CN104333553A - Mass data authority control strategy based on combination of blacklist and whitelist - Google Patents


Info

Publication number
CN104333553A
Authority
CN
China
Prior art keywords
authority
resource
user
black
white lists
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410630147.9A
Other languages
Chinese (zh)
Inventor
范联伟
周春寅
王汉林
王佐成
余保华
王卫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anhui Sun Create Electronic Co Ltd
Original Assignee
Anhui Sun Create Electronic Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Abstract

The invention relates to a mass data authority control strategy based on the combination of a blacklist and a whitelist. The strategy comprises the following steps: a server pre-stores an organization table, a user access authority table and a resource information table, where the user access authority table has a multi-level resource group structure and is divided into authority increase and authority decrease (authority granted over a resource is an authority increase, otherwise it is an authority decrease); when the user logs in through the client, the client sends the account and password entered by the user to the server for verification; after verification passes, the user's authority is queried in the user access authority table and the blacklist and whitelist are generated, where the blacklist corresponds to authority decrease and the whitelist corresponds to authority increase; the user's resource authority is obtained from the blacklist and whitelist, and the corresponding resources are loaded. With this strategy, the data volume of the authority table is greatly reduced for resources on the scale of tens of thousands; any new resource can be added to a resource set, and all resources can be authorized without changing the authority table, so user authority can be managed flexibly.

Description

Mass data authority control strategy based on the combination of a blacklist and a whitelist
Technical field
The present invention relates to the technical field of data access authority management, and in particular to a mass data authority control strategy based on the combination of a blacklist and a whitelist.
Background technology
With the development of computer technology, the smart city and the safe city have been widely applied in city management. The construction of a safe city creates a large amount of network information resources, and how to manage these resources properly has become a hot research issue.
Traditional rights management policies, at home and abroad, either add resources directly to the user, as shown in Figure 1, or authorize the user through resource groups, as shown in Figure 2. The advantage of the former, the user-to-resource policy, is that rights management is more flexible, but for resources on the scale of tens of thousands of monitoring cameras this policy makes the authority table huge and authority checking inefficient. The latter solves the data-volume problem, but its rights management granularity is too coarse, fine adjustment of authority is not easy, and flexibility is poor.
Summary of the invention
The object of the present invention is to provide a mass data authority control strategy based on the combination of a blacklist and a whitelist which, when controlling authority over vast resources, reduces the data volume of the authority table while still managing authority flexibly, achieving the most flexible rights management with the minimum stored data volume and the highest efficiency.
To achieve the above object, the present invention adopts the following technical scheme: a mass data authority control strategy based on the combination of a blacklist and a whitelist, comprising the following steps in order:
(1) the server pre-stores an organization table, a user access authority table and a resource information table; the user access authority table is set up as a multi-level resource group structure and is divided into increase authority and decrease authority, where having authority over a resource is called increase authority and otherwise is called decrease authority;
(2) when the user logs in through the client, the client sends the account and password entered by the user to the server for verification;
(3) if the server verification passes, the user's authority is queried in the user access authority table and the blacklist and whitelist are generated, where the blacklist corresponds to decrease authority and the whitelist corresponds to increase authority;
(4) the user's resource authority is obtained according to the blacklist and whitelist, and the corresponding resources are loaded.
The organization table comprises an organization ID, a parent organization ID and an organization name, where the parent organization ID is the superior of the organization ID. The user access authority table comprises a user ID, a resource type, a resource number and an increase/decrease authority flag; the resource type is one of two kinds, resource group or single resource; when the resource type is resource group the resource number is an organization ID, and when the resource type is single resource the resource number is the ID of that resource; each authority record distinguishes increase authority from decrease authority.
Each record of the user access authority table records the addition or deletion of a user's access rights to the resources under a certain resource group, or to a specific resource; whether it refers to a resource group or a single resource is determined by the resource type. Resource groups are hierarchical and use an upward-compatible scheme, that is, a parent organization holds the resource authority of its subordinate organizations. When a user's authority is modified, the user access authority table is queried first; if an authority setting for this resource already exists, the user is asked whether to overwrite that record.
The blacklist and whitelist are generated top-down: for each level of resource group, the resources corresponding to all of this user's increase-authority items are first added, and then the resources of the decrease-authority items are deleted from them.
If the user's authorities at different levels conflict, the authority of the lower-level grouping prevails.
When the business system calls or loads a resource, the user authority corresponding to the blacklist and whitelist is converted into a single-resource description form.
As can be seen from the above technical scheme, for resources on the scale of tens of thousands of monitoring cameras, this strategy greatly reduces the data volume of the authority table. When a new resource is added, such as a new video surveillance point, it only needs to be added to a resource group; any resource can be authorized without changing the authority table, and user authority can be managed flexibly. In short, the present invention combines the advantages of the user-to-resource and user-to-resource-group rights management policies: it reduces the data volume of the authority table while managing authority flexibly, achieving the most flexible rights management with the minimum stored data volume and the highest efficiency.
Brief description of the drawings
Fig. 1 is a schematic diagram of the existing user-to-resource authority control method.
Fig. 2 is a schematic diagram of the existing user-to-resource-group authority control method.
Fig. 3 is a schematic diagram of the authority control strategy of the present invention.
Fig. 4 is the organization chart in the embodiment of the present invention.
Fig. 5(a), 5(b), 5(c) and 5(d) are the blacklist and whitelist diagrams in the embodiment of the present invention.
Embodiment
A mass data authority control strategy based on the combination of a blacklist and a whitelist comprises the following. First, the server pre-stores an organization table, a user access authority table and a resource information table; the user access authority table is set up as a multi-level resource group structure and is divided into increase authority and decrease authority, where having authority over a resource is called increase authority and otherwise is called decrease authority. Second, when the user logs in through the client, the client sends the account and password entered by the user to the server for verification. Third, if the server verification passes, the user's authority is queried in the user access authority table and the blacklist and whitelist are generated, where the blacklist corresponds to decrease authority and the whitelist corresponds to increase authority. Finally, once verification has passed and the user has logged in successfully at the client, the user's resource authority is obtained according to the blacklist and whitelist and the corresponding resources are loaded, as shown in Figs. 3, 4 and 5. The present invention controls authority by granting the user increase authority or decrease authority over resource groups or single resources; in Fig. 3, a plus sign corresponds to increase authority and a minus sign to decrease authority.
As shown in Figure 4, the organization table comprises an organization ID, a parent organization ID and an organization name, where the parent organization ID is the superior of the organization ID; in this embodiment the organization table is as shown in Table 1.
The user access authority table comprises a user ID, a resource type, a resource number and an increase/decrease authority flag; the resource type is one of two kinds, resource group or single resource; when the resource type is resource group the resource number is an organization ID, and when the resource type is single resource the resource number is the ID of that resource; each authority record distinguishes increase authority from decrease authority. In this embodiment the user access authority table is as shown in Table 2, where resource type: 0 = resource group, 1 = single resource; increase/decrease authority: 1 = increase authority, 0 = decrease authority.
The resources are cameras, grouped into the municipal public security bureau group, the public security sub-bureau group and the police station group; each of these three levels of grouping is upward compatible. The camera information table comprises the camera ID, the ID of the organization the camera belongs to, and other camera-related business information; its structure is shown in Table 3.
The organizations that the cameras in Table 3 belong to are all compatible with their superiors; for example, camera 101010001 is shown in the table as belonging to police station 10101, so it also belongs to sub-bureau 101 and to the municipal bureau. Therefore, before resources are loaded, the user's authority is processed: the user's type-0 resource group authorities are converted into type-1 single-resource authority descriptions, and the database is queried with this single-resource description of the user's authority to load the corresponding camera resources.
Each record of the user access authority table records the addition or deletion of a user's access rights to the resources under a certain resource group, or to a specific resource; whether it refers to a resource group or a single resource is determined by the resource type. Resource groups are hierarchical and use an upward-compatible scheme, that is, a parent organization holds the resource authority of its subordinate organizations.
When a user's authority is modified, the user access authority table is queried first; if an authority setting for this resource already exists, the user is asked whether to overwrite that record. The blacklist and whitelist are generated top-down: for each level of resource group, the resources corresponding to all of this user's increase-authority items are first added, and then the resources of the decrease-authority items are deleted from them. If the user's authorities at different levels conflict, the authority of the lower-level grouping prevails. When the business system calls or loads a resource, the user authority corresponding to the blacklist and whitelist is converted into a single-resource description form.
At the municipal bureau level, user user1 has increase authority, that is, at this level the user has access rights to all resources, as shown in Fig. 5(a), where white represents the whitelist (increase authority).
At the sub-bureau level, the system revokes user1's authority over sub-bureau 101; at this point user1 has access rights to all resources except sub-bureau 101, as shown in Fig. 5(b), where dark represents the blacklist (decrease authority) and white represents the whitelist (increase authority).
At the police station level, the system grants user1 access rights to police station 10101 under sub-bureau 101 again, and at the same time revokes user1's access rights to police station 10201 under sub-bureau 102; at this point user1 has access rights to all resources except police station 10102 and police station 10201, as shown in Fig. 5(c), where dark represents the blacklist (decrease authority) and white represents the whitelist (increase authority).
At the single-resource level, the system grants user1 access rights to camera 102010001 under police station 10201 and revokes user1's access rights to camera 101010001 under police station 10101, as shown in Fig. 5(d), where dark represents the blacklist (decrease authority) and white represents the whitelist (increase authority).
In summary, for resources on the scale of tens of thousands of monitoring cameras, this strategy greatly reduces the data volume of the authority table, any resource can be authorized, and user authority can be managed flexibly, achieving the most flexible rights management with the minimum stored data volume and the highest efficiency.
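The top-down blacklist/whitelist generation and the conversion to single-resource form described above, implemented as an added Python example that is not code from the patent. The organization tree, camera table and authority rows are constructed sample data following the user1 embodiment; the municipal bureau ID "1", police stations 10102 and 10202, and every camera other than 101010001 and 102010001 are assumed.

```python
"""Blacklist/whitelist authority resolution over the three-level organization
tree of the embodiment (bureau -> sub-bureau -> police station -> camera).
All tables below are constructed sample data; IDs not named in the patent
(bureau "1", stations 10102/10202, extra cameras) are assumed."""

RESOURCE_GROUP, SINGLE_RESOURCE = 0, 1   # resource type column of Table 2
DECREASE, INCREASE = 0, 1                # increase/decrease authority column

# Organization table (Table 1): org_id -> (parent_id, name); the root has parent None.
ORGS = {
    "1": (None, "Municipal public security bureau"),     # assumed ID
    "101": ("1", "Sub-bureau 101"),
    "102": ("1", "Sub-bureau 102"),
    "10101": ("101", "Police station 10101"),
    "10102": ("101", "Police station 10102"),
    "10201": ("102", "Police station 10201"),
    "10202": ("102", "Police station 10202"),            # assumed
}

# Camera information table (Table 3): camera_id -> lowest-level owning organization.
CAMERAS = {
    "101010001": "10101", "101010002": "10101",
    "101020001": "10102",
    "102010001": "10201", "102010002": "10201",
    "102020001": "10202",
}

# User access authority table (Table 2): (user_id, resource_type, resource_number, flag),
# one row per step of Fig. 5(a)-(d) for user1.
AUTHORITY = [
    ("user1", RESOURCE_GROUP, "1", INCREASE),            # (a) whole bureau
    ("user1", RESOURCE_GROUP, "101", DECREASE),          # (b) revoke sub-bureau 101
    ("user1", RESOURCE_GROUP, "10101", INCREASE),        # (c) re-grant station 10101
    ("user1", RESOURCE_GROUP, "10201", DECREASE),        # (c) revoke station 10201
    ("user1", SINGLE_RESOURCE, "102010001", INCREASE),   # (d) grant one camera
    ("user1", SINGLE_RESOURCE, "101010001", DECREASE),   # (d) revoke one camera
]


def org_chain(org_id, orgs=ORGS):
    """[root, ..., org_id]: the upward-compatible chain of an organization."""
    chain = []
    while org_id is not None:
        chain.append(org_id)
        org_id = orgs[org_id][0]
    return chain[::-1]


def cameras_under(org_id, orgs=ORGS, cameras=CAMERAS):
    """Expand a resource group to the single resources beneath it."""
    return {c for c, station in cameras.items() if org_id in org_chain(station, orgs)}


def build_lists(user_id, authority=AUTHORITY, orgs=ORGS, cameras=CAMERAS):
    """Top-down generation: per level, apply INCREASE items, then DECREASE items.
    Deeper levels are applied later, so a lower-level grouping automatically wins
    a conflict. Both lists are returned in single-resource (camera ID) form."""
    rows = [(t, n, f) for u, t, n, f in authority if u == user_id]

    def level(row):  # groups ordered by tree depth; single resources after all groups
        t, n, _ = row
        return (1, 0) if t == SINGLE_RESOURCE else (0, len(org_chain(n, orgs)))

    white, black = set(), set()
    for lvl in sorted({level(r) for r in rows}):
        items = [r for r in rows if level(r) == lvl]
        for want in (INCREASE, DECREASE):          # increases first, then decreases
            for t, n, f in items:
                if f != want:
                    continue
                members = {n} if t == SINGLE_RESOURCE else cameras_under(n, orgs, cameras)
                if f == INCREASE:
                    white |= members
                    black -= members
                else:
                    black |= members
                    white -= members
    return white, black


def accessible_cameras(user_id, **kw):
    """Resources the business system may load for the user (the whitelist)."""
    white, _black = build_lists(user_id, **kw)
    return white


def set_authority(authority, user_id, rtype, number, flag, overwrite=False):
    """Modify a user's authority. An existing setting for the same resource is
    reported (returns False) unless the caller confirms overwrite, as the patent
    prompts the operator. Returns True if the table changed."""
    for i, (u, t, n, _f) in enumerate(authority):
        if (u, t, n) == (user_id, rtype, number):
            if not overwrite:
                return False
            authority[i] = (user_id, rtype, number, flag)
            return True
    authority.append((user_id, rtype, number, flag))
    return True
```

A camera with no rule at any level lands in neither list and is therefore not loaded, which is the deny-by-default behaviour a practitioner should confirm before deploying such a scheme.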

Claims (7)

1. A mass data authority control strategy based on the combination of a blacklist and a whitelist, characterized in that the strategy comprises the following steps in order:
(1) the server pre-stores an organization table, a user access authority table and a resource information table; the user access authority table is set up as a multi-level resource group structure and is divided into increase authority and decrease authority, where having authority over a resource is called increase authority and otherwise is called decrease authority;
(2) when the user logs in through the client, the client sends the account and password entered by the user to the server for verification;
(3) if the server verification passes, the user's authority is queried in the user access authority table and the blacklist and whitelist are generated, where the blacklist corresponds to decrease authority and the whitelist corresponds to increase authority;
(4) the user's resource authority is obtained according to the blacklist and whitelist, and the corresponding resources are loaded.
2. The mass data authority control strategy based on the combination of a blacklist and a whitelist according to claim 1, characterized in that: the organization table comprises an organization ID, a parent organization ID and an organization name, where the parent organization ID is the superior of the organization ID; the user access authority table comprises a user ID, a resource type, a resource number and an increase/decrease authority flag; the resource type is one of two kinds, resource group or single resource; when the resource type is resource group the resource number is an organization ID, and when the resource type is single resource the resource number is the ID of that resource; each authority record distinguishes increase authority from decrease authority.
3. The mass data authority control strategy based on the combination of a blacklist and a whitelist according to claim 1, characterized in that: each record of the user access authority table records the addition or deletion of a user's access rights to the resources under a certain resource group, or to a specific resource; whether it refers to a resource group or a single resource is determined by the resource type; resource groups are hierarchical and use an upward-compatible scheme, that is, a parent organization holds the resource authority of its subordinate organizations.
4. The mass data authority control strategy based on the combination of a blacklist and a whitelist according to claim 1, characterized in that: when a user's authority is modified, the user access authority table is queried first, and if an authority setting for this resource already exists, the user is asked whether to overwrite that record.
5. The mass data authority control strategy based on the combination of a blacklist and a whitelist according to claim 1, characterized in that: the blacklist and whitelist are generated top-down, where for each level of resource group the resources corresponding to all of this user's increase-authority items are first added, and then the resources of the decrease-authority items are deleted from them.
6. The mass data authority control strategy based on the combination of a blacklist and a whitelist according to claim 1, characterized in that: if the user's authorities at different levels conflict, the authority of the lower-level grouping prevails.
7. The mass data authority control strategy based on the combination of a blacklist and a whitelist according to claim 1, characterized in that: when the business system calls or loads a resource, the user authority corresponding to the blacklist and whitelist is converted into a single-resource description form.
CN201410630147.9A 2014-11-11 2014-11-11 Mass data authority control strategy based on combination of blacklist and whitelist Pending CN104333553A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410630147.9A CN104333553A (en) 2014-11-11 2014-11-11 Mass data authority control strategy based on combination of blacklist and whitelist

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410630147.9A CN104333553A (en) 2014-11-11 2014-11-11 Mass data authority control strategy based on combination of blacklist and whitelist

Publications (1)

Publication Number Publication Date
CN104333553A true CN104333553A (en) 2015-02-04

Family

ID=52408204

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410630147.9A Pending CN104333553A (en) 2014-11-11 2014-11-11 Mass data authority control strategy based on combination of blacklist and whitelist

Country Status (1)

Country Link
CN (1) CN104333553A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030187993A1 (en) * 2000-06-23 2003-10-02 Stephan Ribot Access control in client-server systems
CN101197026A (en) * 2007-12-20 2008-06-11 浙江大学 Design and storage method for resource and its access control policy in high-performance access control system
CN101646071A (en) * 2009-08-25 2010-02-10 深圳市融创天下科技发展有限公司 Method for controlling camera in monitoring network and system thereof
CN101895551A (en) * 2010-07-22 2010-11-24 北京天融信科技有限公司 Resource access control method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙建闯: "Research and Practice of Role Authority and User Assignment in Public Security Systems", China Master's Theses Full-text Database, Information Science and Technology *
肖川豫: "Research and Application of Permissions in Access Control", China Master's Theses Full-text Database, Information Science and Technology *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107231336A (en) * 2016-03-25 2017-10-03 中兴通讯股份有限公司 A kind of access control method, device and the gateway device of LAN Intranet resource
CN108268780A (en) * 2016-12-30 2018-07-10 航天信息股份有限公司 A kind of method and device for being used to control system access
CN109472124A (en) * 2018-10-11 2019-03-15 平安科技(深圳)有限公司 Matching process, device, equipment and the medium of interface access right
CN109472124B (en) * 2018-10-11 2022-12-30 平安科技(深圳)有限公司 Method, device, equipment and medium for matching interface use permission
CN110909380A (en) * 2019-11-11 2020-03-24 西安交通大学 Abnormal file access behavior monitoring method and device
CN111212073A (en) * 2020-01-02 2020-05-29 中国银行股份有限公司 Public cloud-based blacklist account sharing method and device
CN113411289A (en) * 2020-03-16 2021-09-17 苏州网空慧安科技有限公司 System and method for controlling access of cameras in a manner of giving authority to cameras
CN113642032A (en) * 2021-10-18 2021-11-12 北京有生博大软件股份有限公司 Resource authorization method and resource authorization system based on set operation
CN113642032B (en) * 2021-10-18 2022-01-25 北京有生博大软件股份有限公司 Resource authorization method and resource authorization system based on set operation
CN114417336A (en) * 2022-01-24 2022-04-29 北京新桥信通科技股份有限公司 Application system side safety management and control method and system
CN115174186A (en) * 2022-06-30 2022-10-11 京东城市(北京)数字科技有限公司 Processing method, device, equipment and medium for address book visibility

Similar Documents

Publication Publication Date Title
CN104333553A (en) Mass data authority control strategy based on combination of blacklist and whitelist
CN110012015A (en) A kind of internet of things data sharing method and system based on block chain
CN101414253B (en) Method and system for managing authority
CN102420902B (en) A kind of method of classification management over right of using functions and mobile terminal
CN108259422B (en) Multi-tenant access control method and device
CN103927476A (en) Intelligent system and method for achieving application program authority management
CN107111723A (en) User terminal, service providing device, the driving method of user terminal, the driving method of service providing device and the search system based on encrypted indexes
CN103813314A (en) Soft SIM card enabling method and network access method, terminal, and network access device
DE102015111711A1 (en) Establishing a communication connection with a user device via an access control device
CN103442354A (en) Mobile-police-terminal safety management and control system
US11126460B2 (en) Limiting folder and link sharing
CN110933093A (en) Block chain data sharing platform and method based on differential privacy protection technology
US20140317704A1 (en) Method and system for enabling the federation of unrelated applications
CN111800410B (en) Block chain-based data access control method, electronic device and storage medium
CN105450750A (en) Secure interaction method for intelligent terminal
CN106131029B (en) A kind of efficient cipher text searching method for resisting attribute key abuse
CN111614664A (en) Community correction information sharing method based on block chain
CN105119886A (en) Account ownership determination method and device
CN115766795A (en) Intelligent service method of trusted electronic file platform based on block chain
CN103778379B (en) Application in management equipment performs and data access
CN102932443A (en) HDFS (hadoop distributed file system) cluster based distributed cloud storage system
CN111147496B (en) Data processing method and device
CN104469770A (en) WLAN authentication method, platform and system for third-party application
CN108713200A (en) For the method being loaded into the embedded-type security element of mobile terminal device will to be subscribed to
CN108768918B (en) Access control method based on authorization management chain

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150204