 | 2010-11-24 | 北京天融信科技有限公司 | Resource access control method and system |
| CN101997912A (en) * | 2010-10-27 | 2011-03-30 | 苏州凌霄科技有限公司 | Mandatory access control device based on Android platform and control method thereof |
| CN102426552A (en) * | 2011-10-31 | 2012-04-25 | 成都市华为赛门铁克科技有限公司 | Storage system service quality control method, device and system |
-
2013
- 2013-12-13 CN CN201310676111.XA patent/CN103677829B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1305611A (en) * | 1998-05-15 | 2001-07-25 | 特里迪姆公司 | System and methods for object-oriented control of diverse electromechanical systems using computer network |
| CN1570910A (en) * | 2003-07-11 | 2005-01-26 | 北京直真节点技术开发有限公司 | A universal object modeling method and universal object management system |
| CN101674334A (en) * | 2009-09-30 | 2010-03-17 | 华中科技大学 | Access control method of network storage equipment |
| CN101895551A (en) * | 2010-07-22 | 2010-11-24 | 北京天融信科技有限公司 | Resource access control method and system |
| CN101997912A (en) * | 2010-10-27 | 2011-03-30 | 苏州凌霄科技有限公司 | Mandatory access control device based on Android platform and control method thereof |
| CN102426552A (en) * | 2011-10-31 | 2012-04-25 | 成都市华为赛门铁克科技有限公司 | Storage system service quality control method, device and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103677829A (en) | 2014-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101467144B (en) | Declarative management framework | |
| CN102799827B (en) | Effective protection of data in mobile device | |
| US8479302B1 (en) | Access control via organization charts | |
| US20180300494A1 (en) | Method of identifying and tracking sensitive data and system thereof | |
| CN103020541B (en) | Personal space (data) in contrast to company space (data) | |
| CN102110211B (en) | For the method and apparatus of Administrative Security event | |
| US20170161503A1 (en) | Determining a risk indicator based on classifying documents using a classifier | |
| EP2711860B1 (en) | System and method for managing role based access control of users | |
| CN103368904A (en) | Mobile terminal, and system and method for suspicious behavior detection and judgment | |
| CN103581187A (en) | Method and system for controlling access rights | |
| CN101359355A (en) | Method for raising user's authority for limitation account under Windows system | |
| CN107209765A (en) | System and method for aggregation information assets classes | |
| CN104462937B (en) | Operating system peripheral access permission control method based on users | |
| CN109359171A (en) | Management-control method, device, computer equipment and the storage medium of label | |
| KR100853721B1 (en) | Method for real-time integrity check and audit trail connected with the security kernel | |
| WO2016197814A1 (en) | Junk file identification and management method, identification device, management device and terminal | |
| CN104680070A (en) | Method, device and system for managing files used by user | |
| CN107358122A (en) | The access management method and system of a kind of data storage | |
| CN106936812A (en) | File privacy leakage detection method based on Petri network under a kind of cloud environment | |
| CA2673422A1 (en) | Software for facet classification and information management | |
| CN106339629A (en) | Application management method and device | |
| CN102110201A (en) | System for monitoring and auditing compact disc burning | |
| CN105760746A (en) | Authority management method, authority distribution method and equipment | |
| CN105095564A (en) | Data processing method and apparatus based on building information model | |
| CN105930726A (en) | Processing method for malicious operation behavior and user terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |