CN104639320B - Service authority control device - Google Patents

Publication number
CN104639320B
Authority
CN
China
Prior art keywords
permission
control
subclass
control device
drm controller
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310559126.8A
Other languages
Chinese (zh)
Other versions
CN104639320A (en)
Inventor
王振
杨燕明
陈林
赵根苗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd

Abstract

The invention discloses a service authority control device, comprising: an overall permission controller configured to receive a service and determine from the service whether permission control is needed, to look up in the service the parameter corresponding to a permission control category, and to obtain a service attribute value according to the configuration of the parameter and decide, based on the service attribute value, whether to perform subclass permission control; a subclass permission controller for performing matching and checking according to the service attribute value and the permission control category received from the overall permission controller; and a positive/negative rule controller for obtaining a permission control result according to a first output from the overall permission controller, a second output from the subclass permission controller, and the attribute of the rule.

Description

Service authority control device
Technical field
The present invention relates to a service authority control device.
Background art
In financial systems, guarding against risk is the first lifeline. As the economy develops, the types of transaction media keep growing: in addition to the traditional magnetic stripe card there are now IC cards, virtual cards and pure character cards, and payment can even be made without a card. Payment channels have increased accordingly: besides traditional channels such as POS and ATM, online payment, mobile phone payment, TV payment and others have been added in recent years. Not only are the types numerous, but the interval at which new methods appear is also becoming shorter and shorter.
As payment types increase and third-party payment is connected, existing techniques for controlling transaction permissions appear more and more inadequate. They generally have the following problems: first, they are not easy to change or extend; second, permission control for numerous types is difficult to implement.
Therefore, an improved permission control approach is needed.
Summary of the invention
To solve the above problems, the inventors propose a rule-based, highly customizable permission control approach. With it, the various permissions of each transaction can be controlled flexibly, in a parameterized manner that is simple to configure and easy to extend. Many Internet companies and online banks now use two-factor authentication to protect the security of user accounts, for example requiring, in addition to an ordinary password, that the user enter a random verification code received on a mobile phone, or complete authentication through a specific hardware device (such as a U-shield). Although these measures provide a degree of security protection, they require users or enterprises to face additional cost and device management problems.
According to one aspect of the invention, a service authority control device is provided, comprising an overall permission controller configured to: receive a service and determine from the service whether permission control is needed; look up in the service the parameter corresponding to a permission control category; and obtain a service attribute value according to the configuration of the parameter and decide, based on the service attribute value, whether to perform subclass permission control. The service authority control device may further comprise a subclass permission controller for performing matching and checking according to the service attribute value and the permission control category received from the overall permission controller; and a positive/negative rule controller for obtaining a permission control result according to a first output from the overall permission controller, a second output from the subclass permission controller, and the attribute of the rule.
In the above service authority control device, the first output of the overall permission controller includes: whether permission control needs to be performed on the service, and the parameter found that corresponds to the permission control category.
In the above service authority control device, the subclass permission controller is configured to set multiple permission control detailed rules for each permission control category, and to combine the matching results of the multiple permission control detailed rules as the output of the subclass permission controller.
In the above service authority control device, the second output of the subclass permission controller includes the matching result of the permission control detailed rules.
In the above service authority control device, the permission control category indicates one or more aspects of a transaction that need to be controlled.
In the above service authority control device, the permission control detailed rule indicates one or more attributes of a transaction that need to be controlled under one permission control category.
In the above service authority control device, the permission control result is a determination of whether this permission check passes.
In the above service authority control device, the attribute of the rule is one of positive rule and negative rule.
In the above service authority control device, the subclass permission controller configures a different priority for each permission control detailed rule.
According to another aspect of the invention, a method of performing service authority control using a service authority control device is provided, the service authority control device comprising an overall permission controller, a subclass permission controller and a positive/negative rule controller. The method may include: the overall permission controller receives a service and determines from the service whether permission control is needed; the overall permission controller looks up in the service the parameter corresponding to a permission control category; the overall permission controller obtains a service attribute value according to the configuration of the parameter and decides, based on the service attribute value, whether to perform subclass permission control; the subclass permission controller performs matching and checking according to the service attribute value and the permission control category received from the overall permission controller; and the positive/negative rule controller obtains a permission control result according to a first output from the overall permission controller, a second output from the subclass permission controller, and the attribute of the rule.
In the above method, the first output of the overall permission controller includes whether permission control needs to be performed on the service, and the parameter found that corresponds to the permission control category.
The above method may further include: the subclass permission controller sets multiple permission control detailed rules for each permission control category, and combines the matching results of the multiple permission control detailed rules as the output of the subclass permission controller.
In the above method, the second output of the subclass permission controller includes the matching result of the permission control detailed rules.
In the above method, the permission control category indicates one or more aspects of a transaction that need to be controlled.
In the above method, the permission control detailed rule indicates one or more attributes of a transaction that need to be controlled under one permission control category.
In the above method, the permission control result is a determination of whether this permission check passes.
In the above method, the attribute of the rule is one of positive rule and negative rule.
The above method may further include the subclass permission controller configuring a different priority for each permission control detailed rule.
Brief description of the drawings
After reading the detailed description of the invention with reference to the drawings, those skilled in the art will understand the various aspects of the invention more clearly. Those skilled in the art should appreciate that the drawings serve only to illustrate the technical solution of the invention together with the detailed description, and are not intended to limit the scope of protection of the invention.
Fig. 1 is a permission control flow chart according to an embodiment of the invention.
Detailed description
Described below are some of the many possible embodiments of the invention, intended to provide a basic understanding of the invention; they are not intended to identify key or decisive elements of the invention or to limit the claimed scope. It is readily understood that, according to the technical solution of the invention and without changing its essence, a person of ordinary skill in the art can propose other interchangeable implementations. Therefore, the following detailed description and the drawings are only illustrative of the technical solution of the invention, and should not be regarded as the whole of the invention or as defining or limiting its technical solution.
The detailed description below is based on transaction permission control in the field of financial systems, but those skilled in the art will readily understand that the technical solution of the invention is equally applicable to other areas and is not limited to transaction permission control. The following terms are mentioned repeatedly below: "permission control category (priv_subject)" and "permission control detailed rule (priv_rule)". "Permission control category (priv_subject)" refers to which aspect of a transaction is controlled; it includes but is not limited to transaction code permission control, sending institution permission control, and so on. "Permission control detailed rule (priv_rule)" refers to which attribute of a transaction is controlled under a given permission control category, for example: controlling a certain sending institution so that it can only send POS transactions.
Fig. 1 shows a permission control flow chart according to an embodiment of the invention. As can be seen from Fig. 1, the service authority control device may include three components: an overall permission controller, a subclass permission controller, and a positive/negative rule controller. In other words, the highly customizable permission control approach can be divided into three layers in terms of flow: overall permission control, subclass permission control, and positive/negative rule control. According to one embodiment of the invention, the controller in each layer is controlled by its own parameters, and the layers are linked to one another, jointly implementing permission control of the transaction.
The control mechanism of the controller in each layer is explained below.
In one embodiment, the overall permission controller is the entry point of transaction permission control. It is configured to determine from the specific transaction whether permission control is needed, to look up the parameter corresponding to the permission control category, and to determine according to the parameter configuration whether the transaction has certain attributes; it then decides, according to the result of that determination, whether to perform subclass permission control. The overall permission control layer can serve as an exit of the permission decision: it directly lets through transactions that match no parameter. A transaction that needs no subclass permission control can go directly to the third layer for the positive/negative rule check; other transactions must first enter the second layer for subclass permission control.
In one embodiment, the subclass permission controller performs the specific matching and checking according to the transaction attribute value and the permission control category. It has the following characteristics: multiple permission control detailed rules can be configured for each permission control category; a different priority can be configured for each permission check detailed rule; and the matching results of multiple detailed rules can be combined as the result of this layer's permission control. The subclass permission control layer does not serve as an exit of permission control: whether or not subclass permission matching succeeds, the subclass permission controller must pass the result to the third layer for the positive/negative rule check.
In one embodiment, the positive/negative rule controller makes the final determination of whether this permission check passes, according to the results fed back by the first two layers and the attribute of the rule (i.e., positive rule or negative rule); it can serve as the final exit of the permission control subsystem. Adding positive/negative rule control maximizes the flexibility of permission parameter configuration.
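The three-layer flow described above, as an added Python example that is not code from the patent. The names `Param`, `PrivRule`, `Decision` and the `INST_*` institutions are hypothetical; it also assumes that a positive rule grants on a match and a negative rule refuses on a match, that all detailed rules of a parameter must match, and that a lower priority number is checked first, none of which the patent specifies.

```python
from dataclasses import dataclass
from enum import Enum
from typing import NamedTuple, Optional


class RuleAttr(Enum):
    POSITIVE = "positive"  # assumed meaning: a match grants the transaction
    NEGATIVE = "negative"  # assumed meaning: a match refuses the transaction


@dataclass(frozen=True)
class PrivRule:            # one permission control detailed rule (priv_rule)
    priority: int          # assumed: lower number is checked and reported first
    attribute: str         # transaction attribute being constrained
    values: frozenset      # values that count as a match


@dataclass(frozen=True)
class Param:               # parameter for one permission control category (priv_subject)
    subject: str
    key_attribute: str     # attribute layer 1 reads from the transaction
    key_value: str         # value that puts the transaction under control
    rule_attr: RuleAttr
    rules: tuple = ()      # empty: no subclass control, go straight to layer 3


class Decision(NamedTuple):
    allowed: bool
    exit_layer: int                  # 1 = let through at layer 1, 3 = decided at layer 3
    unmatched: Optional[PrivRule]    # highest-priority detailed rule that did not match


def overall_control(txn, params):
    """Layer 1: return the parameter the transaction falls under, or None."""
    return next((p for p in params if txn.get(p.key_attribute) == p.key_value), None)


def subclass_control(txn, param):
    """Layer 2: all detailed rules must match (assumed); reports, never decides."""
    for rule in sorted(param.rules, key=lambda r: r.priority):
        if txn.get(rule.attribute) not in rule.values:
            return False, rule
    return True, None


def rule_control(matched, rule_attr):
    """Layer 3: apply the positive/negative attribute to the match result."""
    return matched if rule_attr is RuleAttr.POSITIVE else not matched


def check_permission(txn, params):
    param = overall_control(txn, params)
    if param is None:                        # matched no parameter: let through
        return Decision(True, 1, None)
    matched, unmatched = subclass_control(txn, param) if param.rules else (True, None)
    return Decision(rule_control(matched, param.rule_attr), 3, unmatched)


# Constructed sample configuration; institution names are placeholders.
PARAMS = [
    Param("sender_institution", "sender", "INST_A", RuleAttr.POSITIVE,   # POS only
          (PrivRule(1, "channel", frozenset({"POS"})),)),
    Param("sender_institution", "sender", "INST_B", RuleAttr.NEGATIVE,   # no online/mobile
          (PrivRule(1, "channel", frozenset({"ONLINE", "MOBILE"})),)),
    Param("sender_institution", "sender", "INST_C", RuleAttr.NEGATIVE),  # refused outright
]
```

Under these assumptions a positive rule fails closed when the constrained attribute is absent from the transaction, while a negative rule fails open, so a negative rule is only as strong as the guarantee that the attribute is always populated.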
Compared with existing permission control approaches, the service authority control device described above has at least the following advantages. First, the design structure is clear (the embodiment of permission control described herein is divided into three layers). Second, the degree of parameterization is high and configuration is flexible (each layer can be controlled flexibly using parameters, and the parameters of each layer can be configured separately). Third, applicability is strong, so it can be adopted in different business systems (the three layers depend on one another and the check result of every layer affects the overall permission check result, so that the three layers jointly implement a permission control approach that is highly flexible and widely applicable).
Specific embodiments of the invention have been described above with reference to the drawings. Those skilled in the art will understand, however, that various changes and substitutions can be made to the specific embodiments of the invention without departing from its spirit and scope. All such changes and substitutions fall within the scope defined by the claims of the invention.

Claims (9)

1. A service authority control device, comprising:
an overall permission controller configured to:
receive a service and determine from the service whether permission control is needed;
look up in the service the parameter corresponding to a permission control category, wherein the permission control category is related to the service; and
obtain a service attribute value according to the configuration of the parameter, and decide, based on the service attribute value, whether to perform subclass permission control;
a subclass permission controller for performing matching and checking according to the service attribute value and the permission control category received from the overall permission controller; and
a positive/negative rule controller for obtaining a permission control result according to a first output from the overall permission controller, a second output from the subclass permission controller, and the attribute of the rule.
2. The service authority control device according to claim 1, wherein the first output of the overall permission controller includes: whether permission control needs to be performed on the service, and the parameter found that corresponds to the permission control category.
3. The service authority control device according to claim 1, wherein the subclass permission controller is configured to set multiple permission control detailed rules for each permission control category, and to combine the matching results of the multiple permission control detailed rules as the output of the subclass permission controller.
4. The service authority control device according to claim 1 or 3, wherein the second output of the subclass permission controller includes the matching result of the permission control detailed rules.
5. The service authority control device according to claim 1, wherein the permission control category indicates one or more aspects of a transaction that need to be controlled.
6. The service authority control device according to claim 3, wherein the permission control detailed rule indicates one or more attributes of a transaction that need to be controlled under one permission control category.
7. The service authority control device according to claim 1, wherein the permission control result is a determination of whether this permission check passes.
8. The service authority control device according to claim 1, wherein the attribute of the rule is one of positive rule and negative rule.
9. The service authority control device according to claim 3, wherein the subclass permission controller configures a different priority for each permission control detailed rule.
Application number: CN201310559126.8A; priority date: 2013-11-12; filing date: 2013-11-12; title: Service authority control device; status: Active; publication: CN104639320B (en)

Publications (2)

Publication Number Publication Date
CN104639320A (en) 2015-05-20
CN104639320B (en) 2018-09-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant