CN106973031B - Resource access control method, device and system - Google Patents

Abstract

The invention discloses a resource access control method, a device and a system. In the method, an access control decision request sent by a PEP is received, wherein the access control decision request comprises a target object requesting access, and the target object comprises a resource attribute and/or a sub-resource; acquiring an access control strategy for judging the access authority of the access control decision request; wherein, the access control policy comprises a rule for judging the access authority of the target object; and judging the access authority of the access control decision request according to the acquired access control strategy, and returning an access authority judgment result to the PEP. By the method, the access of the initiator to the target resource can be controlled, and the access to the target resource can be more finely controlled, namely the specific attribute and the specific sub-resource of the access target resource can be controlled.

Description

A resource access control method, device and system

technical field

The present invention relates to the field of communications, and in particular, to a resource control access method, device and system.

Background technique

OneM2M, an IoT standardization organization, is committed to developing a series of technical specifications for constructing a common M2M (Machine-To-Machine, machine-to-machine communication) service layer. The core of oneM2M is data sharing, which is realized by sharing the data items on the resource tree defined in the oneM2M CSE (Common Services Entity, common service entity).

OneM2M realizes the sharing and interaction of service layer resources by operating the standardized resource tree. The oneM2M resource tree exists in the Common Service Entity (CSE) defined by the oneM2M system. According to the definition in the oneM2M functional architecture specification (oneM2M TS-0001: "Functional Architecture"), the form of the oneM2M resource tree is shown in Figure 1. OneM2M resources can be created (Create), query (Retrieve), modify (Update) and delete (Delete) operations.

The resource related to authorization among the resources defined by oneM2M is the access control policy resource <accessControlPolicy>, which is used to store ACP (Access Control Policy, access control policy). The <accessControlPolicy> resource is uniquely identified by the resource ID, and other resources specify the access control policy applicable to the resource through the accessControlPolicyIDs attribute in the resource. The privileges attribute in the <accessControlPolicy> resource is used to store the specific access control policy, and the selfPrivileges attribute is used to store and maintain the access control policy of the <accessControlPolicy> resource. The access control policy stored in the privileges or selfPrivileges attribute consists of a series of access control rules.

The structure of an access control policy is a 3-tuple, namely accessControlOriginators, accessControlContexts and accessControlOperations. Among them, accessControlOriginators is the initiator of the access, which can be the application entity identifier (AE-ID), the public service entity identifier (CSE-ID) or the resource identifier of the group; accessControlContexts is the context condition, such as time, location or IP address, etc.; accessControlOperations is the operation that the initiator requests to act on the target resource, such as create, query, update, delete, etc.

The access control policy resource <accessControlPolicy> can be assigned to the target resource directly or indirectly through the accessControlPolicyIDs attribute, and the oneM2M access control system determines the access control policy applicable to the target resource accordingly.

Currently oneM2M defines more than 20 resources that can have <accessControlPolicy> resources or accessControlPolicyIDs attributes. However, for those resources with more complex structure, the access control for the target resource is too rough to meet the actual needs.

SUMMARY OF THE INVENTION

Embodiments of the present invention provide a resource access control method, device, and system, so as to achieve more fine-grained control over the access of target resources.

The resource access control method provided by the embodiment of the present invention includes:

receiving an access control decision request sent by the policy enforcement point PEP, where the access control decision request includes a target object for which access is requested, and the target object includes resource attributes and/or sub-resources;

Acquiring an access control policy for performing access authority judgment on the access control decision request; wherein, the access control policy includes a rule for performing access authority judgment on the target object;

According to the obtained access control policy, an access authority judgment is performed on the access control decision request, and an access authority judgment result is returned to the PEP.

Specifically, performing an access authority judgment on the access control decision request according to the obtained access control policy includes:

If the resource attribute requested to be accessed is not among the resource attributes that are allowed to be accessed by the rule used for judging the access authority of the resource attribute of the target resource, the decision is to deny access to the target resource, and the target resource is the access control the target resource for which access is requested by the decision request; or,

If the sub-resource requested to be accessed is not among the sub-resources that are allowed to be accessed by the rule used for judging the access authority of the sub-resource of the target resource, the decision is to deny access to the target resource, and the target resource is the access control The target resource that the decision request requests access to.

Specifically, the rule for judging the access authority of the resource attribute includes a list of resource attributes that are allowed to access, and the list of resource attributes that is allowed to access includes one of the following contents:

One or more resource attributes or resource attributes that are allowed to be accessed;

An indication that all resource attributes are allowed to be accessed;

Indication used to indicate that access is not allowed for all resource properties.

Specifically, if the rule for judging the access authority of the resource attribute does not include a list of resource attributes that are allowed to be accessed, the rule indicates that all resource attributes are not allowed to be accessed.

Specifically, the rule for judging the access authority of the sub-resource includes a sub-resource list, and the sub-resource list includes one of the following contents:

One or more sub-resources or sub-resources that are allowed to be accessed;

An indication that all sub-resources are allowed to access;

An indication that all subresources are not allowed access.

Specifically, if the sub-resource list is not included in the rule for judging the access authority of the sub-resource, the rule indicates that all sub-resources are not allowed to be accessed.

Optionally, the access control decision request further includes indication information of the target resource requested to be accessed;

The access control policy for performing access authority judgment on the access control decision request further includes a list of target resources that are allowed to be accessed;

The performing authority judgment on the access control decision request according to the obtained access control policy, including:

If the indication information of the target resource in the access control decision request is not in the access-allowed target resource list, it is determined to deny access to the target resource requested by the access control decision request.

Optionally, the access control decision request further includes providing a suggestion indication;

The method also includes:

If it is determined that access to the target resource requested by the access control decision request is denied, according to the providing suggestion instruction, a list of target objects suggested to be accessed by the request is obtained, and the resource attributes and/or sub-resources contained in the list can be accessed by The initiator of the access control decision request is accessed;

The list of target objects for which the proposed request is to be accessed is sent to the PEP.

Preferably, the access control decision request further includes: initiator identification and operation type indication information, where the operation type indication information is used to indicate the operation type requested to act on the target resource;

The access control policy for performing access authority judgment on the access control decision request further includes: a list of permitted access initiators, a list of operations permitted to act on the target resource, and a list of contextual conditions;

The access authority judgment on the access control decision request according to the obtained access control policy includes:

If one of the following conditions is met, the decision is to deny access to the target resource requested by the access control decision request:

The initiator identifier is not in the allowed access initiator list;

The operation type indicated by the operation type indication information is not in the list of operations allowed to act on the target resource;

The access control decision request does not satisfy the context condition in the context condition list.

The policy decision point device provided by the embodiment of the present invention includes:

a receiving module, configured to receive an access control decision request sent by the policy enforcement point PEP, where the access control decision request includes a target object requested to be accessed, and the target object includes resource attributes and/or sub-resources;

an acquisition module, configured to acquire an access control policy for performing access authority judgment on the access control decision request; wherein, the access control policy includes a rule for performing access authority judgment on the target object;

A judgment module, configured to perform an access authority judgment on the access control decision request according to the obtained access control policy, and return an access authority judgment result to the PEP.

Specifically, the decision module is specifically used for:

If the resource attribute requested to be accessed is not among the resource attributes that are allowed to be accessed by the rule used for judging the access authority of the resource attribute of the target resource, the decision is to deny access to the target resource, and the target resource is the access control the target resource for which access is requested by the decision request; or,

If the sub-resource requested to be accessed is not among the sub-resources that are allowed to be accessed by the rule used for judging the access authority of the sub-resource of the target resource, the decision is to deny access to the target resource, and the target resource is the access control The target resource that the decision request requests access to.

Specifically, the rule for judging the access authority of the resource attribute includes a list of resource attributes that are allowed to access, and the list of resource attributes that is allowed to access includes one of the following contents:

One or more resource attributes or resource attributes that are allowed to be accessed;

An indication that all resource attributes are allowed to be accessed;

Indication used to indicate that access is not allowed for all resource properties.

Specifically, if the rule for judging the access authority of the resource attribute does not include a list of resource attributes that are allowed to be accessed, the rule indicates that all resource attributes are not allowed to be accessed.

Specifically, the rule for judging the access authority of the sub-resource includes a sub-resource list, and the sub-resource list includes one of the following contents:

One or more sub-resources or sub-resources that are allowed to be accessed;

An indication that all sub-resources are allowed to access;

An indication that all subresources are not allowed access.

Specifically, if the sub-resource list is not included in the rule for judging the access authority of the sub-resource, the rule indicates that all sub-resources are not allowed to be accessed.

Optionally, the access control decision request further includes indication information of the target resource requested to be accessed;

The access control policy for performing access authority judgment on the access control decision request further includes a list of target resources that are allowed to be accessed;

The judgment module is specifically used for:

If the indication information of the target resource in the access control decision request is not in the access-allowed target resource list, it is determined to deny access to the target resource requested by the access control decision request.

Optionally, the access control decision request further includes providing a suggestion indication;

The apparatus also includes an advice module for:

If it is determined that access to the target resource requested by the access control decision request is denied, according to the providing suggestion instruction, a list of target objects suggested to be accessed by the request is obtained, and the resource attributes and/or sub-resources contained in the list can be accessed by The initiator of the access control decision request is accessed;

The list of target objects for which the proposed request is to be accessed is sent to the PEP.

The resource access control system provided by the embodiment of the present invention includes: a policy enforcement point PEP and a policy decision point PDP;

The PEP is configured to receive a resource access request, and send an access control decision request to the PDP according to the resource access request, where the access control decision request includes a target object for requesting access, and the target object includes resource attributes and / or sub-resources;

The PDP is configured to obtain an access control policy for performing access authority judgment on the access control decision request, wherein the access control policy includes a rule for performing access authority judgment on the target object; and, According to the obtained access control policy, an access authority judgment is performed on the access control decision request, and an access authority judgment result is returned to the PEP.

Specifically, the PDP is specifically used for:

If the resource attribute requested to be accessed is not among the resource attributes that are allowed to be accessed by the rule for judging the access authority to the resource attribute for the target resource, the decision is to deny access to the target resource, and the target resource is the access control the target resource for which access is requested by the decision request; or,

If the sub-resource requested to be accessed is not among the sub-resources that are allowed to be accessed by the rule for judging the access authority to the sub-resource for the target resource, the decision is to deny access to the target resource, and the target resource is the access control The target resource that the decision request requests access to.

Specifically, the rule for judging the access authority of the resource attribute includes a list of resource attributes that are allowed to access, and the list of resource attributes that is allowed to access includes one of the following contents:

One or more resource attributes or resource attributes that are allowed to be accessed;

An indication that all resource attributes are allowed to be accessed;

A flag indicating that all resource attributes are not allowed to be accessed.

Specifically, if the rule for judging the access authority of the resource attribute does not include a list of resource attributes that are allowed to be accessed, the rule indicates that all resource attributes are not allowed to be accessed.

Specifically, the rule for judging the access authority of the sub-resource includes a sub-resource list, and the sub-resource list includes one of the following contents:

One or more sub-resources or sub-resources that are allowed to be accessed;

An indication that all sub-resources are allowed to access;

Flag indicating information that all child resources are not allowed to access.

Specifically, if the sub-resource list is not included in the rule for judging the access authority of the sub-resource, the rule indicates that all sub-resources are not allowed to be accessed.

Optionally, the access control decision request further includes indication information of the target resource requested to be accessed;

The access control policy for performing access authority judgment on the access control decision request further includes a list of target resources that are allowed to be accessed;

The PDP is specifically used for:

If the indication information of the target resource in the access control decision request is not in the access-allowed target resource list, it is determined to deny access to the target resource requested by the access control decision request.

In the above embodiments of the present invention, on the one hand, the access control decision request includes a target object of the target resource requested to be accessed, wherein the target object includes resource attributes and/or sub-resources of the target resource; The access control policy for the decision request to make an access right decision includes a rule for making an access right decision on the target object of the target resource. Therefore, when the access control decision request is judged according to the above rules, the access to the target resource can be realized. For more detailed control, it is possible to control access to specific attributes and specific sub-resources of the target resource.

Description of drawings

In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained from these drawings without any creative effort.

Fig. 1 is the oneM2M resource tree in the prior art;

2 is a schematic diagram of a resource access control architecture in the prior art;

3 is a schematic flowchart of a resource access control method according to an embodiment of the present invention;

4 is a schematic structural diagram of an apparatus for resource access control provided by an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of another apparatus for resource access control provided by an embodiment of the present invention.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all the embodiments. . Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

The resource access control architecture given in the oneM2M Security Solutions Technical Specification (oneM2M TS-0003:Security Solutions) is shown in Figure 2. The required components in this architecture include:

Policy Enforcement Point (PEP): The PEP coexists with the application system that needs access control, and is called by the application system. The PEP will generate the corresponding access control request according to the access request of the initiator, and send it to the policy decision point. Then it is determined whether to execute the access request according to the access control response of the policy decision point.

Policy Decision Point (PDP): The PDP is responsible for judging whether to agree to access the target resource requested by the access control request sent by the PEP according to the access control policy, and returns the judgment result to the PEP through the access control response.

• Policy Retrieval Point (PRP): The PRP obtains the applicable access control policy according to the policy request provided by the PDP, and returns the obtained access control policy to the PDP.

Policy Information Point (PIP): PIP obtains attributes related to users, resources or environments according to the PDP request, such as the IP address of the accessing user, the creator of the resource, the current time, etc. This attribute is returned to the PDP.

The basic resource access control process of oneM2M is:

1) The initiator sends a resource access request (Access Request) to the PEP.

2) The PEP sends an access control decision request (DecisionRequest) to the PDP according to the user's resource access request.

3) The PDP sends an access control policy request (PolicyRequest) to the PRP according to the access control decision request of the PEP.

4) The PRP returns an access control policy response (Policy Response) to the PDP, and the access control policy response includes the access control policy.

5) The PDP analyzes and judges the content contained in the access control decision request and the access control policy; when analyzing and judging, if other attributes are required, send an access control attribute request (Attribute Request) to the PIP, otherwise go to step 7 .

6) The PIP sends an access control attribute response to the PDP, where the access control attribute response includes the access control-related attributes obtained according to the access control attribute request.

7) The PDP sends an access control decision response (Decision Response) to the PEP, and the control decision response includes the decision result.

8) The PEP decides whether to execute the initiator's visit according to the decision result in the access control decision response.

The embodiment of the present invention expands the content contained in the access control decision request and the rules contained in the access control policy in the above process, and improves the analysis and judgment process of the PDP according to the above expanded content, thereby realizing The access to the target resource is controlled in a more fine-grained manner, thereby realizing more detailed control of the access to the target resource.

Among them, in the access control decision request, add one or a combination of the following two kinds of information:

(1) Resource attribute access list (Access Attribute List, ATL): The list contains information related to the resource attributes requested to be accessed, such as attribute names.

(2) Access SubResource List (ASL): The list includes information related to the sub-resource requested to be accessed, such as the name of the sub-resource.

Optionally, on this basis, in the access control decision request, you can also add:

(3) Provide advice indication (Advice Requirement, ar): used to indicate whether the PDP provides its suggested resource attribute access list and/or sub-resource access list. The resource attributes contained in the proposed resource attribute access list can be accessed by the initiator of the access control decision request, and the sub-resources contained in the proposed sub-resource access list can be accessed by the initiator of the access control decision request. The providing advice indication may be represented by a binary value, for example: 0 means that no advice is required, and 1 means that advice is requested.

Preferably, all the above three types of information can be added to the access control decision request, so that the six-tuple information in the access control decision request is formed by combining the three types of information existing in the access control decision request. Among them, the three types of information already in the access control decision request include:

(1) Indication information of the target resource: that is, the "to" parameter, which is used to indicate the target resource requested to be accessed;

(2) Initiator identification: the "fr" parameter, used to indicate the initiator of the access control decision request;

(3) Operation type indication information: that is, the "op" parameter, which is used to indicate the operation type requested to act on the target resource, which can be one of create, query, update, and delete.

In the access control policy, add one or a combination of the following two rules:

(1) List of resource attributes allowed to be accessed (permittedAttributes): According to this list, the resource attributes that are allowed to be accessed can be obtained. The list of allowed resource properties includes one of the following:

-One or more resource attributes that are allowed to be accessed or the indication information of the resource attribute, wherein the indication information of the resource attribute may specifically be the name of the resource attribute;

-Indication information used to indicate that all resource attributes are allowed to access, for example, use "ALL" to indicate that access to all resource attributes is allowed;

-Indication information used to indicate that access to all resource attributes is not allowed, eg, "NULL" means that access to all resource attributes is not allowed.

In some embodiments, the access control policy may not include the "access-allowed resource attribute list". In this case, the access control policy indicates that all resource attributes are not allowed to be accessed.

(2) List of sub-resources allowed to be accessed (permittedSubResources): The sub-resources that are allowed to be accessed can be obtained according to this list. The list of allowed subresources includes one of the following:

-Indication information of one or more sub-resources or sub-resources that are allowed to be accessed, wherein the indication information of sub-resources may specifically be a sub-resource name;

-Indication information used to indicate that all sub-resources are allowed to access, for example, use "ALL" to indicate that access to all sub-resources is allowed;

-Indication information used to indicate that all sub-resources are not allowed to access, for example, "NULL" is used to indicate that access to all sub-resources is not allowed.

In some embodiments, the access control policy may not include the "access-allowed sub-resource list". In this case, the access control policy indicates that all sub-resources are not allowed to be accessed.

Optionally, in the access control policy, you can also add:

(3) Access ControlResources list (accessControlResources): the list may contain addresses or identifiers of the accessible target resources.

Preferably, all the above three rules can be added to the access control policy, and the three existing rules in the access control policy are added to form a 6-tuple access control policy. Among them, the three existing rules in access control decisions include:

(1) List of permitted access initiators (accessControlOriginators): This list contains the relevant information of the initiators who are allowed to initiate access to the target resource, for example, it can be AE-ID, CSE-ID or resource ID of the group;

(2) The list of operations allowed to act on the target resource (accessControlOperations): the list contains the indication information of the operation type allowed to act on the target resource, for example, the operation type can be one of create, obtain, update, delete, and notify;

(3) Context condition list (accessControlContexts): The list contains context conditions that limit the scope of application of the rule, such as the time of access, the location and IP address of the initiator, and so on.

According to the above six-tuple rule, when the context restrictions described in accessControlContexts are met, the permitted access initiator described in accessControlOriginators can access the resources described in accessControlResources. Subresources described in permittedSubResources perform the operations described in accessControlOperations.

In this embodiment of the present application, an access control policy includes a "access-allowed resource attribute list" and/or a "access-allowed sub-resource list". The "access-allowed resource attribute list" in an access control policy applies to access rights judgments for target resources with the same attributes and the same types of operations that can be performed on each attribute, and the "allowed access" in an access control policy "Sub-resource list" is applicable to the access permission judgment for the target resource that has the same sub-resource and that each sub-resource can perform the same type of operation.

Based on the resource access control architecture shown in FIG. 2 and the expansion of the access control decision request and the rules included in the access control policy, FIG. 3 shows a resource access control method provided by an embodiment of the present invention.

Referring to FIG. 3, it is a schematic flowchart of a resource access control method provided by an embodiment of the present invention. As shown in the figure, the method includes:

Step 301: The initiator sends a resource access request to the PEP.

The resource access request may include: indication information of the target resource (such as the address or identifier of the target resource), the identifier of the initiator, the indication information of the operation type, and the like. The resource access request may further include a content (content) parameter, which may include resource attributes and/or names or identifiers of sub-resources.

Step 302: After receiving the resource access request sent by the initiator, the PEP sends an access control decision request to the PDP.

Wherein, the access control decision request includes the target object of the target resource requested to be accessed. The target object includes resource properties of the target resource, or sub-resources of the target resource, or resource properties and sub-resources of the target resource.

The PEP may determine the target object of the target resource according to the resource access request sent by the initiator. Specifically, the target object of the target resource can be determined in the following two ways:

Mode 1: The PEP determines the target object of the target resource according to the content (content) parameter in the resource access request sent by the initiator. Wherein, the content parameter may contain the names or identifiers of resource attributes and/or sub-resources, and the PEP may determine the corresponding resource attributes and/or sub-resources according to the resource attributes and/or names or identifiers of sub-resources contained in the content parameter for the target object.

Mode 2: The PEP determines by itself which resource attributes and/or sub-resources should be determined as the target object according to the target resource in the resource access request sent by the initiator. For example, if the resource access request is used to request the creation of a sub-resource in the target resource, the sub-resource to be created can be determined as the target object; for another example, if the resource access request is used to request to query the target resource, the to-be-queried sub-resource can be determined as the target object; The resource attributes and/or sub-resources of the target resource are determined as the target object.

The above access control decision request may also include indication information of the target resource requested to be accessed (such as the address or identifier of the target resource), the identifier of the initiator of the access request, and the type of operation requested to act on the target resource.

Step 303: After receiving the access control decision request sent by the PEP, the PDP obtains an access control policy for performing access authority judgment on the access control decision request; wherein, the access control policy includes a target object for accessing the target resource. Rules for Judgment of Authority.

In the above steps, the PDP can send an access control policy request to the PRP according to the access control decision request, and then obtain the corresponding access control policy from the PRP; it can also obtain the corresponding access control policy from the cache area of the PDP according to the access control decision request access control policy.

In the above process, when the PDP obtains the access control policy, it can obtain the corresponding access control policy according to the target resource in the access control decision request, or obtain the corresponding access control policy according to the target resource and the initiator in the access control decision request. access control policy.

Further, the above-mentioned access control policy for making an access right decision on an access control decision request may also include a list of target resources that are allowed to be accessed.

Further, the access control policy used for the access control decision request to perform access authority judgment may further include: a list of permitted access initiators, a list of operations permitted to act on the target resource, and a list of context conditions.

Step 304: The PDP performs an access authority judgment on the access control decision request according to the obtained access control policy, and returns the access authority judgment result to the PEP.

In the above step 304, when making an access authority judgment on the access control decision request, a judgment is made for each rule in the access control policy, which may specifically include the following situations:

Case 1: "Resource attribute access list" is included in the access control decision request

In view of this situation, if the resource attribute of the target resource listed in the "resource attribute access list" in the access control decision request is not in the "access-allowed resource attribute list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the resource attributes of the target resource requested to be accessed listed in the "resource attribute access list" in the access control decision request are in the "accessible resource attribute list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 2: "Subresource Access List" is included in the access control decision request

In view of this situation, if the sub-resource of the target resource listed in the "sub-resource access list" in the access control decision request is not in the "access-allowed sub-resource list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the sub-resources of the target resource listed in the "sub-resource access list" in the access control decision request are in the "access-allowed sub-resource list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 3: "Indication information of target resource" is included in the access control decision request

In response to this situation, if the target resource indicated by the "target resource indication information" in the access control decision request is not in the "access-allowed target resource list" in the access control policy, the decision is to deny the access. Controls access to the target resource requested by the decision request. If the target resource indicated by the "Indication information of the target resource" in the access control decision request is in the "Access-allowed target resource list" in the access control policy, other rules in the access control policy can be further combined. make a judgment.

Case 4: "Originator ID" is included in the access control decision request

In view of this situation, if the initiator of the request for access indicated by the "initiator ID" in the access control decision request is not in the "allowed access initiator list" in the access control policy, the decision is to reject the access control decision Requests the requested target resource for access. If the initiator of the access request indicated by the "initiator ID" in the access control decision request is in the "allowed access initiator list" in the access control policy, the decision can be further combined with other rules in the access control policy .

Case 5: "Operation Type Indication" is included in the access control decision request

In response to this situation, if the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is not in the "list of operations allowed to act on the target resource" in the access control policy, the decision is as follows: Deny access to the target resource requested by this access control decision request. If the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is in the "list of operations allowed to act on the target resource" in the access control policy, the access control policy can be further combined other rules in the judgment.

Scenario 6: "Context Condition List" is included in the Access Control Policy

In response to this situation, if the access control decision request does not satisfy the context conditions contained in the "context condition list" in the access control policy, it is determined to deny access to the target resource requested by the access control decision request. If the access control decision request satisfies the context conditions included in the "context condition list" in the access control policy, the decision may be further combined with other rules in the access control policy.

In some embodiments, in step 301, the access control decision request sent by the PEP may include "provide a suggestion indication"; correspondingly, in step 304, the PDP obtains a list of target objects for which the suggestion is requested to be accessed, and the suggested targets The resource attributes and/or sub-resources contained in the object list can be accessed by the initiator of the access control decision request, and the list of target objects to be accessed by the proposed request is sent to the PEP. The resource attributes in the list of resource attributes that are suggested to be accessed may be the attributes of the resources that are allowed to be accessed, or the intersection of the attributes of the resources that are allowed to be accessed and the attributes of the resources that are requested to be accessed; the sub-resources in the list of sub-resources that are suggested to be accessed It can be the sub-resource that is allowed to access, or the intersection of the sub-resource that is allowed to access and the sub-resource that is requested to access. The resource attributes and/or sub-resources of the target resource suggested to be accessed above may be included in the decision result and sent to the PEP, or may be sent to the PEP alone, which is not limited in the present invention.

That is, the request provides the resource attributes and/or sub-resources of the target resource that is suggested to be accessed, in order to change the access control decision request, so that the changed access control decision request is allowed to access the requested target resource

In the above embodiments of the present invention, on the one hand, the access control decision request includes a target object of the target resource requested to be accessed, wherein the target object includes resource attributes and/or sub-resources of the target resource; The access control policy for the decision request to make an access right decision includes a rule for making an access right decision on the target object of the target resource. Therefore, when the access control decision request is judged according to the above rules, the access to the target resource can be realized. For more detailed control, it is possible to control access to specific attributes and specific sub-resources of the target resource.

In order to understand the above embodiments of the present invention more clearly, a specific implementation process of the above embodiments of the present invention is described below by taking a specific application scenario as an example.

Example 1: In the case of no need to provide suggestions

CSE1 represents a public service entity in the oneM2M system, and AE1, AE2, and AE3 represent three application entities in the oneM2M system, respectively.

After AE1 registers with CSE1, the resources allocated by CSE1 to AE1 are represented by <AE1>.

<ACP1> represents the access control policy resource. <ACP1> contains the access control policy set ACP1. ACP1 contains two strategies, RULE1 and RULE2. Each policy contains in turn: a list of target resources that are allowed to be accessed, a list of resource attributes that are allowed to be accessed, a list of sub-resources that are allowed to be accessed, a list of allowed access initiators, a list of actions that are allowed to act on the target resource, and a list of context conditions. Separate lists with semicolons.

The contents of RULE1 are:

[(<AE1>); (pointOfAccess, ontologyRef); (ALL); (AE1); (Create, Retrieve, Update, Delete); ()]

Among them, (<AE1>) indicates that the target resource that is allowed to access only contains <AE1>; (pointOfAccess, ontologyRef) indicates that the resource attribute that is allowed to access includes the pointOfAccess attribute and the ontologyRef attribute; (ALL) indicates that all sub-resources of the target resource are allowed to access; (AE1) indicates that AE1 is allowed to initiate access; (Create, Retrieve, Update, Delete) indicates that operations on the target resource are allowed to include creation, query, modification and deletion; () indicates that there is no restriction on context conditions.

The contents of RULE2 are:

[(<AE1>); (appName, App-ID, AE-ID, nodeLink); (<container>, <group>); (AE1, AE2, AE3); (Retrieve); ()]

Among them, (<AE1>) indicates that the target resource allowed to access only contains <AE1>; (appName, App-ID, AE-ID, nodeLink) indicates that the resource properties allowed to access include appName attribute, App-ID attribute, AE-ID Attributes and nodeLink attributes; (<container>, <group>) means allowing access to sub-resources of type container and group in the target resource; (AE1, AE2, AE3) means allowing AE1, AE2 and AE3 to initiate access; (Retrieve) means The operations that are allowed to act on the target resource only include queries; () means that there are no restrictions on contextual conditions.

The resource access process of access request 1 may include:

The initiator AE1 initiates a resource access request to the PEP. The content of the resource access request is:

(to="<AE1>"; fr="AE1"; op="Create"; "resourceType="container"; content="resourceName="CONTAINER1"; maxByteSize="1024"")

Among them, to="<AE1>" indicates that the target resource requested to access is <AE1>, fr="AE1" indicates that the initiator of the request is AE1, and op="Create" indicates that the request acts on the target resource. The type is to create a sub-resource, "resourceType="container" indicates that the type of the request to create the sub-resource is container, content="resourceName="CONTAINER1" maxByteSize="1024"" indicates that the name of the request to create the sub-resource is CONTAINER1, and the sub-resource is Occupies 1024 bits.

After receiving the resource access request sent by the AE1, the PEP sends an access control decision request to the PDP according to the resource access request. The content of the access control policy request is:

(to = "<AE1>"; fr = "AE1"; op = "Create"; ASL = "container"")

Among them, the target resource requested by to="<AE1>" is <AE1>, fr="AE1" indicates that the initiator of the request is AE1, and op="Create" indicates the operation type of the request on the target resource. To create a sub-resource, asl="container" means to access the sub-resource of type container in the sub-resource of <AE1>.

After receiving the access control decision request sent by the PEP, the PDP sends an access control policy request to the PRP. The PRP returns ACP1 to the PDP according to the request, and the PDP judges the access control decision request according to the following steps according to ACP1:

First, according to the to parameter and the fr parameter in the access control decision request, it is judged whether the policy in ACP1 is applicable to the access control decision request. Because the to parameter in the access control decision request indicates the request to access <AE1>, and the fr parameter indicates that the initiator is AE1; while both RULE1 and RULE2 in ACP1 allow access to <AE1>, and the allowed access initiators include AE1, so it is judged that The result is that both RULE1 and RULE2 apply.

Secondly, it is judged whether the access control decision request satisfies the context conditions in RULE1 and RULE2. Because neither RULE1 nor RULE2 is restricted by context conditions, the judgment result is that the access control decision request satisfies the context conditions in RULE1 and RULE2.

Then, according to the list of operations allowed to act on the target resource in RULE1 and RULE2, it is judged whether the operation type requested to act on the target resource in the access control decision request is allowed. Because the operation type requested to act on the target resource in the access control decision request is to create, and RULE1 allows the creation of the target resource, but RULE2 does not allow the creation of the target resource, so the access control decision request is only judged according to RULE1. .

Finally, it is judged whether the access-allowed sub-resource list in RULE1 includes all the sub-resources requested to be accessed. Because the sub-resources allowed to be accessed by the initiator in RULE1 are all sub-resources, the judgment result is that the content in the list of sub-resources allowed to be accessed by the initiator in RULE1 includes all the sub-resources requested to be accessed.

After the above judging steps, the decision result of the PDP on the access control decision request is that the access control decision request is allowed to be executed. Therefore, in the access control decision response sent by the PDP to the PEP, the content of the access control decision response is (decision="Permit").

The resource access process of access request 2 may include:

The initiator AE2 initiates a resource access request to the PEP. The content of the resource access request is:

(to="<AE1>"; fr="AE2"; op="Create"; "resourceType="container"; content="resourceName="CONTAINER1"; maxByteSize="1024"")

Among them, to="<AE1>" indicates that the target resource requested to access is <AE1>, fr="AE2" indicates that the initiator of the request is AE2, and op="Create" indicates that the request acts on the target resource. The type is to create a sub-resource, "resourceType="container" indicates that the type of the request to create the sub-resource is container, content="resourceName="CONTAINER1" maxByteSize="1024"" indicates that the name of the request to create the sub-resource is CONTAINER1, and the sub-resource is Occupies 1024 bits.

After receiving the resource access request sent by the AE2, the PEP sends an access control decision request to the PDP according to the resource access request. The content of the access control policy request is:

(to = "<AE1>"; fr = "AE2"; op = "Create"; asl = "container"")

Among them, to="<AE1>" the target resource requested to access is <AE1>, fr="AE2" indicates that the initiator of the request is AE2, and op="Create" indicates the operation type that the request acts on the target resource To create a sub-resource, asl="container" means to access the sub-resource of type container in the sub-resource of <AE1>.

After receiving the access control decision request sent by the PEP, the PDP sends an access control policy request to the PRP. The PRP returns ACP1 to the PDP according to the request, and the PDP judges the access control decision request according to the following steps according to ACP1:

First, according to the to parameter and the fr parameter in the access control decision request, it is judged whether the policy in ACP1 is applicable to the access control decision request. Because the to parameter in the access control decision request indicates the request to access <AE1>, and the fr parameter indicates that the initiator is AE2; while both RULE1 and RULE2 in ACP1 allow access to <AE1>, but only the access initiators allowed by RULE2 include AE2, Therefore, the judgment result is that only RULE2 is applicable.

Second, it is judged whether the access control decision request satisfies the context condition in RULE2. Because there is no context condition restriction in RULE2, the judgment result is that the access control decision request satisfies the context condition in RULE2.

Then, according to the list of operations allowed to act on the target resource in RULE2, it is determined whether the operation type that acts on the target resource in the access control decision request is allowed. Because the operation type that acts on the target resource in the access control decision request is to create, but RULE2 does not allow the creation of the target resource.

After the above judging steps, the PDP judges the access control decision request that the access control decision request is not allowed to be executed. Therefore, in the access control decision response sent by the PDP to the PEP, the content of the access control decision response is (decision="Not Permit").

Example 2: When it is necessary to provide advice and instructions

CSE1 represents a public service entity in the oneM2M system, and AE1, AE2, and AE3 represent three application entities in the oneM2M system, respectively.

After AE1 registers with CSE1, the resources allocated by CSE1 to AE1 are represented by <AE1>.

<ACP2> represents the access control policy resource. <ACP2> contains the access control policy set ACP2. ACP2 contains policy RULE3. The policy includes in turn: a list of target resources that are allowed to be accessed, a list of resource attributes that are allowed to be accessed, a list of sub-resources that are allowed to be accessed, a list of allowed access initiators, a list of actions that are allowed to act on the target resource, and a list of context conditions. Separate lists with semicolons.

<NODE1> indicates that <AE1> is associated with the <node> resource through the nodeLink attribute of the <AE1> resource.

The contents of RULE3 are:

[(<NODE1>);(ALL);(memory;battery;firmware;software;deviceInfo);(AE2,AE3);(Retrieve);()]

Among them, (<NODE1>) indicates that the target resource allowed to access only contains <NODE1>; (ALL) indicates that all resource attributes are allowed to be accessed; (memory; battery; firmware; software; deviceInfo) indicates that access to memory sub-resources and battery sub-resources is allowed. resources, firmware sub-resources, software sub-resources and deviceInfo sub-resources; (AE2, AE3) means that AE2 and AE3 are allowed to initiate access; (Retrieve) means that only operations acting on the target resource are allowed to be query operations; () means that there is no context condition limit.

The resource access process of access request 3 may include:

The initiator AE2 initiates a resource access request to the PEP. The content of the resource access request is:

(to="<NODE1>"; fr="AE2"; op="Retrieve")

Among them, to="<NODE1>" indicates that the target resource requested to access is <NODE1>, fr="AE2" indicates that the initiator of the request is AE2, and op="Retrieve" indicates that the request acts on the target resource. for query.

After receiving the resource access request sent by AE2, the PEP sends an access control decision request to the PDP according to the resource access request. The content of the access control policy request is:

(to="<NODE1>"; fr="AE2"; op="Retrieve"; ar="yes")

Among them, to="<NODE1>" the target resource requested to access is <NODE1>, fr="AE2" indicates that the originator of the request is AE2, and op="Retrieve" indicates that the operation of the request on the target resource is: Query, ar="yes" indicates a request to provide a suggestion indication.

After receiving the access control decision request sent by the PEP, the PDP sends an access control policy request to the PRP, and the PRP returns ACP2 to the PDP according to the request, and the PDP judges the access control decision request according to the following steps according to ACP2:

First, according to the to parameter and the fr parameter in the access control decision request, it is judged whether the policy in ACP2 is applicable to the access control decision request. Because the to parameter in the access control decision request indicates the request to access <NODE1>, and the fr parameter indicates that the initiator is AE2; while RULE3 in ACP2 allows access to <NODE1>, and the allowed access initiator includes AE2, so the judgment result is RULE3 Be applicable.

Second, it is judged whether the access control decision request satisfies the context condition in RULE3. Because there is no context condition restriction in RULE3, the judgment result is that the access control decision request satisfies the context condition in RULE3.

Then, according to the list of operations allowed to act on the target resource in RULE3, it is judged whether the operation requested to act on the target resource in the access control decision request is allowed. Because the operation of the request in the access control decision request acting on the target resource is a query, and RULE3 allows the query operation on the target resource, the judgment result is that the operation in the access control decision request is allowed.

Finally, according to the request to provide the suggestion indication in the access control decision request, the target object list of the target resource that is suggested to be accessed by the request is obtained. Because the initiator in RULE3 is allowed to access all resource attributes, and is allowed to access the memory sub-resource, battery sub-resource, firmware sub-resource, software sub-resource and deviceInfo sub-resource of the target resource, whether the list contains all the target resources requested to be accessed. A child resource of type container. Because the sub-resources of the target resource that the initiator is allowed to access in RULE1 are all sub-resources, it is recommended that the target object list requested for access includes all resource attributes and memory sub-resources, battery sub-resources, firmware sub-resources, software sub-resources, deviceInfo subresource.

After the above steps, the content of the judgment result sent by the PDP to the PEP is (decision="Permit withlimitation"; pal="ALL"; psl="memory; battery; firmware; software; deviceInfo"). Where decision="Permit with limitation" indicates that the access control decision request can access the target resource requested by the access control decision request, but the access has restrictions; pal="ALL" indicates that the access control decision request can access the access All resource attributes of the target resource requested by the control decision request are accessed; psl="memory; battery; firmware; software; deviceInfo" indicates that the access control decision request can request the memory sub-resource of the target resource requested by the access control decision request, The battery sub-resource, firmware sub-resource, software sub-resource, and deviceInfo sub-resource are accessed.

According to the same technical concept, an embodiment of the present invention also provides a policy decision point device. As shown in FIG. 4 , the device includes a receiving module 401 , an obtaining module 402 and a decision module 403 , and further, the device may also include suggestions Module 304.

The receiving module 401 is configured to receive an access control decision request sent by the PEP, where the access control decision request includes a target object requested to be accessed, and the target object includes resource attributes, sub-resources, or resource attributes and sub-resources.

The obtaining module 402 is used to obtain the access control policy for performing access authority judgment on the access control decision request; wherein, the access control policy includes a rule for the target object to perform access authority judgment;

The judgment module 403 is configured to perform an access authority judgment on the above access control decision request according to the obtained access control policy, and return the access authority judgment result to the PEP.

Specifically, the judgment module includes the following six situations when making an access authority judgment on an access control decision request:

Case 1: "Resource attribute access list" is included in the access control decision request

In view of this situation, if the resource attribute of the target resource listed in the "resource attribute access list" in the access control decision request is not in the "access-allowed resource attribute list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the resource attributes of the target resource requested to be accessed listed in the "resource attribute access list" in the access control decision request are in the "accessible resource attribute list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 2: "Subresource Access List" is included in the access control decision request

In view of this situation, if the sub-resource of the target resource listed in the "sub-resource access list" in the access control decision request is not in the "access-allowed sub-resource list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the sub-resources of the target resource listed in the "sub-resource access list" in the access control decision request are in the "access-allowed sub-resource list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 3: "Indication information of target resource" is included in the access control decision request

In response to this situation, if the target resource indicated by the "target resource indication information" in the access control decision request is not in the "access-allowed target resource list" in the access control policy, the decision is to deny the access. Controls access to the target resource requested by the decision request. If the target resource indicated by the "Indication information of the target resource" in the access control decision request is in the "Access-allowed target resource list" in the access control policy, other rules in the access control policy can be further combined. make a judgment.

Case 4: "Originator ID" is included in the access control decision request

In view of this situation, if the initiator of the request for access indicated by the "initiator ID" in the access control decision request is not in the "allowed access initiator list" in the access control policy, the decision is to reject the access control decision Requests the requested target resource for access. If the initiator of the access request indicated by the "initiator ID" in the access control decision request is in the "allowed access initiator list" in the access control policy, the decision can be further combined with other rules in the access control policy .

Case 5: "Operation Type Indication" is included in the access control decision request

In response to this situation, if the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is not in the "list of operations allowed to act on the target resource" in the access control policy, the decision is as follows: Deny access to the target resource requested by this access control decision request. If the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is in the "list of operations allowed to act on the target resource" in the access control policy, the access control policy can be further combined other rules in the judgment.

Scenario 6: "Context Condition List" is included in the Access Control Policy

In response to this situation, if the access control decision request does not satisfy the context conditions contained in the "context condition list" in the access control policy, it is determined to deny access to the target resource requested by the access control decision request. If the access control decision request satisfies the context conditions included in the "context condition list" in the access control policy, the decision may be further combined with other rules in the access control policy.

Specifically, a rule for determining access rights for resource attributes includes a resource attribute list, and the resource attribute list includes one of the following contents:

- One or more resource attributes that are allowed access or an indication of a resource attribute

- An indication that all resource properties are allowed access

- Indication to indicate that access is not allowed for all resource properties

If the above-mentioned rule for judging the access authority of the resource attribute does not include the resource attribute list, the rule indicates that all resource attributes are not allowed to be accessed.

Specifically, the rule for judging the access authority of the sub-resource includes a sub-resource list, and the sub-resource list includes one of the following contents:

-Indication of one or more sub-resources or sub-resources to which access is permitted

- An indication that all subresources are allowed access

- An indication that all subresources are not allowed access

If the above-mentioned rule for judging the access authority of the sub-resource does not include the sub-resource list, the rule indicates that all sub-resources are not allowed to be accessed.

Further, in the above access control decision request, it may also include providing a suggestion instruction, then the device further includes a suggestion module, which is used when the decision made by the judgment module 303 is to deny access to the target resource requested by the access control decision request. , according to the instruction of providing suggestions, obtain a list of target objects that are suggested to be accessed, and the resource attributes and/or sub-resources contained in the list can be accessed by the initiator of the access control decision request; and a list of target objects of the target resources that are suggested to be accessed Sent to PEP.

Based on the same technical idea, the embodiment of the present invention also provides a policy decision point device, which can implement the process of resource access control in the embodiment of the present invention.

Referring to FIG. 5 , which is a schematic structural diagram of a policy decision point apparatus provided by an embodiment of the present invention, the apparatus may include: a processor 501 , a memory 502 , a transceiver 503 , and a bus interface.

The processor 501 is responsible for managing the bus architecture and general processing, and the memory 502 may store data used by the processor 501 in performing operations. The transceiver 503 is used to receive and transmit data under the control of the processor 501 .

The bus architecture may include any number of interconnected buses and bridges, in particular one or more processors represented by processor 501 and various circuits of memory represented by memory 502 linked together. The bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be described further herein. The bus interface provides the interface. Transceiver 503 may be a number of elements, ie, including a transmitter and a transceiver, providing a means for communicating with various other devices over a transmission medium. The processor 501 is responsible for managing the bus architecture and general processing, and the memory 502 may store data used by the processor 501 in performing operations.

The resource access control process disclosed in the embodiments of the present invention may be applied to the processor 501 or implemented by the processor 501 . In the implementation process, each step of the flow of resource access control can be completed by an integrated logic circuit of hardware in the processor 501 or an instruction in the form of software. The processor 501 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the embodiments of the present invention. The disclosed methods, steps, and logical block diagrams of . A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in conjunction with the embodiments of the present invention may be directly embodied as executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software modules may be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other storage media mature in the art. The storage medium is located in the memory 502, and the processor 501 reads the information in the memory 502, and completes the steps of the resource access control flow in combination with its hardware.

Specifically, the processor 501, for reading the program in the memory 502, performs the following processes:

Receive an access control decision request sent by the PEP, where the access control decision request includes a target object to be accessed, and the target object includes resource attributes, sub-resources, or resource attributes and sub-resources.

Acquiring an access control policy for performing access authority judgment on an access control decision request; wherein, the access control policy includes a rule for the target object to perform access authority judgment;

According to the obtained access control policy, an access authority judgment is performed on the above access control decision request, and an access authority judgment result is returned to the PEP.

Specifically, the following six situations are included in the access permission judgment for an access control decision request:

Case 1: "Resource attribute access list" is included in the access control decision request

In view of this situation, if the resource attribute of the target resource listed in the "resource attribute access list" in the access control decision request is not in the "access-allowed resource attribute list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the resource attributes of the target resource requested to be accessed listed in the "resource attribute access list" in the access control decision request are in the "accessible resource attribute list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 2: "Subresource Access List" is included in the access control decision request

In view of this situation, if the sub-resource of the target resource listed in the "sub-resource access list" in the access control decision request is not in the "access-allowed sub-resource list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the sub-resources of the target resource listed in the "sub-resource access list" in the access control decision request are in the "access-allowed sub-resource list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 3: "Indication information of target resource" is included in the access control decision request

In response to this situation, if the target resource indicated by the "target resource indication information" in the access control decision request is not in the "access-allowed target resource list" in the access control policy, the decision is to deny the access. Controls access to the target resource requested by the decision request. If the target resource indicated by the "Indication information of the target resource" in the access control decision request is in the "Access-allowed target resource list" in the access control policy, other rules in the access control policy can be further combined. make a judgment.

Case 4: "Originator ID" is included in the access control decision request

In view of this situation, if the initiator of the request for access indicated by the "initiator ID" in the access control decision request is not in the "allowed access initiator list" in the access control policy, the decision is to reject the access control decision Requests the requested target resource for access. If the initiator of the access request indicated by the "initiator ID" in the access control decision request is in the "allowed access initiator list" in the access control policy, the decision can be further combined with other rules in the access control policy .

Case 5: "Operation Type Indication" is included in the access control decision request

In response to this situation, if the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is not in the "list of operations allowed to act on the target resource" in the access control policy, the decision is as follows: Deny access to the target resource requested by this access control decision request. If the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is in the "list of operations allowed to act on the target resource" in the access control policy, the access control policy can be further combined other rules in the judgment.

Scenario 6: "Context Condition List" is included in the Access Control Policy

In response to this situation, if the access control decision request does not satisfy the context conditions contained in the "context condition list" in the access control policy, it is determined to deny access to the target resource requested by the access control decision request. If the access control decision request satisfies the context conditions included in the "context condition list" in the access control policy, the decision may be further combined with other rules in the access control policy.

Specifically, the rule for determining access rights for resource attributes includes a resource attribute list, and the attribute list includes one of the following contents:

- One or more resource attributes that are allowed access or an indication of a resource attribute

- An indication that all resource properties are allowed access

- Indication to indicate that access is not allowed for all resource properties

If the above-mentioned rule for judging the access authority of the resource attribute does not include the resource attribute list, the rule indicates that all resource attributes are not allowed to be accessed.

Specifically, the rule for judging the access authority of the sub-resource includes a sub-resource list, and the sub-resource list includes one of the following contents:

-Indication of one or more sub-resources or sub-resources to which access is permitted

- An indication that all subresources are allowed access

- An indication that all subresources are not allowed access

If the above-mentioned rule for judging the access authority of the sub-resource does not include the sub-resource list, the rule indicates that all sub-resources are not allowed to be accessed.

Further, in the above-mentioned access control decision request, it may also include providing a suggestion instruction, and when it is determined that the access to the target resource requested by the access control decision request is refused, according to the providing suggestion instruction, obtain the target object list of the suggestion request access, the The resource attributes and/or sub-resources contained in the list can be accessed by the initiator of the access control decision request; and the target object list of the target resources suggested to be accessed by the request is sent to the PEP.

According to the same technical idea, an embodiment of the present invention also provides a resource access control system, as shown in FIG. 2 , the system includes PEP and PDP.

The PEP is used to receive resource access requests and send access control decision requests to the PDP according to the resource access requests.

The PDP is configured to receive an access control decision request sent by the PEP, where the access control decision request includes a target object of the target resource requested to be accessed, and the target object includes resource attributes, sub-resources, or resource attributes and sub-resources of the target resource. Acquiring an access control policy for performing access authority judgment on an access control decision request; wherein, the access control policy includes a rule for performing access authority judgment on the target object of the target resource; the access control policy is obtained according to the acquired access control policy The control decision request is made for access right decision, and the access right decision result is returned to the PEP.

Specifically, when the PDP decides the access authority for the access control decision request, it decides on each rule in the access control policy, which may include the following situations:

Case 1: "Resource attribute access list" is included in the access control decision request

In view of this situation, if the resource attribute of the target resource listed in the "resource attribute access list" in the access control decision request is not in the "access-allowed resource attribute list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the resource attributes of the target resource requested to be accessed listed in the "resource attribute access list" in the access control decision request are in the "accessible resource attribute list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 2: "Subresource Access List" is included in the access control decision request

In view of this situation, if the sub-resource of the target resource listed in the "sub-resource access list" in the access control decision request is not in the "access-allowed sub-resource list" in the access control policy, the decision is to deny Access the target resource requested by the access control decision request. If the sub-resources of the target resource listed in the "sub-resource access list" in the access control decision request are in the "access-allowed sub-resource list" in the access control policy, it can be further combined with the access control policy. other rules for judgment.

Case 3: "Indication information of target resource" is included in the access control decision request

In response to this situation, if the target resource indicated by the "target resource indication information" in the access control decision request is not in the "access-allowed target resource list" in the access control policy, the decision is to deny the access. Controls access to the target resource requested by the decision request. If the target resource indicated by the "Indication information of the target resource" in the access control decision request is in the "Access-allowed target resource list" in the access control policy, other rules in the access control policy can be further combined. make a judgment.

Case 4: "Originator ID" is included in the access control decision request

In view of this situation, if the initiator of the request for access indicated by the "initiator ID" in the access control decision request is not in the "allowed access initiator list" in the access control policy, the decision is to reject the access control decision Requests the requested target resource for access. If the initiator of the access request indicated by the "initiator ID" in the access control decision request is in the "allowed access initiator list" in the access control policy, the decision can be further combined with other rules in the access control policy .

Case 5: "Operation Type Indication" is included in the access control decision request

In response to this situation, if the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is not in the "list of operations allowed to act on the target resource" in the access control policy, the decision is as follows: Deny access to the target resource requested by this access control decision request. If the operation type indicated by the "operation type indication information" in the access control decision request to act on the target resource is in the "list of operations allowed to act on the target resource" in the access control policy, the access control policy can be further combined other rules in the judgment.

Scenario 6: "Context Condition List" is included in the Access Control Policy

In response to this situation, if the access control decision request does not satisfy the context conditions contained in the "context condition list" in the access control policy, it is determined to deny access to the target resource requested by the access control decision request. If the access control decision request satisfies the context conditions included in the "context condition list" in the access control policy, the decision may be further combined with other rules in the access control policy.

Specifically, the rule used to judge the access authority of the resource attribute of the target resource includes a resource attribute list, and the resource attribute list includes one of the following contents:

- one or more resource attributes that are allowed access or an indication of a resource attribute;

- an indication that all resource attributes are allowed access;

- Indication used to indicate that access is not allowed for all resource properties.

If the above-mentioned rule for determining the access authority of the resource attribute of the target resource does not include the resource attribute list, the rule indicates that all resource attributes are not allowed to be accessed.

Specifically, the rule for judging the access rights of the sub-resources of the target resource includes a sub-resource list, and the sub-resource list includes one of the following contents:

- One or more sub-resources or sub-resources that are allowed to be accessed;

- an indication that all sub-resources are allowed access;

- An indication that all subresources are not allowed access.

If the above-mentioned rule for determining the access authority of the sub-resource of the target resource does not include the sub-resource list, the rule indicates that all sub-resources are not allowed to be accessed.

Further, in the above-mentioned access control decision request, it may also include providing a suggestion instruction, and the PDP is also used to: if the decision is to deny access to the target resource requested by the access control decision request, then according to the providing suggestion instruction, obtain the suggestion request. The target object list of the accessed target resource, the target object of the target resource included in the list can be accessed by the initiator of the access control decision request; send the target object list of the target resource that is suggested to be accessed to the PEP.

Specifically, the PEP determines the target object according to a content parameter in the resource access request, where the content parameter includes the resource attribute and/or sub-resource requested to be accessed; or, according to the target resource in the resource access request and the requested operation acting on the target resource Determine the target audience.

The system may further include a PRP, wherein the PRP is used to store an access control policy for making an access right decision for an access control decision request.

The PDP may obtain from the PRP an access control policy for determining the access authority for the access control decision request according to the access control decision request.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device produce Means for implementing the functions specified in a flow or flow of a flowchart and/or a block or blocks of a block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions The apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.

These computer program instructions can also be loaded on a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process such that The instructions provide steps for implementing the functions specified in the flow or blocks of the flowcharts and/or the block or blocks of the block diagrams.

Although preferred embodiments of the present invention have been described, additional changes and modifications to these embodiments may occur to those skilled in the art once the basic inventive concepts are known. Therefore, the appended claims are intended to be construed to include the preferred embodiment and all changes and modifications that fall within the scope of the present invention.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit and scope of the invention. Thus, provided that these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include these modifications and variations.

Claims (24)

1. a resource access control method, is characterized in that, comprises: Receive an access control decision request sent by the policy enforcement point PEP, where the access control decision request includes a target object requested to be accessed, and the target object includes a resource attribute access list of the target resource requested to be accessed and/or a child of the target resource. resource access list; Acquiring an access control policy for judging access rights for the access control decision request; wherein, the access control policy includes rules for judging access rights for the target object, and the rules include resources that are allowed to be accessed Attribute access lists and/or access lists of subresources to which access is permitted; According to the obtained access control policy, an access authority judgment is performed on the access control decision request, and an access authority judgment result is returned to the PEP. 2. The method according to claim 1, wherein the access control decision request is judged according to the obtained access control policy, comprising: If the resource attribute requested to be accessed is not among the resource attributes that are allowed to be accessed by the rule used for judging the access authority of the resource attribute of the target resource, the decision is to deny access to the target resource, and the target resource is the access control the target resource for which access is requested by the decision request; or, If the sub-resource requested to be accessed is not among the sub-resources that are allowed to be accessed by the rule used for judging the access authority of the sub-resource of the target resource, the decision is to deny access to the target resource, and the target resource is the access control The target resource that the decision request requests access to. 3. The method according to claim 1, wherein the access list of resource attributes allowed to access includes one of the following contents: One or more resource attributes or resource attributes that are allowed to be accessed; An indication that all resource attributes are allowed to be accessed; Indication used to indicate that access is not allowed for all resource properties. 4. The method of claim 3, wherein, if the rule for performing access authority judgment on resource attributes does not include a resource attribute access list that allows access, the rule indicates that all resource attributes are not allowed access. 5. The method of claim 1, wherein the sub-resource access list includes one of the following contents: One or more sub-resources or sub-resources that are allowed to be accessed; An indication that all sub-resources are allowed to access; An indication that all subresources are not allowed access. 6 . The method of claim 5 , wherein, if the rule for judging the access authority of the sub-resource does not include a sub-resource access list, the rule indicates that all sub-resources are not allowed to access. 7 . 7. The method of claim 1, wherein the access control decision request further comprises indication information of the target resource requested to be accessed; The access control policy for performing access authority judgment on the access control decision request further includes a list of target resources that are allowed to be accessed; The performing authority judgment on the access control decision request according to the obtained access control policy, including: If the indication information of the target resource in the access control decision request is not in the access-allowed target resource list, it is determined to deny access to the target resource requested by the access control decision request. 8. The method of claim 1, wherein the access control decision request further comprises providing a suggestion indication; The method also includes: If it is determined that access to the target resource requested by the access control decision request is denied, according to the providing suggestion instruction, a list of target objects suggested to be accessed by the request is obtained, and the resource attributes and/or sub-resources contained in the list can be accessed by The initiator of the access control decision request is accessed; The list of target objects for which the proposed request is to be accessed is sent to the PEP. 9. The method according to any one of claims 1 to 8, wherein the access control decision request further comprises: initiator identification and operation type indication information, wherein the operation type indication information is used to indicate the request The type of operation that acts on the target resource; The access control policy for performing access authority judgment on the access control decision request further includes: a list of permitted access initiators, a list of operations permitted to act on the target resource, and a list of contextual conditions; The access authority judgment on the access control decision request according to the obtained access control policy includes: If one of the following conditions is met, the decision is to deny access to the target resource requested by the access control decision request: The initiator identifier is not in the allowed access initiator list; The operation type indicated by the operation type indication information is not in the list of operations allowed to act on the target resource; The access control decision request does not satisfy the context condition in the context condition list. 10. A strategy decision point device, comprising: The receiving module is configured to receive an access control decision request sent by the policy enforcement point PEP, where the access control decision request includes a target object requested to be accessed, and the target object includes a resource attribute access list and/or an access list of the target resource requested to be accessed. The sub-resource access list of the target resource; an obtaining module, configured to obtain an access control policy used to judge the access authority for the access control decision request; wherein, the access control policy includes a rule used to judge the access authority of the target object, and the rule Include the access list of resource attributes that are allowed to access and/or the access list of sub-resources that are allowed to access; A judgment module, configured to perform an access authority judgment on the access control decision request according to the obtained access control policy, and return an access authority judgment result to the PEP. 11. The apparatus of claim 10, wherein the decision module is specifically configured to: If the resource attribute requested to be accessed is not among the resource attributes that are allowed to be accessed by the rule used for judging the access authority of the resource attribute of the target resource, the decision is to deny access to the target resource, and the target resource is the access control the target resource for which access is requested by the decision request; or, If the sub-resource requested to be accessed is not among the sub-resources that are allowed to be accessed by the rule used for judging the access authority of the sub-resource of the target resource, the decision is to deny access to the target resource, and the target resource is the access control The target resource that the decision request requests access to. 12. The apparatus according to claim 10, wherein the access-allowed resource attribute access list includes one of the following contents: One or more resource attributes or resource attributes that are allowed to be accessed; An indication that all resource attributes are allowed to be accessed; Indication used to indicate that access is not allowed for all resource properties. 13. The apparatus according to claim 12, wherein, if the rule for judging access rights to resource attributes does not include a resource attribute access list that allows access, the rule indicates that all resource attributes are not allowed access. 14. The apparatus according to claim 10, wherein the sub-resource access list includes one of the following contents: One or more sub-resources or sub-resources that are allowed to be accessed; An indication that all sub-resources are allowed to access; An indication that all subresources are not allowed access. 15. The apparatus according to claim 14, wherein, if the rule for judging the access authority of the sub-resource does not include a sub-resource access list, the rule indicates that all sub-resources are not allowed to be accessed. 16. The apparatus of claim 10, wherein the access control decision request further comprises indication information of the target resource requested to be accessed; The access control policy for performing access authority judgment on the access control decision request further includes a list of target resources that are allowed to be accessed; The decision module is specifically used for: If the indication information of the target resource in the access control decision request is not in the access-allowed target resource list, it is determined to deny access to the target resource requested by the access control decision request. 17. The apparatus of claim 10, wherein the access control decision request further comprises providing a suggestion indication; The apparatus also includes an advice module for: If it is determined that access to the target resource requested by the access control decision request is denied, according to the providing suggestion instruction, a list of target objects suggested to be accessed by the request is obtained, and the resource attributes and/or sub-resources contained in the list can be accessed by The initiator of the access control decision request is accessed; The list of target objects for which the proposed request is to be accessed is sent to the PEP. 18. A resource access control system, comprising: a policy enforcement point PEP and a policy decision point PDP; The PEP is configured to receive a resource access request, and send an access control decision request to the PDP according to the resource access request, where the access control decision request includes a target object for requesting access, and the target object includes a request for access. The resource attribute access list of the target resource and/or the sub-resource access list of the target resource; The PDP is configured to obtain an access control policy for performing access authority judgment on the access control decision request, wherein the access control policy includes a rule for performing access authority judgment on the target object, the The rule includes a resource attribute access list that allows access and/or a sub-resource access list that allows access; and, according to the obtained access control policy, the access control decision request is subjected to an access authority judgment, and an access authority judgment is returned to the PEP result. 19. The system of claim 18, wherein the PDP is specifically used to: If the resource attribute requested to be accessed is not among the resource attributes that are allowed to be accessed by the rule for judging the access authority to the resource attribute for the target resource, the decision is to deny access to the target resource, and the target resource is the access control the target resource for which access is requested by the decision request; or, If the sub-resource requested to be accessed is not among the sub-resources that are allowed to be accessed by the rule for judging the access authority to the sub-resource for the target resource, the decision is to deny access to the target resource, and the target resource is the access control The target resource that the decision request requests access to. 20. The system according to claim 18, wherein the access list of resource attributes allowed to be accessed includes one of the following contents: One or more resource attributes or resource attributes that are allowed to be accessed; An indication that all resource attributes are allowed to be accessed; Indication used to indicate that access is not allowed for all resource properties. 21. The system according to claim 20, wherein, if the rule for performing access authority judgment on resource attributes does not include a resource attribute access list that allows access, the rule indicates that all resource attributes are not allowed access. 22. The system of claim 18, wherein the sub-resource access list includes one of the following: One or more sub-resources or sub-resources that are allowed to be accessed; An indication that all sub-resources are allowed to access; An indication that all subresources are not allowed access. 23. The system according to claim 22, wherein, if the rule for judging the access rights of the sub-resources does not include a sub-resource access list, the rule indicates that all sub-resources are not allowed to be accessed. 24. The system of claim 18, wherein the access control decision request further comprises indication information of the target resource requested to be accessed; The access control policy for performing access authority judgment on the access control decision request further includes a list of target resources that are allowed to be accessed; The PDP is specifically used for: If the indication information of the target resource in the access control decision request is not in the access-allowed target resource list, it is determined to deny access to the target resource requested by the access control decision request.

Images