CN106104548B - Integrated access control and identity management system - Google Patents

Integrated access control and identity management system

Info

Publication number: CN106104548B
Application number: CN201480065011.6A
Authority: CN (China)
Other versions: CN106104548A
Other languages: Chinese (zh)
Prior art keywords: access, information, user, standard, access control
Inventors: 杨长辉, 陈宝明, 叶泰山, 梅拉图尔·S·钱德拉塞克兰, 吕瀚政
Original assignee: Certis Cisco Security Pte Ltd
Current assignee: Certis Cisco Security Pte Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Events: application filed by Certis Cisco Security Pte Ltd; publication of CN106104548A; application granted; publication of CN106104548B; expired (fee related); anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Time Recorders, Drive Recorders, Access Control (AREA)

Abstract

An integrated access control and identity management system comprises an IT access control unit and a physical access control unit. The IT access control unit includes stored access criteria that define access rights for each user associated with the system, and is arranged to determine, based on the stored access criteria, whether and to what extent a user should be permitted access. The physical access control unit is arranged to monitor attempts by personnel to physically access an area. The integrated system is arranged to store, in an access information storage device, access information indicating the access attempts monitored by the IT access control unit and the physical access control unit. The stored access criteria are arranged so that the following criteria can be defined in them: a user identity criterion, an access location criterion, an access time criterion, a type criterion indicating the type of IT resource the user is permitted to access, and/or an access level criterion.

Description

Integrated access control and identity management system
Technical field
The present invention relates to an integrated access control system for controlling access by personnel to at least one IT resource, and to a method for controlling access by personnel to at least one IT resource.
Background technique
It is known to provide a system for monitoring and controlling physical access to an area so that access is limited to authorised persons. In such a system, the passage of personnel through any one of a plurality of doors is controlled by providing, for each door, a credential reader arranged to collect one or more credentials from the person, such as a personal identification number, biometric information or an identification number stored on a card, and by verifying the collected credentials against reference credentials stored in a back-end system.
It is also known to provide a system for monitoring and controlling access to IT resources, for example software applications and data, so that only authorised persons are able to use the software and/or access the data. Such IT access control may be implemented by each user-operable computing device associated with the IT resource, or may be implemented at least partly using a separate gateway that operates to control access, permitting or denying access according to the user's credentials.
However, such conventional IT access control systems are relatively simple and therefore cannot provide effective access control.
Summary of the invention
According to a first aspect of the invention, there is provided an access control system comprising:
an IT access control unit arranged to monitor attempts by personnel to access at least one IT resource;
a physical access control unit arranged to monitor attempts by personnel to physically access an area, and to permit a person to physically access the area based on whether the person is positively identified by the physical access control unit;
stored IT access criteria defining access rights for each user associated with the at least one IT resource; and
an access information storage device,
the IT access control unit being arranged to determine, based on the stored IT access criteria, whether and to what extent a user should be permitted IT access,
each of the IT access control unit and the physical access control unit being directly accessible by a user, and the IT access control unit and the physical access control unit operating independently of one another so as respectively to permit or deny the user access to the IT resource, or to permit or deny the user physical access to the area,
the system being arranged to store IT access information and physical access information in the access information storage device, the IT access information indicating access attempts monitored by the IT access control unit and the physical access information indicating access attempts monitored by the physical access control unit,
wherein the stored IT access criteria are arranged so that the following criteria can be defined in the stored access criteria: an identity criterion indicating the identity of a user able to access the IT resource; a location criterion indicating where the user is permitted to access the IT resource; a time criterion indicating when the user is permitted to access the IT resource; a type criterion indicating the type of IT resource the user is permitted to access; and/or an access level criterion indicating the level of access rights assigned to the user; and
wherein the system is arranged to associate IT marking information with the IT access information, to associate physical marking information with the physical access information, and to store the IT marking information and the physical marking information in the access information storage device, the IT marking information and the physical marking information including information usable to determine whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit, and the system facilitating access to the IT marking information and the physical marking information stored at the access information storage device so that the determination can be made.
In one embodiment, the system comprises an access information storage device, and the system is arranged to store access information in the access information storage device, the access information indicating access attempts monitored by the IT access control unit and the physical access control unit.
In one embodiment, for at least one user associated with the system, the identity criterion, the location criterion, the time criterion, the type criterion and the access level criterion are all defined in the stored access criteria.
In one embodiment, the IT resource comprises at least one software application and/or data stored in at least one data storage device.
In one embodiment, the time criterion indicates a duration for which the user is permitted to access the IT resource.
In one embodiment, the type criterion indicates one or more storage locations the user is permitted to access, and/or one or more software applications the user is permitted to access, and/or one or more data types the user is permitted to access.
In one embodiment, the type criterion is a trust level criterion indicating the maximum level of sensitivity of data the user is permitted to access.
In one embodiment, the access level criterion is selected from a group comprising administrator, power user, view only and no access.
In one embodiment, the identity of the user is determined from credentials collected from the person.
The credential information may include biometric information associated with the person, identification information collected from an identification card carried by the person, a personal identification number provided by the person, or any other identification information.
In one embodiment, the marking information includes location information indicating the location of the access attempt associated with the marking information.
In one embodiment, the marking information includes credential information indicating at least one credential collected from the person attempting to access the area or resource.
In one embodiment, the marking information includes date and/or time information.
In one embodiment, the marking information is added to the access information in the form of metadata.
In one embodiment, the access information storage device receives the access information and the marking information from the first access control unit and the second access control unit, and the access information storage device is arranged so that the access information and the marking information are accessible through an access information control device.
The access information control device may be arranged to facilitate searching of the access information and/or marking information by a user.
The access information control device may be accessed locally or remotely, and may be accessed through a communications network such as the Internet.
According to a second aspect of the invention, there is provided a method of controlling access by personnel to an IT resource, the method comprising:
monitoring attempts by personnel to access the IT resource;
storing IT access criteria, the stored IT access criteria defining access rights for each user associated with the system;
determining, based on the stored IT access criteria, whether and to what extent a user should be permitted IT access;
monitoring attempts by personnel to physically access an area;
permitting a person to physically access the area based on whether the person is positively identified by the physical access control unit; and
storing IT access information and physical access information in an access information storage device, the IT access information indicating access attempts monitored by the IT access control unit and the physical access information indicating access attempts monitored by the physical access control unit,
wherein each of the IT access control unit and the physical access control unit is directly accessible by a user, and the IT access control unit and the physical access control unit operate independently of one another so as respectively to permit or deny the user access to the IT resource, or to permit or deny the user physical access to the area,
wherein the stored access criteria are arranged so that the following criteria can be defined in the stored access criteria: an identity criterion indicating the identity of a user able to access the IT resource; a location criterion indicating where the user is permitted to access the IT resource; a time criterion indicating when the user is permitted to access the IT resource; a type criterion indicating the type of IT resource the user is permitted to access; and/or an access level criterion indicating the level of access rights assigned to the user; and
wherein the system is arranged to associate IT marking information with the IT access information, to associate physical marking information with the physical access information, and to store the IT marking information and the physical marking information in the access information storage device, the IT marking information and the physical marking information including information usable to determine whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit, and the system facilitating access to the IT marking information and the physical marking information stored at the access information storage device so that the determination can be made.
Brief description of the drawings
The invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Fig. 1 is a diagrammatic representation of an access control system according to an embodiment of the invention;
Fig. 2 is a diagrammatic representation of components of the access control system shown in Fig. 1; and
Fig. 3 shows an access matrix of the access control system shown in Figs. 1 and 2.
Detailed description
Referring to Fig. 1, an embodiment of an access control system 10 is shown. The access control system 10 is arranged to control physical access to an area and IT access to resources. In this example, the access control system 10 is also arranged to record historical access event information associated with users in an access information storage device and to facilitate access to that historical access event information by an operator of the system, so as to facilitate monitoring of access attempts.
In this example, the IT resources may include one or more software applications and/or data stored in one or more files in one or more data storage devices.
Access events include: positive identification of a person, whereby the person is permitted to physically access at least part of an area or to electronically access at least part of an IT resource such as an application or data; negative identification, where a person attempts access but the person's identity is not verified, so that access is denied; and otherwise unauthorised physical or electronic access to an area or IT resource, such as forcing open a controlled access door or physically disconnecting a computing device from an IT resource.
The system 10 comprises a physical access control device 12 and an IT access control device 14, each of which in this example communicates with an access information storage device. The access information storage device takes the form of an integrated access control and identity management site 16, which may be located remotely from the physical access control device 12 and the IT access control device 14 and communicates with them, for example, through the Internet. In this example, the physical access control device 12 and the IT access control device 14 are located at the same position or very close to one another.
The physical access control device 12 is arranged to control physical access to an area and to determine whether an undesirable access event has occurred, such as a failed physical access attempt based on the collected user credentials, or a forced entry attempt. Similarly, the IT access control device 14 is arranged to control access to IT resources including software applications and/or data, and to determine whether an undesirable access event has occurred, such as a failed IT access attempt based on the collected user credentials, an access attempt outside a defined access period or exceeding a defined access duration, an attempt to access data the user is not authorised to access, an access attempt from an unauthorised location, or an attempt to forcibly obtain access to software or data.
In this example, information indicating access attempts is sent by the physical access control device 12 and the IT access control device 14 to the integrated access control and identity management site 16, and related marking information is added to the access information by each of the access control devices 12 and 14. The marking information includes information usable to associate access events with one another, for example information indicating a location, information indicating the collected user credential data, date and/or time information, and so on.
Because access control events that may be related to one another can be associated by means of the marking information, an operator can readily identify potentially related physical and IT access control events by searching for specific marking information.
In the example shown in Fig. 1, the physical access control device 12 comprises a physical access control unit 20 arranged to control physical access attempts, specifically by collecting credentials from a user seeking physical access to the area, comparing the collected credentials with reference credentials, and permitting or denying access on the basis of that comparison.
In this example, the physical access control unit 20 is connected to at least one video camera 22 arranged to capture video information from the surrounding area, at least one access point 24 such as a door, and at least one credential reader 26.
Each access point 24 has an associated door lock 25, which in this example is controlled by the corresponding physical access control unit 20, so that in response to an appropriate signal from the physical access control unit 20 the door lock 25 can be caused to enable or prevent opening of the access point 24.
In use, the credential reader 26 collects at least one user credential from a person wishing to pass through the access point 24, and the physical access control unit 20 compares the collected user credential with a stored reference user credential and decides whether access is permitted or denied. If access is permitted, the physical access control unit 20 sends a signal to the door lock 25 which places the door lock 25 in an unlocked state, allowing the person to pass through the access point 24 and access the area. If access is not permitted, the physical access control unit 20 does not send the signal to the door lock 25, so the door lock 25 remains locked and the person is prevented from passing through the access point 24 into the area. The decision to permit or deny access may also be based on the time and/or date at which the access attempt occurs. For example, when access is granted, a user may be assigned particular dates and/or times, and the physical access control unit 20 is arranged to permit access only at the assigned dates/times.
In this example, the credential reader 26 takes the form of a biometric reader arranged to collect biometric data such as fingerprint data from the person, although it will be understood that other types of credential reader are also contemplated, such as a card reader arranged to read a personal identification card carried by the person, a keypad enabling the person to enter a personal identification number, or any other device arranged to determine the identity of the person.
Although the access point 24 is a door in this example, it will be appreciated that other types of access point are also contemplated, such as a lift door, a turnstile, a car park barrier or any other physical barrier.
In this example, the access point 24 has an associated sensor 27, which in this example is used to detect whether the access point 24 is open or closed. Any sensor suitable for this purpose is contemplated; in this example a magnetic proximity sensor is used.
The sensor 27 is connected to the physical access control unit 20, which monitors the sensor 27 and generates a warning signal when the access point 24 is open. The warning may be used to trigger an alarm, for example where the sensor 27 indicates that the physical access point 24 is open but no valid credential verification has taken place.
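The door-monitoring logic described above, as an added example that is not code from the patent or from its assignee: a physical access control unit 20 that records when it sent the unlock signal to lock 25 and then judges each OPEN report from sensor 27 against that. An opening with no preceding valid credential is reported as a forced (or tailgated) opening, and a door left open beyond a timeout is reported as held open, which the page mentions as a warning condition but does not specify. The unlock window and held-open timeout, the event tuple format and the sample event stream are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed timing policy for the door (the page specifies no values).
UNLOCK_WINDOW_S = 10   # seconds after a valid credential during which opening is expected
HELD_OPEN_S = 30       # seconds a door may stay open before a held-open warning


@dataclass
class DoorMonitor:
    """State of one access point (door 24) with its lock 25 and contact sensor 27."""
    unlocked_until: float = -1.0          # time until which lock 25 is in the unlocked state
    opened_at: Optional[float] = None     # time sensor 27 first reported OPEN, if still open
    held_alarmed: bool = False            # held-open warning already raised for this opening
    alarms: List[Tuple[float, str]] = field(default_factory=list)

    def credential_result(self, t: float, verified: bool) -> None:
        # Control unit 20 sends the unlock signal to lock 25 only on positive identification.
        if verified:
            self.unlocked_until = t + UNLOCK_WINDOW_S

    def sensor(self, t: float, state: str) -> None:
        if state == "OPEN" and self.opened_at is None:
            self.opened_at = t
            self.held_alarmed = False
            # Door opened while lock 25 was still locked: no valid credential verification.
            if t > self.unlocked_until:
                self.alarms.append((t, "FORCED_OPEN"))
        elif state == "CLOSED":
            self.opened_at = None
            self.held_alarmed = False

    def check_held(self, t: float) -> None:
        # Raise one held-open warning per opening once the door has stayed open too long.
        if (self.opened_at is not None and not self.held_alarmed
                and t - self.opened_at > HELD_OPEN_S):
            self.alarms.append((self.opened_at + HELD_OPEN_S, "HELD_OPEN"))
            self.held_alarmed = True


def run(events) -> List[Tuple[float, str]]:
    """Replay (t, kind, detail) events for one door and return the warnings raised."""
    m = DoorMonitor()
    for t, kind, detail in sorted(events, key=lambda e: e[0]):
        m.check_held(t)
        if kind == "credential":
            m.credential_result(t, detail)
        elif kind == "sensor":
            m.sensor(t, detail)
    return m.alarms


# Constructed event stream (seconds since start); not data from the page.
SAMPLE_EVENTS = [
    (0, "credential", True),     # fingerprint verified -> unlock signal sent to lock 25
    (3, "sensor", "OPEN"),       # door opened within the unlock window: normal
    (8, "sensor", "CLOSED"),
    (60, "sensor", "OPEN"),      # no credential presented: forced or tailgated entry
    (65, "sensor", "CLOSED"),
    (100, "credential", False),  # credential rejected: lock 25 stays locked
    (102, "sensor", "OPEN"),     # door opened anyway
    (150, "sensor", "CLOSED"),   # ...and stayed open well past HELD_OPEN_S
]

if __name__ == "__main__":
    for t, kind in run(SAMPLE_EVENTS):
        print(f"t={t:>4}  {kind}")
```

The monitor deliberately raises the forced-open warning on the first OPEN report rather than waiting for a CLOSED, since a door that is propped open after a forced entry may never close; the held-open check runs on every later event so that the warning is raised even if no further sensor report arrives for that door.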
Access attempts, and in particular attempted or actual unauthorised access events, may also be determined using the video camera 22, for example by automatically analysing video and/or images captured by the video camera 22 at the physical access control unit 20.
In this example, the physical access control unit 20 also includes a marking application 28 arranged to add marking information 29 to the access information sent to the integrated access control and identity management site 16. In this example, the marking information 29 includes information indicating the location of the physical access control device 12, the date and time at which the access attempt occurred, biometric information collected from the person wishing to pass through the access point 24, and/or any other relevant information.
The marking application 28 may obtain marking information from the following sources: the credential reader, location and/or identification information stored at the access control unit 20, location information obtained from an electronic identifier such as an IP address associated with the access control unit 20, or any other source capable of providing marking information usable to associate a physical access attempt with other access attempts. In this example, the physical access control device 12 includes a positioning application 31 arranged to determine the location of the physical access control unit 20, for example using an IP address identified as related to the current location of the access control unit 20.
Access information indicating physical access attempts, and the associated marking information, received at the integrated access control and identity management site 16 are stored in a data storage device communicating with the integrated access control and identity management site 16, which in this example takes the form of a database 40. The database 40 comprises a plurality of records 42, each record relating to an access attempt.
The marking information is used to allow an operator to associate physical access attempts with IT access attempts.
It will be appreciated that the physical access control unit 20 may be implemented by a computing device, for example as a software application implemented by a computing device.
The IT access control device 14 comprises an IT access control unit 30 arranged to control access attempts to IT resources by collecting credentials from a user seeking access to an IT resource, comparing the collected credentials with reference credentials, permitting or denying access on the basis of that comparison and, if access is permitted, determining to what extent access should be permitted.
The IT access control device 14 may receive access attempts directly from one or more locally arranged computing devices 32 connected to the IT access control unit 30, for example through a LAN, or directly from one or more remotely located computing devices 33 connected to the IT access control unit 30, for example through the Internet.
Any of the computing devices 32, 33 may be connected to a credential reader 34 able to collect at least one user credential from a person wishing to obtain access to an IT resource.
The credential reader may comprise a biometric reader arranged to collect biometric data such as fingerprint data from the person. It will be appreciated, however, that other types of authentication device arranged to determine the identity of the person are also contemplated, such as a card reader arranged to read a personal identification card carried by the person, a keypad enabling the person to enter a personal identification number, or a conventional username/password arrangement.
The decision to permit or deny access, and the extent to which access is permitted, are determined by comparing the defined IT access criteria with the current access criteria, which may include any one or more of the collected user credentials, the time and/or date at which the access attempt occurs, the access duration, the location of the person attempting to obtain access, and/or the type of data the user wishes to access. The IT access control device 14 therefore permits, denies or limits access to the IT resource based on who the user is, where the user is, when the user attempts access and what the user attempts to access, and in this way the IT access control device 14 is able to provide a high degree of access control.
For example, when access is granted, a user may be assigned particular dates and/or times or a defined access duration, and the IT access control unit 30 is arranged to permit access only at the assigned dates/times and/or only for the defined duration.
The access level may be determined based on the location of the person attempting to obtain access, for example whether the computing device associated with the person is connected to the IT access control unit 30 through a local area network or whether the user is connected to the IT access control unit 30 through the Internet. In one embodiment, the location information may be obtained from the physical access control device 12 (for example from the card reader 26), so that on positive authentication using the credential reader 26 the person's location is identified at the physical access control unit.
The access level may be determined based on user identity information obtained from the credentials collected from the user.
The access level may be determined based on whether the user has been granted permission to access particular types of data or data stored at particular locations. For example, a user holding a senior position in an organisation may be authorised to access all data associated with the organisation, whereas a user holding a junior position in the organisation may be authorised to access only data directly related to that user, such as data stored in files associated with the user.
It will be appreciated that in the present embodiment the physical access control unit 20 and the IT access control unit 30 interface with one another, so that information collected by the physical access control unit 20, such as credential information, can be used by the IT access control unit 30, and/or information collected by the IT access control unit 30 can be used by the physical access control unit 20.
It will be appreciated that the access control system 10 is arranged so that the above access criteria can be customised, so that the access criteria applicable to a user can be modified in order to apply an appropriate change to the user's security level.
In this example, the IT access control unit 30 is also arranged to add marking information 37 to the access information, which indicates access attempts and is sent by the IT access control device 14 to the integrated access control and identity management site 16. In this example, the marking information 37 includes information indicating the location of the IT access control device 14, the date and time at which the access attempt occurred, identity information such as biometric information collected from the person wishing to obtain access to the IT system, and/or any other relevant information.
In the present embodiment, the IT access control unit 30 also includes a marking application 36 arranged to add the marking information 37 to the access information sent to the integrated access control and identity management site 16. The marking application may obtain marking information from the following sources: the credential readers 26, 34, location and/or identification information stored at the IT access control unit 30, location information obtained from an electronic identifier such as an IP address associated with the IT access control unit 30, or any other source capable of providing marking information usable to associate an IT access attempt with other access attempt records 42.
In this example, the IT access control unit 30 may include a positioning application 38 arranged to determine the location of the computing device 32, 33 wishing to obtain access, for example using an IP address related to the current location of the computing device 32, 33. Based on the determined location, access may be permitted when the computing device 32 is within a specified area but denied when the computing device is not within the specified area. Similarly, access may be permitted or denied based on whether the location of the computing device 32, 33 is verified, for example based on whether the computing device 33 is connected to the IT access control unit 30 through the Internet, whether the location of the computing device can be determined, and whether that location has been authorised as secure.
It will be appreciated that the IT access control unit 30 may be implemented using a computing device, for example at least partly as a software application.
In this example, the access information indicating IT access attempts received at the integrated access control and identity management site 16, and the associated marking information, are stored in records 42 in the database 40.
In this example, the physical access control device 12 and the IT access control device 14 include appropriate functional components to enable a decision to be made, based on the relevant criteria defined for a user, as to whether and to what extent a person is permitted or denied access. For this purpose, the functional components may include a processor and memory arranged to implement one or more software applications. In this example, the access criteria are stored at the physical access control device 12 and the IT access control device 14, and the credentials are used there to determine whether access is permitted or denied. It will be understood, however, that other implementations are also contemplated. For example, the access criteria may be stored, and the decision as to whether access is permitted or denied may be made, remotely from the physical access control device and the IT access control device, such as at the integrated access control and identity management site 16.
The marking information may take any appropriate form; in this example the marking information is added to the access information as metadata.
With reference to Fig. 2, the component of IT access control apparatus 14 is shown.In this example, IT access control unit 30 controls One or more user calculating equipments 32 or 33 pairs of one or more user calculating equipment one or more software applications 50 and/or Be stored in the access of the data in one or more storage equipment 54, one or more user calculating equipments 32 arranged by local and IT access control unit 30 is connected to via wired or wireless LAN, and one or more user calculating equipments 33 are by remote arrangement And IT access control unit 30 is connected to by internet 52.
In this example, IT access control unit 30 is arranged to using the access mark being stored in access matrix 56 Standard, to determine that being allowed or denied access and access should be allowed in which kind of degree.Exemplary access matrix 56 is in Fig. 3 In be shown, and include: user information 58, indicate user associated with system 10;Location criteria 60 defines each user The permitted position of access system 10;Time standard 62, define each user access the permitted time, the date and/or Duration;Level of trust standard 64, defines the type for the data that user is allowed access to, which is allowed to visit according to user The susceptibility for the data asked carries out;And the rank of the access authority of each user is authorized in access level standard 66, definition.
In this example, user A is allowed access to the data of high-level sensibility, only when user be located at home A or Allow to access data when home B, and is only allowed in office hours access data.In addition, when user A is located at home When A, user is assigned Admin Access's rank, which provides high level access authority for user.It compares Under, when user A is located at home B, user is assigned supervisor access's rank, which is to use Family provides the access authority for reducing rank.
In the present embodiment, Admin Access's rank provides a user the abundant and complete access to data, so that with Data can be read, be written and be modified in family, and user is able to carry out all applications and all to execute with total system permission Function.Supervisor access's rank provides a user part permission, which depends on the role of user and need to be somebody's turn to do The function that user executes.In general, power user can only read and write data, and data can be modified sometimes.
It should be appreciated that since user A is only allowed access to IT money when the user is located at home A or home B Source, so if the trial of access IT resource has occurred, but the position of user is unauthenticated, for example, by home A or User credential is confirmed at home B using voucher reader, then the access of data will be rejected.
In this example simultaneously, user C is assigned different access authority (only checking, power user or inaccessible), Whether this position for depending on the user is verified, such as by verifying the position for calculating equipment associated with the user, and And depend on the time in one day.
It should be appreciated that access matrix 56 may be set so that level of trust standard 64 alternatively or additionally according to number According to position (for example, storage equipment and/or data folder that user is able to access that) type of data is specifically defined.
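The access matrix evaluation described above, written out as an added example (not code from the patent or its assignee). The office-hours window, the sensitivity scale and user C's exact mapping of verified/unverified position to access level are assumptions, since the text does not define them.

```python
from dataclasses import dataclass
from datetime import time
from enum import IntEnum
from typing import Dict, Optional, Tuple


class AccessLevel(IntEnum):
    NO_ACCESS = 0   # "inaccessible"
    VIEW_ONLY = 1   # "only checking"
    SUPERUSER = 2   # partial privileges, can read and write
    ADMIN = 3       # full access with system-wide privileges


class Sensitivity(IntEnum):   # constructed scale for the trust level criteria 64
    UNCLASSIFIED = 0
    LOW = 1
    HIGH = 2


@dataclass(frozen=True)
class MatrixRow:
    """One row of the access matrix 56 for one user (user information 58)."""
    level_at: Dict[str, AccessLevel]            # location criteria 60 + access level 66, per verified location
    level_if_verified_elsewhere: AccessLevel    # position verified, but not one of the listed locations
    level_if_unverified: AccessLevel            # position of the computing device could not be verified
    office_hours: Tuple[time, time]             # time criteria 62
    trust_level: Sensitivity                    # trust level criteria 64: highest sensitivity allowed


@dataclass(frozen=True)
class Request:
    user: str
    location: Optional[str]      # position derived e.g. from the device's IP address
    location_verified: bool      # e.g. credential confirmed by a reader at that location
    at: time
    data_sensitivity: Sensitivity


def evaluate(matrix: Dict[str, MatrixRow], req: Request) -> AccessLevel:
    """Apply the matrix: an unknown user, a time outside the window or data above the
    user's trust level is denied outright; otherwise the granted level depends on where
    the user is and whether that position has been verified."""
    row = matrix.get(req.user)
    if row is None:
        return AccessLevel.NO_ACCESS
    start, end = row.office_hours
    if not (start <= req.at <= end):
        return AccessLevel.NO_ACCESS
    if req.data_sensitivity > row.trust_level:
        return AccessLevel.NO_ACCESS
    if not req.location_verified:
        return row.level_if_unverified
    return row.level_at.get(req.location or "", row.level_if_verified_elsewhere)


OFFICE_HOURS = (time(9, 0), time(18, 0))   # assumption: the text does not define office hours

# User A as described in the text; user C's mapping is constructed to match the three
# outcomes the text names (view only, superuser, no access).
MATRIX: Dict[str, MatrixRow] = {
    "A": MatrixRow(level_at={"home A": AccessLevel.ADMIN, "home B": AccessLevel.SUPERUSER},
                   level_if_verified_elsewhere=AccessLevel.NO_ACCESS,
                   level_if_unverified=AccessLevel.NO_ACCESS,
                   office_hours=OFFICE_HOURS, trust_level=Sensitivity.HIGH),
    "C": MatrixRow(level_at={},
                   level_if_verified_elsewhere=AccessLevel.SUPERUSER,
                   level_if_unverified=AccessLevel.VIEW_ONLY,
                   office_hours=OFFICE_HOURS, trust_level=Sensitivity.LOW),
}


def check(user: str, location: Optional[str], verified: bool, clock: str,
          sensitivity: Sensitivity) -> AccessLevel:
    """Convenience wrapper over evaluate(); clock is 'HH:MM'."""
    req = Request(user, location, verified, time.fromisoformat(clock), sensitivity)
    return evaluate(MATRIX, req)


if __name__ == "__main__":
    print(check("A", "home A", True, "10:00", Sensitivity.HIGH).name)          # ADMIN
    print(check("A", "home B", True, "10:00", Sensitivity.HIGH).name)          # SUPERUSER
    print(check("A", "internet cafe", False, "10:00", Sensitivity.HIGH).name)  # NO_ACCESS
    print(check("C", None, False, "10:00", Sensitivity.LOW).name)              # VIEW_ONLY
```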
In this example, all access attempts relating to both physical and IT access are stored in the database 40 associated with the integrated access control and identity management site 16, so that a single accessible source holds the information relating to all access attempts.
It will be appreciated that in this example, for each access attempt, information indicating the user attempting to access a region or resource, the date and time of the access attempt, the duration of access granted, the user's position, and the region(s) and/or resource(s) accessed by the user is recorded in the database 40, and can therefore be used to monitor, track and/or assess user access activity. For example, if a person repeatedly attempts to access IT resources from a specific unverified location such as an internet cafe, the system 10 may be arranged to generate an alert to an operator.
In addition, the system may be arranged to modify any one or more of the access criteria defined in the access matrix 56 in response to determining a potential access risk situation from the access information stored in the database 40. For example, in the situation above where repeated access attempts occur from an unverified location, the system 10 may be arranged to revise the trust level 64 specified for the user in the access matrix 56 to a lower level, such as no access.
To facilitate searching the records 42 in the database 40, the system may include a terminal 44, for example in the form of a personal computer, tablet computer or smart phone. For this purpose, the integrated access control and identity management site 16 is arranged to allow the user terminal 44 to search, based on potential common variables, for records 42 relating to both physical and IT access attempts, so that related physical and IT access attempts can be identified when a physical access attempt is accompanied by an IT access attempt. In this example, the integrated access control and identity management site 16 may be accessed online, for example via the internet.
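An added example (not code from the patent) of the record correlation, alerting and trust-level downgrade described in the preceding paragraphs: physical and IT records are matched on a common variable in their mark metadata (here a credential id), an IT attempt's position counts as verified when the same credential was accepted by a reader at that region within a time window, and repeated unverified attempts raise an alert and set the user's trust level to "no access". The record layout, the 15-minute window, the threshold of three attempts and all sample records are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# A record 42 in database 40: access information plus mark information 37 as metadata.
# The layout is constructed for this example; the patent gives no schema.
Record = Dict[str, object]


def make_record(kind: str, user: str, target: str, when: str, granted: bool,
                mark: Dict[str, str]) -> Record:
    """kind is 'physical' (from the physical access control unit) or 'it' (from the IT
    access control unit); target is the region or IT resource; mark is the mark information."""
    return {"kind": kind, "user": user, "target": target,
            "at": datetime.fromisoformat(when), "granted": granted, "mark": dict(mark)}


def related_physical_records(db: List[Record], it_rec: Record,
                             window: timedelta = timedelta(minutes=15)) -> List[Record]:
    """Granted physical access records sharing the IT attempt's credential id (the common
    variable) and occurring within `window` of the IT attempt."""
    cred = it_rec["mark"].get("credential_id")
    return [r for r in db
            if r["kind"] == "physical" and r["granted"]
            and r["mark"].get("credential_id") == cred
            and abs(r["at"] - it_rec["at"]) <= window]


def position_verified(db: List[Record], it_rec: Record) -> bool:
    """The reported position is verified when a related physical record is for that region."""
    return any(r["target"] == it_rec["mark"].get("position")
               for r in related_physical_records(db, it_rec))


def unverified_attempts(db: List[Record], user: str) -> Dict[str, int]:
    """Count the user's IT attempts per reported position whose position was not verified."""
    counts: Dict[str, int] = {}
    for r in db:
        if r["kind"] == "it" and r["user"] == user and not position_verified(db, r):
            pos = str(r["mark"].get("position", "unknown"))
            counts[pos] = counts.get(pos, 0) + 1
    return counts


def review_user(db: List[Record], trust_levels: Dict[str, str], user: str,
                threshold: int = 3) -> List[str]:
    """Alert the operator and downgrade the trust level (criteria 64) to 'no access' when
    `threshold` or more IT attempts come from the same unverified position."""
    alerts = []
    for pos, n in unverified_attempts(db, user).items():
        if n >= threshold:
            alerts.append(f"user {user}: {n} IT access attempts from unverified position {pos!r}")
            trust_levels[user] = "no access"
    return alerts


def sample_db() -> List[Record]:
    """Constructed sample records: one badge read at home A, one IT access three minutes
    later from home A, then three IT attempts from an internet cafe with no badge read."""
    cafe = {"credential_id": "card-0001", "position": "internet cafe", "ip": "203.0.113.7"}
    return [
        make_record("physical", "A", "home A", "2014-04-30T09:02:00", True,
                    {"credential_id": "card-0001", "reader": "26"}),
        make_record("it", "A", "finance-share", "2014-04-30T09:05:00", True,
                    {"credential_id": "card-0001", "position": "home A", "ip": "10.0.0.12"}),
        make_record("it", "A", "finance-share", "2014-04-30T13:10:00", False, cafe),
        make_record("it", "A", "finance-share", "2014-04-30T13:12:00", False, cafe),
        make_record("it", "A", "finance-share", "2014-04-30T13:15:00", False, cafe),
    ]


if __name__ == "__main__":
    db = sample_db()
    trust = {"A": "high"}
    print(position_verified(db, db[1]))   # True: badge read at home A three minutes earlier
    print(review_user(db, trust, "A"))    # one alert; trust["A"] becomes "no access"
```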
It should be appreciated that the mark information also allows an operator to track persons associated with physical or IT access events.
It should be appreciated that the system enables an administrator to control access to IT resources based on who the user is, where the user is, when the user attempts access and what the user attempts to access. The access control system provides a high degree of access control and minimises the possibility of impersonation attacks (for example, through a tampered machine or through spoofing).
It should also be appreciated that, unlike conventional electronic access control systems, this access control system provides the ability to control access based on the user's location, for example using location information from the physical access control system.
This integrated access control system may be regarded as a system that removes or implements data generality (general availability of data) for an organisation. The system can remove generality for private data that requires stricter access control, while implementing generality for unclassified data.
Modifications and variations that will be apparent to those skilled in the art are considered to be within the scope of the invention.

Claims (31)

1. An access control system, comprising:
an IT access control unit arranged to monitor attempts by persons to access at least one IT resource;
a physical access control unit arranged to monitor attempts by persons to physically access a region, and to permit a person to physically access the region based on whether the person is positively identified by the physical access control unit;
stored IT access criteria defining access rights for each user associated with the at least one IT resource; and
an access information storage device,
wherein the IT access control unit is arranged to determine, based on the stored IT access criteria, whether and to what degree a user should be permitted IT access,
wherein each of the IT access control unit and the physical access control unit is directly accessible by a user, and the IT access control unit and the physical access control unit operate independently of one another so as to respectively permit or deny the user access to the IT resource, or permit or deny the user physical access to the region,
wherein the system is arranged to store IT access information in the access information storage device and to store physical access information in the access information storage device, the IT access information indicating access attempts monitored by the IT access control unit and the physical access information indicating access attempts monitored by the physical access control unit,
wherein the stored IT access criteria are configured such that the following criteria can be defined in the stored access criteria: an identity criterion indicating the identity of users able to access the IT resource; a location criterion indicating the locations at which the user is permitted to access the IT resource; a time criterion indicating the times at which the user is permitted to access the IT resource; a type criterion indicating the type of IT resource the user is permitted to access; and/or an access level criterion indicating the level of access rights assigned to the user;
wherein the system is arranged to associate IT mark information with the IT access information, to associate physical mark information with the physical access information, and to store the IT mark information and the physical mark information in the access information storage device, the IT mark information and the physical mark information including information usable to determine whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit, and the system being arranged to access the IT mark information and the physical mark information stored at the access information storage device so that the determination can be made; and
wherein the type criterion is a trust level criterion indicating the maximum level of sensitivity of the data the user is permitted to access.
2. The access control system of claim 1, wherein, for at least one user associated with the system, all of the identity criterion, the location criterion, the time criterion, the type criterion and the access level criterion are defined in the stored access criteria.
3. The access control system of claim 1 or claim 2, wherein the IT resource comprises at least one software application and/or data stored on at least one data storage device.
4. The access control system of claim 1 or claim 2, wherein the time criterion indicates the duration for which the user is permitted to access the IT resource.
5. The access control system of claim 1 or claim 2, wherein the type criterion indicates one or more storage locations the user is permitted to access, and/or one or more software applications the user is permitted to access, and/or one or more data types the user is permitted to access.
6. The access control system of claim 1 or claim 2, wherein the access level criterion is selected from a group comprising administrator, superuser, view only and no access.
7. The access control system of claim 1 or claim 2, wherein the identity of the user is determined based on credentials collected from the person.
8. The access control system of claim 7, wherein the credential information comprises: biometric information associated with the person, identification information collected from an identification card carried by the person, a personal identification code provided by the person, or any other identification information.
9. The access control system of claim 1 or claim 2, wherein the IT mark information and/or the physical mark information comprises location information indicating the location of the access attempt associated with the mark information.
10. The access control system of claim 1 or claim 2, wherein the IT mark information and/or the physical mark information comprises credential information indicating at least one credential collected from the person attempting to access the region or resource.
11. The access control system of claim 1 or claim 2, wherein the IT mark information and/or the physical mark information comprises date and/or time information.
12. The access control system of claim 1 or claim 2, wherein the IT mark information and/or the physical mark information is added to the access information in the form of metadata.
13. The access control system of claim 1 or claim 2, wherein the access information storage device receives the access information, the IT mark information and the physical mark information from the respective IT access control unit and physical access control unit, and the access information storage device is configured such that the access information, the IT mark information and the physical mark information are accessible through the access information storage device.
14. The access control system of claim 13, wherein the access information storage device is arranged to facilitate searching by a user through the access information and/or the IT mark information and the physical mark information.
15. The access control system of claim 14, wherein the access information storage device is locally or remotely accessible, and is accessible via a communication network such as the internet.
16. A method of controlling access to IT resources using an access control system, the method comprising:
monitoring attempts by persons to access IT resources;
storing IT access criteria, the stored IT access criteria defining access rights for each user associated with the system;
determining, based on the stored IT access criteria, whether and to what degree a user should be permitted IT access;
monitoring attempts by persons to physically access a region;
permitting a person to physically access the region based on whether the person is positively identified by a physical access control unit; and
storing IT access information in an access information storage device and storing physical access information in the access information storage device, the IT access information indicating access attempts monitored by an IT access control unit and the physical access information indicating access attempts monitored by the physical access control unit,
wherein each of the IT access control unit and the physical access control unit is directly accessible by a user, and the IT access control unit and the physical access control unit operate independently of one another so as to respectively permit or deny the user access to the IT resource, or permit or deny the user physical access to the region,
wherein the stored access criteria are configured such that the following criteria can be defined in the stored access criteria: an identity criterion indicating the identity of users able to access the IT resource; a location criterion indicating the locations at which the user is permitted to access the IT resource; a time criterion indicating the times at which the user is permitted to access the IT resource; a type criterion indicating the type of IT resource the user is permitted to access; and/or an access level criterion indicating the level of access rights assigned to the user;
wherein the system is arranged to associate IT mark information with the IT access information, to associate physical mark information with the physical access information, and to store the IT mark information and the physical mark information in the access information storage device, the IT mark information and the physical mark information including information usable to determine whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit, and the system being arranged to access the IT mark information and the physical mark information stored at the access information storage device so that the determination can be made; and
wherein the type criterion is a trust level criterion indicating the maximum level of sensitivity of the data the user is permitted to access.
17. The method of claim 16, comprising: for at least one user associated with the system, defining all of the identity criterion, the location criterion, the time criterion, the type criterion and the access level criterion in the stored access criteria.
18. The method of claim 16 or claim 17, wherein the IT resource comprises at least one software application and/or data stored on at least one data storage device.
19. The method of claim 16 or claim 17, wherein the time criterion indicates the duration for which the user is permitted to access the IT resource.
20. The method of claim 16 or claim 17, wherein the type criterion indicates one or more storage locations the user is permitted to access, and/or one or more software applications the user is permitted to access, and/or one or more data types the user is permitted to access.
21. The method of claim 16 or claim 17, comprising: selecting the access level criterion from a group comprising administrator, superuser, view only and no access.
22. The method of claim 16 or claim 17, comprising: determining the identity of the user based on credentials collected from the person.
23. The method of claim 22, wherein the credential information comprises: biometric information associated with the person, identification information collected from an identification card carried by the person, a personal identification code provided by the person, or any other identification information.
24. The method of claim 16 or claim 17, wherein the IT mark information and/or the physical mark information comprises location information indicating the location of the access attempt associated with the mark information.
25. The method of claim 16 or claim 17, wherein the IT mark information and/or the physical mark information comprises credential information indicating at least one credential collected from the person attempting to access the region or resource.
26. The method of claim 16 or claim 17, wherein the IT mark information and/or the physical mark information comprises date and/or time information.
27. The method of claim 16 or claim 17, wherein the IT mark information and/or the physical mark information is added to the access information in the form of metadata.
28. The method of claim 16 or claim 17, comprising:
receiving the access information, the IT mark information and the physical mark information at an access information storage device; and
facilitating access to the access information, the IT mark information and the physical mark information through the access information storage device.
29. The method of claim 28, comprising: facilitating searching by a user through the access information and/or the IT mark information and the physical mark information.
30. The method of claim 29, comprising: facilitating local or remote access to the access information storage device via a communication network.
31. The method of claim 16 or claim 17, comprising: using the access information and/or the IT mark information and the physical mark information to track persons associated with access attempts.
CN201480065011.6A 2013-12-26 2014-04-30 Integrated access control and identity management system Expired - Fee Related CN106104548B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SG2013096227A SG2013096227A (en) 2013-12-26 2013-12-26 An integrated access control and identity management system
SG201309622-7 2013-12-26
PCT/SG2014/000192 WO2015099607A1 (en) 2013-12-26 2014-04-30 An integrated access control and identity management system

Publications (2)

Publication Number Publication Date
CN106104548A CN106104548A (en) 2016-11-09
CN106104548B true CN106104548B (en) 2019-08-06

Family

ID=53479313

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480065011.6A Expired - Fee Related CN106104548B (en) 2013-12-26 2014-04-30 Integrated access control and identity management system

Country Status (4)

Country Link
CN (1) CN106104548B (en)
AU (1) AU2014370501A1 (en)
SG (3) SG2013096227A (en)
WO (1) WO2015099607A1 (en)

Also Published As

Publication number Publication date
CN106104548A (en) 2016-11-09
SG2013096227A (en) 2015-07-30
AU2014370501A1 (en) 2016-05-12
SG11201602975YA (en) 2016-07-28
WO2015099607A1 (en) 2015-07-02
SG10201805371VA (en) 2018-08-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 1228530
Country of ref document: HK
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20190806