CN107104931A - A kind of access control method and platform - Google Patents

A kind of access control method and platform

Publication number: CN107104931A
Application number: CN201610100346.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 童遥, 申光
Original and current assignee: ZTE Corp
Legal status: Pending
Related application: PCT/CN2017/074311 (WO2017143975A1)

Classifications

    • H04L9/40 Network security protocols (under H04L9/00, cryptographic mechanisms or arrangements for secret or secure communications)
    • H04L63/102 Entity profiles (under H04L63/10, network architectures or protocols for controlling access to devices or network resources)
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general

Abstract

The present invention discloses an access control method and platform. A resource access request that a user initiates to the platform is received; the request contains the user account and the target resource. The role and role permissions that correspond to the user within the tenant the user account belongs to are obtained, and the role permissions are used to judge whether that role holds the permission to access the target resource. If it does, the target resource is provided to the user; if it does not, the request is refused. With this method, the data of different tenants are effectively isolated when users access resources on the platform, so that the data of every tenant on the same platform remains secure.

Description

A kind of access control method and platform
Technical field
The present invention relates to the security field of cloud computing data centers, and in particular to an access control method and platform.
Background technology
In the cloud computing data center field, SaaS (Software as a Service) is a new software application model that greatly reduces an enterprise's investment in information infrastructure. The SaaS model is generally divided into four maturity levels. When SaaS reaches the third level, the multi-tenant model, it must allow each tenant to configure its own basic data and must isolate the data of different tenants, so that each tenant's data is sufficiently secure. Whether this model is secure enough while remaining manageable is a problem that urgently needs solving: in the multi-tenant model, tenant data in the same instance is at risk of unauthorized access by other tenants.
The mainstream access control methods in use today are discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). Current research on the SaaS model is mostly based on the traditional RBAC model, which is a single-layer management model: access control is applied at the platform level. Platform roles are divided into regular roles and manager roles; regular roles perform the platform's business functions, and manager roles create roles and assign permissions within the platform. However, in traditional RBAC the assignment and partitioning of roles over the whole platform's resources is global: access control policies cannot be customized per tenant, the regular and manager roles of different tenants cannot be separated, and so the data of different tenants on the same platform cannot be managed in isolation. At the same time, the platform administrator holds part of the tenant administrator's permissions, so through permission inheritance the platform administrator can intervene in a tenant's business, which harms the tenant's data security. Traditional RBAC also cannot tailor the platform's functional resources to a tenant's needs, so tenants pay for functional resources they do not need, which reduces tenant satisfaction.
Summary of the invention
The main technical problem to be solved by the present invention is to provide an access control method and platform that overcome the inability of the prior art to isolate the data of different tenants on the same platform, which leaves the data security of each tenant without effective assurance.
To solve the above technical problem, the present invention provides an access control method, comprising:
receiving a resource access request that a user initiates to the platform, the request containing the user account and the target resource;
obtaining, according to the user account, the user's corresponding role and role permissions within the tenant the user belongs to;
judging, according to the role permissions, whether the role holds the permission to access the target resource;
if it holds the permission to access the target resource, providing the target resource to the user; if it does not, refusing to provide the target resource to the user.
In an embodiment of the present invention, before receiving the resource access request that the user initiates to the platform, the method further comprises:
receiving a registration application that the tenant initiates to the platform and reviewing it;
after the review passes, generating a tenant administrator and authorizing the resources selected by the tenant administrator.
In an embodiment of the present invention, generating the tenant administrator after the review passes and authorizing the resources selected by the tenant administrator comprises:
generating the tenant administrator for the tenant;
having the tenant administrator perform role creation, permission assignment and resource selection;
authorizing according to the selected resources.
In an embodiment of the present invention, the roles created by the tenant administrator comprise tenant regular roles and tenant manager roles, and the tenant manager roles manage the tenant regular roles.
In an embodiment of the present invention, after authorizing the resources selected by the tenant administrator and before receiving the resource access request that the user initiates to the platform, the method further comprises:
receiving a management request that a management user initiates to the platform, the management request containing the management user account and the target management object;
obtaining, according to the management user account, the management user's corresponding role and role permissions within the tenant;
determining the range of management of the management user according to the role permissions;
judging, according to the range of management, whether the role holds the permission to manage the target management object;
if it holds the permission to manage the target management object, allowing the management user to manage the target management object; if it does not, refusing the management user's management of the target management object.
In an embodiment of the present invention, the platform comprises platform regular roles and platform manager roles, and the platform manager roles manage the platform regular roles.
Further, the present invention also provides an access control platform, comprising:
a third receiving module, for receiving the resource access request that a user initiates to the platform, the request containing the user account and the target resource;
a first acquisition module, for obtaining, according to the user account, the user's corresponding role and role permissions within the tenant the user belongs to;
a first judging module, for judging, according to the role permissions, whether the role holds the permission to access the target resource;
a first processing module, for providing the target resource to the user if the role holds the permission to access the target resource, and for refusing to provide the target resource to the user if it does not.
In an embodiment of the present invention, the platform further comprises, before the third receiving module receives the resource access request that the user initiates to the platform:
a first receiving module, for receiving the registration application that the tenant initiates to the platform and reviewing it;
an authorization module, for generating the tenant administrator after the review passes and authorizing the resources selected by the tenant administrator.
In an embodiment of the present invention, the authorization module comprises:
a generation submodule, for generating the tenant administrator for the tenant;
a configuration submodule, for performing role creation, permission assignment and resource selection through the tenant administrator;
an authorization submodule, for authorizing according to the selected resources.
In an embodiment of the present invention, the platform further comprises, after the authorization module authorizes according to the selected resources and before the third receiving module receives the resource access request that the user initiates to the platform:
a second receiving module, for receiving the management request that a management user initiates to the platform, the management request containing the management user account and the target management object;
a second acquisition module, for obtaining, according to the management user account, the management user's corresponding role and role permissions within the tenant;
a determining module, for determining the range of management of the management user according to the role permissions;
a second judging module, for judging, according to the range of management, whether the role holds the permission to manage the target management object;
a second processing module, for allowing the management user to manage the target management object if the role holds the permission to manage it, and for refusing the management user's management of the target management object if it does not.
The beneficial effects of the invention are as follows:
The invention provides an access control method and platform: a resource access request that a user initiates to the platform is received, the request containing the user account and the target resource; the user's corresponding role and role permissions within the tenant the user belongs to are obtained according to the user account; the role permissions are then used to judge whether the role holds the permission to access the target resource; if so, the target resource is provided to the user, otherwise the platform refuses to provide it. With this implementation, when a user accesses resources on the platform, the role permissions within the user's tenant are used to verify whether the user may access the target resource, which effectively isolates the data of different tenants and ensures the data security of every tenant on the same platform. By contrast, the existing role-based access control model is a single-layer management model whose access control policy makes the allocation of all system resources and the division of the role hierarchy global: tenants cannot independently partition roles, assign permissions and select resources, and the data of different tenants on the same platform cannot be effectively isolated and managed during resource access, so tenants' privacy cannot be guaranteed. The access control method provided by this application isolates the data of each tenant and thereby improves the security of tenant privacy more flexibly and effectively.
In addition, this application introduces the tenant concept into the role-based access control model, adds tenant regular roles and tenant manager roles, and extends the single-layer management model into a two-layer management model (a platform layer and a tenant layer), so that the platform and tenant management models are partly separated and platform administrators cannot intervene in tenants; at the same time, tenants can customize the platform according to their own needs, so users do not pay for platform resources they do not need.
Brief description of the drawings
Fig. 1 is the SaaS system structure diagram provided by embodiment one of the present invention;
Fig. 2 is the user resource access control flow chart provided by embodiment one of the present invention;
Fig. 3 is the enterprise registration flow chart provided by embodiment one of the present invention;
Fig. 4 is the management user management control flow chart provided by embodiment one of the present invention;
Fig. 5 is the access control platform schematic diagram provided by embodiment two of the present invention.
Embodiment
The present invention is described in further detail below through embodiments combined with the accompanying drawings.
Embodiment one:
The invention provides an access control method; see the SaaS system structure diagram shown in Fig. 1. Fig. 1 contains the following basic elements:
Tenant: an enterprise that uses the SaaS (Software as a Service) platform. Denoted T = {t1, t2, ..., tn}, the set of all tenants.
User: a subject that can independently access the resources of the platform; each user can only access platform resources within the scope permitted by its tenant. Denoted U = {u1, u2, ..., un}, the set of all users. In a SaaS platform, the user set of tenant t is U(t), and the set of SaaS platform administrators is U(Pa).
Role: a job, task or position in an organization. In a SaaS platform, roles comprise tenant regular roles R, tenant manager roles AR, platform regular roles PaR and platform manager roles PaAR. R(t) and AR(t) denote the regular role set and the manager role set of tenant t respectively.
Access permissions: the operations that may be performed on a resource. Access permissions are divided into:
Tenant regular permissions: P = {p1, p2, ..., pn}
Tenant administrative permissions: AP = {ap1, ap2, ..., apn}
Platform regular permissions: PaP = {pap1, pap2, ..., papn}
Platform administrative permissions: PaAP = {paap1, paap2, ..., paapn}
P(t) and AP(t) denote the regular permission set and the administrative permission set of tenant t respectively.
Resource: the general name for anything on which permissions need to be set, for example a piece of data. Denoted Res = {res1, res2, ..., resn}, where Res(t) denotes the resource set of tenant t.
Operation: an action on a resource, such as delete or add. Denoted Opera = {opera1, opera2, ..., operan}, the set of all operations, such as read, write and execute; Opera(t) denotes the operation set of tenant t.
PaR/PaP (Platform Role/Platform Permission): the platform regular roles and permissions. These roles use these permissions for the platform's routine maintenance, including tenant account review, tenant state management, tenant fee management and tenant permission management. The platform administrator has no permission to interfere with a tenant's specific business; usually the enterprise that deploys the service acts as platform administrator.
PaAR/PaAP (Platform Administrative Role/Platform Administrative Permission): the platform manager roles and permissions. These roles use these permissions to maintain the platform regular roles; a whole SaaS platform usually has only a few such roles.
PaPAC/PaAPAC: the platform regular permission and platform administrative permission assignment constraints, which define the constraints that apply when platform regular permissions are assigned to regular roles and platform administrative permissions to manager roles.
PaUAC/PaAUAC: the platform regular role-user and platform manager role-user assignment constraints, which define the constraints that apply when platform regular roles and platform manager roles are assigned to users.
T (Tenant): a single tenant contains multiple regular roles R, regular permissions P, manager roles AR and administrative permissions AP; its session set S and constraint set C are the intersection of the respective session sets of all tenants. Because the platform manager roles PaAR are unrelated to tenants, the platform manages tenants through the platform regular roles and their permissions PaP. Within the tenant part, the relations between regular roles, manager roles and users are similar to those in the platform part and are not repeated here.
In addition, the platform part and the tenant part stand in a 1:N relation: the model has only one platform control structure but may have multiple tenant control structures, each implemented by its own tenant.
Further, on the basis of the above basic elements, refer to Fig. 2, the user resource access control flow chart provided by this embodiment. In this embodiment, the access control method has the following steps:
S201: receive the resource access request that a user initiates to the platform; the request contains the user account and the target resource;
S202: obtain, according to the user account, the user's corresponding role and role permissions within the tenant the user belongs to;
S203: judge, according to the role permissions, whether the role holds the permission to access the target resource; if it does, go to step S204, otherwise go to step S205;
S204: provide the target resource to the user;
S205: refuse to provide the target resource to the user.
Through this method, the platform obtains the role assigned to the user within the tenant and that role's permissions, and determines from the role permissions which resources the tenant has allocated to the user; these resources are drawn from the resources the tenant selected from the system. The platform then verifies whether the target resource the user requests lies within the resources the tenant allocated to the user: if so, access to the target resource proceeds normally, otherwise the access is terminated. This effectively verifies whether the user holds the permission to access the target resource, isolates the data of each tenant from the others and safeguards tenant data security.
Further, before the platform receives a user's resource access request, the tenant must submit a registration application to the platform; only after the application is approved can the users of the tenant (i.e. the enterprise) access resources normally. Referring to Fig. 3, a tenant registers with the platform as follows:
S301: receive the registration application that the tenant initiates to the platform and review it;
S302: after the review passes, generate the tenant administrator and authorize the resources selected by the tenant administrator.
Further, when the tenant applies to the platform for registration, it supplies lease information such as the tenant's enterprise name and sets an administrator account. The platform side (i.e. the operating service provider) then reviews the tenant and, after the review passes, generates the tenant administrator for the tenant. The tenant administrator represents the tenant and performs the initial work of partitioning roles, assigning permissions and selecting system resources for the tenant. Specifically, the tenant administrator creates the tenant regular roles and tenant manager roles, with the tenant manager roles managing the tenant regular roles; the regular roles and manager roles of different tenants are assigned their corresponding role permissions. For example, a tenant manager role partitions its range of management within the tenant, while a tenant regular role selects the resources its tenant needs. The operating service provider then charges for the resources the tenant regular role selected from the system and authorizes the tenant regular role to use the system functions it customized, after which the tenant enterprise can conduct its business normally. This registration flow achieves on-demand authorization of system resources on the platform: system resources are mapped from the total resource pool into a sub-resource pool for the tenant according to the tenant's needs, and the tenant then distributes its sub-resource pool on its own. This approach is simple, makes it easy to calculate and collect tenant lease fees, and avoids tenants paying for unnecessary resources, which would waste resources. Note that resources include all kinds of basic data and all kinds of system functions.
Further, after the tenant enterprise has registered successfully and obtained platform authorization, and before a user initiates a resource access request, there is also a flow in which the administrative permissions of the tenant's management users are verified. This management control flow mirrors the resource access control flow of ordinary users. Referring to Fig. 4, the management user management control flow chart provided by this embodiment, the management control flow is as follows:
S401: receive the management request that a management user initiates to the platform; the request contains the management user account and the target management object;
S402: obtain, according to the management user account, the management user's corresponding role and role permissions within the tenant;
S403: determine the management user's range of management according to the role permissions;
S404: judge, according to the range of management, whether the role holds the permission to manage the target management object; if it does, go to step S405, otherwise go to step S406;
S405: allow the management user to manage the target management object;
S406: refuse the management user's management of the target management object.
In the above management control flow, a management user is a user who holds a manager role within the tenant, while an ordinary user is a user who holds a regular role within the tenant; management users assign permissions and partition resource levels for ordinary users. When the platform receives a management request from a management user, the request contains the management user's login information, which includes the management user account and the target management object; the target management object is the information within the management user's own tenant that it requests to manage, including but not limited to the role permissions and role hierarchy of ordinary users. Before the management user may manage that information, the platform first verifies whether it holds the permission to manage it, that is, whether the target management object exceeds the range of management the user is responsible for. If the verification fails, the platform refuses the management user's request. This effectively controls the range of management of a tenant's management users, so that all of a tenant's management actions stay within its own security domain: the tenant cannot affect other tenants, and other tenants cannot affect it.
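To make the registration flow (S301/S302), the management control flow (S401-S406) and the resource access flow (S201-S205) concrete, here is an added Python model of the two-layer scheme; it is example code written for this page, not code from the patent or from ZTE. The class and method names (Platform, Tenant, Role, register_tenant, create_role, assign_role, check_management, check_resource_access) are my own, and a manager role's range of management is modelled as the set of role names it manages.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    """A tenant role: regular (R) or manager (AR).
    Regular roles carry (operation, resource) pairs; manager roles carry the set
    of role names in their range of management. The two kinds never mix, so P
    and AP stay disjoint as the patent requires."""
    name: str
    admin: bool
    permissions: set = field(default_factory=set)


@dataclass
class Tenant:
    name: str
    resources: set                              # Res(t): sub-pool authorized from the platform pool
    roles: dict = field(default_factory=dict)   # R(t) and AR(t), keyed by role name
    users: dict = field(default_factory=dict)   # U(t): account -> set of role names


class Platform:
    def __init__(self, resource_pool, platform_admins):
        self.pool = set(resource_pool)                # total resource pool
        self.platform_admins = set(platform_admins)   # U(Pa): never members of any tenant
        self.tenants = {}

    def tenant_of(self, account):
        """Many-to-one mapping user -> tenant; platform admins map to no tenant."""
        for t in self.tenants.values():
            if account in t.users:
                return t
        return None

    def register_tenant(self, auditor, name, admin_account, selected):
        """S301/S302: platform-side review, then tenant admin creation and sub-pool authorization."""
        if auditor not in self.platform_admins or name in self.tenants:
            return False
        if not set(selected) <= self.pool or self.tenant_of(admin_account) is not None:
            return False
        t = Tenant(name, set(selected))
        t.roles["tenant_admin"] = Role("tenant_admin", admin=True)
        t.users[admin_account] = {"tenant_admin"}
        self.tenants[name] = t
        return True

    def _admin_roles(self, t, account):
        return [t.roles[r] for r in t.users.get(account, ()) if t.roles[r].admin]

    def create_role(self, actor, role):
        """Role creation and permission distribution by a tenant manager."""
        t = self.tenant_of(actor)
        if t is None or not self._admin_roles(t, actor) or role.name in t.roles:
            return False
        if role.admin:
            # a manager role's scope may only name roles that exist in this tenant
            if not set(role.permissions) <= set(t.roles):
                return False
        elif not {res for _, res in role.permissions} <= t.resources:
            return False   # business permissions only on the tenant's own sub-pool
        t.roles[role.name] = role
        for ar in self._admin_roles(t, actor):
            ar.permissions.add(role.name)   # creator's range of management covers the new role
        return True

    def check_management(self, account, target_role):
        """S401-S406: is target_role inside the management user's range of management?"""
        t = self.tenant_of(account)
        if t is None or target_role not in t.roles:
            return False
        scope = set().union(*(ar.permissions for ar in self._admin_roles(t, account)))
        return target_role in scope

    def assign_role(self, actor, account, role_name):
        """Management action guarded by check_management; a user belongs to exactly one tenant."""
        if not self.check_management(actor, role_name):
            return False
        t = self.tenant_of(actor)
        other = self.tenant_of(account)
        if (other is not None and other is not t) or account in self.platform_admins:
            return False
        t.users.setdefault(account, set()).add(role_name)
        return True

    def check_resource_access(self, account, opera, res):
        """S201-S205: decide a user's resource access request."""
        t = self.tenant_of(account)
        if t is None:
            return False   # platform administrators hold no tenant business permission
        if res not in t.resources:
            return False   # outside the sub-pool mapped to this tenant
        return any((opera, res) in t.roles[r].permissions
                   for r in t.users[account] if not t.roles[r].admin)
```

Exercising the model shows that a manager role confers no business access, a tenant's users cannot reach resources outside its sub-pool, and a platform administrator holds no tenant permission at all.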
Through this access control platform, each tenant enterprise can easily execute its tenant business and manage its internal affairs. When a user's position in the tenant enterprise changes, its administrative permissions change accordingly; the method provided by this embodiment allows the user's role to be adjusted very flexibly, and management users likewise assign the corresponding permissions to the role. This truly realizes the third level of the SaaS maturity model and effectively isolates tenant data.
Further, the platform roles in the operating service provider that provides the platform service include platform manager roles and platform regular roles. A whole SaaS platform usually has only a few platform manager roles, which mainly manage the platform regular roles; the platform regular roles, of which there are relatively more, are mainly responsible for the platform's routine maintenance, including tenant account review, tenant state management, tenant fee management and tenant permission management, but the platform administrator has no permission to interfere with a tenant's specific business; usually the enterprise that deploys the service acts as platform administrator. In addition, the model introduces a platform management user type and a tenant management user type, which separates the platform management and tenant management functions, eliminates permission inheritance between platform administrators and tenant administrators, and achieves secure platform management.
Because this embodiment introduces the tenant concept, tenant-user management, tenant-role management and tenant-permission management are added within the tenant system. This management model effectively isolates and manages the data of different tenants in the integrated system and extends the single-layer management model of role-based access control into a two-layer management model (platform layer and tenant layer), so that the platform and tenant management models are partly separated, platform administrators cannot intervene in tenants, and the privacy of every tenant is effectively protected.
In this embodiment, the above flows are executed on the basis of the following rule definitions:
Tenant regular part:
where x ∈ {R, U, P};
denotes the many-to-one mapping from the role set/user set/permission set to the tenant set.
where x ∈ {U, P, R};
denotes the many-to-many mapping from the role set to the user set/permission set/role set.
Tenant management part:
where x ∈ {AR, AP};
denotes the many-to-one mapping from the manager role set/administrative permission set to the tenant set.
where x ∈ {U, AP, AR};
denotes the many-to-many mapping from the manager role set to the user set/administrative permission set/manager role set.
Platform regular part:
where x ∈ {PaP, U, PaR};
denotes, within a given SaaS application, the many-to-many mapping from the SaaS platform regular role set to the SaaS platform regular permission set/user set/platform regular role set.
Platform management part:
where x ∈ {PaAP, U, PaAR};
denotes, within a given SaaS application, the many-to-many mapping from the SaaS platform manager role set to the SaaS platform administrative permission set/user set/platform manager role set.
Mapping definitions:
Permission: Opera -> Res;
denotes the mapping from operations to resources, represented by the pair (opera, res); for example, (Read, Res1) ∈ Permission means that res1 carries read permission.
Users: S -> U;
denotes the mapping from sessions to users, represented by (session, user); for example, (session1, user1) ∈ Users means that session1 is a session belonging to user user1.
Roles: S → 2^(R_T ∪ AR_T ∪ PaR ∪ PaAR)
denotes the mapping from sessions to role sets, represented by the pair (session, roleset); for example, (session1, roleset1) ∈ Roles means that roleset1 is the role set held by session1, where roleset denotes a set of roles. Furthermore (in an implementation, the service provider can be regarded as a special tenant):
The permissions of a session are as follows:
Because administrative permissions can only be assigned to manager roles and regular permissions can only be assigned to regular roles, the tenant regular permissions, tenant administrative permissions, platform regular permissions and platform administrative permissions are pairwise disjoint.
Embodiment two:
Refer to Fig. 5, the schematic diagram of the access control platform provided by this embodiment. The basic elements and rule definitions given above apply equally to this embodiment and are not repeated here.
In this embodiment, access control platform 5 includes:
a third receiving module 501, for receiving the resource access request a user initiates to the platform; the resource access request contains the user account and the target resource;
a first acquisition module 502, for obtaining, from the user account, the user's role in the tenant the user belongs to and the corresponding role permissions;
a first judging module 503, for judging from the role permissions whether the role holds the permission to access the target resource;
a first processing module 504, for providing the target resource to the user if the role holds the permission to access it, and refusing to provide the target resource to the user if it does not.
With access control platform 5, after obtaining the role assigned to the user within the tenant and that role's permissions, the platform determines from the role permissions which resources the tenant has distributed to the user. Those resources are drawn from the resources the tenant selected out of the system. The platform then verifies whether the target resource the user requests lies within the resources the tenant distributed to the user: if so, the access to the target resource proceeds normally; otherwise it is refused. This effectively verifies whether the user holds the permission to access the target resource, isolates the data of the different tenants from one another and safeguards tenant data.
Further, before the third receiving module 501 receives the resource access request, the tenant must first submit a registration application to the platform; only after the application has been approved can the users of the tenant (i.e. the enterprise) access resources normally. The platform therefore also includes the following modules:
a first receiving module 505, for receiving the registration application the tenant submits to the platform and auditing it;
an authorization module 506, for generating the tenant administrator after the audit passes and authorizing the resources the tenant administrator selects.
The authorization module 506 includes:
a generating submodule 5061, for generating the tenant administrator for the tenant;
a configuring submodule 5062, through which the tenant administrator performs role creation, permission distribution and resource selection;
an authorizing submodule 5063, for authorizing according to the selected resources.
Specifically, when a tenant applies to the platform for registration, the registration information includes lease-related information such as the tenant's enterprise name, and an administrator account is set at the same time. The platform side (i.e. the operating service provider) then audits the tenant. After the audit passes, generating submodule 5061 generates the tenant management user for the tenant; this tenant management user represents the tenant and performs the initial work of dividing roles, distributing permissions and selecting system resources for the tenant. In particular, the tenant management user creates the tenant regular roles and the tenant manager roles and assigns the corresponding role permissions to each: each tenant manager role is assigned its management scope within the tenant, and each tenant regular role selects the resources it needs from those available to the tenant. The operating service provider then, through authorizing submodule 5063, charges for the resources the tenant regular roles selected from the system and authorizes the tenant regular roles to use the system functions they customized; finally the tenant enterprise conducts its business normally. System resources can thus be authorized on demand within the platform: the platform maps a sub-resource pool out of the total resource pool for each tenant according to that tenant's needs, and the tenant then distributes its sub-resource pool independently. This prevents a tenant from being charged for resources it does not need and so avoids wasting resources.
In addition, after authorization module 506 has authorized the selected resources and before the third receiving module 501 receives the resource access request the user initiates to the platform, the platform also includes:
a second receiving module 507, for receiving the management request a management user initiates to the platform; the management request contains the management user account and the target management object;
a second acquisition module 508, for obtaining, from the management user account, the management user's role in the tenant and the corresponding role permissions;
a determining module 509, for determining the management scope of the management user from the role permissions;
a second judging module 510, for judging from the management scope whether the role holds the permission to manage the target management object;
a second processing module 511, for allowing the management user to manage the target management object if the role holds that permission, and refusing the management user to manage the target management object if it does not.
In the modules above, a management user is a user corresponding to a manager role within the tenant, and an ordinary user is a user corresponding to a regular role within the tenant; the management user carries out permission distribution, resource division and similar management for ordinary users. When the platform receives a management request initiated by a management user, the request contains the management user's login information, which includes the management user account and the target management object. The target management object is the information within the management user's own tenant that the management user requests to manage, including but not limited to the role permissions and role hierarchy of ordinary users. Before the management user may manage that information, the platform must first verify whether the management user holds the permission to manage it, that is, whether the target management object falls outside the management user's assigned management scope. If the verification fails, the platform refuses the management request. Note that the management scope is derived by the platform from the authenticated account rather than taken from the request, so a client cannot widen it by tampering with the request. In this way the management scope of a tenant's management users is effectively controlled, so that a tenant's management actions are all performed within the tenant's own security domain: the tenant does not affect other tenants, and other tenants cannot interfere with it.
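As an added example, not code from the patent: the following Python sketch models the two request checks of Embodiment two (resource access through modules 501-504, management requests through modules 507-511) together with the registration and authorization flow that precedes them (modules 505 and 506 with submodules 5061-5063). The class and method names (Platform, Tenant, Role, Permission, check_access, check_manage), the wildcard "*" scope given to the generated tenant administrator, and the assumption that user accounts are unique across the platform are all mine; the sample tenants, users and resources are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Permission = namedtuple("Permission", "op res")   # (operation, resource), e.g. Permission("Read", "res1")


@dataclass
class Role:
    name: str
    is_manager: bool
    perms: set = field(default_factory=set)   # regular roles only: Permission tuples
    scope: set = field(default_factory=set)   # manager roles only: names of regular roles it may manage


@dataclass
class Tenant:
    name: str
    pool: set = field(default_factory=set)    # sub-resource pool the platform authorised for this tenant
    roles: dict = field(default_factory=dict) # role name -> Role
    users: dict = field(default_factory=dict) # account -> role name


class Platform:
    def __init__(self, total_pool):
        self.total_pool = set(total_pool)
        self.tenants = {}
        self.accounts = {}  # account -> tenant name (assumption: accounts are unique across the platform)

    # Registration and audit (modules 505, 5061); the generated administrator manages every regular role.
    def register_tenant(self, name, admin_account, audit_passed):
        if not audit_passed or name in self.tenants:
            return False
        t = self.tenants[name] = Tenant(name)
        t.roles["tenant_admin"] = Role("tenant_admin", is_manager=True, scope={"*"})
        self.add_user(name, admin_account, "tenant_admin")
        return True

    def add_user(self, tenant_name, account, role_name):
        t = self.tenants[tenant_name]
        if account in self.accounts or role_name not in t.roles:
            raise ValueError("duplicate account or unknown role")
        t.users[account] = role_name
        self.accounts[account] = tenant_name

    # Authorisation (module 5063): map the tenant's selection out of the total pool into its sub-pool.
    def authorize_resources(self, tenant_name, selected):
        selected = set(selected)
        if not selected <= self.total_pool:
            raise ValueError("selection contains resources outside the platform pool")
        self.tenants[tenant_name].pool = selected

    # Role creation and permission distribution (module 5062). Manager roles carry scope only, regular
    # roles carry resource permissions only, and only on resources inside the tenant's own sub-pool.
    def create_role(self, tenant_name, role):
        t = self.tenants[tenant_name]
        if (role.is_manager and role.perms) or (not role.is_manager and role.scope):
            raise ValueError("management and regular permissions must not mix")
        if not {p.res for p in role.perms} <= t.pool:
            raise ValueError("permission on a resource not authorised to this tenant")
        t.roles[role.name] = role

    def _lookup(self, account):
        t = self.tenants.get(self.accounts.get(account))
        return (t, t.roles[t.users[account]]) if t else (None, None)

    # Resource access request (modules 501-504): the role permission and the tenant sub-pool must both hold.
    def check_access(self, account, op, res):
        t, role = self._lookup(account)
        if role is None or role.is_manager:
            return False
        return Permission(op, res) in role.perms and res in t.pool

    # Management request (modules 507-511): the target is resolved inside the caller's own tenant, so a
    # manager cannot reach another tenant's roles however the request is crafted.
    def check_manage(self, account, target_role_name):
        t, role = self._lookup(account)
        if role is None or not role.is_manager:
            return False
        target = t.roles.get(target_role_name)
        if target is None or target.is_manager:
            return False
        return "*" in role.scope or target_role_name in role.scope


def demo():
    p = Platform(total_pool={"res1", "res2", "res3", "res4"})   # constructed sample data throughout
    p.register_tenant("acme", "acme_admin", audit_passed=True)
    p.register_tenant("beta", "beta_admin", audit_passed=True)
    p.authorize_resources("acme", {"res1", "res2"})
    p.authorize_resources("beta", {"res3", "res4"})
    p.create_role("acme", Role("reader", False, perms={Permission("Read", "res1")}))
    p.create_role("acme", Role("team_lead", True, scope={"reader"}))
    p.add_user("acme", "user1", "reader")
    p.add_user("acme", "lead1", "team_lead")
    return {
        "user1 Read res1": p.check_access("user1", "Read", "res1"),            # True
        "user1 Write res1": p.check_access("user1", "Write", "res1"),          # False: no such permission
        "user1 Read res3": p.check_access("user1", "Read", "res3"),            # False: outside acme's pool
        "lead1 manages reader": p.check_manage("lead1", "reader"),             # True: inside scope
        "lead1 manages tenant_admin": p.check_manage("lead1", "tenant_admin"), # False: not a regular role
        "user1 manages reader": p.check_manage("user1", "reader"),             # False: not a manager
    }
```

Both checks derive tenant, role and scope from the account on the platform side; the only request-supplied inputs are the operation, the resource and the target role name, and each is matched against state the platform already holds. Rejecting mixed roles in create_role, and rejecting permissions on resources outside the tenant's sub-pool, is what keeps the four permission classes of the formal model pairwise disjoint and each tenant inside its own security domain.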
Obviously, those skilled in the art will understand that each module or step of the invention described above can be implemented by general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by several computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage medium (ROM/RAM, magnetic disk, optical disc) and executed by a computing device; in some cases the steps shown or described can be performed in an order different from that given here, and they can be fabricated as individual integrated circuit modules or with several of the modules or steps fabricated as a single integrated circuit module. The invention is therefore not restricted to any specific combination of hardware and software.
The above is a further detailed description of the invention in connection with specific embodiments, and the specific implementation of the invention cannot be considered limited to these descriptions. For a person of ordinary skill in the technical field of the invention, some simple deductions or substitutions can also be made without departing from the inventive concept, and all of these should be considered to fall within the protection scope of the invention.

Claims (10)

1. An access control method, characterized by comprising:
receiving a resource access request a user initiates to a platform, the resource access request containing a user account and a target resource;
obtaining, from the user account, the user's corresponding role and role permissions in the tenant to which the user belongs;
judging from the role permissions whether the role holds the permission to access the target resource;
if the role holds the permission to access the target resource, providing the target resource to the user; if it does not, refusing to provide the target resource to the user.
2. The access control method of claim 1, characterized in that, before receiving the resource access request the user initiates to the platform, the method further comprises:
receiving a registration application the tenant initiates to the platform and auditing it;
after the audit passes, generating a tenant administrator and authorizing the resources the tenant administrator selects.
3. The access control method of claim 2, characterized in that generating the tenant administrator after the audit passes and authorizing the resources the tenant administrator selects comprises:
generating the tenant administrator for the tenant;
performing role creation, permission distribution and resource selection through the tenant administrator;
authorizing according to the selected resources.
4. The access control method of claim 3, characterized in that the roles created by the tenant administrator comprise tenant regular roles and tenant manager roles, and the tenant manager roles manage the tenant regular roles.
5. The access control method of claim 2, characterized in that, after authorizing the resources the tenant administrator selects and before receiving the resource access request the user initiates to the platform, the method further comprises:
receiving a management request a management user initiates to the platform, the management request containing a management user account and a target management object;
obtaining, from the management user account, the management user's corresponding role and role permissions in the tenant;
determining the management scope of the management user from the role permissions;
judging from the management scope whether the role holds the permission to manage the target management object;
if the role holds the permission to manage the target management object, allowing the management user to manage the target management object; if it does not, refusing the management user to manage the target management object.
6. The access control method of any one of claims 1 to 5, characterized in that the platform comprises platform regular roles and platform manager roles, and the platform manager roles manage the platform regular roles.
7. An access control platform, characterized by comprising:
a third receiving module, for receiving a resource access request a user initiates to the platform, the resource access request containing the user account and a target resource;
a first acquisition module, for obtaining, from the user account, the user's corresponding role and role permissions in the tenant to which the user belongs;
a first judging module, for judging from the role permissions whether the role holds the permission to access the target resource;
a first processing module, for providing the target resource to the user if the role holds the permission to access it, and refusing to provide the target resource to the user if it does not.
8. The access control platform of claim 7, characterized in that, before the third receiving module receives the resource access request the user initiates to the platform, the platform further comprises:
a first receiving module, for receiving a registration application the tenant initiates to the platform and auditing it;
an authorization module, for generating a tenant administrator after the audit passes and authorizing the resources the tenant administrator selects.
9. The access control platform of claim 8, characterized in that the authorization module comprises:
a generating submodule, for generating the tenant administrator for the tenant;
a configuring submodule, through which the tenant administrator performs role creation, permission distribution and resource selection;
an authorizing submodule, for authorizing according to the selected resources.
10. The access control platform of claim 8, characterized in that, after the authorization module authorizes according to the selected resources and before the third receiving module receives the resource access request the user initiates to the platform, the platform further comprises:
a second receiving module, for receiving a management request a management user initiates to the platform, the management request containing the management user account and a target management object;
a second acquisition module, for obtaining, from the management user account, the management user's corresponding role and role permissions in the tenant;
a determining module, for determining the management scope of the management user from the role permissions;
a second judging module, for judging from the management scope whether the role holds the permission to manage the target management object;
a second processing module, for allowing the management user to manage the target management object if the role holds that permission, and refusing the management user to manage the target management object if it does not.
CN201610100346.8A, filed 2016-02-23, "A kind of access control method and platform", status pending, published as CN107104931A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610100346.8A CN107104931A (en) 2016-02-23 2016-02-23 A kind of access control method and platform
PCT/CN2017/074311 WO2017143975A1 (en) 2016-02-23 2017-02-21 Access control method and platform

Publications (1)

Publication Number Publication Date
CN107104931A true 2017-08-29

Family ID=59658459

Country Status (2)

Country Link
CN (1) CN107104931A (en)
WO (1) WO2017143975A1 (en)
Also Published As

Publication number Publication date
WO2017143975A1 (en) 2017-08-31

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170829