CN108521411A - Access control method, apparatus and system based on access control policy - Google Patents
- Publication number: CN108521411A (application CN201810282557.7A)
- Authority: CN (China)
- Prior art keywords: enterprise, role, access, permission, identity type
- Legal status: Pending
Classifications
- H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/102: Network architectures or network communication protocols for network security; controlling access to devices or network resources; entity profiles
- H04L63/105: Network architectures or network communication protocols for network security; controlling access to devices or network resources; multiple levels of security
Abstract
The present invention provides an access control method, apparatus and system based on an access control policy. The method includes: receiving a business access request from an enterprise; configuring an identity type for the enterprise according to the enterprise's access rights to the business, where an identity type is one of the several identities that different enterprises hold with respect to the same business subject; building the enterprise's access permission set according to the permissions of the identity type on the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types; and, according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility of each role, determining the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy, where the access permissions of a role are inherited from the enterprise's access permission set. With the present invention, different enterprises can control access to the same business subject differently, according to their different identities.
Description
Technical field
The present invention relates to business data access technology, and in particular to an access control method, apparatus and system based on an access control policy.
Background technology
Role-Based Access Control (RBAC) is a mature permission model that is widely applied in practice. Traditional access control models are mainly discretionary access control and mandatory access control. In traditional permission models, permissions are usually assigned directly to users. RBAC adds the concept of the role: users are associated with roles and roles with permissions, which simplifies permission management. Within an organization, roles are created to carry out various kinds of work; users are given roles according to their responsibilities, and a user can easily be reassigned from one role to another. A role can be given new permissions as requirements change, and permissions can likewise be withdrawn from a role as needed.
RBAC supports the following three security principles: least privilege, separation of duties and data abstraction.
(1) Least privilege: RBAC can configure a role with the minimum set of permissions needed to complete its tasks;
(2) Separation of duties: RBAC can have a sensitive task completed jointly by setting up mutually independent, mutually exclusive roles, for example by requiring both an accounting clerk and a financial manager to take part in the same posting;
(3) Data abstraction: RBAC can be embodied through the abstraction of permissions, for example financial operations use abstract permissions such as "borrow" and "deposit" rather than the typical read, write and execute permissions provided by the operating system.
Although RBAC has its advantages, when several different enterprises need to access the same business subject with different identities and under different access permission restrictions, RBAC faces the following problems:
1) Because RBAC is access control based on user roles, it lacks control and management of enterprise identity. When several enterprises jointly take part in access to the same business subject, unified management of enterprise identity types and of the specific business subject must be established, and different enterprise identities then represent different access control for the same business subject.
2) Because RBAC access permissions are set on the basis of operations and objects, and operations and objects are all subordinate to a specific business subject, RBAC lacks access control management at the higher level of the business subject. It should be required that the operations and objects in an access permission all fall under the same business subject, and only after the business subject check passes can the information under that business subject be accessed according to the access permission.
3) Users are subordinate to an enterprise, and the access control of an enterprise's own users must conform to the enterprise's access control for the specific business subject; RBAC lacks a constraint on user access control that is based on the enterprise's access control.
Invention content
To solve the above problems in the prior art, an object of the present invention is to provide an access control method, apparatus and system based on an access control policy which, by building role-based constraints on user access control, enables different enterprises to control access to the same business subject differently according to their different identities.
To achieve the above object, an embodiment of the present invention proposes an access control method based on an access control policy, including:
receiving a business access request from an enterprise;
configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here the identity type refers to the several identities that different enterprises hold with respect to the same business subject;
building the enterprise's access permission set according to the permissions of the identity type on the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, determining the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy.
To achieve the above object, an embodiment of the present invention proposes an access control apparatus based on an access control policy, including:
a request receiving unit, for receiving a business access request from an enterprise;
a configuration unit, for configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here the identity type refers to the several identities that different enterprises hold with respect to the same business subject;
a permission set generating unit, for building the enterprise's access permission set according to the permissions of the identity type on the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
an access information determining unit, for determining, according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy.
To achieve the above object, an embodiment of the present invention proposes an access control system based on an access control policy, including:
an enterprise layer, in which enterprises, enterprise identity types and business subjects are provided; the enterprise layer is used to receive a business access request from an enterprise, configure an identity type for the enterprise according to the enterprise's access rights to the business, and build the enterprise's access permission set according to the permissions of the identity type on the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types; here the identity type refers to the several identities that different enterprises hold with respect to the same business subject;
a user layer, in which users, the users' roles and the roles' access permissions are provided; the user layer is used to determine, according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy; here the access permissions of a role are inherited from the enterprise's access permission set.
To achieve the above object, an embodiment of the present invention proposes a computer device including a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor implements the following steps when executing the computer program:
receiving a business access request from an enterprise;
configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here the identity type refers to the several identities that different enterprises hold with respect to the same business subject;
building the enterprise's access permission set according to the permissions of the identity type on the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, determining the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy.
To achieve the above object, an embodiment of the present invention proposes a computer-readable storage medium on which a computer program is stored, where the computer program implements the following steps when executed by a processor:
receiving a business access request from an enterprise;
configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here the identity type refers to the several identities that different enterprises hold with respect to the same business subject;
building the enterprise's access permission set according to the permissions of the identity type on the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, determining the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy.
It can be seen from the above technical solutions provided by the embodiments of the present invention that, by building role-based constraints on user access control, the present invention enables different enterprises to control access to the same business subject differently according to their different identities.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the description or be learned through practice of the application.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the access control method based on an access control policy according to an embodiment of the present invention;
Fig. 2 is a structural diagram of the access control apparatus based on an access control policy according to an embodiment of the present invention;
Fig. 3 is a structural diagram of the access information determining unit according to an embodiment of the present invention;
Fig. 4 is a structural diagram of the access control system based on an access control policy according to an embodiment of the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As seen in the Background, existing RBAC technology has the following shortcomings:
1) Because RBAC is access control based on user roles, it lacks control and management of enterprise identity. When several enterprises jointly take part in access to the same business subject, unified management of enterprise identity types and of the specific business subject must be established, and different enterprise identities then represent different access control for the same business subject.
2) Because RBAC access permissions are set on the basis of operations and objects, and operations and objects are all subordinate to a specific business subject, RBAC lacks access control management at the higher level of the business subject. It should be required that the operations and objects in an access permission all fall under the same business subject, and only after the business subject check passes can the information under that business subject be accessed according to the access permission.
3) Users are subordinate to an enterprise, and the access control of an enterprise's own users must conform to the enterprise's access control for the specific business subject; RBAC lacks a constraint on user access control that is based on the enterprise's access control.
To solve the above problems, this embodiment provides an access control method based on an access control policy. As shown in Fig. 1, the method includes the following steps:
S101: Receive a business access request from an enterprise. The legitimate identity of the enterprise can be checked by authentication.
When an enterprise wants to access some business it usually needs to send a business access request, and the background server processes the request accordingly.
S102: Configure an identity type for the enterprise according to the enterprise's access rights to the business. Here the identity type refers to the several identities that different enterprises hold with respect to the same business subject.
From the overall business process, the different access permissions that different enterprises have for the same business subject (for example as investor, administrator or custodian) are analysed, and different identity types are set for the different enterprises. The identity types include one or more of investor, mandator, administrator and so on; the invention is not limited to these.
S103: Build the enterprise's access permission set according to the permissions of the identity type on the business; the access permission set includes the permissions corresponding to the responsibilities of the different identity types.
Specifically, the enterprise's access permission set can be generated according to the operating rights of the enterprise's identity type on the specific business subject. The access permission set includes the specific business subjects the enterprise can access and, under each such business subject, the access rights corresponding to the different identity types.
Since different identity types have different access permissions for the same business subject, there are different access permission sets: according to the identity types, different access permission sets can be generated or set for different enterprises to reflect their different access permissions on the same business subject.
S104: According to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, determine the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy. Here the access permissions of a role are inherited from the enterprise's access permission set.
Mapping relations exist both between enterprise and identity type and between identity type and access permission set; the application can establish the mapping from enterprise to identity type and the mapping from enterprise plus identity type to access permission set.
According to the mapping from enterprise to identity type, the mapping from identity type to access permission set, the enterprise's organizational structure, the roles of the business participants and the responsibility corresponding to each role, all permissions of a user are inherited from the enterprise's access permission set, and using the role-based access control policy (RBAC) the enterprise's internal users, the users' roles and the roles' access permissions can be determined.
When several enterprises take part in the management activities of the same business subject with different identities on the same centralized platform system, the invention can effectively meet the access control requirements of the different participants.
The access control of the invention is applicable at least to the following scenarios:
1) centralized enterprise access control;
2) several enterprises taking part in access to the same business subject with different identities;
3) different enterprise identity types having different access control requirements for the same business subject.
To better illustrate the access control method of the invention, the access control of the different parties in the asset management business is taken as an example below.
The asset management business generally has three direct parties: the investor (trustee), the mandator and the administrator, and each of the three parties corresponds to one identity type.
The trustee is the actual owner of the entrusted assets (access permission set); the investment returns and risks of the entrusted assets (business subject) are enjoyed or borne by the trustee. The administrator is the user of the entrusted assets (access permission set); it fulfils the responsibility of investment management as required by the investment agreement and realises preservation and appreciation of the assets' value. The mandator is the custodian of the entrusted assets (access permission set); it keeps in custody the property the trustee has entrusted to the administrator, supervises the administrator's operations, guards against the risks of the entrusted assets and, according to the characteristics of the asset operations, provides financial services such as investment clearing, asset valuation and information reporting.
For example, taking the social security council as trustee, the social insurance fund can be split into several asset management plans that are handed to different administrators for investment operation. The mandator needs to control the online service access rights of the trustee and the administrators, with each asset management plan (business subject) as the unit. The access services the mandator provides all take the asset management plan as the business subject, and include instruction management, corporate actions, clearing and settlement, investment supervision, accounting, financial valuation, performance evaluation and so on under each asset management plan. As trustee, the social security council requires access to all information of the asset management plans under its name. An administrator can only access the services of the asset management plans it is itself responsible for. Because the identity responsibilities of the social security council and the administrators differ, certain services under an asset management plan can be opened to one party only; for example, investment instruction management can only be opened to the administrator. At the same time, the social security council and the administrators each have their own organizational structure and user access control requirements: under the overall trustee and administrator access control, each of them separately maintains and manages users, roles and permissions for the corresponding asset management plan, the specific permissions being items such as instruction management and corporate action feedback under that asset management plan.
In the above description, an identity type is configured for the enterprise according to the enterprise's access rights to the business, and the enterprise's access permission set is built according to the permissions of the identity type on the business; the access permission set includes the business subjects the enterprise can access and the permissions corresponding to the responsibilities of the different identity types.
According to the above access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, all permissions of a user are inherited from the enterprise's access permission set, and using the role-based access control policy the enterprise's internal users, the users' roles and the roles' access permissions can be determined.
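As an added illustration (not code from the patent), the following Python sketches the two-layer model of steps S101 to S104 applied to the asset management scenario above: the enterprise layer maps an enterprise and a business subject to an identity type and from there to an access permission set, and the user layer refuses any role whose permissions are not inherited from that set, then decides a request only after the business subject check passes. The identity-type permission lists, the enterprise and user names, and the binding of each role to a single business subject are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed permission sets per identity type for an asset management plan.
# Mirrors the patent's example: instruction management is open only to the
# administrator, while the trustee may query information and evaluations.
IDENTITY_PERMISSIONS = {
    "trustee": {"info_query", "performance_eval", "financial_valuation"},
    "administrator": {"info_query", "instruction_mgmt",
                      "corporate_action_feedback", "performance_eval"},
}


class EnterpriseLayer:
    """Enterprise layer: (enterprise, business subject) -> identity type -> permission set."""

    def __init__(self):
        self.identity_of = {}  # S102: identity type per enterprise and business subject

    def assign_identity(self, enterprise, business_subject, identity_type):
        if identity_type not in IDENTITY_PERMISSIONS:
            raise ValueError(f"unknown identity type {identity_type!r}")
        self.identity_of[(enterprise, business_subject)] = identity_type

    def permission_set(self, enterprise, business_subject):
        """S103: the enterprise's access permission set for one business subject.
        Empty when the enterprise holds no identity there (business subject check fails)."""
        ident = self.identity_of.get((enterprise, business_subject))
        return set(IDENTITY_PERMISSIONS[ident]) if ident else set()


@dataclass
class Role:
    enterprise: str
    business_subject: str          # assumption: a role is bound to one business subject
    permissions: set = field(default_factory=set)


class UserLayer:
    """User layer: RBAC roles whose permissions inherit from the enterprise permission set."""

    def __init__(self, enterprise_layer):
        self.ent = enterprise_layer
        self.roles = {}        # (enterprise, role name) -> Role
        self.user_roles = {}   # (enterprise, user) -> set of role names

    def excess_permissions(self, enterprise, business_subject, permissions):
        """Permissions a role would hold beyond the enterprise's permission set."""
        return set(permissions) - self.ent.permission_set(enterprise, business_subject)

    def define_role(self, enterprise, business_subject, name, permissions):
        """S104 constraint: role permissions must be a subset of the enterprise's set."""
        excess = self.excess_permissions(enterprise, business_subject, permissions)
        if excess:
            raise PermissionError(f"{enterprise}/{name}: {sorted(excess)} not inherited")
        self.roles[(enterprise, name)] = Role(enterprise, business_subject, set(permissions))

    def grant(self, enterprise, user, role_name):
        if (enterprise, role_name) not in self.roles:
            raise KeyError(role_name)
        self.user_roles.setdefault((enterprise, user), set()).add(role_name)

    def check(self, enterprise, user, business_subject, permission):
        """Decision: the enterprise must hold the permission for the business subject,
        and one of the user's roles bound to that subject must carry it."""
        if permission not in self.ent.permission_set(enterprise, business_subject):
            return False
        for name in self.user_roles.get((enterprise, user), ()):
            role = self.roles[(enterprise, name)]
            if role.business_subject == business_subject and permission in role.permissions:
                return True
        return False


def build_demo():
    """Constructed scenario: the council is trustee of two plans, each run by a
    different administrator; each enterprise defines its own users and roles."""
    ent = EnterpriseLayer()
    ent.assign_identity("Council", "PLAN_A", "trustee")
    ent.assign_identity("Council", "PLAN_B", "trustee")
    ent.assign_identity("ManagerX", "PLAN_A", "administrator")
    ent.assign_identity("ManagerY", "PLAN_B", "administrator")
    users = UserLayer(ent)
    users.define_role("Council", "PLAN_A", "analyst", {"info_query", "performance_eval"})
    users.define_role("ManagerX", "PLAN_A", "trader", {"instruction_mgmt"})
    users.grant("Council", "alice", "analyst")
    users.grant("ManagerX", "bob", "trader")
    return users


if __name__ == "__main__":
    u = build_demo()
    print(u.check("Council", "alice", "PLAN_A", "info_query"))        # True
    print(u.check("Council", "alice", "PLAN_A", "instruction_mgmt"))  # False
    print(u.check("ManagerX", "bob", "PLAN_B", "instruction_mgmt"))   # False
```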
Based on the same inventive concept, an embodiment of the application also provides an access control apparatus based on an access control policy, which can be used to implement the method described in the above embodiment, as described in the following embodiment. Because the principle by which the access control apparatus solves the problem is similar to that of the access control method, the implementation of the apparatus may refer to the implementation of the method, and repeated points are not described again. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the system described in the following embodiment is preferably realised in software, a realisation in hardware or in a combination of software and hardware is also possible and contemplated.
Fig. 2 is a structural diagram of the access control apparatus based on an access control policy according to an embodiment of the present invention. As shown in Fig. 2, the access control apparatus includes:
a request receiving unit 201, for receiving a business access request from an enterprise; the legitimate identity of the enterprise can be checked by authentication;
a configuration unit 202, for configuring an identity type for the enterprise according to the enterprise's access rights to the business; here the identity type refers to the several identities that different enterprises hold with respect to the same business subject;
specifically, the enterprise's identity type for a certain business subject can be assigned through authorization according to the identity type of the enterprise, different enterprises corresponding to different identity types;
a permission set generating unit 203, for building the enterprise's access permission set according to the permissions of the identity type on the business, the access permission set including the business subjects the enterprise can access and the permissions corresponding to the responsibilities of the different identity types;
an access information determining unit 204, for determining, according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy; here the access permissions of a role are inherited from the enterprise's access permission set.
In one embodiment, the identity type includes one or more of the following types: investor, mandator, administrator and beneficiary.
In one embodiment, as shown in Fig. 3, the access information determining unit 204 includes:
a relationship establishing module 301, for establishing the mapping from enterprise to identity type and the mapping from identity type to access permission set; here the enterprise determines which business subject is accessed, and the identity type determines the permissions with which it is accessed;
an access information determining module 302, for determining the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy, according to the mapping from enterprise to identity type, the mapping from enterprise and identity type to access permission set, the enterprise's organizational structure, the roles of the business participants and the responsibility corresponding to each role, with all permissions of a user inherited from the enterprise's access permission set.
Based on the same inventive concept, an embodiment of the application also provides an access control system based on an access control policy, which can be used to implement the method described in the above embodiment, as described in the following embodiment. Because the principle by which the access control system solves the problem is similar to that of the access control method, the implementation of the system may refer to the implementation of the method, and repeated points are not described again. Although the system described in the following embodiment is preferably realised in software, a realisation in hardware or in a combination of software and hardware is also possible and contemplated.
The present invention extends user access on the basis of RBAC at several levels: user access control is divided into two layers, an enterprise layer and a user layer. The enterprise layer is responsible for setting the general access control requirements of the different enterprises, and the user layer builds user-role access control on the basis of the restrictions imposed by the enterprise layer.
Fig. 4 is a structural diagram of the access control system based on an access control policy according to an embodiment of the present invention. As shown in Fig. 4, the access control system includes:
an enterprise layer, in which enterprises, enterprise identity types and business subjects are provided; the enterprise layer is used to receive a business access request from an enterprise, configure an identity type for the enterprise according to the enterprise's access rights to the business, and generate the enterprise's access permission set according to the access rights of the identity type on the specific business subject, the access permission set including the business subjects the enterprise can access and the permissions corresponding to the responsibilities of the different identity types; here the identity type refers to the several identities that different enterprises hold with respect to the same business subject;
a user layer, in which users, the users' roles and the roles' access permissions are provided; the user layer is used to determine, according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibility corresponding to each role, the enterprise's internal users, the users' roles and the roles' access permissions using a role-based access control policy.
An embodiment of the present invention provides a computer device, comprising a memory, a processor and a computer program stored on the memory and runnable on the processor; when the processor executes the computer program, it realizes the following steps:
Receiving the business access request of an enterprise; the legitimate identity of the enterprise can be verified by authentication.
Configuring an identity type for the enterprise according to the enterprise's access rights to the business; here an identity type means one of the several identities that different enterprises hold with respect to the same business body;
Building the access permission set of the enterprise according to the access rights of the identity type to the business; the access permission set includes the access rights corresponding to the responsibilities of the different identity types;
Determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibilities corresponding to each role; the access permissions of a role are inherited from the access permission set of the enterprise.
An embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it realizes the following steps:
Receiving the business access request of an enterprise; the legitimate identity of the enterprise can be verified by authentication.
Configuring an identity type for the enterprise according to the enterprise's access rights to the business; here an identity type means one of the several identities that different enterprises hold with respect to the same business body;
Building the access permission set of the enterprise according to the access rights of the identity type to the business; the access permission set includes the permissions corresponding to the responsibilities of the different identity types;
Determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibilities corresponding to each role; the access permissions of a role are inherited from the access permission set of the enterprise.
By constructing role-based user access control constraints, the present invention realizes differentiated access control over the same business body for different enterprises that hold different identities.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied in one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and the like) having computer-usable program code contained therein.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Specific embodiments have been used in this description to explain the principles and implementation of the present invention; the explanation of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, those of ordinary skill in the art will, in accordance with the idea of the invention, make changes in the specific implementation and scope of application. In summary, the content of this description should not be construed as limiting the invention.
Claims (9)
1. An access control method based on an access control policy, characterized in that it comprises:
receiving the business access request of an enterprise;
configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here an identity type means one of the several identities that different enterprises hold with respect to the same business body;
building the access permission set of the enterprise according to the access rights of the identity type to the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibilities corresponding to each role; wherein the access permissions of a role are inherited from the access permission set of the enterprise.
2. The access control method according to claim 1, characterized in that the identity type includes one or more of the following types: investor, trustor, administrator and beneficiary.
3. The access control method according to claim 1, characterized in that determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the participants and the responsibilities corresponding to each role comprises:
establishing the mapping relation between enterprises and identity types and the mapping relation between identity types and access permission sets;
determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the mapping relation between enterprises and identity types, the mapping relation between identity types and access permission sets, the organizational structure of the enterprise, the roles of the business participants and the responsibilities corresponding to each role.
4. An access control device based on an access control policy, characterized in that it comprises:
a request receiving unit, for receiving the business access request of an enterprise;
a configuration unit, for configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here an identity type means one of the several identities that different enterprises hold with respect to the same business body;
a permission set generating unit, for building the access permission set of the enterprise according to the access rights of the identity type to the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
an access information determining unit, for determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibilities corresponding to each role; wherein the access permissions of a role are inherited from the access permission set of the enterprise.
5. The access control device according to claim 4, characterized in that the identity type includes one or more of the following types: investor, trustor, administrator and beneficiary.
6. The access control device according to claim 4, characterized in that the access information determining unit comprises:
a relation establishing module, for establishing the mapping relation between enterprises and identity types and the mapping relation between identity types and access permission sets;
an access information determining module, for determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the mapping relation between enterprises and identity types, the mapping relation between identity types and access permission sets, the organizational structure of the enterprise, the roles of the business participants and the responsibilities corresponding to each role.
7. An access control system based on an access control policy, characterized in that it comprises:
an enterprise layer, provided with enterprises, enterprise identity types and business bodies; the enterprise layer is used to receive the business access request of an enterprise, configure an identity type for the enterprise according to the enterprise's access rights to the business, and build the access permission set of the enterprise according to the access rights of the identity type to the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types; here an identity type means one of the several identities that different enterprises hold with respect to the same business body;
a user layer, provided with users, the roles of users and the access permissions of roles; the user layer is used to determine, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibilities corresponding to each role.
8. A computer device, comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, characterized in that when the processor executes the computer program it realizes the following steps:
receiving the business access request of an enterprise;
configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here an identity type means one of the several identities that different enterprises hold with respect to the same business body;
building the access permission set of the enterprise according to the access rights of the identity type to the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibilities corresponding to each role; wherein the access permissions of a role are inherited from the access permission set of the enterprise.
9. A computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor it realizes the following steps:
receiving the business access request of an enterprise;
configuring an identity type for the enterprise according to the enterprise's access rights to the business, different enterprises corresponding to different identity types; here an identity type means one of the several identities that different enterprises hold with respect to the same business body;
building the access permission set of the enterprise according to the access rights of the identity type to the business, the access permission set including the permissions corresponding to the responsibilities of the different identity types;
determining, using a role-based access control policy, the users inside the enterprise, the users' roles and the access permissions of those roles according to the enterprise's access permission set, identity type, organizational structure, the roles of the business participants and the responsibilities corresponding to each role; wherein the access permissions of a role are inherited from the access permission set of the enterprise.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810282557.7A CN108521411A (en) | 2018-04-02 | 2018-04-02 | Access control method, apparatus and system based on access control policy |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108521411A true CN108521411A (en) | 2018-09-11 |
Family
ID=63431520
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810282557.7A Pending CN108521411A (en) | 2018-04-02 | 2018-04-02 | Access control method, apparatus and system based on access control policy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108521411A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112182619A (en) * | 2020-09-30 | 2021-01-05 | 澳优乳业(中国)有限公司 | Service processing method and system based on user permission, electronic device and medium |
CN117938547A (en) * | 2024-03-22 | 2024-04-26 | 恒丰银行股份有限公司 | Data asset security control method, equipment and medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1885297A (en) * | 2006-06-02 | 2006-12-27 | 石杰 | Method for role-based access control model with precise access control strategy |
CN101588242A (en) * | 2008-05-19 | 2009-11-25 | 北京亿企通信息技术有限公司 | Method and system for realizing authority management |
CN103617485A (en) * | 2013-11-15 | 2014-03-05 | 中国航空无线电电子研究所 | Uniform authority management and deployment system |
US20160248777A1 (en) * | 2014-10-20 | 2016-08-25 | International Business Machines Corporation | Policy access control lists attached to resources |
CN106055967A (en) * | 2016-05-24 | 2016-10-26 | 福建星海通信科技有限公司 | SAAS platform user organization permission management method and system |
CN106302492A (en) * | 2016-08-23 | 2017-01-04 | 唐山新质点科技有限公司 | A kind of access control method and system |
US20170111367A1 (en) * | 2010-05-05 | 2017-04-20 | Microsoft Technology Licensing, Llc | Data driven role based security |
CN106991302A (en) * | 2016-12-31 | 2017-07-28 | 融捷科技(武汉)有限公司 | Company's authority mandatory system based on supply chain financial service platform |
Similar Documents
Publication | Title |
---|---|
Baset et al. | Hands-on blockchain with Hyperledger: building decentralized applications with Hyperledger Fabric and composer |
Tobin et al. | The inevitable rise of self-sovereign identity |
US20180322588A1 (en) | Implementation of payroll smart contract on a distributed ledger |
CN110474865B (en) | Block chain user authority system and implementation method |
CN108805703A (en) | Right management system |
US11636469B2 (en) | Data access management with non-fungible tokens |
AU2018100340A4 (en) | Private Permissioned Blockchain, Distributed Ledger Technology (DLT), Smart Contract & IoT based Technology Risk Compliance Management, Regulatory Compliance Reporting and IT Asset Management solutions for the banking & financial industry. |
CN102073817A (en) | Dynamic access control improvement method on basis of RBAC (Role-Based policies Access Control) model |
CN112364366A (en) | Block chain-based alliance data sharing access control method and system |
Anthony Jnr | Investigating the decentralized governance of distributed ledger infrastructure implementation in extended enterprises |
Kwame et al. | V-chain: A blockchain-based car lease platform |
CN108521411A (en) | Access control method, apparatus and system based on access control policy |
US20230342849A1 (en) | Method, apparatus, and computer-readable medium for compliance aware tokenization and control of asset value |
George et al. | IF/THEN Democracy: Exploring the World of Decentralized Autonomous Organizations (DAOs) |
CN113159956A (en) | Account data processing method, device, equipment and storage medium |
Upadhyaya et al. | Revolutionizing healthcare systems of a developing country using blockchain |
US20140304009A1 (en) | System and method for management of insurable assets |
Hendrischke | Networks as business networks |
Bauvars | Applicability of blockchain technology in securities settlement. |
Schlarb et al. | Using blockchain technology to manage membership and legal contracts in a distributed data market |
Wall | Blockchain challenges and governance |
Fuchs | Blockchain |
Yuan | Legal model construction approach of big data transaction management in the digital information perspective |
Mattarocci et al. | The evolution of proptech |
Fiorentino et al. | New governance perspectives on the sharing economy. A blockchain application for the 'Smart' management of co-working spaces with a return for local authorities |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180911 |