CN106650508A - Method and device for determining data access permission of user group for data element group - Google Patents
- Publication number: CN106650508A (application CN201611141689.5A)
- Authority: CN (China)
- Prior art keywords: user, group, resource, computer, given
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- G06F21/604: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data; tools and structures for managing or administering access control systems
- G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
- H04L63/104: Network architectures or network communication protocols for network security; controlling access to devices or network resources; grouping of entities
- G06F2221/2141: Indexing scheme relating to G06F21/00 and subgroups; access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a method for determining the access rights of users to the computer resources of a storage unit. The method comprises: grouping the users into a plurality of user groups such that all members of at least one user group have at least nearly identical user/resource access rights to the computer resources; grouping the resources into a plurality of resource groups such that all members of at least one resource group have at least nearly identical resource/user access rights; determining whether a given user is a member of one of the user groups and, if so, attributing the user/resource access rights of that user group to the given user; and determining whether a given resource is a member of one of the resource groups and, if so, attributing the resource/user access rights of that resource group to the given resource.
Description
Technical field
The present invention relates to data security, and more particularly to the security of the many resources and users of a large organization.
Background art
The following United States patents are considered representative of the current state of the art: U.S. Patent Nos. 6,772,350, 6,308,173 and 5,889,952.
Summary of the invention
It is an object of the invention to provide a method and system for determining the access rights of users to computer resources in a large organization having many resources and users.
Therefore, according to a preferred embodiment of the present invention, there is provided a method for determining the access rights of a first plurality of users to a second plurality of computer resources stored on at least one storage unit, the method comprising:
grouping the users of the first plurality into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access rights to the second plurality of computer resources on the at least one storage unit;
grouping the resources of the second plurality into a second plurality of groups, wherein all members of at least one group of the second plurality of groups have at least nearly identical resource/user access rights;
determining whether a given user is a member of one of the first plurality of groups;
if the given user is a member of one of the first plurality of groups, attributing the user/resource access rights of that group to the given user;
determining whether a given resource is a member of one of the second plurality of groups; and
if the given resource is a member of one of the second plurality of groups, attributing the resource/user access rights of that group to the given resource.
According to a preferred embodiment of the present invention, the user grouping step includes identifying a set of user security groups, each of which has access rights to at least one of the second plurality of computer resources on the at least one storage unit; identifying, for each user of the first plurality, the subset of the user security groups of which that user is a member; and, if the first subset of user security groups of which a first user of the first plurality is a member is identical to the second subset of which a second user of the first plurality is a member, placing the first user and the second user in a single group of the first plurality of groups with respect to the at least one storage unit.
According to a preferred embodiment of the present invention, the user grouping step includes dividing the second plurality of computer resources into at least two parts and grouping the users of the first plurality into the first plurality of groups such that all members of one of the first plurality of groups have at least nearly identical user/resource access rights to the computer resources contained in one of the at least two parts.
According to another preferred embodiment of the invention, the dividing step includes: for each user of the first plurality, calculating the fraction of the second plurality of computer resources to which that user has access rights and comparing the fraction with a threshold; representing each user whose fraction is below the threshold by a degraded security group; and defining a first part of the second plurality of computer resources as the set of all computer resources whose access rights include any of the degraded security groups.
According to another preferred embodiment of the invention, the computer resources of the second plurality are arranged in a computer resource hierarchy. Preferably, the resource grouping step includes, for each resource in the hierarchy, retrieving the resource/user access rights of that resource and the resource/user access rights of its immediate ancestor in the hierarchy, and, if the resource/user access rights of the immediate ancestor are identical to those of the resource, placing the resource and its immediate ancestor in a single group of the second plurality of groups. Additionally or alternatively, the resource grouping step includes providing a pointer from the resource to its immediate ancestor, and extending any pointer that points to the resource so that it points to the immediate ancestor instead.
According to another preferred embodiment of the invention, there is also provided a method for determining the access rights of a first plurality of users to a second plurality of computer resources on at least one storage unit, the method comprising: grouping the users of the first plurality into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access rights to the second plurality of computer resources on the at least one storage unit; determining whether a given user is a member of one of the first plurality of groups; and, if the given user is a member of one of the first plurality of groups, attributing the user/resource access rights of that group to the given user.
According to another preferred embodiment of the invention, the user grouping step includes: identifying a set of user security groups, each of which has access rights to at least one of the second plurality of computer resources on the at least one storage unit; identifying, for each user of the first plurality, the subset of the user security groups of which that user is a member; and, if the first subset of user security groups of which a first user of the first plurality is a member is identical to the second subset of which a second user of the first plurality is a member, placing the first user and the second user in a single group of the first plurality of groups with respect to the at least one storage unit.
According to another preferred embodiment of the invention, the user grouping step includes dividing the second plurality of computer resources into at least two parts and grouping the users of the first plurality into the first plurality of groups such that all members of one of the first plurality of groups have at least nearly identical user/resource access rights to the computer resources contained in one of the at least two parts. Preferably, the dividing step includes: for each user of the first plurality, calculating the fraction of the second plurality of computer resources to which that user has access rights and comparing the fraction with a threshold; representing each user whose fraction is below the threshold by a degraded security group; and defining a first part of the second plurality of computer resources as the set of all computer resources whose access rights include any of the degraded security groups.
According to another preferred embodiment of the invention, there is also provided a method for determining the access rights of a first plurality of users to a second plurality of computer resources on at least one storage unit, the method comprising: grouping the resources of the second plurality into a plurality of groups, wherein all members of at least one of the groups have at least nearly identical resource/user access rights; determining whether a given resource is a member of one of the groups; and, if the given resource is a member of one of the groups, attributing the resource/user access rights of that group to the given resource.
According to another preferred embodiment of the invention, the computer resources of the second plurality are arranged in a computer resource hierarchy. Preferably, the resource grouping step includes, for each resource in the hierarchy, retrieving the resource/user access rights of that resource and the resource/user access rights of its immediate ancestor in the hierarchy, and, if the resource/user access rights of the immediate ancestor are identical to those of the resource, placing the resource and its immediate ancestor in a single group of the second plurality of groups.
According to a preferred embodiment of the present invention, the resource grouping step includes providing a pointer from the resource to its immediate ancestor, and extending any pointer that points to the resource so that it points to the immediate ancestor instead.
According to another preferred embodiment of the invention, there is provided a device for determining the access rights of a first plurality of users to a second plurality of computer resources stored on at least one storage unit, the device comprising:
user grouping functionality for grouping the users of the first plurality into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access rights to the second plurality of computer resources on the at least one storage unit;
computer resource grouping functionality for grouping the computer resources of the second plurality into a second plurality of groups, wherein all members of at least one group of the second plurality of groups have at least nearly identical resource/user access rights;
user access rights attribution functionality for determining whether a given user is a member of one of the first plurality of groups and, if the given user is a member of one of the first plurality of groups, attributing the user/resource access rights of that group to the given user; and
computer resource access rights attribution functionality for determining whether a given computer resource is a member of one of the second plurality of groups and, if the given computer resource is a member of one of the second plurality of groups, attributing the resource/user access rights of that group to the given computer resource.
According to a preferred embodiment of the present invention, the user grouping functionality includes: user security group identification functionality for identifying a plurality of user security groups, each of which has access rights to at least one of the second plurality of computer resources on the at least one storage unit; user security group subset identification functionality for identifying, for each user of the first plurality, the subset of the user security groups of which that user is a member; and user subset comparison functionality which, if the first subset of user security groups of which a first user is a member is identical to the second subset of which a second user is a member, places the first user and the second user in a single group of the first plurality of groups with respect to the at least one storage unit.
According to a preferred embodiment of the invention, the device also includes computer resource partitioning functionality for dividing the second plurality of computer resources into at least two parts, wherein the user grouping functionality groups the users of the first plurality into the first plurality of groups such that all members of one of the first plurality of groups have at least nearly identical user/resource access rights to the computer resources contained in one of the at least two parts.
According to a preferred embodiment of the invention, the computer resource partitioning functionality includes: fraction calculation functionality for calculating, for each user of the first plurality, the fraction of the second plurality of computer resources to which that user has access rights and comparing the fraction with a threshold; user representation functionality for representing each user whose fraction is below the threshold by a degraded security group; and part definition functionality for defining a first part of the second plurality of computer resources as the set of all computer resources whose access rights include any of the degraded security groups. Preferably, the computer resources of the second plurality are arranged in a computer resource hierarchy.
According to another preferred embodiment of the invention, the computer resource grouping functionality includes: resource/user access rights retrieval functionality for retrieving, for each resource in the computer resource hierarchy, the resource/user access rights of that resource and the resource/user access rights of its immediate ancestor in the hierarchy; and resource/user access rights comparison functionality for comparing the resource/user access rights of the resource with those of its immediate ancestor and, if the resource/user access rights of the immediate ancestor are identical to those of the given resource, placing the resource and its immediate ancestor in a single group of the second plurality of groups.
According to another preferred embodiment of the invention, the resource/user access rights comparison functionality also provides a pointer from the resource to its immediate ancestor and extends any pointer that points to the resource so that it points to the immediate ancestor instead.
According to another preferred embodiment of the invention, there is also provided a device for determining the access rights of a first plurality of users to a second plurality of computer resources on at least one storage unit, the device comprising user grouping functionality for grouping the users of the first plurality into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access rights to the second plurality of computer resources on the at least one storage unit; and user access rights attribution functionality for determining whether a given user is a member of one of the first plurality of groups and, if the given user is a member of one of the first plurality of groups, attributing the user/resource access rights of that group to the given user.
According to a preferred embodiment of the present invention, the user grouping functionality includes: user security group identification functionality for identifying a plurality of user security groups, each of which has access rights to at least one of the second plurality of computer resources on the at least one storage unit; user security group subset identification functionality for identifying, for each user of the first plurality, the subset of the user security groups of which that user is a member; and user subset comparison functionality which, if the first subset of user security groups of which a first user is a member is identical to the second subset of which a second user is a member, places the first user and the second user in a single group of the first plurality of groups with respect to the at least one storage unit.
According to another preferred embodiment of the invention, the device also includes computer resource partitioning functionality for dividing the second plurality of computer resources into at least two parts, wherein the user grouping functionality groups the users of the first plurality into the first plurality of groups such that all members of one of the first plurality of groups have at least nearly identical user/resource access rights to the computer resources contained in one of the at least two parts. Preferably, the computer resource partitioning functionality includes: fraction calculation functionality for calculating, for each user of the first plurality, the fraction of the second plurality of computer resources to which that user has access rights and comparing the fraction with a threshold; user representation functionality for representing each user whose fraction is below the threshold by a degraded security group; and part definition functionality for defining a first part of the second plurality of computer resources as the set of all computer resources whose access rights include any of the degraded security groups.
According to another preferred embodiment of the invention, there is also provided a device for determining the access rights of a first plurality of users to a second plurality of computer resources on at least one storage unit, the device comprising computer resource grouping functionality for grouping the resources of the second plurality into a second plurality of groups, wherein all members of at least one group of the second plurality of groups have at least nearly identical resource/user access rights; and computer resource access rights attribution functionality for determining whether a given computer resource is a member of one of the second plurality of groups and, if the given computer resource is a member of one of the second plurality of groups, attributing the resource/user access rights of that group to the given computer resource. Preferably, the computer resources of the second plurality are arranged in a computer resource hierarchy.
According to another preferred embodiment of the invention, the computer resource grouping functionality includes: resource/user access rights retrieval functionality for retrieving, for each resource in the computer resource hierarchy, the resource/user access rights of that resource and the resource/user access rights of its immediate ancestor in the hierarchy; and resource/user access rights comparison functionality for comparing the resource/user access rights of the resource with those of its immediate ancestor and, if the resource/user access rights of the immediate ancestor are identical to those of the resource, placing the resource and its immediate ancestor in a single group of the second plurality of groups.
According to another preferred embodiment of the invention, the resource/user access rights comparison functionality also provides a pointer from the resource to its immediate ancestor and extends any pointer that points to the resource so that it points to the immediate ancestor instead.
Brief description of the drawings
The present invention will be more fully understood and appreciated from the following detailed description taken together with the drawings, in which:
Fig. 1 is a simplified illustration of a large organization having a large number of resources and users, in accordance with a preferred embodiment of the present invention;
Fig. 2 is a simplified flow chart of a method for determining the access rights of users to resources in a large organization having a large number of resources and users, in accordance with a preferred embodiment of the present invention;
Figs. 3A and 3B together form a simplified flow chart of the part of the method of Fig. 2 that groups users according to their access rights in a large organization;
Figs. 4A and 4B together form a simplified flow chart of the part of the method of Fig. 2 that groups resources according to their access rights in a large organization; and
Figs. 5A, 5B and 5C together form a simplified flow chart of the part of the method of Fig. 2 that computes responses to access rights queries.
Detailed description of embodiments
Data security policies generally determine who may access an organization's data, which is typically stored on a variety of computer systems. These policies are rarely static. One reason is that the threat posed to sensitive data by the organization's own users, such as employees, partners or contractors, is as serious as the threat from outside the organization. Accordingly, as the structure and personnel of an organization change, the security policy should be adjusted to match. Information technology departments frequently find it difficult to manage users' access rights to data and to ensure that needed information is conveniently available while protecting the enterprise's sensitive data.
The computer systems operated by a large enterprise include a large number of servers, which are typically distributed geographically. A large number of users can access the storage elements in the computer system. The different populations concerned with data access entitlements, including information technology staff, operating personnel such as account managers, and third-party reviewers such as legal advisers, need to make daily queries about user access rights to particular data.
Maintaining a conventional local or distributed database that answers queries about the access rights of any particular user or group of users, or conversely about the access rights pertaining to a particular storage element or set of storage elements, can overwhelm the capabilities of even the most sophisticated data administrator. Storing and retrieving the data needed to service such queries may adversely affect the storage capacity of the various servers. In addition, executing such queries may degrade server performance and thereby reduce the overall efficiency of the computer system. Further, because answering a query generally requires an exhaustive iterative search through the directories of multiple file servers and their access control lists, the time taken to answer such a query becomes unacceptably long.
Access control techniques are not optimally implemented in systems that use a variety of access control models. System administrators want to know which users are authorized to access each specific data item in such an environment, and the prior art offers no simple way to find out. Consequently, in many organizations the number of users holding inappropriate access rights is unacceptable. There is also no solution to the related problems of redundant access rights and of the orphaned accounts of personnel who no longer belong to the organization. Accordingly, there is a need for improved control of user access rights, in order to secure data, prevent fraud and improve a company's productivity. Further, those responsible for simplifying and automating system security are concerned about misuse of data access rights, even by authorized users.
Reference is now made to Fig. 1, which illustrates a large organization having a first plurality of users and a second plurality of computer resources, such as computer files, which may reside on a plurality of file servers. The users and file servers may be distributed geographically, independently of their function.
In accordance with a preferred embodiment of the present invention, when responding to a query about access rights, a hierarchy of the second plurality of computer resources and/or a grouping of the first plurality of users according to their access rights to the computer resources stored on a particular server is employed, which yields a better response time to such a query.
With respect to a given user, the term "user/resource access rights" refers to the set of computer resources located on a particular server or storage unit to which the given user has access rights. Thus, with respect to a particular server or storage unit, if two users have identical user/resource access rights, the two users have identical access rights to the list of computer resources stored on that server or storage unit.
It is further to be understood that, in the context of the present invention, the term "access rights" refers to read rights, write rights and execute rights, or any combination thereof. For example, if a given user has read rights to a given resource, the given user has access rights to that resource, even if the user has neither write rights nor execute rights to it.
In accordance with a preferred embodiment of the present invention, as shown in Fig. 1, there is provided a method for determining the access rights of the first plurality of users to the second plurality of computer resources on at least one storage unit, wherein the first plurality of users is designated by reference numeral 102, the second plurality of computer resources by reference numeral 104, and the storage units, preferably a plurality of file servers, by reference numeral 106.
Preferably, a first plurality of user groups is defined within the first plurality of users 102, wherein all members of each user group have at least nearly identical user/resource access rights to the computer resources of a given file server 106.
For example, as shown in Fig. 1, the personnel of the accounting department, whether located in India, Brazil or Canada, may be members of the same user group, designated here by the letter A. Similarly, the personnel of the research and development department, whether located in Spain, Brazil or India, may be members of the same user group, designated here by the letter D.
Similarly, a second plurality of computer resource groups is defined within the second plurality of computer resources, wherein all members of each computer resource group have at least nearly identical resource/user access rights; for example, the same user group, or nearly the same user group, can access every computer file in a given group.
For example, as shown in Fig. 1, all files relating to accounts payable may be elements of the same computer resource group, designated here by the letter "a". Similarly, all files relating to the development of a door may be elements of the same computer resource group, designated here by the letter "d".
It should be understood that all members of each user group have at least nearly identical user/resource access rights. For example, all members of user group A can access the company's accounts, and all members of user group D can access the engineering documents.
Similarly, it should be understood that all elements of each computer resource group have at least nearly identical resource/user access rights; for example, accountants can access all elements of computer resource group "a", and design engineers can access all elements of computer resource group "d".
In response to a query, or conversely in order to prepare a report giving an overview of the access rights of a particular user or computer resource, it is possible to quickly ascertain whether a given user is a member of one of the first plurality of user groups and, if so, to quickly attribute the user/resource access rights of that user group to the given user. Similarly, it is possible to quickly ascertain whether a given computer resource is an element of one of the second plurality of computer resource groups and, if so, to quickly attribute the resource/user access rights of that computer resource group to the given computer resource.
The time-consuming iterative processing used in the prior art can thereby be avoided.
It should be understood that embodiments of the invention that form only user groups or only computer resource groups, rather than both user groups and computer resource groups, also fall within the scope of the present invention.
With reference to Fig. 2, the method according to a preferred embodiment of the present invention performs the following steps.
Fig. 2 is a simplified flowchart of a general method, according to a preferred embodiment of the present invention, for ascertaining the access rights of users to computer resources in a large organization having many resources and many users.
As shown in Fig. 2, in a first preparatory stage the users in the organization are grouped according to their access rights to a given server in the organization, as shown at step 200. Specifically, for each server, the users in the organization are divided into a plurality of user groups, wherein the users in each group have similar, or preferably identical, access rights to the files on the corresponding server. The method of grouping users is described in more detail below with reference to Fig. 3.
As shown at step 202, in a second preparatory stage the computer resources in the organization are grouped according to the access rights to them. Specifically, in a hierarchical server system a computer resource, unless otherwise indicated, has the same access rights as its direct parent. Computer resources can therefore be grouped so that each child computer resource whose access rights are the same as those of its parent computer resource points to the access control list of the parent rather than duplicating that access control list. The method of grouping computer resources is described in more detail below with reference to Fig. 4.
It should be understood that the step 200 of grouping users and the step 202 of grouping computer resources can be performed in either order or in parallel, and are preferably performed periodically so as to account for changes in user access rights and/or in the hierarchical structure of the computer resources in the organization.
In a first processing stage, following the above preparatory stages, an access rights query is submitted, typically by a member or a department of the organization, as shown at step 204. A typical query may include a subset of users and a subset of storage elements. The response to such a query lists, for each user in the user subset, that user's access rights to each storage element in the storage element subset.
For example, a query may include all users in the organization as the user subset and a given computer resource as the storage element subset. The query response then determines which of all the users have the right to access the given computer resource. In another example, the query may include all the computer resources of the organization as the storage element subset and a given user as the user subset. The query response then determines which of all the storage elements can be accessed by the given user.
As shown at step 206, the query is processed and its response is computed. Typically, for each user listed in the query, the query response includes a list of the subset of the computer resources listed in the query that the user can access. The method of computing the query response is described in more detail below with reference to Fig. 5. The query response is then delivered to the individual or team that submitted the access rights query, as shown at step 208.
Referring now to Figs. 3A and 3B, which together are a simplified flowchart of a method for grouping users in a large organization based on user access rights, the method forming the first preparatory stage 200 of the method of Fig. 2. The purpose of this grouping is to create user groups wherein the users in a single user group have similar, or preferably identical, access rights to the computer resources stored on a given server.
A prerequisite for creating such user groups is the definition of user security groups, which is preferably performed in a first step 300 shown in Fig. 3A. User security groups are predefined by the system administrator. Typically, user security groups correspond to the different departments of the organization; they may include, for example, an accounting user security group, a research and development user security group, and so on. Each user security group includes the users belonging to the corresponding department. A user may belong to more than one user security group; for example, the secretary of a research and development department may belong to both a management user security group and a research and development user security group. Each user security group has pre-assigned access rights to the computer resources of a given server. The access control list of a given computer resource is a list of the access rights of user security groups to that computer resource.
As shown in Fig. 3A, a server is selected, as shown at step 300. It is to be understood that users are grouped only with respect to their access rights to the computer resources stored on the selected server.
Then the access control lists of the computer resources stored on the selected server are reviewed in order to extract those user security groups whose member users have access rights to at least some of the computer resources stored on the server, as shown at step 302.
For any given pair of users listed in any of the extracted user security groups, their access rights to the computer resources stored on the selected server are compared in order to check whether they are identical for all the computer resources stored on the selected server, as shown at decision step 304. If the pair of users have identical access rights to all the computer resources stored on the selected server, they are assigned to the same initial user group with respect to the selected server, as shown at step 306. Otherwise they are assigned to two different initial user groups with respect to the selected server, as shown at step 308.
These initial user groups are the precursors of the user groups the method aims to create. The initial user groups may require further refinement, as described below, in order to obtain the desired final user groups. It should be understood that two users may have very similar access rights to the selected server, differing only in their access rights to one or two specific computer resources. This may happen, for example, when the server holds the root directories of a number of users: in that case two users may have identical access rights to all the computer resources on the server other than the root directories, while each user has access rights to his or her own root directory but generally has no access rights to the root directories of other users.
Even where a large potential initial user group exists whose members have closely similar, though not identical, access rights, this situation may result in the users of the server being divided into many small initial user groups or even singletons. As described below, this situation is resolved by virtually dividing the computer resources on the server into at least two virtual servers.
Thus, after users have been assigned to initial user groups as shown at steps 304, 306 and 308, the number and the sizes of the resulting initial user groups are audited. Preferably, the number of initial user groups is compared with a first preset threshold, as shown at decision step 310, and the number of singleton initial user groups is compared with a second preset threshold, as shown at decision step 312. If the number of initial user groups does not exceed the first threshold and the number of singleton initial user groups does not exceed the second threshold, the assignment of users ends. At this point the initial user groups and the singleton initial user groups constitute the user groups referred to above, in particular at step 200 of Fig. 2.
Turning to Fig. 3B, if the number of initial user groups exceeds the first threshold and/or the number of singleton initial user groups exceeds the second threshold, the server is divided into two virtual servers, as shown at step 314. According to one embodiment, the virtual division of the server is performed as follows. For each specific user or user security group allowed to access the server, the number of computer resources on the server that the specific user or user security group is allowed to access is determined, as shown at step 316. Then the fraction of the computer resources that the specific user or user security group is allowed to access is computed and compared with a fraction threshold, such as 1%, as shown at decision step 318.
If the fraction of the computer resources that a specific user or user security group is allowed to access is less than the fraction threshold, the user or user security group is designated a degraded security group, as shown at step 320. Otherwise the user or user security group is designated an important security group, as shown at step 322.
The set of computer resources that appear in the access rights of the degraded security groups is defined as a virtual server, designated the inorganization virtual server, as shown at step 324. The inorganization virtual server is considered to include a small number of computer resources having similar access control lists and/or a small number of users having identical access rights. Assigning users to initial user groups based on the computer resources in the inorganization virtual server is likely to produce a large number of initial user groups and/or singleton initial user groups, which is inefficient and therefore undesirable.
The computer resources on the server that do not belong to the inorganization virtual server are defined as a second virtual server, designated the organization virtual server, as shown at step 326. The organization virtual server is considered to include files having similar access control lists, so that assigning users to initial user groups based on their access rights to these computer resources is likely to produce a small number of organization initial user groups.
Once the server has been divided into two virtual servers, the organization virtual server is selected as the server with respect to which users are assigned to initial user groups, as shown at step 328. Users are then reassigned to initial user groups based on their access rights to the computer resources stored on the organization virtual server, with reference to steps 302 to 308 above. At this point these initial user groups and singleton initial user groups constitute the user groups referred to above, in particular at step 200 of Fig. 2.
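The grouping procedure of Figs. 3A and 3B, implemented here as an added example that is not the patent's own code: users are grouped by identical per-server rights, the group and singleton counts are audited against two thresholds, and on overflow the server is split into an inorganization and an organization virtual server before regrouping. The ACLs, security groups, thresholds and the 0.25 fraction used for the small sample are constructed; the patent's own example fraction is 1%.

```python
"""Grouping users by per-server access rights, following Figs. 3A and 3B.

Added example: the ACLs, security groups and thresholds below are constructed.
Rights are strings over "rwx", as the description defines access rights.
"""
from collections import defaultdict

# Constructed sample: one file server, ACL per resource as {security group: rights}.
# The four root directories each admit a single per-user security group, which is
# exactly the situation the description says fragments the initial user groups.
SERVER_ACLS = {
    "/fin/ap/2010.xlsx": {"accounting": "rw", "mgmt": "r"},
    "/fin/ap/2011.xlsx": {"accounting": "rw", "mgmt": "r"},
    "/fin/ledger.db":    {"accounting": "rw", "mgmt": "r"},
    "/fin/policy.pdf":   {"accounting": "r",  "mgmt": "rw"},
    "/eng/design.dwg":   {"rnd": "rw",  "mgmt": "r"},
    "/eng/specs.doc":    {"rnd": "rw",  "mgmt": "r"},
    "/eng/build.sh":     {"rnd": "rwx", "mgmt": "r"},
    "/eng/roadmap.pdf":  {"rnd": "r",   "mgmt": "rw"},
    "/home/ann": {"home-ann": "rwx"},
    "/home/bob": {"home-bob": "rwx"},
    "/home/dan": {"home-dan": "rwx"},
    "/home/eva": {"home-eva": "rwx"},
}
# Constructed user security groups (step 300): department groups plus one
# per-user group for each root directory.
SG_MEMBERS = {
    "accounting": {"ann", "bob"},
    "rnd": {"dan", "eva"},
    "mgmt": {"meg"},
    "home-ann": {"ann"}, "home-bob": {"bob"},
    "home-dan": {"dan"}, "home-eva": {"eva"},
}


def user_rights_on(acls, members, resources):
    """Rights vector of every user over `resources`, merging the rights of all
    security groups the user belongs to.  Returns {user: frozenset((res, rights))}."""
    users = set().union(*members.values())
    vec = {u: {} for u in users}
    for res in resources:
        for sg, rights in acls[res].items():
            for user in members.get(sg, ()):
                vec[user][res] = vec[user].get(res, frozenset()) | frozenset(rights)
    return {u: frozenset(v.items()) for u, v in vec.items()}


def initial_user_groups(acls, members, resources):
    """Steps 302-308: users with identical rights vectors over `resources`
    share an initial user group.  Returns a sorted list of sorted tuples."""
    groups = defaultdict(set)
    for user, vec in user_rights_on(acls, members, resources).items():
        groups[vec].add(user)
    return sorted(tuple(sorted(g)) for g in groups.values())


def split_virtual_servers(acls, fraction_threshold):
    """Steps 316-326: a security group reaching fewer than `fraction_threshold`
    of the server's resources is 'degraded'; the resources it reaches form the
    inorganization virtual server, the remainder the organization virtual server.
    Returns (organization resources, inorganization resources, degraded groups)."""
    reach = defaultdict(set)
    for res, acl in acls.items():
        for sg in acl:
            reach[sg].add(res)
    degraded = {sg for sg, rs in reach.items() if len(rs) / len(acls) < fraction_threshold}
    inorg = set().union(*(reach[sg] for sg in degraded)) if degraded else set()
    return sorted(set(acls) - inorg), sorted(inorg), degraded


def group_users(acls, members, max_groups, max_singletons, fraction_threshold=0.01):
    """Figs. 3A/3B end to end: group, audit the counts (steps 310/312) and, on
    overflow, regroup over the organization virtual server (step 328).
    Returns (user groups, resources the grouping was computed over)."""
    resources = sorted(acls)
    groups = initial_user_groups(acls, members, resources)
    singletons = sum(1 for g in groups if len(g) == 1)
    if len(groups) <= max_groups and singletons <= max_singletons:
        return groups, resources
    org, _inorg, _degraded = split_virtual_servers(acls, fraction_threshold)
    return initial_user_groups(acls, members, org), org


if __name__ == "__main__":
    # Over the whole server every user is a singleton because of the root
    # directories; after the split the department members share groups.
    print(group_users(SERVER_ACLS, SG_MEMBERS, 10, 10)[0])
    print(group_users(SERVER_ACLS, SG_MEMBERS, 3, 2, fraction_threshold=0.25)[0])
```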
Referring now to Figs. 4A and 4B, which together are a simplified flowchart of a method for grouping computer resources in a large organization based on resource access rights, the method forming the second preparatory stage 202 of the method of Fig. 2.
As shown in Fig. 4A, a node of the computer resource hierarchy is selected for processing, as shown at step 400. Preferably, the computer resource hierarchy is processed from the leaves to the root, in which case the first node selected for processing is a leaf, that is, a node at the lowest level of the computer resource hierarchy.
For the selected node, it is checked whether a direct parent exists in the hierarchy, as shown at decision step 402. If the selected node has no direct parent, it follows that it is the root of the hierarchy; the node is designated a distinct node, as shown at step 404, and processing ends. Otherwise the access control list of the node is extracted, as shown at step 405, and the access control list of the direct parent of the selected node is extracted, as shown at step 406. The access control list of the selected node is then compared with the access control list of its direct parent, as shown at decision step 408.
It should be understood that if no explicit access control list is associated with the node being processed, the node inherits the access control list associated with its direct parent, and processing continues as shown at step 410.
Turning to Fig. 4B, if the access control list of the selected node is identical to that of its direct parent, a pointer is added to the hierarchy pointing from the selected node to the access control list of the direct parent of the selected node, as shown at step 410. In addition, all pointers that point to the access control list of the selected node are moved so as to point to the access control list of the direct parent of the selected node, as shown at step 41. An indication that the node has been processed is added to the selected node, as shown at step 414.
If the access control list of the selected node differs from the access control list of its direct parent, the node is designated a distinct node, as shown at step 416, and an indication that the node has been processed is added to the selected node, as shown at step 418.
Subsequently, the level of the hierarchy to which the selected node belongs is reviewed to determine whether there are unprocessed nodes at that level, as shown at decision step 420. If there are unprocessed nodes at the level of the selected node, another node at that level is selected, as shown at step 422, and that node is processed as described above with reference to steps 402-418. Otherwise a node at a higher level of the hierarchy than the selected node is selected, for example the direct parent of the selected node, as shown at step 424, and that node is processed as described above with reference to steps 402-418.
Referring now to Figs. 5A, 5B and 5C, which together are a simplified flowchart of a method for computing the response to an access rights query, the method forming step 206 of the method of Fig. 2.
Referring to Fig. 5A, a group of computer resources to be processed is defined, as shown at step 500. When processing of a query begins, this computer resource group is typically empty; it is populated as the query is processed.
As shown in Fig. 5A, for each computer resource included in the query, step 501 is performed, which consists of checking all the distinct computer resource nodes included in the query.
As shown at step 502, for each computer resource included in the query, it is checked whether the resource includes a distinct node of the computer resource hierarchy.
If the computer resource does include a distinct node of the computer resource hierarchy, it is added to the group of computer resources to be processed, as shown at step 504. If the computer resource does not include a distinct node, the pointer associated with it is followed to a source node that does include a distinct node, as shown at step 506.
At decision step 508, it is determined whether the computer resource that includes the source node, the source node including a distinct node, has previously been added to the group of computer resources to be processed. If the computer resource including the source node has not previously been added to the group of computer resources to be processed, it is added to that group now, as shown at step 510. If the computer resource including the source node has previously been added to the group of computer resources to be processed, it is not added again but is associated, within that group, with the computer resource currently being processed, so as to provide a complete query response, as shown at step 512. This is typically accomplished by defining a pointer from the computer resource currently being processed to the direct parent entity that is included in the group of computer resources to be processed.
As shown at step 513, a user included in the query is selected, whose access rights are to be processed.
Turning to Fig. 5B, as shown at step 514, a computer resource included in the group of resources to be processed is selected, and the physical server on which it resides is determined, as shown at step 515. Then, with respect to the server on which the computer resource resides, the particular user group to which the user belongs is determined, as shown at step 516. It is then checked whether, in the course of processing this computer resource, the access rights of another user belonging to the same particular user group have already been computed, as shown at decision step 518.
If the access rights of another user to the given computer resource have previously been computed and that user belongs to the same particular user group, the computed access rights are assigned to the current user, as shown at step 520. Otherwise the access rights of the user to the computer resource, and/or of the user groups to which the user belongs to the computer resource, are extracted from the access control list associated with the computer resource, as shown at step 522.
Subsequently, it is checked whether any computer resource included in the group has not yet been processed with respect to the selected user, as shown at decision step 524.
Referring to Fig. 5C, if such a computer resource exists, it is selected, as shown at step 526, and processed with respect to the selected user as described above with reference to steps 512 to 522. If no such computer resource exists, it is checked whether there is any user included in the query whose access rights have not yet been computed, as shown at decision step 528. If such a user exists, that user is selected, as shown at step 530, and the user's access rights are processed as described above with reference to steps 514 to 522.
Referring to step 532, once the access rights of all the users in the query have been computed with respect to each computer resource included in the group of computer resources to be processed, a query response is generated. It includes a list of pairs, one pair for each user and computer resource included in the original query. It should be understood that when such a query response is generated, the result for each computer resource in the group is provided repeatedly, so that a query response is provided for each computer resource included in the query, each computer resource in the group including a distinct source node for at least one computer resource included in the query.
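An added example, not the patent's own code, covering both the ACL-inheritance grouping of Figs. 4A and 4B and the query computation of Figs. 5A to 5C: child nodes whose ACL equals the parent's receive a pointer to the parent's ACL, a query maps each requested resource to its distinct source node, and rights are read from an ACL once per (user group, source node) pair. The hierarchy, the security group memberships and the user-group assignment (standing in for the output of the Fig. 3 grouping) are constructed.

```python
"""Resource grouping by ACL inheritance (Figs. 4A/4B) and query answering
(Figs. 5A-5C).  Added example; the hierarchy, memberships and the user-group
assignment (standing in for the output of the Fig. 3 grouping) are constructed."""

# Constructed hierarchy: {node: (direct parent, explicit ACL or None)}.
# An ACL is {security group: rights}; None means "no explicit ACL" (step 410).
HIERARCHY = {
    "/": (None, {"mgmt": "r"}),
    "/fin": ("/", {"accounting": "rw", "mgmt": "r"}),
    "/fin/ap": ("/fin", None),                                            # inherits
    "/fin/ap/2010.xlsx": ("/fin/ap", {"accounting": "rw", "mgmt": "r"}),  # copy of parent's
    "/fin/policy.pdf": ("/fin", {"accounting": "r", "mgmt": "rw"}),       # differs
    "/eng": ("/", {"rnd": "rw", "mgmt": "r"}),
    "/eng/specs.doc": ("/eng", {"rnd": "rw", "mgmt": "r"}),
}
SG_MEMBERS = {"accounting": {"ann", "bob"}, "rnd": {"dan"}, "mgmt": {"meg"}}
# Constructed per-server user groups, as the Fig. 3 procedure would produce them.
USER_GROUP_OF = {"ann": "A", "bob": "A", "dan": "D", "meg": "M"}


def effective_acl(hierarchy, node):
    """Step 410: a node without an explicit ACL inherits its direct parent's."""
    while hierarchy[node][1] is None:
        node = hierarchy[node][0]
        if node is None:
            raise ValueError("root of the hierarchy has no ACL")
    return hierarchy[node][1]


def _depth(hierarchy, node):
    depth = 0
    while hierarchy[node][0] is not None:
        node, depth = hierarchy[node][0], depth + 1
    return depth


def group_resources(hierarchy):
    """Figs. 4A/4B, leaves first (step 400).  Returns (distinct, pointer):
    `distinct` holds the nodes that own their ACL (steps 404/416); `pointer`
    maps every other node to the node whose ACL it shares (steps 410/412)."""
    distinct, pointer = set(), {}
    for node in sorted(hierarchy, key=lambda n: _depth(hierarchy, n), reverse=True):
        parent = hierarchy[node][0]
        if parent is None:                                   # step 402 -> 404
            distinct.add(node)
        elif effective_acl(hierarchy, node) == effective_acl(hierarchy, parent):
            pointer[node] = parent                           # step 410
            for child in [c for c, p in pointer.items() if p == node]:
                pointer[child] = parent                      # step 412: re-aim pointers
        else:
            distinct.add(node)                               # step 416
    return distinct, pointer


def answer_query(hierarchy, members, user_group_of, users, resources):
    """Figs. 5A-5C.  Returns ({(user, resource): rights}, number of ACL reads).
    Rights are read once per (user group, source node), relying, as the
    description does, on members of a user group holding identical rights."""
    distinct, pointer = group_resources(hierarchy)
    # Steps 500-512: map each queried resource to the distinct node owning its ACL.
    source = {r: r if r in distinct else pointer[r] for r in resources}
    groups_of = {u: {sg for sg, ms in members.items() if u in ms} for u in users}
    cache, response = {}, {}
    for user in users:                                       # steps 513/528
        for res in resources:                                # steps 514/524
            key = (user_group_of[user], source[res])         # step 516
            if key not in cache:                             # step 518 miss
                acl = effective_acl(hierarchy, source[res])  # step 522
                cache[key] = frozenset().union(*(set(acl.get(sg, "")) for sg in groups_of[user]))
            response[(user, res)] = cache[key]               # step 520
    return response, len(cache)


if __name__ == "__main__":
    res, reads = answer_query(HIERARCHY, SG_MEMBERS, USER_GROUP_OF,
                              ["ann", "bob", "dan"],
                              ["/fin/ap/2010.xlsx", "/fin/policy.pdf", "/eng/specs.doc"])
    for key in sorted(res):
        print(key, "".join(sorted(res[key])) or "-")
    print("ACL reads:", reads)      # 6 reads for 9 (user, resource) pairs
```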
Those skilled in the art will appreciate that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and subcombinations of the various features described above, as well as modifications of those features that would occur to persons of ordinary skill in the art upon reading the foregoing description and that are not in the prior art.
Claims (1)
1. A method for ascertaining the access rights of users to computer resources in at least one storage unit, characterized in that the method comprises using a non-transitory tangible computer-readable storage medium in which computer program instructions are stored, the instructions causing a computer, when read by the computer, to:
periodically, at regular intervals, group users into a plurality of user groups, wherein the users have at least partly identical user/resource access rights to the computer resources;
periodically, at regular intervals, group the computer resources into a plurality of resource groups, wherein the computer resources have at least partly identical resource/user access rights;
in response to a query as to whether a plurality of users have access rights to a plurality of resources, perform the following actions:
determine whether at least a first user of the plurality of users has user/resource access rights to at least a first given resource of the plurality of resources, wherein the at least one first given user is a member of at least a first user group of the plurality of user groups and the at least one first given resource is a member of at least a first resource group;
if at least a first user of the plurality of users has user/resource access rights to at least a first given resource of the plurality of resources, and the at least one first given user is a member of at least a first user group of the plurality of user groups, and the at least one first given resource is a member of at least a first resource group, attribute the access rights of the members of the at least one first user group to the members of the at least one first resource group;
determine whether at least a second user of the plurality of users has user/resource access rights to at least a second given resource of the plurality of resources, wherein the at least one second given user is a member of at least a second user group of the plurality of user groups and the at least one second given resource is a member of at least a second resource group;
if at least a second user of the plurality of users has user/resource access rights to at least a second given resource of the plurality of resources, and the at least one first given user is a member of at least a second user group of the plurality of user groups, and the at least one second given resource is a member of at least a second resource group, attribute the access rights of the members of the at least one second user group to the members of the at least one second resource group.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611141689.5A CN106650508A (en) | 2010-12-29 | 2010-12-29 | Method and device for determining data access permission of user group for data element group |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611141689.5A CN106650508A (en) | 2010-12-29 | 2010-12-29 | Method and device for determining data access permission of user group for data element group |
CN201080071011.9A CN103299268B (en) | 2010-12-29 | 2010-12-29 | For determining user's group method and device to the data access authority of data elements groups |
PCT/IL2010/001090 WO2012090189A1 (en) | 2010-12-29 | 2010-12-29 | Method and apparatus for ascertaining data access permission of groups of users to groups of data elements |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201080071011.9A Division CN103299268B (en) | 2010-12-29 | 2010-12-29 | For determining user's group method and device to the data access authority of data elements groups |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106650508A true CN106650508A (en) | 2017-05-10 |
Family
ID=46382381
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201080071011.9A Active CN103299268B (en) | 2010-12-29 | 2010-12-29 | For determining user's group method and device to the data access authority of data elements groups |
CN201611141689.5A Pending CN106650508A (en) | 2010-12-29 | 2010-12-29 | Method and device for determining data access permission of user group for data element group |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201080071011.9A Active CN103299268B (en) | 2010-12-29 | 2010-12-29 | For determining user's group method and device to the data access authority of data elements groups |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2659351A4 (en) |
CN (2) | CN103299268B (en) |
WO (1) | WO2012090189A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110140124A (en) * | 2017-12-29 | 2019-08-16 | 华为技术有限公司 | Grouping is using same key sharing data |
CN112465476A (en) * | 2020-12-17 | 2021-03-09 | 中国农业银行股份有限公司 | Access control method, device, equipment and medium |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2849570A1 (en) | 2010-09-28 | 2012-04-05 | Atsushi Matsunaga | Systems and methods for medical data collection and display |
US9251363B2 (en) | 2013-02-20 | 2016-02-02 | Varonis Systems, Inc. | Systems and methodologies for controlling access to a file system |
CN104598778B (en) * | 2013-10-30 | 2018-03-23 | 中国移动通信集团江苏有限公司 | Authority dispatching method and device |
CN105528553A (en) * | 2014-09-30 | 2016-04-27 | 中国移动通信集团公司 | A method and a device for secure sharing of data and a terminal |
CN105653962B (en) * | 2014-11-14 | 2018-07-31 | 中国科学院沈阳计算技术研究所有限公司 | A kind of user role access authorization for resource model management method of object-oriented |
WO2018160407A1 (en) | 2017-03-01 | 2018-09-07 | Carrier Corporation | Compact encoding of static permissions for real-time access control |
WO2018160560A1 (en) | 2017-03-01 | 2018-09-07 | Carrier Corporation | Access control request manager based on learning profile-based access pathways |
US10891816B2 (en) | 2017-03-01 | 2021-01-12 | Carrier Corporation | Spatio-temporal topology learning for detection of suspicious access behavior |
2010
- 2010-12-29 CN CN201080071011.9A patent/CN103299268B/en active Active
- 2010-12-29 WO PCT/IL2010/001090 patent/WO2012090189A1/en active Application Filing
- 2010-12-29 CN CN201611141689.5A patent/CN106650508A/en active Pending
- 2010-12-29 EP EP10861449.6A patent/EP2659351A4/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
EP2659351A1 (en) | 2013-11-06 |
CN103299268B (en) | 2016-12-28 |
CN103299268A (en) | 2013-09-11 |
EP2659351A4 (en) | 2014-09-10 |
WO2012090189A1 (en) | 2012-07-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170510 |