CN106254328A - A kind of access control method and device - Google Patents

Info

Publication number: CN106254328A
Authority: CN (China)
Prior art keywords: user, account information, resource pool, newly launched, module
Legal status: Granted (Active)
Application number: CN201610606766.3A
Other languages: Chinese (zh)
Other versions: CN106254328B (en)
Inventor: 张立
Current assignee: Huawei Cloud Computing Technologies Co Ltd
Original assignee: Hangzhou Huawei Digital Technologies Co Ltd
Application filed by Hangzhou Huawei Digital Technologies Co Ltd; priority to CN201610606766.3A; published as CN106254328A; granted as CN106254328B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102: Entity profiles
    • H04L 63/104: Grouping of entities
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/50: Network services
    • H04L 67/56: Provisioning of proxy services
    • H04L 67/567: Integrating service provisioning from a plurality of service providers


Abstract

Embodiments of the present invention provide an access control method and device, relating to the field of cloud resource technology, which allow a friendly user to access a newly launched resource pool from a terminal having any IP address. The specific scheme is that each exclusive IAM module corresponds to one newly launched resource pool and stores the account information of the users in the friendly user group corresponding to that newly launched resource pool. The method includes: the exclusive IAM module receives first account information sent by a portal server, where the first account information is the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the exclusive IAM module, and the logged-in user is a user who has logged in to the portal server; the exclusive IAM module authenticates the first account information according to the stored account information of the users in the friendly user group; and the exclusive IAM module sends an authentication indication message to the portal server, the authentication indication message indicating whether the first account information has passed authentication. Embodiments of the present invention are used for access control.

Description

Access control method and device
Technical field
Embodiments of the present invention relate to the field of cloud resource technology, and in particular to an access control method and device.
Background technology
In cloud service scenarios, particularly public cloud scenarios, newly launched resource pools and old resource pools coexist within the same cloud project. A newly launched resource pool is one that has just been released and has been online for a short time; an old resource pool is one that was released earlier and has been online for a longer time. A newly launched resource pool usually needs to be maintained for several months as a friendly-user test phase. During the friendly-user test phase of a newly launched resource pool, all users may access the old resource pools, but only selected friendly users are allowed to see and access the resources of the newly launched resource pool. In this way, exposed problems are contained within the scope of the friendly users, risk is prevented from spreading, and the newly launched resource pool can be rectified and improved according to the exposed problems and the feedback of the friendly users; at the same time the experience of the friendly users is guaranteed, as they are not disturbed by the use of other users.
In practice, an Identity and Access Management (IAM) server is usually responsible for unified registration and identity authentication management of all users requesting access to all the new and old resource pools in the same cloud project. As a result, non-friendly users can also access the newly launched resource pool, which seriously interferes with risk control and with the use by friendly users.
One solution in the prior art is to configure an Internet Protocol (IP) address whitelist on the firewall at the boundary of the console of the newly launched resource pool, so that only friendly users are allowed to access the newly launched resource pool. However, this approach imposes a strict restriction on IP addresses: a friendly user can access the newly launched resource pool only from a terminal with a specified IP address and cannot access it from any other IP address. Moreover, if the IP address changes, the firewall has to be reconfigured, which results in a poor user experience.
Summary of the invention
Embodiments of the present invention provide an access control method and device that allow a friendly user to access a newly launched resource pool from a terminal having any IP address.
To achieve the above purpose, the embodiments of the present invention adopt the following technical solutions:
According to a first aspect, an embodiment of the present invention provides an access control method applied to an exclusive IAM module, where one exclusive IAM module corresponds to one newly launched resource pool and stores the account information of the users in the friendly user group corresponding to that newly launched resource pool. The method includes: first, the exclusive IAM module receives first account information sent by a portal server, where the first account information is the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the exclusive IAM module, and the logged-in user is a user who has logged in to the portal server; second, the exclusive IAM module authenticates the first account information according to the stored account information of the users in the friendly user group; then the exclusive IAM module sends an authentication indication message to the portal server, the authentication indication message indicating whether the first account information has passed authentication.
Because the exclusive IAM module authenticates the logged-in user according to the "account information" in the friendly user group corresponding to its newly launched resource pool, rather than according to the "IP address" of the user's terminal, a user in the friendly user group located anywhere can access the newly launched resource pool from a terminal with any IP address on the basis of account information, without being restricted by the terminal's IP address, which improves the user experience.
In a possible design, before the first account information is authenticated according to the stored account information of the users in the friendly user group, the method further includes: the exclusive IAM module receives second account information sent by a global IAM module, where the second account information is the account information of the users in the friendly user group corresponding to the newly launched resource pool corresponding to the exclusive IAM module. This way of configuring the account information of the friendly user group in the exclusive IAM module is relatively simple and convenient.
In a possible design, when the online time of the newly launched resource pool is greater than or equal to a preset time threshold, the method further includes: the exclusive IAM module receives the account information of all users sent by the global IAM module. The exclusive IAM module thus stores the account information of all users and can authenticate all logged-in users requesting access to the newly launched resource pool corresponding to the exclusive IAM module.
According to a second aspect, an embodiment of the present invention provides an access control method applied to a global IAM module, where the global IAM module stores the registration information of all users and the registration information includes account information. The method includes: the global IAM module receives first account information sent by a portal server, where the first account information is the account information of a logged-in user requesting access to an old resource pool; the global IAM module then authenticates the first account information according to the stored registration information of all users. Further, for each newly launched resource pool, the global IAM module sends the account information of the users in the friendly user group corresponding to that resource pool to the exclusive IAM module corresponding to that newly launched resource pool.
Thus, the global IAM module can authenticate the account information of all logged-in users requesting access to old resource pools. Further, because the global IAM module sends the account information of the users in the friendly user group corresponding to each newly launched resource pool to the exclusive IAM module corresponding to that resource pool, the account information of the friendly user group can be configured simply and conveniently in the exclusive IAM module.
In a possible design, the method further includes: when the online time of a newly launched resource pool is greater than or equal to the preset time threshold, the global IAM module sends the account information of all users to the exclusive IAM module corresponding to that newly launched resource pool, so that the exclusive IAM module stores the account information of all users and can authenticate all logged-in users requesting access to the newly launched resource pool corresponding to the exclusive IAM module.
In a possible design, the registration information further includes password information, and the method further includes: first, the global IAM module receives second account information and password information sent by the portal server, where the second account information and the password information are the account information and password information of a user requesting to log in to the portal server; second, the global IAM module authenticates the second account information and the password information according to the stored registration information of all users; then the global IAM module sends an authentication indication message to the portal server, the authentication indication message indicating whether the second account information and the password information have passed authentication. Thus, the global IAM module can authenticate the identity of all users requesting to log in to the portal server.
According to a third aspect, an access control method applied to a portal server is provided. The method includes: first, after a user logs in to the portal server, the portal server instructs a terminal to display a resource pool list to the logged-in user; second, the portal server receives a newly-launched-resource-pool access request sent by the terminal, the request including the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed; then the portal server sends the account information of the logged-in user to the exclusive Identity and Access Management (IAM) module corresponding to the identifier of the newly launched resource pool to be accessed; afterwards, the portal server receives a first authentication indication message sent by the exclusive IAM module, the first authentication indication message indicating whether the account information of the logged-in user has passed authentication; finally, when the first authentication indication message indicates that authentication has passed, the logged-in user is allowed to access the newly launched resource pool to be accessed.
In this way, when a logged-in user wishes to access a newly launched resource pool, the portal server can send the account information of the logged-in user to the exclusive IAM module corresponding to that newly launched resource pool, so that the exclusive IAM module authenticates the logged-in user according to the stored "account information" of the users in the friendly user group rather than according to the "IP address" of the user's terminal. A user in the friendly user group located anywhere can therefore access the newly launched resource pool from a terminal with any IP address on the basis of account information, without being restricted by the terminal's IP address, which improves the user experience.
In a possible design, the method further includes, before the above steps: first, the portal server receives a login request message sent by the terminal, the login request message including the account information and password information of the user requesting to log in to the portal server; second, the portal server sends the account information and password information of the user requesting to log in to the portal server to the global IAM module; then the portal server receives a second authentication indication message sent by the global IAM module, where the second authentication indication message indicates whether the account information and password information of the user requesting to log in to the portal server have passed authentication; then, if the second authentication indication message indicates that authentication has passed, the portal server allows the user to log in. Thus, the global IAM module can authenticate the identity of all users requesting to log in to the portal server.
In a possible design, the portal server instructing the terminal to display the resource pool list to the logged-in user includes: when there is no newly launched resource pool whose online time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display, in the resource pool list, all old resource pools and all newly launched resource pools whose corresponding friendly user group includes the logged-in user.
In this way, a user in a friendly user group can see and click on both newly launched resource pools and old resource pools on the terminal, and thereby request access to them. A user who is not in the friendly user group can see and click on only the old resource pools on the terminal and cannot see a newly launched resource pool, so cannot request access to it; the exclusive IAM module corresponding to the newly launched resource pool therefore never has to authenticate the account information of users outside the friendly user group, which reduces its workload.
In a possible design, when there is a newly launched resource pool whose online time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display, in the resource pool list, all old resource pools, all newly launched resource pools whose online time is greater than or equal to the preset time threshold, and, among the newly launched resource pools whose online time is less than the preset time threshold, all those whose corresponding friendly user group includes the logged-in user. In this way, once a newly launched resource pool has passed the friendly-user test phase, it is opened to all users rather than only to the users in the friendly user group.
In a possible design, the method further includes: the portal server receives an old-resource-pool access request sent by the terminal, the request including the account information of the logged-in user and the identifier of the old resource pool to be accessed; the portal server then sends the account information of the logged-in user to the global IAM module, so that the global IAM module authenticates the account information of the logged-in user requesting access to the old resource pool.
According to another aspect, an embodiment of the present invention provides a system including a device capable of implementing the functions of the exclusive IAM module of the above aspects, a device capable of implementing the functions of the global IAM module, and a device capable of implementing the functions of the portal server.
According to a further aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above exclusive IAM module, which includes a program designed to perform the above aspects.
According to a further aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above global IAM module, which includes a program designed to perform the above aspects.
According to a further aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above portal server, which includes a program designed to perform the above aspects.
Compared with the prior art, in the solutions provided by the embodiments of the present invention the exclusive IAM module authenticates the logged-in user according to the stored account information of the users in the friendly user group rather than according to the "IP address", so that a user in the friendly user group located anywhere can access the newly launched resource pool from a terminal with any IP address on the basis of account information, which improves the user experience.
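As an added illustration (not the patent's own code), the following Python model implements the three aspects above and the flow of steps 301 to 304 in the detailed description: a global IAM module that holds registration information and authenticates portal logins and old-pool access, one exclusive IAM module per newly launched resource pool that holds only the friendly user group until the pool's online time reaches the preset threshold, and a portal server that builds the resource pool list (both display designs combined into one rule) and routes access requests by account rather than by terminal IP address. The class and method names, the 90-day threshold, the password hashing and the user and pool names are constructed assumptions.

```python
"""Model of the CN106254328A access-control flow (added example; names, the
90-day threshold and the sample users/pools are constructed assumptions)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourcePool:
    pool_id: str
    is_new: bool                    # newly launched (True) or old (False) pool
    online_days: int                # how long the pool has been online
    friendly_group: frozenset = frozenset()  # accounts in the friendly user group


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ExclusiveIAM:
    """One per newly launched pool; holds only the account information it was sent."""

    def __init__(self) -> None:
        self.accounts: set[str] = set()

    def load_accounts(self, accounts) -> None:
        self.accounts = set(accounts)

    def authenticate(self, account: str) -> bool:
        # Purely account-based: no terminal IP address is ever consulted here.
        return account in self.accounts


class GlobalIAM:
    """Stores registration info (account + salted password hash) for all users."""

    def __init__(self, threshold_days: int) -> None:
        self.threshold_days = threshold_days
        self.registrations: dict[str, tuple[bytes, bytes]] = {}
        self.exclusive: dict[str, ExclusiveIAM] = {}

    def register(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self.registrations[account] = (salt, _derive(password, salt))

    def authenticate_login(self, account: str, password: str) -> bool:
        rec = self.registrations.get(account)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _derive(password, salt))

    def authenticate_account(self, account: str) -> bool:
        """Authentication of a logged-in user requesting an old resource pool."""
        return account in self.registrations

    def provision(self, pool: ResourcePool, module: ExclusiveIAM) -> None:
        """Send the friendly group's accounts to the pool's exclusive IAM module,
        or every registered account once the pool's online time reaches the threshold."""
        if pool.online_days >= self.threshold_days:
            module.load_accounts(self.registrations)
        else:
            module.load_accounts(a for a in pool.friendly_group if a in self.registrations)
        self.exclusive[pool.pool_id] = module


class PortalServer:
    def __init__(self, global_iam: GlobalIAM, pools) -> None:
        self.global_iam = global_iam
        self.pools = {p.pool_id: p for p in pools}
        self.logged_in: set[str] = set()

    def login(self, account: str, password: str) -> bool:
        ok = self.global_iam.authenticate_login(account, password)
        if ok:
            self.logged_in.add(account)
        return ok

    def resource_pool_list(self, account: str) -> list[str]:
        """Old pools, new pools past the threshold, and new pools whose friendly
        group includes the user (the two display designs of the summary combined)."""
        thr = self.global_iam.threshold_days
        return [p.pool_id for p in self.pools.values()
                if not p.is_new or p.online_days >= thr or account in p.friendly_group]

    def access(self, account: str, pool_id: str, terminal_ip: str) -> bool:
        """Route the request: new pool -> exclusive IAM, old pool -> global IAM.
        terminal_ip is carried only to show that it plays no part in the decision."""
        if account not in self.logged_in or pool_id not in self.pools:
            return False
        pool = self.pools[pool_id]
        if pool.is_new:
            module = self.global_iam.exclusive.get(pool_id)
            return module is not None and module.authenticate(account)
        return self.global_iam.authenticate_account(account)


def build_demo():
    """Constructed scenario: two users, one friendly user, one old and two new pools."""
    giam = GlobalIAM(threshold_days=90)
    giam.register("alice", "correct horse")
    giam.register("bob", "battery staple")
    pools = [
        ResourcePool("beijing-old", is_new=False, online_days=400),
        ResourcePool("shanghai-new-1", True, 20, frozenset({"alice"})),   # in test phase
        ResourcePool("shenzhen-new-2", True, 120, frozenset({"alice"})),  # past threshold
    ]
    portal = PortalServer(giam, pools)
    for p in pools[1:]:
        giam.provision(p, ExclusiveIAM())
    return giam, portal
```

In the constructed scenario alice (a friendly user) reaches the pool still in its test phase from any IP address, bob is denied there but admitted to the pool whose online time has passed the threshold, and a user who never logged in at the portal is denied everywhere.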
For ease of understanding, some concepts related to the present invention are explained by way of example for reference, as follows:
Portal website: refers to an application system that provides access to a certain class of comprehensive Internet information resources and related information services; it is the website managed by the portal server.
Resource pool: refers to a cloud resource pool in a cloud service scenario in the embodiments of the present invention, that is, a set of multiple cloud resources. The cloud resources may include cloud computing resources, cloud storage resources and the like, and the cloud resources in a resource pool usually need to be carried by multiple physical carrier devices.
Single sign-on: across multiple application systems, a user needs to log in only once to access all mutually trusted application systems.
Console: a framework for storing and managing tools, including files and other containers, web pages and other management items. The console has windows that provide a console tree view and views of the management attributes, services and events of the items in the console tree.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings required in the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the basic architecture of an access control system provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the basic architecture of an improved access control system provided by an embodiment of the present invention;
Fig. 3 is a flowchart of an access control method provided by an embodiment of the present invention;
Fig. 4 is a flowchart of another access control method provided by an embodiment of the present invention;
Fig. 5 is a flowchart of a method, provided by an embodiment of the present invention, by which a portal server instructs a terminal to display a resource pool list;
Fig. 6A is a schematic diagram of a terminal display interface provided by an embodiment of the present invention;
Fig. 6B is a schematic diagram of another terminal display interface provided by an embodiment of the present invention;
Fig. 7 is a flowchart of another access control method provided by an embodiment of the present invention;
Fig. 8 is a flowchart of another access control method provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an exclusive IAM module provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a global IAM module provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a portal server provided by an embodiment of the present invention;
Fig. 12A is a schematic structural diagram of another exclusive IAM module provided by an embodiment of the present invention;
Fig. 12B is a schematic structural diagram of another exclusive IAM module provided by an embodiment of the present invention;
Fig. 13A is a schematic structural diagram of another global IAM module provided by an embodiment of the present invention;
Fig. 13B is a schematic structural diagram of another global IAM module provided by an embodiment of the present invention;
Fig. 14A is a schematic structural diagram of another portal server provided by an embodiment of the present invention;
Fig. 14B is a schematic structural diagram of another portal server provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention rather than all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic diagram of the basic architecture of a resource pool access control system in a cloud service scenario. The resource pool access control system includes terminals, a portal server, an access control device, firewalls, consoles and physical carrier devices. The portal server may be connected to at least one terminal, to receive the login requests or resource pool access requests that users send through the terminals; the portal server is also connected to the access control device, to send the user identity information carried in a login request or resource pool access request to the access control device for authentication; the portal server may also be connected to multiple consoles, each console corresponding to one resource pool, to redirect a user's resource pool access request to the console corresponding to the requested resource pool and thus access that resource pool; each console may be connected to at least one physical carrier device, which carries the resource pool corresponding to that console. Specifically, the access control device here may be an IAM server, and the terminal may be a physical device such as a computer, mobile phone or iPad. As shown in Fig. 1, one cloud project may contain multiple resource pools, and different resource pools may be located in different geographical locations, such as Beijing, Shanghai or Shenzhen. The resource pools here may include multiple old resource pools released earlier and multiple newly launched resource pools that have just been released. By single sign-on to the portal server on a terminal, that is, by logging in to the portal website, a user can access all resource pools in the cloud project.
In the prior art, an IP address whitelist is configured on the firewall at the boundary of the console corresponding to the newly launched resource pool shown in Fig. 1, so that during the friendly-user test phase of the newly launched resource pool only the users in the friendly user group are allowed to access it. This approach imposes a strict restriction on IP addresses: a user in the friendly group can access the newly launched resource pool only from the terminal corresponding to an IP address specified in the whitelist and cannot access it from a terminal with any other IP address, which reduces the user experience.
To address the above problems, an embodiment of the present invention proposes an improved access control system whose basic architecture is shown in Fig. 2. Compared with the architecture of Fig. 1, in the architecture of Fig. 2 the access control device includes a global IAM module and at least one exclusive IAM module; the different IAM modules may be deployed in different physical devices or integrated in the same physical device, which is not specifically limited here. The global IAM module stores the registration information of all users, which includes user identity information such as account information and password information. The global IAM module is responsible for authenticating users requesting to log in to the portal server and for authenticating users requesting access to old resource pools. A logged-in user here refers to a user who has successfully logged in to the portal server. Each exclusive IAM module corresponds to one newly launched resource pool; for example, as shown in Fig. 2, newly launched resource pool 1 corresponds to exclusive IAM module 1, newly launched resource pool 2 corresponds to exclusive IAM module 2, and so on. An exclusive IAM module stores only the account information of the users in the friendly user group corresponding to its newly launched resource pool, and is responsible for authenticating the account information of logged-in users requesting access to that newly launched resource pool.
The exclusive IAM module authenticates the "account information" of a logged-in user requesting access to its newly launched resource pool against the stored "account information" of the users in the friendly user group corresponding to that resource pool, rather than authenticating the logged-in user according to the "IP address". A user in the friendly user group located anywhere can therefore access the newly launched resource pool from a terminal with any IP address, without being restricted by the IP address, which improves the user experience.
With reference to the basic architecture of Fig. 2, an embodiment of the present invention provides an access control method; see Fig. 3. The method may include:
301. After a user logs in to the portal server, the portal server instructs the terminal to display a resource pool list to the logged-in user.
Here, the logged-in user is a user who has logged in to the portal server, that is, a user who has logged in to the portal website managed by the portal server. After the user successfully logs in to the portal server through a terminal and a browser, the portal server can instruct the terminal to display the resource pool list. The resource pool list presents to the logged-in user the resource pools that can be accessed.
302. The portal server receives a newly-launched-resource-pool access request sent by the terminal; the request includes the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed.
303. The portal server sends the account information of the logged-in user to the exclusive IAM module corresponding to the identifier of the newly launched resource pool to be accessed.
When the logged-in user requests access to a newly launched resource pool in the resource pool list, the logged-in user can send a newly-launched-resource-pool access request to the portal server through the terminal, carrying in the request the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed. This identifier uniquely identifies the newly launched resource pool to be accessed.
In steps 302 and 303, when the portal server receives the access request that the logged-in user sends for a newly launched resource pool, it can forward the account information of the logged-in user carried in the request to the exclusive IAM module corresponding to the identifier of the newly launched resource pool to be accessed.
304. After receiving the first account information sent by the portal server, the exclusive IAM module authenticates the first account information according to the stored account information of the users in the friendly user group.
The first account information here is the account information sent by the portal server in step 303, that is, the account information of the logged-in user who requests access to the newly launched resource pool corresponding to the exclusive IAM module. After receiving the account information of the logged-in user, the exclusive IAM module corresponding to the identifier of the newly launched resource pool to be accessed can authenticate this first account information against the stored account information of the users in the friendly user group.
When the logged-in user is a user in the friendly user group of the newly launched resource pool to be accessed, the account information of the logged-in user passes the authentication of the exclusive IAM module; when the logged-in user is a user in the non-friendly user group of that pool, the account information of the logged-in user does not pass the authentication of the exclusive IAM module.
305. The exclusive IAM module sends an authentication indication message to the portal server; the authentication indication message indicates whether the first account information has passed authentication.
After authenticating the first account information in step 304, the exclusive IAM module can send the authentication result to the portal server in an authentication indication message, to notify the portal server whether the first account information has passed authentication.
306. After receiving the first authentication indication message sent by the exclusive IAM module, when the first authentication indication message indicates that authentication has passed, the portal server allows the logged-in user to access the newly launched resource pool to be accessed.
After receiving the first authentication indication message sent by the exclusive IAM module, the portal server allows the logged-in user to access the newly launched resource pool to be accessed when the message indicates that authentication has passed, and does not allow the logged-in user to access it when the message indicates that authentication has not passed.
Specifically, when the portal server allows the logged-in user to access the newly launched resource pool to be accessed, it can redirect the access request sent by the logged-in user through the terminal to the console corresponding to that newly launched resource pool, so that the newly launched resource pool is accessed through the console.
In the access control method provided by the embodiment of the present invention, the exclusive IAM module is responsible for authenticating the account information of logged-in users who request access to its newly launched resource pool. When a logged-in user requests access to a newly launched resource pool, the exclusive IAM module corresponding to that pool can determine whether the account information of the logged-in user matches the account information of some user in the friendly user group it stores. If it matches, the logged-in user is a user in the friendly user group, passes authentication, and can access the newly launched resource pool. If it does not match, the exclusive IAM module does not store the account information of this logged-in user; the logged-in user belongs to the non-friendly user group of the newly launched resource pool, cannot pass authentication, and cannot access the newly launched resource pool.
Therefore, if the logged-in user requesting access to the newly launched resource pool is a user in the non-friendly user group, the account information of the logged-in user cannot pass the authentication of the exclusive IAM module, and the user cannot access the newly launched resource pool; if the logged-in user is a user in the friendly user group, the account information of the logged-in user can pass the authentication of the exclusive IAM module, and the user can access the newly launched resource pool. Thus, when a problem arises in the services, functions or business systems provided by the newly launched resource pool, the problem exposed by the pool is contained within the scope of the friendly users and the risk does not spread; the newly launched resource pool can be corrected according to the exposed problems and the feedback of the friendly users; and at the same time the experience of the friendly users is ensured, free of interference from the use of non-friendly users.
Further, because the exclusive IAM module authenticates the logged-in user by account information rather than by IP address, a user in the friendly user group, wherever located, can access the newly launched resource pool by account information from a terminal with any IP address, which achieves the effect of an "account whitelist". Since access is not restricted by the terminal's IP address, a change of the terminal's IP address does not affect the normal access of users in the friendly user group to the newly launched resource pool, which improves the user experience.
It should be noted that, in the embodiment of the present invention, the account information of the users in the friendly user group of the corresponding newly launched resource pool that is stored in the exclusive IAM module may be preset, or may be sent to the exclusive IAM module by the global IAM module or by another device or apparatus; this is not specifically limited.
Optionally, referring to Fig. 4, before step 304 the method may further include:
307. The global IAM module sends, for each newly launched resource pool, the account information of those users among all users who are in the friendly user group corresponding to that pool to the exclusive IAM module corresponding to that newly launched resource pool.
Since the global IAM module stores the registration information of all users, and the registration information includes account information, the global IAM module can send the account information of the users in the friendly user group of a newly launched resource pool to the exclusive IAM module, which is simple and convenient.
Corresponding to step 307, the exclusive IAM module can receive "second account information" sent by the global IAM module; the second account information here is what the global IAM module sends in step 307, namely the account information of the users in the friendly user group of the newly launched resource pool corresponding to the exclusive IAM module. After receiving and storing the second account information sent by the global IAM module, the exclusive IAM module can authenticate the account information of logged-in users who request access to the newly launched resource pool according to the stored account information of the users in the friendly user group.
Specifically, in step 301, the portal server instructing the terminal to display the resource pool list to the logged-in user may include steps 3011 and 3012 shown in Fig. 5:
3011. When there is no newly launched resource pool whose online time (time since launch) is greater than or equal to a preset time threshold, the portal server instructs the terminal to display to the logged-in user, in the resource pool list, the old resource pools and all newly launched resource pools whose corresponding friendly user group includes the logged-in user.
The preset time threshold may be the preset duration of the friendly user test period. When there is no newly launched resource pool whose online time is greater than or equal to the preset time threshold, every newly launched resource pool is still within the friendly user test period, so the logged-in user may be shown the old resource pools and all newly launched resource pools whose friendly user group includes the logged-in user. In this way, a user in a friendly user group can see and click the corresponding newly launched resource pools and the old resource pools on the terminal, and thus request access to them, whereas a user who is not in the friendly user group can only see and click the old resource pools, does not see the newly launched resource pools, and therefore cannot request access to them. The exclusive IAM module of the newly launched resource pool then never has to authenticate the account information of users in the non-friendly user group, which reduces its workload.
For example, if user 1 is in the friendly user group of newly launched resource pool 1 (the Shanghai resource pool) shown in Fig. 2, but not in the friendly user group of newly launched resource pool 2 (the Beijing resource pool) of Fig. 2, then, as in the terminal display interface of Fig. 6A, after user 1 logs in to the portal server through the terminal, newly launched resource pool 1 (the Shanghai resource pool) and the old resource pools are visible in the resource pool list displayed by the terminal, but newly launched resource pool 2 (the Beijing resource pool) is not. User 1 can click a displayed resource pool on the terminal to access it.
Alternatively, when there is no newly launched resource pool whose online time is greater than or equal to the preset time threshold, the portal server may also instruct the terminal to display all resource pools to the logged-in user in the resource pool list; if the logged-in user is not in the friendly user group of some newly launched resource pool, that pool is displayed in a manner different from the other resource pools, and clicking it produces no response. In this way, a user in the non-friendly user group can see the newly launched resource pool on the terminal but cannot request access to it.
For example, referring to Fig. 6B, after user 1 logs in through the terminal, all the resource pools shown in Fig. 2 are visible on the terminal, but the icon of newly launched resource pool 2 (the Beijing resource pool) is displayed in a format different from the icons of the other resource pools and does not respond when clicked, so user 1 cannot access the resources in newly launched resource pool 2.
3012. When there is a newly launched resource pool whose online time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display to the logged-in user, in the resource pool list, the old resource pools, all newly launched resource pools whose online time is greater than or equal to the preset time threshold, and, among the newly launched resource pools whose online time is less than the preset time threshold, all those whose corresponding friendly user group includes the logged-in user.
When the online time of a newly launched resource pool is greater than or equal to the preset time threshold, that pool has passed the friendly user test period, and the services, functions and business systems it provides have stabilised; it can now be opened to all users rather than only to the users in the friendly user group. Accordingly, the portal server may instruct the terminal to display to the logged-in user, in the resource pool list, the old resource pools, all newly launched resource pools whose online time is greater than or equal to the preset time threshold, and, among the newly launched resource pools whose online time is less than the preset time threshold, all those whose corresponding friendly user group includes the logged-in user.
Further, when the online time of a newly launched resource pool is greater than or equal to the preset time threshold, the method may also include: the global IAM module sends the account information of all users to the exclusive IAM module corresponding to that newly launched resource pool.
In this way, the exclusive IAM module corresponding to a newly launched resource pool whose online time is greater than or equal to the preset time threshold stores the account information of all users. When a logged-in user requests access to this newly launched resource pool, whether the logged-in user is in the friendly user group or in the non-friendly user group, as long as the logged-in user is a registered, valid user, the account information passes the authentication of the exclusive IAM module, and the logged-in user is allowed to access the newly launched resource pool.
It should be noted that, since the exclusive IAM module has previously stored the account information of the users in the friendly user group of its corresponding newly launched resource pool, when the online time of that pool reaches the preset time threshold the global IAM module may send only the account information of the users in the pool's non-friendly user group to the exclusive IAM module, after which the exclusive IAM module stores the account information of all users.
In addition, when the online time of a newly launched resource pool is greater than or equal to the preset time threshold and a new user registers, the global IAM module stores the registration information of the new user and synchronously sends the account information of the new user to the exclusive IAM module corresponding to that newly launched resource pool.
Further, referring to Fig. 7, before step 301 the method may also include:
701. The portal server receives a login request message sent by the terminal; the login request message includes the account information and password information of the user requesting to log in to the portal server.
702. The portal server sends the account information and password information of the user requesting to log in to the portal server to the global IAM module.
703. After receiving the second account information and password information sent by the portal server, the global IAM module authenticates the second account information and password information according to the stored registration information of all users.
The second account information and password information here are the account information and password information of the user requesting to log in to the portal server, as sent by the portal server in step 702.
704. The global IAM module sends an authentication indication message to the portal server; the authentication indication message indicates whether the second account information and password information have passed authentication.
705. After receiving the second authentication indication message sent by the global IAM module, if the second authentication indication message indicates that authentication has passed, the portal server allows the user to log in.
The "second authentication indication message" received by the portal server in step 705 is the "authentication indication message" sent by the global IAM module in step 704; it indicates whether the account information and password information of the user requesting to log in to the portal server have passed authentication.
If the second authentication indication message indicates that authentication has not passed, the portal server does not allow the user to log in.
It should be noted that, in the embodiment of the present invention, identity information such as the account information and password information of a user requesting to log in to the portal server is authenticated by the global IAM module.
Further, after step 705, referring to Fig. 8, the method provided by the embodiment of the present invention may also include:
801. The portal server receives an old-resource-pool access request sent by the terminal; the old-resource-pool access request includes the account information of the logged-in user and the identifier of the old resource pool to be accessed.
802. The portal server sends the account information of the logged-in user to the global IAM module.
The portal server determines from the identifier of the old resource pool to be accessed that the logged-in user wants to access an old resource pool, and therefore sends the account information of the logged-in user to the global IAM module for authentication.
803. After receiving the first account information sent by the portal server, the global IAM module authenticates the first account information according to the stored registration information of all users.
It should be noted that, unlike the "first account information" in step 304, the "first account information" in step 803 is the account information sent by the portal server in step 802, that is, the account information of the logged-in user requesting access to the old resource pool.
It can be seen that, in the embodiment of the present invention, the global IAM module is responsible for verifying the account information and password information of users requesting to log in to the portal server and for authenticating the account information of logged-in users requesting access to old resource pools, whereas the exclusive IAM module authenticates only the account information of logged-in users requesting access to the newly launched resource pool corresponding to that exclusive IAM module.
It should be noted that the global IAM module and each exclusive IAM module may be deployed on different physical devices; when an exclusive IAM module is located in the same geographic location as its corresponding resource pool, the access control latency experienced by users can be reduced, which improves the user experience. For example, the exclusive IAM module corresponding to the Shanghai resource pool may be deployed in Shanghai, and the exclusive IAM module corresponding to the Beijing resource pool may be deployed in Beijing. Of course, the global IAM module and all exclusive IAM modules may also be integrated in one physical device, which is not specifically limited here.
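The flows described above (steps 301-306, 3011 and 3012, 307, 701-705 and 801-803), as an added runnable model that is not part of the patent: the pool and account names, the 7-day threshold, the toy password hashing and the simplification of the terminal and console to method calls are constructed assumptions.

```python
"""Added model (not the patent's code): login (701-705), resource pool list
(3011/3012), new-pool access via the exclusive IAM module (302-306), old-pool
access via the global IAM module (801-803), the friendly-user push (307) and
opening a pool to all users at the threshold. Names and values are constructed."""
from __future__ import annotations
import hmac
from dataclasses import dataclass, field
from hashlib import sha256

def _pw_hash(password: str) -> str:
    return sha256(password.encode()).hexdigest()  # toy; real systems use salted slow hashes

@dataclass
class ExclusiveIAM:
    """Per-pool IAM: stores only the accounts allowed into its pool (step 304)."""
    pool_id: str
    allowed: set[str] = field(default_factory=set)

    def load_accounts(self, accounts) -> None:
        self.allowed |= set(accounts)

    def authenticate(self, account: str) -> bool:
        return account in self.allowed  # by account only; the client IP plays no role

@dataclass
class GlobalIAM:
    """Stores the registration information of all users."""
    registrations: dict[str, str]  # account -> password hash
    open_pools: list[ExclusiveIAM] = field(default_factory=list)

    def authenticate_login(self, account: str, password: str) -> bool:  # 703
        stored = self.registrations.get(account)
        return stored is not None and hmac.compare_digest(stored, _pw_hash(password))

    def authenticate_account(self, account: str) -> bool:  # 803
        return account in self.registrations

    def open_to_all_users(self, iam: ExclusiveIAM) -> None:
        # Threshold reached: send only the accounts the exclusive IAM lacks.
        iam.load_accounts(set(self.registrations) - iam.allowed)
        self.open_pools.append(iam)

    def register(self, account: str, password: str) -> None:
        # A new registration is synchronised to every pool already open to all.
        self.registrations[account] = _pw_hash(password)
        for iam in self.open_pools:
            iam.load_accounts({account})

@dataclass
class ResourcePool:
    pool_id: str
    is_new: bool
    online_days: int = 0
    friendly_users: frozenset[str] = frozenset()

@dataclass
class PortalServer:
    global_iam: GlobalIAM
    exclusive: dict[str, ExclusiveIAM]
    pools: dict[str, ResourcePool]
    threshold_days: int
    sessions: set[str] = field(default_factory=set)

    def login(self, account: str, password: str) -> bool:  # 701-705
        ok = self.global_iam.authenticate_login(account, password)
        if ok:
            self.sessions.add(account)
        return ok

    def resource_pool_list(self, account: str) -> list[str]:  # 3011/3012
        if account not in self.sessions:
            return []
        # Both branches reduce to: old pools always; a new pool only once it has
        # reached the threshold or when the user is in its friendly user group.
        return [p.pool_id for p in self.pools.values()
                if not p.is_new or p.online_days >= self.threshold_days
                or account in p.friendly_users]

    def access_request(self, account: str, pool_id: str) -> bool:  # 302-306 / 801-803
        pool = self.pools.get(pool_id)
        if account not in self.sessions or pool is None:
            return False
        if pool.is_new:
            return self.exclusive[pool_id].authenticate(account)  # 303-306
        return self.global_iam.authenticate_account(account)  # 802-803

def build_demo() -> PortalServer:
    """Constructed sample: one old pool, two newly launched pools, 7-day threshold."""
    giam = GlobalIAM({u: _pw_hash(f"pw-{u}") for u in ("alice", "bob", "carol")})
    pools = {"old-pool": ResourcePool("old-pool", is_new=False),
             "shanghai": ResourcePool("shanghai", True, 3, frozenset({"alice"})),
             "beijing": ResourcePool("beijing", True, 3, frozenset({"bob"}))}
    exclusive = {pid: ExclusiveIAM(pid) for pid, p in pools.items() if p.is_new}
    for pid, iam in exclusive.items():  # step 307: push the friendly user group
        iam.load_accounts(pools[pid].friendly_users)
    return PortalServer(giam, exclusive, pools, threshold_days=7)

def mature_pool(portal: PortalServer, pool_id: str, online_days: int) -> None:
    """Advance a pool's online time; at the threshold it opens to all users."""
    portal.pools[pool_id].online_days = online_days
    if online_days >= portal.threshold_days:
        portal.global_iam.open_to_all_users(portal.exclusive[pool_id])
```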
As shown in Fig. 9, an embodiment of the present invention provides a schematic structural diagram of an exclusive IAM module 900. The exclusive IAM module 900 may include: a receiving unit 901, configured to receive first account information sent by the portal server, where the first account information is the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the exclusive IAM module, and the logged-in user is a user who has logged in to the portal server; an authentication unit 902, configured to authenticate the first account information according to the stored account information of the users in the friendly user group; and a sending unit 903, configured to send an authentication indication message to the portal server, where the authentication indication message indicates whether the first account information has passed authentication.
Further, the apparatus shown in Fig. 9 may be used to perform any of the procedures performed by the exclusive IAM module in the method flows above.
As shown in Fig. 10, an embodiment of the present invention provides a schematic structural diagram of a global IAM module 1000. The global IAM module 1000 may include: a receiving unit 1001, configured to receive first account information sent by the portal server, where the first account information is the account information of a logged-in user requesting access to an old resource pool; an authentication unit 1002, configured to authenticate the first account information according to the stored registration information of all users; and a sending unit 1003, configured to send, for each newly launched resource pool, the account information of those users among all users who are in the friendly user group corresponding to that pool to the exclusive IAM module corresponding to that newly launched resource pool.
Further, the apparatus shown in Fig. 10 may be used to perform any of the procedures performed by the global IAM module in the method flows above.
As shown in Fig. 11, an embodiment of the present invention provides a schematic structural diagram of a portal server 1100. The portal server 1100 may include: an indicating unit 1101, configured to instruct the terminal, after a user logs in to the portal server, to display a resource pool list to the logged-in user; a receiving unit 1102, configured to receive a newly-launched-resource-pool access request sent by the terminal, where the request includes the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed; a sending unit 1103, configured to send the account information of the logged-in user to the exclusive identity and access management (IAM) module corresponding to the identifier of the newly launched resource pool to be accessed; the receiving unit 1102 being further configured to receive a first authentication indication message sent by the exclusive IAM module, where the first authentication indication message indicates whether the account information of the logged-in user has passed authentication; and a processing unit 1104, configured to allow the logged-in user to access the newly launched resource pool to be accessed when the first authentication indication message indicates that authentication has passed.
Further, the apparatus shown in Fig. 11 may be used to perform any of the procedures performed by the portal server in the method flows above.
The solution provided by the embodiments of the present invention has been described above mainly from the perspective of the interaction between the network elements. It can be understood that, to implement the functions above, each network element, such as the exclusive IAM module, the global IAM module and the portal server, includes the corresponding hardware structure and/or software module for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by hardware or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
The embodiments of the present invention may divide the exclusive IAM module, the global IAM module, the portal server and so on into functional modules according to the method examples above; for example, each function may correspond to one functional module, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division into modules in the embodiments of the present invention is schematic and is only a division by logical function; other divisions are possible in actual implementation.
Where integrated units are used, Fig. 12A shows a possible schematic structure of the exclusive IAM module involved in the embodiments above. The exclusive IAM module 1200 includes a processing module 1202 and a communication module 1203. The processing module 1202 controls and manages the actions of the exclusive IAM module; for example, the processing module 1202 supports the exclusive IAM module in performing process 304 in Fig. 3 and Fig. 4, and/or other processes of the techniques described herein. The communication module 1203 supports communication between the exclusive IAM module and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 3, Fig. 4 or Fig. 7. The exclusive IAM module may also include a storage module 1201 for storing the program code and data of the exclusive IAM module.
The processing module 1202 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component or any combination thereof. It may implement or execute the various exemplary logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination implementing computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1203 may be a communication interface, a transceiver circuit or the like. The storage module 1201 may be a memory.
When the processing module 1202 is a processor, the communication module 1203 is a communication interface and the storage module 1201 is a memory, the exclusive IAM module involved in the embodiment of the present invention may be the exclusive IAM module shown in Fig. 12B.
Referring to Fig. 12B, the exclusive IAM module 1210 includes a processor 1212, a communication interface 1213, a memory 1211 and a bus 1214. The communication interface 1213, the processor 1212 and the memory 1211 are connected to each other by the bus 1214; the bus 1214 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Fig. 12B, but this does not mean that there is only one bus or only one type of bus.
Where integrated units are used, Fig. 13A shows a possible schematic structure of the global IAM module involved in the embodiments above. The global IAM module 1300 includes a processing module 1302 and a communication module 1303. The processing module 1302 controls and manages the actions of the global IAM module; for example, the processing module 1302 supports the global IAM module in performing process 703 in Fig. 7, processes 703 and 803 in Fig. 8, and/or other processes of the techniques described herein. The communication module 1303 supports communication between the global IAM module and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 4, Fig. 7 or Fig. 8. The global IAM module may also include a storage module 1301 for storing the program code and data of the global IAM module.
The processing module 1302 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component or any combination thereof. It may implement or execute the various exemplary logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination implementing computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1303 may be a communication interface, a transceiver circuit or the like. The storage module 1301 may be a memory.
When the processing module 1302 is a processor, the communication module 1303 is a communication interface and the storage module 1301 is a memory, the global IAM module involved in the embodiment of the present invention may be the global IAM module shown in Fig. 13B.
Referring to Fig. 13B, the global IAM module 1310 includes a processor 1312, a communication interface 1313, a memory 1311 and a bus 1314. The communication interface 1313, the processor 1312 and the memory 1311 are connected to each other by the bus 1314; the bus 1314 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Fig. 13B, but this does not mean that there is only one bus or only one type of bus.
In the case of using integrated unit, Figure 14 A shows portal server involved in above-described embodiment A kind of possible structural representation.Portal server 1400 includes: processing module 1402 and communication module 1403.Processing module 1402 for being controlled management to the action of portal server, and such as, processing module 1402 is used for supporting that portal server is held Process 306 in row Fig. 3 and Fig. 4, the process 306 in Fig. 7 or process 705, the process 705 in Fig. 8, and/or for institute herein Other process of the technology described.Communication module 1403 is for supporting the communication of portal server and other network entities, such as And the communication between the functional module shown in Fig. 2, Fig. 3, Fig. 4, Fig. 5, Fig. 7 or Fig. 8 or network entity.Portal server also may be used To include memory module 1401, for storing program code and the data of first module.
Wherein, processing module 1402 can be processor or controller, such as, can be central processor CPU, general place Reason device, digital signal processor DSP, application-specific integrated circuit ASIC, on-site programmable gate array FPGA or other able to programme patrol Collect device, transistor logic, hardware component or its combination in any.It is open interior that it can realize or perform to combine the present invention Various exemplary logic block described by appearance, module and circuit.Described processor can also be the group realizing computing function Close, such as, comprise combination of one or more micro processor combination, DSP and microprocessor etc..Communication module 1403 can be Communication interface, transmission circuit etc..Memory module 1401 can be memorizer.
When processing module 1402 is processor, and communication module 1403 is communication interface, when memory module 1401 is memorizer, Portal server involved by the embodiment of the present invention can be for the portal server shown in Figure 14 B.
Refering to shown in Figure 14 B, this portal server 1410 includes: processor 1412, communication interface 1413, memorizer 1411 And bus 1414.Wherein, communication interface 1413, processor 1412 and memorizer 1411 are connected with each other by bus 1414; Bus 1414 can be Peripheral Component Interconnect standard PCI bus or EISA eisa bus etc..Described bus can To be divided into address bus, data/address bus, control bus etc..For ease of representing, Figure 14 B only represents with a thick line, but not Represent and only have a bus or a type of bus.
Another embodiment of the present invention provides a system whose basic structure is shown schematically in Figure 2. The system may include at least one dedicated IAM module, a global IAM module and a portal server, as shown in the figure. The dedicated IAM module, the global IAM module and the portal server perform the access control method provided in the method embodiments above.
Specifically, each dedicated IAM module corresponds to one newly launched resource pool and stores the account information of the users in the friendly-user group corresponding to that newly launched resource pool. The dedicated IAM module may receive first account information sent by the portal server, where the first account information is the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the dedicated IAM module, and the logged-in user is a user who has logged in to the portal server; authenticate the first account information against the stored account information of the users in the friendly-user group; and send an authentication indication message to the portal server, the message indicating whether the first account information passed authentication.
The global IAM module stores the registration information of all users, which includes their account information. It may receive first account information sent by the portal server, where the first account information is the account information of a logged-in user requesting access to an existing resource pool; authenticate the first account information against the stored registration information of all users; and, for each newly launched resource pool, send the account information of those users among all users who belong to the corresponding friendly-user group to the dedicated IAM module corresponding to that resource pool.
The portal server may, after a user logs in to the portal server, instruct the terminal to display a resource pool list to the logged-in user; receive a new-resource-pool access request sent by the terminal, the request including the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed; send the account information of the logged-in user to the dedicated identity and access management (IAM) module corresponding to that identifier; receive a first authentication indication message sent by the dedicated IAM module, indicating whether the account information of the logged-in user passed authentication; and, when the first authentication indication message indicates that authentication passed, allow the logged-in user to access the newly launched resource pool.
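As an added illustration, not code from the patent or its assignee, the following Python simulates the three components just described and the flows of claims 1 to 10: the global IAM module authenticates logins and existing-pool access against the registration information of all users and pushes friendly-user groups (and, once a pool's online time reaches the preset threshold, the account information of all users) to each dedicated IAM module; the dedicated IAM module authenticates new-pool access against what it has received; and the portal server builds the resource pool list and routes requests. The component and account names, the sample data, the reading of "online time" as days elapsed since the pool went live, and the rule that a dedicated module authenticates against the full account list once it has received one are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DedicatedIAM:
    """Dedicated IAM module, one per newly launched resource pool (constructed names)."""
    pool_id: str
    live_since: int                             # day the pool went online (constructed scale)
    friendly_accounts: Set[str] = field(default_factory=set)
    all_accounts: Optional[Set[str]] = None     # filled once the global IAM pushes all users

    def authenticate(self, account: str) -> bool:
        # Assumption: the full account list, once received (claims 3/5), replaces the
        # friendly-user group as the set this module checks against.
        source = self.friendly_accounts if self.all_accounts is None else self.all_accounts
        return account in source


@dataclass
class GlobalIAM:
    """Global IAM module: registration information (account -> password) of all users."""
    registrations: Dict[str, str]
    friendly_groups: Dict[str, Set[str]]        # pool_id -> accounts of its friendly-user group

    def authenticate_login(self, account: str, password: str) -> bool:
        return self.registrations.get(account) == password

    def authenticate_old_pool(self, account: str) -> bool:
        return account in self.registrations

    def push_friendly_group(self, module: DedicatedIAM) -> None:
        module.friendly_accounts = set(self.friendly_groups.get(module.pool_id, set()))

    def push_all_users(self, module: DedicatedIAM) -> None:
        module.all_accounts = set(self.registrations)


class PortalServer:
    def __init__(self, global_iam: GlobalIAM, dedicated: Dict[str, DedicatedIAM],
                 old_pools: List[str], threshold_days: int) -> None:
        self.global_iam, self.dedicated = global_iam, dedicated
        self.old_pools, self.threshold = list(old_pools), threshold_days
        self.sessions: Set[str] = set()         # accounts currently logged in

    def login(self, account: str, password: str) -> bool:
        """Claim 8: credentials go to the global IAM; a session exists only on success."""
        if self.global_iam.authenticate_login(account, password):
            self.sessions.add(account)
            return True
        return False

    def sync_dedicated_modules(self, today: int) -> None:
        """Claims 4/5: push each friendly-user group, and all users once the threshold is reached."""
        for module in self.dedicated.values():
            self.global_iam.push_friendly_group(module)
            if today - module.live_since >= self.threshold:
                self.global_iam.push_all_users(module)

    def resource_pool_list(self, account: str, today: int) -> List[str]:
        """Claim 9 as one rule: existing pools, plus new pools past the threshold or listing the user."""
        if account not in self.sessions:
            return []
        shown = list(self.old_pools)
        for pool_id, module in self.dedicated.items():
            past_threshold = today - module.live_since >= self.threshold
            if past_threshold or account in module.friendly_accounts:
                shown.append(pool_id)
        return shown

    def access_new_pool(self, account: str, pool_id: str) -> bool:
        """Claim 7: the target pool's dedicated IAM module decides."""
        if account not in self.sessions or pool_id not in self.dedicated:
            return False
        return self.dedicated[pool_id].authenticate(account)

    def access_old_pool(self, account: str, pool_id: str) -> bool:
        # Claim 10: the global IAM module decides for existing pools.
        if account not in self.sessions or pool_id not in self.old_pools:
            return False
        return self.global_iam.authenticate_old_pool(account)


def demo() -> Dict[str, object]:
    """Constructed scenario: threshold 30 days; pool-new-1 online 30 days, pool-new-2 5 days."""
    global_iam = GlobalIAM(
        registrations={"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"},
        friendly_groups={"pool-new-1": {"alice"}, "pool-new-2": {"bob"}},
    )
    dedicated = {"pool-new-1": DedicatedIAM("pool-new-1", live_since=0),
                 "pool-new-2": DedicatedIAM("pool-new-2", live_since=25)}
    portal = PortalServer(global_iam, dedicated, ["pool-old"], threshold_days=30)
    today = 30
    portal.sync_dedicated_modules(today)
    for account, password in (("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c")):
        portal.login(account, password)
    return {
        "alice_list": portal.resource_pool_list("alice", today),
        "bob_list": portal.resource_pool_list("bob", today),
        "carol_new1": portal.access_new_pool("carol", "pool-new-1"),  # all users pushed
        "carol_new2": portal.access_new_pool("carol", "pool-new-2"),  # not in friendly group
        "bob_new2": portal.access_new_pool("bob", "pool-new-2"),
        "stranger_old": portal.access_old_pool("mallory", "pool-old"),  # never logged in
    }
```

The two cases of claim 9 collapse into the single condition in `resource_pool_list`: when no newly launched pool has reached the threshold, the "past threshold" branch is simply never taken, so only pools whose friendly-user group includes the user are added. The example also shows the security-relevant consequence of the threshold: once `pool-new-1` has been online for the threshold period, every registered user (here `carol`) is both shown the pool and authenticated by its dedicated module, whereas `pool-new-2` is still gated by its friendly-user group.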
The steps of the method or algorithm described in connection with the disclosure of the invention may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may also be an integral part of the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a core network interface device. Alternatively, the processor and the storage medium may reside as discrete components in the core network interface device.
Those skilled in the art will appreciate that, in one or more of the examples above, the functions described in the present invention may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a general-purpose or special-purpose computer can access.
The specific embodiments described above further detail the objectives, technical solutions and beneficial effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit its scope of protection; any modification, equivalent substitution, improvement and the like made on the basis of the technical solution of the present invention shall fall within the scope of protection of the present invention.

Claims (21)

1. An access control method, characterized in that it is applied to a dedicated identity and access management (IAM) module, where one dedicated IAM module corresponds to one newly launched resource pool and stores the account information of the users in the friendly-user group corresponding to the newly launched resource pool corresponding to the dedicated IAM module, the method comprising:
receiving first account information sent by a portal server, the first account information being the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the dedicated IAM module, the logged-in user being a user who has logged in to the portal server;
authenticating the first account information according to the stored account information of the users in the friendly-user group;
sending an authentication indication message to the portal server, the authentication indication message indicating whether the first account information passed authentication.
2. The method according to claim 1, characterized in that before authenticating the first account information according to the stored account information of the users in the friendly-user group, the method further comprises:
receiving second account information sent by a global IAM module, the second account information being the account information of the users in the friendly-user group corresponding to the newly launched resource pool corresponding to the dedicated IAM module.
3. The method according to claim 1 or 2, characterized in that when the online time of the newly launched resource pool is greater than or equal to a preset time threshold, the method further comprises:
receiving the account information of all users sent by the global IAM module.
4. An access control method, characterized in that it is applied to a global identity and access management (IAM) module, the global IAM module storing the registration information of all users, the registration information including account information, the method comprising:
receiving first account information sent by a portal server, the first account information being the account information of a logged-in user requesting access to an existing resource pool;
authenticating the first account information according to the stored registration information of all users;
for each newly launched resource pool, sending the account information of those users among all users who belong to the friendly-user group corresponding to that resource pool to the dedicated IAM module corresponding to that newly launched resource pool.
5. The method according to claim 4, characterized in that the method further comprises:
when the online time of the newly launched resource pool is greater than or equal to a preset time threshold, sending the account information of all users to the dedicated IAM module corresponding to the newly launched resource pool.
6. The method according to claim 4 or 5, characterized in that the registration information further includes password information, and the method further comprises:
receiving second account information and password information sent by the portal server, the second account information and password information being the account information and password information of a user requesting to log in to the portal server;
authenticating the second account information and password information according to the stored registration information of all users;
sending an authentication indication message to the portal server, the authentication indication message indicating whether the second account information and password information passed authentication.
7. An access control method, characterized in that it is applied to a portal server, the method comprising:
after a user logs in to the portal server, instructing a terminal to display a resource pool list to the logged-in user;
receiving a new-resource-pool access request sent by the terminal, the new-resource-pool access request including the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed;
sending the account information of the logged-in user to the dedicated identity and access management (IAM) module corresponding to the identifier of the newly launched resource pool to be accessed;
receiving a first authentication indication message sent by the dedicated IAM module, the first authentication indication message indicating whether the account information of the logged-in user passed authentication;
when the first authentication indication message indicates that authentication passed, allowing the logged-in user to access the newly launched resource pool to be accessed.
8. The method according to claim 7, characterized in that the method is preceded by:
receiving a login request message sent by the terminal, the login request message including the account information and password information of a user requesting to log in to the portal server;
sending the account information and password information of the user requesting to log in to the portal server to a global IAM module;
receiving a second authentication indication message sent by the global IAM module, the second authentication indication message indicating whether the account information and password information of the user requesting to log in to the portal server passed authentication;
if the second authentication indication message indicates that authentication passed, allowing the user to log in.
9. The method according to claim 7 or 8, characterized in that instructing the terminal to display the resource pool list to the logged-in user comprises:
when there is no newly launched resource pool whose online time is greater than or equal to the preset time threshold, instructing the terminal to display to the logged-in user, in the resource pool list, the existing resource pools and all newly launched resource pools whose corresponding friendly-user group includes the logged-in user;
when there is a newly launched resource pool whose online time is greater than or equal to the preset time threshold, instructing the terminal to display to the logged-in user, in the resource pool list, the existing resource pools, all newly launched resource pools whose online time is greater than or equal to the preset time threshold, and, among the newly launched resource pools whose online time is less than the preset time threshold, all those whose corresponding friendly-user group includes the logged-in user.
10. The method according to any one of claims 7 to 9, characterized in that the method further comprises:
receiving an existing-resource-pool access request sent by the terminal, the existing-resource-pool access request including the account information of the logged-in user and the identifier of the existing resource pool to be accessed;
sending the account information of the logged-in user to the global IAM module.
11. A dedicated identity and access management (IAM) module, characterized in that it comprises:
a receiving unit, configured to receive first account information sent by a portal server, the first account information being the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the dedicated IAM module, the logged-in user being a user who has logged in to the portal server;
an authentication unit, configured to authenticate the first account information according to the stored account information of the users in the friendly-user group;
a sending unit, configured to send an authentication indication message to the portal server, the authentication indication message indicating whether the first account information passed authentication.
12. The dedicated IAM module according to claim 11, characterized in that before the authentication unit authenticates the first account information according to the stored account information of the users in the friendly-user group, the receiving unit is further configured to:
receive second account information sent by a global IAM module, the second account information being the account information of the users in the friendly-user group corresponding to the newly launched resource pool corresponding to the dedicated IAM module.
13. The dedicated IAM module according to claim 11 or 12, characterized in that when the online time of the newly launched resource pool is greater than or equal to a preset time threshold, the receiving unit is further configured to:
receive the account information of all users sent by the global IAM module.
14. A global identity and access management (IAM) module, characterized in that it comprises:
a receiving unit, configured to receive first account information sent by a portal server, the first account information being the account information of a logged-in user requesting access to an existing resource pool;
an authentication unit, configured to authenticate the first account information according to the stored registration information of all users;
a sending unit, configured to send, for each newly launched resource pool, the account information of those users among all users who belong to the friendly-user group corresponding to that resource pool to the dedicated IAM module corresponding to that newly launched resource pool.
15. The global IAM module according to claim 14, characterized in that the sending unit is further configured to:
when the online time of the newly launched resource pool is greater than or equal to a preset time threshold, send the account information of all users to the dedicated IAM module corresponding to the newly launched resource pool.
16. The global IAM module according to claim 14 or 15, characterized in that the registration information further includes password information;
the receiving unit is further configured to receive second account information and password information sent by the portal server, the second account information and password information being the account information and password information of a user requesting to log in to the portal server;
the authentication unit is further configured to authenticate the second account information and password information according to the stored registration information of all users;
the sending unit is further configured to send an authentication indication message to the portal server, the authentication indication message indicating whether the second account information and password information passed authentication.
17. A portal server, characterized in that it comprises:
an indicating unit, configured to, after a user logs in to the portal server, instruct a terminal to display a resource pool list to the logged-in user;
a receiving unit, configured to receive a new-resource-pool access request sent by the terminal, the new-resource-pool access request including the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed;
a sending unit, configured to send the account information of the logged-in user to the dedicated identity and access management (IAM) module corresponding to the identifier of the newly launched resource pool to be accessed;
the receiving unit being further configured to receive a first authentication indication message sent by the dedicated IAM module, the first authentication indication message indicating whether the account information of the logged-in user passed authentication;
a processing unit, configured to, when the first authentication indication message indicates that authentication passed, allow the logged-in user to access the newly launched resource pool to be accessed.
18. The portal server according to claim 17, characterized in that the receiving unit is further configured to receive a login request message sent by the terminal, the login request message including the account information and password information of a user requesting to log in to the portal server;
the sending unit is further configured to send the account information and password information of the user requesting to log in to the portal server to a global IAM module;
the receiving unit is further configured to receive a second authentication indication message sent by the global IAM module, the second authentication indication message indicating whether the account information and password information of the user requesting to log in to the portal server passed authentication;
the processing unit is further configured to allow the user to log in if the second authentication indication message indicates that authentication passed.
19. The portal server according to claim 17 or 18, characterized in that the indicating unit is specifically configured to:
when there is no newly launched resource pool whose online time is greater than or equal to the preset time threshold, instruct the terminal to display to the logged-in user, in the resource pool list, the existing resource pools and all newly launched resource pools whose corresponding friendly-user group includes the logged-in user;
when there is a newly launched resource pool whose online time is greater than or equal to the preset time threshold, instruct the terminal to display to the logged-in user, in the resource pool list, the existing resource pools, all newly launched resource pools whose online time is greater than or equal to the preset time threshold, and, among the newly launched resource pools whose online time is less than the preset time threshold, all those whose corresponding friendly-user group includes the logged-in user.
20. The portal server according to any one of claims 17 to 19, characterized in that the receiving unit is further configured to receive an existing-resource-pool access request sent by the terminal, the existing-resource-pool access request including the account information of the logged-in user and the identifier of the existing resource pool to be accessed;
the sending unit is further configured to send the account information of the logged-in user to the global IAM module.
21. A system, characterized in that it comprises the dedicated identity and access management (IAM) module according to any one of claims 11 to 13, the global IAM module according to any one of claims 14 to 16, and the portal server according to any one of claims 17 to 20; wherein the dedicated IAM module stores the account information of the users in the friendly-user group corresponding to the newly launched resource pool corresponding to the dedicated IAM module, the global IAM module stores the registration information of all users, the registration information including account information; and the dedicated IAM module, the global IAM module and the portal server are configured to perform the method according to any one of claims 1 to 10.
CN201610606766.3A 2016-07-27 2016-07-27 A kind of access control method and device Active CN106254328B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610606766.3A CN106254328B (en) 2016-07-27 2016-07-27 A kind of access control method and device


Publications (2)

Publication Number Publication Date
CN106254328A true CN106254328A (en) 2016-12-21
CN106254328B CN106254328B (en) 2019-10-18

Family

ID=57604515

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610606766.3A Active CN106254328B (en) 2016-07-27 2016-07-27 A kind of access control method and device

Country Status (1)

Country Link
CN (1) CN106254328B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110290138A (en) * 2019-06-27 2019-09-27 苏宁消费金融有限公司 Limitation login method and system suitable for test database
CN110308985A (en) * 2019-05-17 2019-10-08 平安科技(深圳)有限公司 The exclusive server resource management method, apparatus of cloud, equipment and storage medium
CN112350982A (en) * 2019-09-06 2021-02-09 北京京东尚科信息技术有限公司 Resource authentication method and device
CN114500221A (en) * 2021-12-28 2022-05-13 阿里巴巴(中国)有限公司 Cloud system, public cloud control method, equipment and storage medium
CN117411725A (en) * 2023-12-13 2024-01-16 深圳竹云科技股份有限公司 Portal application authentication method and device and computer equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8010786B1 (en) * 2006-10-30 2011-08-30 Citigroup Global Markets Inc. Systems and methods for managing digital certificate based communications
CN102307114A (en) * 2011-09-21 2012-01-04 北京神州绿盟信息安全科技股份有限公司 Management method of network
CN102318314A (en) * 2011-07-29 2012-01-11 华为技术有限公司 Method and devices for handling access authorities
CN104069637A (en) * 2002-04-26 2014-10-01 索尼电脑娱乐美国有限责任公司 Method and system for user management in multi-user network game environment
CN104243154A (en) * 2013-06-07 2014-12-24 腾讯科技(深圳)有限公司 Server user authority centralized control system and server use authority centralized control method
CN105721450A (en) * 2016-01-27 2016-06-29 网易(杭州)网络有限公司 Method, device and system for logging in network game
CN105721420A (en) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 Access authority control method and reverse agent server

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104069637A (en) * 2002-04-26 2014-10-01 索尼电脑娱乐美国有限责任公司 Method and system for user management in multi-user network game environment
US8010786B1 (en) * 2006-10-30 2011-08-30 Citigroup Global Markets Inc. Systems and methods for managing digital certificate based communications
CN102318314A (en) * 2011-07-29 2012-01-11 华为技术有限公司 Method and devices for handling access authorities
CN102307114A (en) * 2011-09-21 2012-01-04 北京神州绿盟信息安全科技股份有限公司 Management method of network
CN104243154A (en) * 2013-06-07 2014-12-24 腾讯科技(深圳)有限公司 Server user authority centralized control system and server use authority centralized control method
CN105721420A (en) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 Access authority control method and reverse agent server
CN105721450A (en) * 2016-01-27 2016-06-29 网易(杭州)网络有限公司 Method, device and system for logging in network game

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110308985A (en) * 2019-05-17 2019-10-08 平安科技(深圳)有限公司 The exclusive server resource management method, apparatus of cloud, equipment and storage medium
CN110308985B (en) * 2019-05-17 2023-09-19 平安科技(深圳)有限公司 Cloud exclusive server resource management method, device, equipment and storage medium
CN110290138A (en) * 2019-06-27 2019-09-27 苏宁消费金融有限公司 Limitation login method and system suitable for test database
CN110290138B (en) * 2019-06-27 2021-12-21 苏宁消费金融有限公司 Restricted login method and system suitable for test database
CN112350982A (en) * 2019-09-06 2021-02-09 北京京东尚科信息技术有限公司 Resource authentication method and device
CN114500221A (en) * 2021-12-28 2022-05-13 阿里巴巴(中国)有限公司 Cloud system, public cloud control method, equipment and storage medium
CN114500221B (en) * 2021-12-28 2024-04-26 阿里巴巴(中国)有限公司 Cloud system, public cloud management and control method, public cloud management and control equipment and storage medium
CN117411725A (en) * 2023-12-13 2024-01-16 深圳竹云科技股份有限公司 Portal application authentication method and device and computer equipment
CN117411725B (en) * 2023-12-13 2024-04-30 深圳竹云科技股份有限公司 Portal application authentication method and device and computer equipment

Also Published As

Publication number Publication date
CN106254328B (en) 2019-10-18

Similar Documents

Publication Publication Date Title
CN109639740B (en) Login state sharing method and device based on equipment ID
US9853978B2 (en) Domain join and managed directory support for virtual computing environments
CN104025539B (en) The method and apparatus for promoting single-sign-on services
US10298560B2 (en) Methods, systems, devices and products for error correction in computer programs
US9736159B2 (en) Identity pool bridging for managed directory services
US9882940B2 (en) Method for logging in a website hosted by a server by multi-account and the client
US9407615B2 (en) Single set of credentials for accessing multiple computing resource services
CN105024975B (en) The method, apparatus and system that account logs in
CN104113551B (en) A kind of platform authorization method, platform service end and applications client and system
CN106416125B (en) Automatic directory join for virtual machine instances
CN106254328A (en) A kind of access control method and device
US8847729B2 (en) Just in time visitor authentication and visitor access media issuance for a physical site
CN108200099A (en) Mobile application, personal status relationship management
US20220294788A1 (en) Customizing authentication and handling pre and post authentication in identity cloud service
CN105516133A (en) User identity verification method, server and client
CN106331003B (en) Access method and device for an application portal system on a cloud desktop
CN106465113A (en) Venue-specific wi-fi connectivity notifications
WO2015027907A1 (en) Methods and systems for visiting user groups
US10509663B1 (en) Automatic domain join for virtual machine instances
US11206699B2 (en) Registering network devices using known host devices
US20160381160A1 (en) System and Computer Implemented Method of Personal Monitoring
US9124946B1 (en) Plug and play method and system of viewing live and recorded contents
US20230097763A1 (en) Maintaining sessions information in multi-region cloud environment
CN106878353A (en) Method, device and system for a smart device to obtain service data
US9094439B2 (en) End network decider

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200426

Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee after: HUAWEI TECHNOLOGIES Co.,Ltd.

Address before: 301, A building, room 3, building 301, foreshore Road, No. 310052, Binjiang District, Zhejiang, Hangzhou

Patentee before: Hangzhou Huawei Digital Technology Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220221

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technologies Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20221212

Address after: 518129 Huawei Headquarters Office Building 101, Wankecheng Community, Bantian Street, Longgang District, Shenzhen, Guangdong

Patentee after: Huawei Cloud Computing Technologies Co.,Ltd.

Address before: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee before: Huawei Cloud Computing Technologies Co.,Ltd.
