CN107103230A - A permission control method and system - Google Patents
A permission control method and system
- Publication number
- CN107103230A (application CN201710272381.2A)
- Authority
- CN
- China
- Prior art keywords
- called
- authority
- call
- session
- access rights
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The embodiment of the invention discloses a permission control method and system. The method includes: when a process of an application program makes a system call, obtaining the session information to which the system call belongs; performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs; and, when the system call satisfies both the session permission and the system's own access rights, executing the current system call and performing the system-call return. A session-permission check is introduced for the application program's system-call requests and combined with the system's own access rights, so that permissions are verified when a system call is made on the server and the execution permission of the application program is controlled; in this way the permission control applied when a process makes a system call is no longer limited to the attributes of the process owner and the file.
Description
Technical field
The present invention relates to the technical field of access-rights management, and in particular to a permission control method and system.
Background
With the development of science and technology, more and more Internet users obtain the shared resources of external networks by way of remote access. To achieve remote access, the user's client must connect to the server by way of remote login; the server then queries the corresponding information in its database and returns it to the client.
In Internet applications, however, the server provides different services to different users, i.e. different clients have different corresponding access rights, and each client can only obtain the information in the database that lies within its own access rights. Usually, while a user is accessing the server remotely, the server judges the permission of each system call, and in the normal case this acts directly on the data (files and directories) of the file system and on the database. A system call here means a process trapping into the operating-system kernel to execute a system function, such as creating a file, modifying a file or executing a program. System permission usually means the permission in force when the system call is made, which in the typical case is determined by the file attributes and by the owner and group the process runs as. When a process executes a system call, it is therefore restricted by the attributes of the process owner and of the file.
How to achieve permission control, when a process executes a system call, that is not limited to the attributes of the process owner and the file is thus a technical problem that those skilled in the art currently need to solve.
Summary of the invention
The object of the present invention is to provide a permission control method and system that can achieve permission control, when a process executes a system call, that is not limited to the attributes of the process owner and the file.
To solve the above technical problem, the invention provides the following technical solution:
A permission control method, including:
when a process of an application program makes a system call, obtaining the session information to which the system call belongs;
performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs;
when the system call satisfies both the session permission and the system's own access rights, executing the current system call and performing the system-call return.
Preferably, performing the permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs includes:
judging whether the current system call is within the session permission corresponding to the session information;
if so, judging whether the current system call is within the system's own access rights.
Preferably, executing the current system call and performing the system-call return when the system call satisfies both the session permission and the system's own access rights includes:
if it is determined that the current system call is within the system's own access rights, executing the current system call;
performing the system-call return after the current system call completes.
Preferably, after executing the current system call, the method further includes:
judging whether the result of the current system call is within the session permission;
if so, performing the system-call return;
if not, clearing the returned data of the system call and then performing the system-call return.
A permission control system, including:
an acquisition module, for obtaining the session information to which a system call belongs when a process of an application program makes the system call;
a permission check module, for performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs;
an execution module, for executing the current system call and performing the system-call return when the system call satisfies both the session permission and the system's own access rights.
Preferably, the permission check module includes:
a first judging unit, for judging whether the current system call is within the session permission corresponding to the session information;
a second judging unit, for judging whether the current system call is within the system's own access rights when the first judging unit judges that the current system call is within the session permission corresponding to the session information.
Preferably, the execution module includes:
a system call unit, for executing the current system call when the second judging unit judges that the current system call is within the system's own access rights;
a call return unit, for performing the system-call return after the current system call completes.
Preferably, the execution module further includes:
a third judging unit, for judging, after the system call unit has executed the current system call, whether the result of the current system call is within the session permission, and sending a system-call return control signal to the call return unit when the result of the current system call is within the session permission;
a data clearing unit, for clearing the returned data of the system call when the third judging unit judges that the result of the current system call is not within the session permission, and then sending a system-call return control signal to the call return unit.
Compared with the prior art, the above technical solution has the following advantages:
The permission control method provided by the embodiment of the invention includes: when a process of an application program makes a system call, obtaining the session information to which the system call belongs; performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs; and, when the system call satisfies both the session permission and the system's own access rights, executing the current system call and performing the system-call return. A session-permission check is introduced for the application program's system-call requests and combined with the system's own access rights to verify permissions when a system call is made on the server, so as to control the permissions of the application program; in this way permission control when a process executes a system call is no longer limited to the attributes of the process owner and the file.
Brief description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of the permission control method provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the permission control system provided by an embodiment of the invention.
Detailed description of the embodiments
The core of the present invention is to provide a permission control method and system that can achieve permission control, when a process executes a system call, that is not limited to the attributes of the process owner and the file.
To make the above objects, features and advantages of the invention clearer and easier to understand, the embodiments of the invention are described in detail below with reference to the accompanying drawings.
Many specific details are set forth in the following description so that the invention can be fully understood. The invention can, however, be implemented in many ways other than those described here, and those skilled in the art can make similar generalisations without departing from the spirit of the invention. The invention is therefore not limited by the specific embodiments disclosed below.
Referring to Fig. 1, which is a flow chart of the permission control method provided by an embodiment of the invention.
An embodiment of the invention provides a permission control method, including:
S11: when a process of an application program makes a system call, obtaining the session information to which the system call belongs.
S12: performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs.
S13: when the system call satisfies both the session permission and the system's own access rights, executing the current system call and performing the system-call return.
In this embodiment, when a client accesses the server through a preset application program in order to obtain data from the database, a session for system calls is established between the client and the server. The session information of this session is obtained here. The session information can indicate which role the session belongs to, i.e. the client or user to which the session belongs, and the identity of each role in the system carries a set of operating-right configurations; different session information corresponds to different session permissions. When a user wants to make a system call, both the session permission and the service system's own access rights must be checked: the session-permission check judges the data access rights of the role corresponding to the session, and the check of the service system's own access rights judges the data access rights that the system can provide to that role. Only when the data of the system call passes the session-permission check and then also passes the check of the system's own access rights is the current system call executed; after the current system call has completed, the system-call return is performed and the next system call can be executed.
Here the session permission states the access rights of the role corresponding to the session, so that when judging whether a system call satisfies the permission there is no need to also examine the attributes of the file the system call operates on and of the owner the process runs as, which greatly simplifies the permission judgement. A session-permission check is introduced for the application program's system-call requests and combined with the system's own access rights to verify permissions when a system call is made on the server, so as to control the permissions of the application program; in this way permission control when a process executes a system call is no longer limited to the attributes of the process owner and the file.
It should be noted that, during the whole communication service described here, the system calls mainly include the file read/write system calls made by the application program to the disk file system, and the system calls made by the application program to connect to, read from and write to the database of the database program; the permission check is performed for system calls in both cases.
It should also be noted that system calls also include those made by the database program itself to read and write its database data. Since a permission check there is of little technical significance, in this embodiment these system calls may be exempted from the permission check.
In an embodiment of the invention, performing the permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs includes: judging whether the current system call is within the session permission corresponding to the session information; if so, judging whether the current system call is within the system's own access rights.
Executing the current system call and performing the system-call return when the system call satisfies both the session permission and the system's own access rights includes: if it is determined that the current system call is within the system's own access rights, executing the current system call; performing the system-call return after the current system call completes.
In this embodiment, after the session information of the system call has been obtained, it is first judged whether the current system call is within the session permission, i.e. the session permission is used to detect whether the system call lies within the scope of rights of the role corresponding to the session. If that check passes, it is judged whether the current system call is within the system's own access rights, i.e. whether the system has opened the corresponding right to the role of that session. If this check also passes, the current system call is executed.
It should be noted that if it is determined that the current system call is not within the session permission corresponding to the session information, the check has failed and the system-call return is entered directly.
Further, in an embodiment of the invention, after the current system call has been executed, the method further includes:
judging whether the result of the current system call is within the session permission;
if so, performing the system-call return;
if not, clearing the returned data of the system call and then performing the system-call return.
In this embodiment, the result obtained after executing the system call may differ from what was known before the call, and the post-call result may not satisfy the session permission and/or the system's own call permission. Therefore, after the system call has been executed, a permission verification is also performed on the result of the current system call, to further refine the permission control of system calls.
It should be noted that clearing the returned data of the system call and then performing the system-call return means returning from the system call with the returned content cleared, so that subsequent processing can continue.
It should also be noted that in the present invention, after the session information of the system call has been obtained, the check of the system's own access rights may instead be performed first; if that check passes, the system call is executed directly, and the session-permission check is then applied to the result of the system call. This likewise achieves permission control, when a process executes a system call, that is not limited to the attributes of the process owner and the file.
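The two-stage check of steps S11 to S13, the result check after execution, and the alternative ordering just described, as an added example that is not part of the patent (the patent itself gives no code): a Python model in which a session resolves to a role, permissions are sets of (operation, resource) pairs, and a call's result is a list of records tagged with the resource they belong to. The session table, the permission sets, the constructed backing store and the `handle_syscall` function are all assumptions made for this example; `session_first=False` selects the alternative ordering in which only the system's own rights are checked before execution and the session permission is applied to the result.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class SysCall:
    name: str            # operation: "read_file", "write_file", "db_query", ...
    resource: str        # file path or database table the call targets
    caller: str = "app"  # "app" = application process; "dbms" = the database program itself

@dataclass
class SysCallReturn:
    executed: bool       # whether the call was actually performed
    data: List[dict]     # returned data (empty when denied or cleared)
    reason: str          # which stage decided the outcome

# --- Constructed sample policy (assumptions for this example, not from the patent) ---
SESSIONS = {"sess-1": "analyst", "sess-2": "admin"}   # session id -> role

SESSION_PERMISSIONS = {   # role -> (operation, resource) pairs the role may request
    "analyst": {("read_file", "/srv/reports"), ("db_query", "reports")},
    "admin":   {("read_file", "/srv/reports"), ("write_file", "/srv/reports"),
                ("db_query", "reports"), ("db_query", "users")},
}

# Rights the server process itself holds, independent of who is calling.
# "users" is deliberately absent: even an admin session cannot reach it through this process.
SYSTEM_PERMISSIONS = {("read_file", "/srv/reports"), ("write_file", "/srv/reports"),
                      ("db_query", "reports")}

# Constructed backing store. A query on "reports" also yields a row belonging to "users"
# (think of a join); that is what the post-execution check exists to catch.
DATASTORE = {
    "reports":      [{"resource": "reports", "id": 1, "body": "q1 summary"},
                     {"resource": "users",   "id": 7, "body": "joined user row"}],
    "/srv/reports": [{"resource": "/srv/reports", "id": 2, "body": "report file"}],
}

def perform(call: SysCall) -> List[dict]:
    """Stand-in for executing the call in the kernel/database; returns the records produced."""
    return list(DATASTORE.get(call.resource, []))

def in_session_authority(role: str, call: SysCall) -> bool:
    """Session permission: may this role issue this operation on this resource?"""
    return (call.name, call.resource) in SESSION_PERMISSIONS.get(role, set())

def in_system_authority(call: SysCall) -> bool:
    """System's own access rights: is the server process allowed to do this at all?"""
    return (call.name, call.resource) in SYSTEM_PERMISSIONS

def result_within_session(role: str, data: List[dict]) -> bool:
    """Post-execution check: every returned record must belong to a resource the session may see."""
    visible = {res for _, res in SESSION_PERMISSIONS.get(role, set())}
    return all(rec["resource"] in visible for rec in data)

def handle_syscall(session_id: str, call: SysCall, session_first: bool = True) -> SysCallReturn:
    # S11: resolve the session the call belongs to.
    role = SESSIONS.get(session_id)
    if role is None:
        return SysCallReturn(False, [], "unknown session")

    # The embodiment exempts the database program's own reads/writes of its data.
    if call.caller == "dbms":
        return SysCallReturn(True, perform(call), "dbms-internal call: not checked")

    # S12: permission check. Primary ordering: session permission, then system rights.
    # Alternative ordering (session_first=False): only system rights before execution.
    if session_first and not in_session_authority(role, call):
        return SysCallReturn(False, [], "denied: outside session authority")
    if not in_system_authority(call):
        return SysCallReturn(False, [], "denied: outside system's own access rights")

    # S13: execute the call.
    data = perform(call)

    # Result check (claim 4): the result must lie within the session permission,
    # otherwise the returned data is cleared before returning.
    if not result_within_session(role, data):
        return SysCallReturn(True, [], "executed, returned data cleared: result outside session authority")
    return SysCallReturn(True, data, "ok")

if __name__ == "__main__":
    for sid, call in [("sess-1", SysCall("read_file", "/srv/reports")),
                      ("sess-1", SysCall("write_file", "/srv/reports")),
                      ("sess-2", SysCall("db_query", "users")),
                      ("sess-1", SysCall("db_query", "reports")),
                      ("sess-2", SysCall("db_query", "reports"))]:
        r = handle_syscall(sid, call)
        print(f"{sid} {call.name}({call.resource}): executed={r.executed} rows={len(r.data)} {r.reason}")
```

Two things the model makes visible. First, the post-check as the patent states it clears the whole return when any record falls outside the session permission, so the analyst's `db_query` on `reports` comes back empty because one joined row belongs to `users`; a per-record filter would be the obvious refinement. Second, with `session_first=False` an analyst's `write_file`, which the session never permitted, is executed because the system's own rights allow it, and only its returned data is subjected to the session check; the side effect of the write has already happened. The primary ordering refuses such a call before it runs.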
Referring to Fig. 2, which is a schematic structural diagram of the permission control system provided by an embodiment of the invention.
Correspondingly, the invention also provides a permission control system, including:
an acquisition module 1, for obtaining the session information to which a system call belongs when a process of an application program makes the system call;
a permission check module 2, for performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs;
an execution module 3, for executing the current system call and performing the system-call return when the system call satisfies both the session permission and the system's own access rights.
In this embodiment, the session permission states the access rights of the role corresponding to the session, so that when checking whether a system call satisfies the permission there is no need to also examine the attributes of the file the system call operates on and of the owner the process runs as, which greatly simplifies the permission judgement. A session-permission check is introduced for the application program's system-call requests and combined with the system's own access rights to verify permissions when a system call is made on the server, so as to control the permissions of the application program; in this way permission control when a process executes a system call is no longer limited to the attributes of the process owner and the file.
In an embodiment of the invention, the permission check module includes: a first judging unit, for judging whether the current system call is within the session permission corresponding to the session information; and a second judging unit, for judging whether the current system call is within the system's own access rights when the first judging unit judges that the current system call is within the session permission corresponding to the session information.
The execution module includes: a system call unit, for executing the current system call when the second judging unit judges that the current system call is within the system's own access rights; and a call return unit, for performing the system-call return after the current system call completes.
In this embodiment, after the session information of the system call has been obtained, it is first judged whether the current system call is within the session permission, i.e. the session permission is used to detect whether the system call lies within the scope of rights of the role corresponding to the session. If that check passes, it is judged whether the current system call is within the system's own access rights, i.e. whether the system has opened the corresponding right to the role of that session. If this check also passes, the current system call is executed.
Further, the execution module also includes: a third judging unit, for judging, after the system call unit has executed the current system call, whether the result of the current system call is within the session permission, and sending a system-call return control signal to the call return unit when the result is within the session permission; and a data clearing unit, for clearing the returned data of the system call when the third judging unit judges that the result of the current system call is not within the session permission, and then sending a system-call return control signal to the call return unit.
In this embodiment, because the data may change after the system call has been executed, a permission verification is also performed on the result of the current system call after execution, to further refine the permission control of system calls.
In summary, with the permission control method and system provided by the invention, when a user wants to make a system call, both the session permission and the service system's own access rights are checked: the session-permission check judges the data access rights of the role corresponding to the session, and the check of the service system's own access rights judges the data access rights that the system can provide to that role. Only when the data of the system call passes the session-permission check and then also the check of the system's own access rights is the current system call executed; after the current system call has completed, the system-call return is performed and the next system call can be executed. There is no need to also examine the attributes of the file the system call operates on and of the owner the process runs as, which greatly simplifies the permission judgement. A session-permission check is introduced for the application program's system-call requests and combined with the system's own access rights to verify permissions when a system call is made on the server, so as to control the permissions of the application program; in this way permission control when a process executes a system call is no longer limited to the attributes of the process owner and the file.
The permission control method and system provided by the invention have been described in detail above. Specific examples have been used here to explain the principle and embodiments of the invention, and the description of the above embodiments is only intended to help understand the invention and its core idea. It should be pointed out that those skilled in the art can make various improvements and modifications to the invention without departing from its principle, and such improvements and modifications also fall within the scope of protection of the claims of the invention.
Claims (8)
1. A permission control method, characterised by including:
when a process of an application program makes a system call, obtaining the session information to which the system call belongs;
performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs;
when the system call satisfies both the session permission and the system's own access rights, executing the current system call and performing the system-call return.
2. The method according to claim 1, characterised in that performing the permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs includes:
judging whether the current system call is within the session permission corresponding to the session information;
if so, judging whether the current system call is within the system's own access rights.
3. The method according to claim 2, characterised in that executing the current system call and performing the system-call return when the system call satisfies both the session permission and the system's own access rights includes:
if it is determined that the current system call is within the system's own access rights, executing the current system call;
performing the system-call return after the current system call completes.
4. The method according to any one of claims 1 to 3, characterised in that, after executing the current system call, the method further includes:
judging whether the result of the current system call is within the session permission;
if so, performing the system-call return;
if not, clearing the returned data of the system call and then performing the system-call return.
5. A permission control system, characterised by including:
an acquisition module, for obtaining the session information to which a system call belongs when a process of an application program makes the system call;
a permission check module, for performing a permission check on the system call according to the session permission corresponding to the session information and the own access rights of the system in which the process runs;
an execution module, for executing the current system call and performing the system-call return when the system call satisfies both the session permission and the system's own access rights.
6. The system according to claim 5, characterised in that the permission check module includes:
a first judging unit, for judging whether the current system call is within the session permission corresponding to the session information;
a second judging unit, for judging whether the current system call is within the system's own access rights when the first judging unit judges that the current system call is within the session permission corresponding to the session information.
7. The system according to claim 6, characterised in that the execution module includes:
a system call unit, for executing the current system call when the second judging unit judges that the current system call is within the system's own access rights;
a call return unit, for performing the system-call return after the current system call completes.
8. The system according to any one of claims 5 to 7, characterised in that the execution module further includes:
a third judging unit, for judging, after the system call unit has executed the current system call, whether the result of the current system call is within the session permission, and sending a system-call return control signal to the call return unit when the result of the current system call is within the session permission;
a data clearing unit, for clearing the returned data of the system call when the third judging unit judges that the result of the current system call is not within the session permission, and then sending a system-call return control signal to the call return unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710272381.2A CN107103230A (en) | 2017-04-24 | 2017-04-24 | A kind of authority control method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107103230A true CN107103230A (en) | 2017-08-29 |
Family
ID=59656383
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710272381.2A Pending CN107103230A (en) | 2017-04-24 | 2017-04-24 | A kind of authority control method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107103230A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1773413A (en) * | 2004-11-10 | 2006-05-17 | 中国人民解放军国防科学技术大学 | Character constant weight method |
CN1854961A (en) * | 2005-04-28 | 2006-11-01 | 中国科学院软件研究所 | Strategy and method for realizing minimum privilege control in safety operating system |
EP2194456A1 (en) * | 2008-12-05 | 2010-06-09 | NTT DoCoMo, Inc. | Method and apparatus for performing a file operation |
CN104052775B (en) * | 2013-03-14 | 2016-11-23 | 腾讯科技(深圳)有限公司 | Right management method, device and the system of a kind of cloud platform service |
Timeline
- 2017-04-24: CN201710272381.2A filed (CN107103230A); status: Pending
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | Application publication date: 20170829 |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |