CN108900484A - Method and device for generating access authority information - Google Patents
- Publication number: CN108900484A (application CN201810621380.9A)
- Authority: CN (China)
- Prior art keywords: user, access authority, authority information, user identifier, resource group
- Prior art date
- Legal status: Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—for controlling access to devices or network resources
          - H04L63/105—Multiple levels of security
        - H04L63/02—for separating internal from external traffic, e.g. firewalls
          - H04L63/0272—Virtual private networks
        - H04L63/08—for authentication of entities
          - H04L63/0876—based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/166—at the transport layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The embodiments of the present application provide a method and device for generating access authority information. A login request sent by a first terminal is received, the login request carrying a first user identifier and a first user attribute, and it is judged whether the first user identifier exists in preset access authority information. If the first user identifier does not exist in the preset access authority information, a first resource group corresponding to the first user identifier is determined, according to the first user attribute, from a preset correspondence between user attributes and resource groups, and the first user identifier and the first resource group are added to the preset access authority information to generate the access authority information corresponding to the first user identifier. With this processing, the access authority information corresponding to a user identifier can be generated automatically, which improves the efficiency with which access authority information is generated.
Description
Technical field
The present application relates to the field of communication technology, and in particular to a method and device for generating access authority information.
Background technique
SSL VPN (Virtual Private Network based on SSL, Secure Sockets Layer) technology uses the certificate-based authentication, data encryption and message integrity verification mechanisms provided by the SSL protocol to establish a secure connection between application-layer endpoints. Based on SSL VPN technology, an enterprise's employees can use a terminal to connect securely to the enterprise's internal network over the Internet and access the resources of the internal network.
However, different employees have different access authority, so the resources each employee may access must be assigned per employee. In the prior art, technical staff must manually configure the access authority information for each employee in advance; the access authority information may include the correspondence between the employee's user identifier and the resource group the employee is allowed to access. When an employee needs to access a resource, the employee uses a terminal to send a login request to the gateway. The login request carries the terminal's certificate, and the certificate carries the employee's user identifier, which is usually the employee's user name. From the user identifier in the certificate of the login request, the gateway determines the resource group corresponding to that user identifier in its local access authority information, and thereby the resources the employee may access.
Because technical staff must manually configure the accessible resource group for every employee in order to generate that employee's access authority information, a large amount of the technical staff's time is consumed when the enterprise has many employees, and the access authority information is generated inefficiently.
Summary of the invention
The purpose of the embodiments of the present application is to provide a method and device for generating access authority information, so as to improve the efficiency with which access authority information is generated. The specific technical solution is as follows:
In a first aspect, to achieve the above object, an embodiment of the present application discloses a method for generating access authority information, the method including:
receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
judging whether the first user identifier exists in preset access authority information, wherein the preset access authority information includes a correspondence between user identifiers and resource groups;
if the first user identifier does not exist in the preset access authority information, determining, according to the first user attribute, a first resource group corresponding to the first user identifier from a preset correspondence between user attributes and resource groups;
adding the first user identifier and the first resource group to the preset access authority information, to generate the access authority information corresponding to the first user identifier.
Optionally, the method further includes:
receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
deleting the second user identifier and its corresponding second resource group from the preset access authority information, to delete the access authority information corresponding to the second user identifier.
Optionally, the method further includes:
if the first user identifier exists in the preset access authority information, determining the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
Optionally, the method further includes:
receiving an add instruction input by a user, wherein the add instruction carries a third user identifier and a third resource group;
adding the third user identifier and the third resource group to the preset access authority information, to generate the access authority information corresponding to the third user identifier.
Optionally, the method further includes:
receiving a delete instruction input by a user, wherein the delete instruction carries a fourth user identifier;
deleting the fourth user identifier and its corresponding fourth resource group from the preset access authority information, to delete the access authority information corresponding to the fourth user identifier.
Optionally, the preset access authority information includes a correspondence among service type, user identifier and resource group, and adding the first user identifier and the first resource group to the preset access authority information includes:
determining a first service type corresponding to the login request, and adding the correspondence among the first user identifier, the first resource group and the first service type to the access authority information corresponding to the first user identifier.
In a second aspect, to achieve the above object, an embodiment of the present application further discloses a device for generating access authority information, the device including:
a receiving module, configured to receive a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
a judgment module, configured to judge whether the first user identifier exists in preset access authority information, wherein the preset access authority information includes a correspondence between user identifiers and resource groups;
a first determining module, configured to, if the first user identifier does not exist in the preset access authority information, determine, according to the first user attribute, a first resource group corresponding to the first user identifier from a preset correspondence between user attributes and resource groups;
a generation module, configured to add the first user identifier and the first resource group to the preset access authority information, to generate the access authority information corresponding to the first user identifier.
Optionally, the device further includes:
a logout module, configured to receive a logout message sent by a second terminal, wherein the logout message carries a second user identifier, and to delete the second user identifier and its corresponding second resource group from the preset access authority information, to delete the access authority information corresponding to the second user identifier.
Optionally, the device further includes:
a second determining module, configured to, if the first user identifier exists in the preset access authority information, determine the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
Optionally, the device further includes:
an adding module, configured to receive an add instruction input by a user, wherein the add instruction carries a third user identifier and a third resource group, and to add the third user identifier and the third resource group to the preset access authority information, to generate the access authority information corresponding to the third user identifier.
Optionally, the device further includes:
a deleting module, configured to receive a delete instruction input by a user, wherein the delete instruction carries a fourth user identifier, and to delete the fourth user identifier and its corresponding fourth resource group from the preset access authority information, to delete the access authority information corresponding to the fourth user identifier.
Optionally, the preset access authority information includes a correspondence among service type, user identifier and resource group, and the generation module is specifically configured to determine a first service type corresponding to the login request and add the correspondence among the first user identifier, the first resource group and the first service type to the access authority information corresponding to the first user identifier.
In a third aspect, to achieve the above object, an embodiment of the present application further discloses an electronic device including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to implement the method steps described in the first aspect.
In a fourth aspect, to achieve the above object, an embodiment of the present application further discloses a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps described in the first aspect.
With the method and device for generating access authority information provided by the embodiments of the present application, a login request sent by a first terminal can be received, the login request carrying a first user identifier and a first user attribute; it is judged whether the first user identifier exists in preset access authority information; if the first user identifier does not exist in the preset access authority information, a first resource group corresponding to the first user identifier is determined, according to the first user attribute, from a preset correspondence between user attributes and resource groups; and the first user identifier and the first resource group are added to the preset access authority information, to generate the access authority information corresponding to the first user identifier. With this processing, the access authority information corresponding to a user identifier can be generated automatically, which improves the efficiency with which access authority information is generated.
Of course, a product or method implementing the present application need not achieve all of the above advantages at the same time.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a structural diagram of a networking architecture provided by an embodiment of the present application;
Fig. 2 is a flowchart of a method for generating access authority information provided by an embodiment of the present application;
Fig. 3 is an exemplary flowchart of a method for generating access authority information provided by an embodiment of the present application;
Fig. 4 is an exemplary flowchart of a method for generating access authority information provided by an embodiment of the present application;
Fig. 5 is a structural diagram of a device for generating access authority information provided by an embodiment of the present application;
Fig. 6 is a structural diagram of an electronic device provided by an embodiment of the present application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the protection scope of the present application.
The embodiments of the present application provide a method and device for generating access authority information that can be applied to a network device; the network device may be a router, a firewall device or another gateway. Referring to Fig. 1, Fig. 1 is a structural diagram of a networking architecture provided by an embodiment of the present application. The network includes a network device, a server and multiple terminals. Resources may be stored on the server, and preset access authority information may be stored on the network device. When a user needs to access a resource, the user sends a login request to the network device through a terminal. The login request may carry the terminal's certificate, and the certificate records a first user identifier and a first user attribute. When the first user identifier does not exist in the preset access authority information, the network device determines, according to the first user attribute, the first resource group corresponding to the first user identifier from a preset correspondence between user attributes and resource groups, and determines the resources included in the first resource group as the resources the user may access; at the same time, the network device adds the first user identifier and the first resource group to the preset access authority information, to generate the access authority information corresponding to the first user identifier.
It can be seen that the embodiments of the present application register a new user automatically on that user's first login; the device administrator does not need to configure the user manually or repeat the operation, which saves labor cost.
Referring to Fig. 2, Fig. 2 is a flowchart of a method for generating access authority information provided by an embodiment of the present application. The method can be applied to a network device, which may be a router, a firewall device or another gateway; the gateway may be an SSL VPN gateway or the like. The method may include the following steps.
S201: Receive a login request sent by a first terminal.
The login request may be sent by a first user through the first terminal. The login request includes the certificate used by the first terminal, and that certificate includes the first user identifier and the first user attribute. The first terminal may obtain the certificate from a UKey (electronic key) or a mobile phone SIM (Subscriber Identity Module) card.
The first user identifier is the user identifier of the first user; it may be a user name or another identifier used to distinguish users, for example an employee's work number.
The user attribute is used to determine the first user's authority to access resources. For example, in the case where an employee uses a terminal to access the resources of an enterprise server, the employee's authority to access resources is usually determined by the department to which the employee belongs and by the company to which that department belongs; accordingly, the user attribute in the terminal's certificate may include the department identifier of the employee's department and the company identifier of the company to which that department belongs.
In implementation, when a user needs to access a resource on the server, the user uses a terminal to send a login request carrying the certificate to the network device. The network device receives the login request and performs a handshake with the terminal according to the certificate carried in the login request.
S202: Judge whether the first user identifier exists in the preset access authority information.
The network device may locally store preset access authority information, which includes a correspondence between user identifiers and resource groups. The preset access authority information may have been preset by technical staff, or may have been generated by the network device from a login request previously received from a terminal. A resource group may include one resource or multiple resources.
In implementation, after the network device receives the login request, it parses the login request to obtain the certificate of the first terminal carried in it, then parses the certificate to obtain the user identifier carried in the certificate (i.e., the first user identifier), and looks that identifier up in the preset access authority information to judge whether the first user identifier exists.
S203: If the first user identifier does not exist in the preset access authority information, determine, according to the first user attribute, the first resource group corresponding to the first user identifier from the preset correspondence between user attributes and resource groups.
The network device may locally store the preset correspondence between user attributes and resource groups, which technical staff can configure according to business requirements. For example, in the case where employees use terminals to access the resources of an enterprise server, the correspondence between user attributes and resource groups may be as in table (1).
Table (1)
Company identifier | Department identifier | Resource group |
H3C | Safety | pgroup1 |
UNIS | Safety | pgroup2 |
UNIS | Big data | pgroup3 |
In table (1) the user attribute consists of a company identifier and a department identifier, so the correspondence between user attributes and resource groups is the correspondence among company identifier, department identifier and resource group. As table (1) shows, an employee of the security department of the H3C company may access the resources included in resource group pgroup1; an employee of the security department of the UNIS company may access the resources included in resource group pgroup2; and an employee of the big data department of the UNIS company may access the resources included in resource group pgroup3.
In implementation, when the network device determines that the first user identifier does not exist in the preset access authority information, the network device looks up the user attribute in the certificate (i.e., the first user attribute) in the local correspondence between user attributes and resource groups, and determines the resource group corresponding to the first user attribute (i.e., the first resource group).
S204: Add the first user identifier and the first resource group to the preset access authority information, to generate the access authority information corresponding to the first user identifier.
In implementation, after the network device determines the first resource group, it adds the first user identifier to the preset access authority information and sets the corresponding resource group to the first resource group, thereby generating the access authority information corresponding to the first user identifier. The next time the network device receives a login request carrying the terminal's certificate from the first user through the terminal, it can look up the first user identifier carried in the certificate directly in the preset access authority information, determine the first resource group corresponding to the first user identifier, and thereby confirm that the first user may access the resources included in the first resource group. Here, the first user is the user corresponding to the first user identifier.
Optionally, the network device may also directly determine the resources the user may access. Specifically, the above method may further include the following step: if the first user identifier exists in the preset access authority information, determining the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
In implementation, when the network device determines that the first user identifier exists in the preset access authority information, the network device determines the resource group corresponding to the first user identifier in the preset access authority information and determines the resources included in that resource group as the resources the first user may access, that is, the resources the first user may access using the first terminal. The network device may also send the resources to the first terminal, so that the first user can browse the resources using the first terminal.
Optionally, the network device may also update the local access authority information, specifically in the following ways.
Mode one: receive a logout message sent by a second terminal; delete the second user identifier and its corresponding second resource group from the preset access authority information, to delete the access authority information corresponding to the second user identifier.
The logout message includes the certificate used by the second terminal, and that certificate includes the second user identifier.
In implementation, a user can use a terminal to delete the corresponding access authority information. Specifically, technical staff may place a logout button on the server's login page. When a user needs to delete the corresponding access authority information, the user clicks the logout button on the login page using a terminal (i.e., the second terminal). The network device then receives a logout message carrying the certificate of the second terminal, parses the logout message to obtain the certificate of the second terminal and the user identifier carried in the certificate (i.e., the second user identifier), and then deletes the second user identifier and its corresponding second resource group from the preset access authority information, to delete the access authority information corresponding to the second user identifier.
Mode two: receive an add instruction input by a user; add a third user identifier and a third resource group to the preset access authority information, to generate the access authority information corresponding to the third user identifier.
The add instruction carries the third user identifier and the third resource group.
In implementation, when technical staff need to add access authority information, for example when a new employee joins the enterprise, the technical staff input an add instruction to the network device through its input component. The network device receives the add instruction, parses it to obtain the third user identifier corresponding to the employee and the third resource group the employee may access, then adds the third user identifier to the preset access authority information and sets the corresponding resource group to the third resource group, to generate the access authority information corresponding to the third user identifier.
Mode three: receive a delete instruction input by a user; delete a fourth user identifier and its corresponding fourth resource group from the preset access authority information, to delete the access authority information corresponding to the fourth user identifier.
The delete instruction carries the fourth user identifier.
In implementation, when technical staff need to delete access authority information, for example when an employee leaves the enterprise, the technical staff input a delete instruction to the network device through its input component. The network device receives the delete instruction, parses it to obtain the fourth user identifier corresponding to the employee, and then deletes the fourth user identifier and its corresponding fourth resource group from the preset access authority information, to delete the access authority information corresponding to the fourth user identifier.
Optionally, the network device may also set a corresponding service type. Specifically, the preset access authority information includes a correspondence among service type, user identifier and resource group; accordingly, step S204 may include the following processing: determining a first service type corresponding to the login request, and adding the correspondence among the first user identifier, the first resource group and the first service type to the access authority information corresponding to the first user identifier.
The service type may be SSL VPN, PPP (Point-to-Point Protocol), Portal, IKE (Internet Key Exchange) or another service type.
In implementation, the network device parses the login request to determine the service type corresponding to the login request (i.e., the first service type), and adds the correspondence among the first service type, the first user identifier and the first resource group to the access authority information corresponding to the first user identifier. For example, if the network device parses the login request and determines that the corresponding service type is SSL VPN, the network device sets the service type corresponding to the first user identifier and the first resource group in the preset access authority information to SSL VPN, thereby generating a local user of the SSL VPN service type.
It can be seen that the network device can also configure the generated local user according to the service type corresponding to the login request, so as to support login requests of different service types sent by users through terminals.
In addition, when the network device needs to perform local authentication of a terminal (for example, when the network device authenticates a terminal according to the terminal's self-signed certificate), the network device can also authenticate the terminal according to the local user generated as described above.
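The following Python block is an added example, not code from the patent or its applicant. It models steps S201 to S204 above (look the user identifier up; on a first login derive the resource group from the certificate attributes and record it), the three maintenance modes (logout, add, delete) and the service-type key of the variant of S204, so that the behaviour of the whole procedure can be exercised in one place. Everything not stated by the patent is an assumption: a certificate is represented as a plain dict that the gateway's TLS layer is assumed to have validated already, the user attribute is the (company identifier, department identifier) pair of table (1), the resource-group contents are constructed sample data, and a first login whose attributes match no row of table (1) is rejected rather than recorded with an empty group.

```python
"""Added example (not the patent's own code): access-authority table of the gateway.

Assumptions not stated by the patent: certificates are dicts already validated by
the TLS layer; attributes are (company identifier, department identifier); resource
group members are constructed sample data; unmatched attributes are rejected.
"""
from dataclasses import dataclass, field

# Table (1) of the description: (company identifier, department identifier) -> resource group
ATTRIBUTE_TO_GROUP = {
    ("H3C", "Safety"): "pgroup1",
    ("UNIS", "Safety"): "pgroup2",
    ("UNIS", "Big data"): "pgroup3",
}

# Resource group -> resources. Constructed sample data; the patent does not list members.
RESOURCE_GROUPS = {
    "pgroup1": frozenset({"10.0.1.0/24", "wiki.corp.example"}),
    "pgroup2": frozenset({"10.0.2.0/24"}),
    "pgroup3": frozenset({"10.0.3.0/24", "hadoop.corp.example"}),
}


class AuthorityError(Exception):
    """No resource group can be derived, or an unknown group was named."""


@dataclass
class Gateway:
    # Preset access authority information keyed by (service type, user identifier),
    # i.e. the service-type variant of step S204.
    authority: dict = field(default_factory=dict)
    attr_to_group: dict = field(default_factory=lambda: dict(ATTRIBUTE_TO_GROUP))

    def login(self, cert, service_type="SSLVPN"):
        """S201-S204: return the resources the certificate holder may access.

        An existing entry wins (S202 -> S205); only an absent user identifier is
        registered from its attributes (S203 -> S204). A stored group is therefore
        not re-derived when the attributes in a later certificate differ.
        """
        key = (service_type, cert["user_id"])
        group = self.authority.get(key)
        if group is None:
            attrs = (cert["company"], cert["department"])
            group = self.attr_to_group.get(attrs)
            if group is None:
                raise AuthorityError(f"no resource group for attributes {attrs}")
            self.authority[key] = group
        return set(RESOURCE_GROUPS[group])

    def logout(self, cert, service_type="SSLVPN"):
        """Mode one: a logout message carrying the certificate removes the entry."""
        return self.authority.pop((service_type, cert["user_id"]), None)

    def add(self, user_id, group, service_type="SSLVPN"):
        """Mode two: an administrator's add instruction records an explicit entry."""
        if group not in RESOURCE_GROUPS:
            raise AuthorityError(f"unknown resource group {group}")
        self.authority[(service_type, user_id)] = group

    def delete(self, user_id, service_type="SSLVPN"):
        """Mode three: an administrator's delete instruction removes the entry."""
        return self.authority.pop((service_type, user_id), None)


def walkthrough():
    """Replays the Fig. 4 scenario with constructed certificates; returns the table."""
    gw = Gateway()
    zhang = {"user_id": "Zhang San", "company": "H3C", "department": "Safety"}
    gw.login(zhang)                         # first login: registered as pgroup1
    gw.login(zhang, service_type="Portal")  # a separate entry per service type
    gw.logout(zhang)                        # SSLVPN entry removed, Portal entry kept
    gw.add("Li Si", "pgroup3")              # administrator adds an entry directly
    return dict(gw.authority)


if __name__ == "__main__":
    for key, group in walkthrough().items():
        print(key, "->", group)
```

Two properties of the procedure are visible here that the prose only implies. First, because S202 looks up the identifier before S203 consults the attributes, a user whose certificate later carries a different department keeps the originally recorded group until a logout message or a delete instruction removes the entry; the attributes are consulted again only on the next first login. Second, the group is derived from whatever attributes the certificate carries, so the lookup in S203 is only as trustworthy as the certificate validation that precedes it; in the local-authentication case with self-signed terminal certificates mentioned above, those attributes are asserted by the terminal alone.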
Referring to Fig. 3, Fig. 3 is an exemplary flowchart of a method for generating access authority information provided by an embodiment of the present application. The method can be applied to a network device, which may be a router, a firewall device or another gateway, and may include the following steps.
S301: The network device receives a login request sent by a first terminal.
The login request includes the certificate used by the first terminal, and that certificate includes the first user identifier and the first user attribute.
S302: The network device judges whether the first user identifier exists in the preset access authority information; if the first user identifier does not exist in the preset access authority information, S303-S304 are executed, and if the first user identifier exists in the preset access authority information, S305 is executed.
The preset access authority information includes a correspondence between user identifiers and resource groups.
S303: The network device determines, according to the first user attribute, the first resource group corresponding to the first user identifier from the preset correspondence between user attributes and resource groups.
S304: The network device adds the first user identifier and the first resource group to the preset access authority information, to generate the access authority information corresponding to the first user identifier.
S305: The network device determines the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
Referring to Fig. 4, Fig. 4 is an exemplary flowchart of the access authority information generation method provided by the embodiments of the present application. This embodiment is illustrated with the example of the user "Zhang San" logging in for the first time using the first terminal. The method can be applied to a network device, which may be a router, a firewall device or another gateway, and the first terminal accesses the network device through SSLVPN. The method may include the following steps. It should be understood that the access service type may also include Portal, PPP, IKE, etc.; SSLVPN is used here only for illustration.
S401: The network device receives the login request sent by the first terminal.
Here the login request is sent by Zhang San using the first terminal and includes the certificate used by the first terminal. The certificate used by the first terminal includes the first user identifier (that is, the user name "Zhang San") and the first user attribute (the logo "H3C" of the company Zhang San belongs to, and the department identifier "safety" of the department Zhang San belongs to). Specifically, the login request is an SSL message, and the certificate carried in the SSL message includes an OU field and an O field, where the OU field is the field carrying the logo and the O field is the field carrying the department identifier. The certificate further includes a CN field carrying the user identifier.
S402: The network device determines that the first user identifier (Zhang San) does not exist in the preset access authority information.
Here the preset access authority information includes the correspondence between service type, user identifier and resource group. The preset access authority information can be as shown in table (2).
Table (2)
User identifier | Service type | Resource group |
---|---|---|
Li Si | SSLVPN | pgroup2 |
Zhao five | SSLVPN | pgroup3 |
S403: The network device determines, according to the first user attribute (logo "H3C" and department identifier "safety"), the first resource group (pgroup1) corresponding to the first user identifier (Zhang San) from the preset correspondence between user attributes and resource groups.
Here the preset correspondence between user attributes and resource groups can be as shown in table (3).
Table (3)
Logo | Department identifier | Resource group |
---|---|---|
H3C | Safety | pgroup1 |
UNIS | Safety | pgroup3 |
UNIS | Big data | pgroup3 |
As can be seen, when a user sends a login request using a terminal for the first time and the network device authenticates according to the terminal's certificate, the access authority information corresponding to that user can be generated (that is, the local user corresponding to that user is generated).
S404: The network device adds the service type SSLVPN, the first user identifier (Zhang San) and the first resource group (pgroup1) to the preset access authority information, so as to generate the access authority information corresponding to the first user identifier. Specifically, the access authority information shown in table (4) can be obtained from table (2).
Table (4)
User identifier | Service type | Resource group |
---|---|---|
Li Si | SSLVPN | pgroup2 |
Zhao five | SSLVPN | pgroup3 |
Zhang San | SSLVPN | pgroup1 |
It follows that the network device automatically creates a new user "Zhang San" of the SSLVPN type: it performs first-login authentication and authorization for the new user "Zhang San" and at the same time registers and generates a new user.
S405: When the network device receives the login request sent by the first terminal again, the network device determines that the first user identifier (Zhang San) exists in the preset access authority information.
S406: The network device determines the resources included in the resource group (pgroup1) corresponding to the first user identifier (Zhang San) in the preset access authority information as the resources that the first user (Zhang San) is allowed to access.
The applicant has found that at present, when a user is registered based on SSLVPN, the authorized resource group cannot be confirmed, so there is currently no method for registering such users. The embodiments of the present application determine the authorized resource group from characteristic values of the certificate (such as the user identifier and the user attribute). When the user logs in for the first time, the network device automatically registers and generates a new user (a local user); when the user logs in again, the network device can authenticate the user automatically according to the local user without having to obtain and verify the certificate of the terminal used by the user again, so authentication is faster and its efficiency can be improved.
As can be seen, the embodiments of the present application can automatically register a new user when the user logs in for the first time, so the device administrator does not need to configure the user manually or repeat operations, which saves labor cost. Authentication is faster on subsequent logins and its efficiency can be improved. Moreover, the newly created user can be used to handle any business related to that user. For example, the network device can perform local authentication on the user according to the local user generated above.
In addition, the user created by the embodiments of the present application can be used not only for SSLVPN authentication: if other access services require it, the user can also be used after the access service type is simply configured. Other access services include Portal, PPP, IKE, etc., in which case table (2) can be as shown in the following table (5).
Table (5)
User identifier | Service type | Resource group |
---|---|---|
Li Si | SSLVPN, Portal, PPP, IKE | pgroup2 |
Zhao five | SSLVPN, Portal, PPP, IKE | pgroup3 |
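The following is an added example, not code from the patent or from any vendor implementation, that models steps S301-S305 and S401-S406, the per-service-type entries of table (5), and the logout and delete handling described in the device embodiment. The class and function names (AccessAuthorityTable, handle_login, build_sample_table) are chosen here, and the certificate subjects and table rows are constructed samples drawn from tables (2) and (3).

```python
"""Model of the access-authority generation method of Figs. 3 and 4.

Added example; names and sample data are chosen here, not taken from any
product. The certificate subjects below are constructed strings.
"""
from dataclasses import dataclass

# Constructed from table (3): (logo, department identifier) -> resource group.
SAMPLE_ATTR_TO_GROUP = {
    ("H3C", "Safety"): "pgroup1",
    ("UNIS", "Safety"): "pgroup3",
    ("UNIS", "Big data"): "pgroup3",
}


def parse_subject(subject: str) -> dict:
    """Split an 'attr=value,attr=value' subject string into a dict.

    The page maps the OU field to the company logo and the O field to the
    department identifier. Standard X.509 naming is the reverse (O is the
    organization, OU the unit), so confirm which convention the issuing CA
    follows before wiring the lookup. Escaped commas inside values are not
    handled; a real gateway should read the decoded certificate, not a string.
    """
    fields = {}
    for part in subject.split(","):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        fields[key.strip().upper()] = value.strip()
    return fields


@dataclass(frozen=True)
class Entry:
    """One row of the access authority information (tables (2), (4), (5))."""
    user_id: str
    service_types: frozenset
    resource_group: str


class AccessAuthorityTable:
    def __init__(self, attr_to_group):
        self.attr_to_group = dict(attr_to_group)  # preset attribute -> group mapping
        self.entries = {}                          # user identifier -> Entry

    # Add instruction (third user identifier + resource group); also used by S304.
    def add(self, user_id, service_type, resource_group):
        self.entries[user_id] = Entry(user_id, frozenset({service_type}), resource_group)

    # Logout message / delete instruction: drop the user's row entirely.
    def delete(self, user_id):
        self.entries.pop(user_id, None)

    # Table (5): enable a further access service type for an existing user.
    def enable_service(self, user_id, service_type):
        e = self.entries[user_id]
        self.entries[user_id] = Entry(e.user_id, e.service_types | {service_type},
                                      e.resource_group)

    def handle_login(self, cert_subject, service_type):
        """Steps S301-S305 for one login. Returns (action, resource_group).

        Assumes the TLS layer has already validated the certificate chain
        (an assumption of this example); only fields of a verified
        certificate are trusted here.
        """
        f = parse_subject(cert_subject)
        missing = [k for k in ("CN", "OU", "O") if k not in f]
        if missing:
            raise ValueError(f"certificate lacks required field(s): {missing}")
        user_id, logo, dept = f["CN"], f["OU"], f["O"]

        entry = self.entries.get(user_id)
        if entry is None:                                    # S302: not present
            group = self.attr_to_group.get((logo, dept))     # S303
            if group is None:
                # The page gives no rule for unknown attributes; this example
                # denies rather than guessing a group (assumption).
                return ("denied", None)
            self.add(user_id, service_type, group)           # S304
            return ("registered", group)
        if service_type not in entry.service_types:
            # Existing user, but this service type was never enabled (assumption).
            return ("denied", None)
        return ("authorized", entry.resource_group)          # S305


def build_sample_table():
    """Table (2) plus table (3), as constructed sample data."""
    t = AccessAuthorityTable(SAMPLE_ATTR_TO_GROUP)
    t.add("Li Si", "SSLVPN", "pgroup2")
    t.add("Zhao five", "SSLVPN", "pgroup3")
    return t


if __name__ == "__main__":
    t = build_sample_table()
    print(t.handle_login("CN=Zhang San,OU=H3C,O=Safety", "SSLVPN"))  # first login
    print(t.handle_login("CN=Zhang San,OU=H3C,O=Safety", "SSLVPN"))  # repeat login
```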
Based on the access authority information generation method of the embodiments of the present application, the network device can receive a login request sent by the first terminal, the login request carrying the first user identifier and the first user attribute. The network device can judge whether the first user identifier exists in the preset access authority information. If the first user identifier does not exist in the preset access authority information, the network device can determine the first resource group corresponding to the first user identifier from the preset correspondence between user attributes and resource groups according to the first user attribute, and add the first user identifier and the first resource group to the preset access authority information, so as to generate the access authority information corresponding to the first user identifier. Based on the above processing, the network device can automatically generate the access authority information corresponding to a user identifier, and the efficiency of generating access authority information can thus be improved.
Corresponding to the method embodiment of Fig. 2, referring to Fig. 5, Fig. 5 shows a device for generating access authority information provided by the embodiments of the present application. The device may include:
a receiving module 501 for receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
a judgment module 502 for judging whether the first user identifier exists in preset access authority information, wherein the preset access authority information includes a correspondence between user identifiers and resource groups;
a first determining module 503 for, if the first user identifier does not exist in the preset access authority information, determining, according to the first user attribute, the first resource group corresponding to the first user identifier from a preset correspondence between user attributes and resource groups;
a generation module 504 for adding the first user identifier and the first resource group to the preset access authority information, so as to generate the access authority information corresponding to the first user identifier.
Optionally, the device further includes:
a cancellation module for receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier, and for deleting the second user identifier and the corresponding second resource group from the preset access authority information, so as to delete the access authority information corresponding to the second user identifier.
Optionally, the device further includes:
a second determining module for, if the first user identifier exists in the preset access authority information, determining the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
Optionally, the device further includes:
an adding module for receiving an add instruction input by a user, wherein the add instruction carries a third user identifier and a third resource group, and for adding the third user identifier and the third resource group to the preset access authority information, so as to generate the access authority information corresponding to the third user identifier.
Optionally, the device further includes:
a removing module for receiving a delete instruction input by a user, wherein the delete instruction carries a fourth user identifier, and for deleting the fourth user identifier and the corresponding fourth resource group from the preset access authority information, so as to delete the access authority information corresponding to the fourth user identifier.
Optionally, the preset access authority information includes a correspondence between service types, user identifiers and resource groups, and the generation module 504 is specifically configured to determine the first service type corresponding to the login request and to add the correspondence between the first user identifier, the first resource group and the first service type to the access authority information corresponding to the first user identifier.
As can be seen from the above, the device for generating access authority information of the embodiments of the present application can receive a login request sent by the first terminal, the login request carrying the first user identifier and the first user attribute; judge whether the first user identifier exists in the preset access authority information; and, if the first user identifier does not exist in the preset access authority information, determine the first resource group corresponding to the first user identifier from the preset correspondence between user attributes and resource groups according to the first user attribute, and add the first user identifier and the first resource group to the preset access authority information, so as to generate the access authority information corresponding to the first user identifier. Based on the above processing, the network device can automatically generate the access authority information corresponding to a user identifier, and the efficiency of generating access authority information can thus be improved.
The embodiments of the present application also provide an electronic device, as shown in Fig. 6, including a processor 601, a communication interface 602, a memory 603 and a communication bus 604, where the processor 601, the communication interface 602 and the memory 603 communicate with one another through the communication bus 604;
the memory 603 is configured to store a computer program;
the processor 601, when executing the program stored in the memory 603, causes the electronic device to perform the following steps:
receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
judging whether the first user identifier exists in preset access authority information, wherein the preset access authority information includes a correspondence between user identifiers and resource groups;
if the first user identifier does not exist in the preset access authority information, determining, according to the first user attribute, the first resource group corresponding to the first user identifier from a preset correspondence between user attributes and resource groups;
adding the first user identifier and the first resource group to the preset access authority information, so as to generate the access authority information corresponding to the first user identifier.
Optionally, the above steps further include:
receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
deleting the second user identifier and the corresponding second resource group from the preset access authority information, so as to delete the access authority information corresponding to the second user identifier.
Optionally, the above steps further include:
if the first user identifier exists in the preset access authority information, determining the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
Optionally, the above steps further include:
receiving an add instruction input by a user, wherein the add instruction carries a third user identifier and a third resource group;
adding the third user identifier and the third resource group to the preset access authority information, so as to generate the access authority information corresponding to the third user identifier.
Optionally, the above steps further include:
receiving a delete instruction input by a user, wherein the delete instruction carries a fourth user identifier;
deleting the fourth user identifier and the corresponding fourth resource group from the preset access authority information, so as to delete the access authority information corresponding to the fourth user identifier.
Optionally, the preset access authority information includes a correspondence between service types, user identifiers and resource groups, and adding the first user identifier and the first resource group to the preset access authority information includes:
determining the first service type corresponding to the login request, and adding the correspondence between the first user identifier, the first resource group and the first service type to the access authority information corresponding to the first user identifier.
The machine-readable storage medium may include RAM (Random Access Memory) and may also include NVM (Non-Volatile Memory), for example at least one magnetic disk storage. In addition, the machine-readable storage medium may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor), etc.; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
As can be seen from the above, in the embodiments of the present application, a login request sent by the first terminal can be received, the login request carrying the first user identifier and the first user attribute, and it is judged whether the first user identifier exists in the preset access authority information. If the first user identifier does not exist in the preset access authority information, the first resource group corresponding to the first user identifier is determined from the preset correspondence between user attributes and resource groups according to the first user attribute, and the first user identifier and the first resource group are added to the preset access authority information, so as to generate the access authority information corresponding to the first user identifier. Based on the above processing, the access authority information corresponding to a user identifier can be generated automatically, and the efficiency of generating access authority information can thus be improved.
It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
Each embodiment in this specification is described in a related manner; the same or similar parts between the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, the device, electronic device and machine-readable storage medium embodiments are substantially similar to the method embodiment, so their description is relatively simple, and the relevant parts may refer to the partial explanation of the method embodiment.
The foregoing are merely preferred embodiments of the application and are not intended to limit the protection scope of the application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the application are all contained within the protection scope of the application.
Claims (10)
1. A method for generating access authority information, characterized in that the method comprises:
receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
judging whether the first user identifier exists in preset access authority information, wherein the preset access authority information comprises a correspondence between user identifiers and resource groups;
if the first user identifier does not exist in the preset access authority information, determining, according to the first user attribute, a first resource group corresponding to the first user identifier from a preset correspondence between user attributes and resource groups;
adding the first user identifier and the first resource group to the preset access authority information, so as to generate access authority information corresponding to the first user identifier.
2. The method according to claim 1, wherein the method further comprises:
receiving a logout message sent by a second terminal, wherein the logout message carries a second user identifier;
deleting the second user identifier and the corresponding second resource group from the preset access authority information, so as to delete the access authority information corresponding to the second user identifier.
3. The method according to claim 1, wherein the method further comprises:
if the first user identifier exists in the preset access authority information, determining the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
4. The method according to claim 1, wherein the method further comprises:
receiving an add instruction input by a user, wherein the add instruction carries a third user identifier and a third resource group;
adding the third user identifier and the third resource group to the preset access authority information, so as to generate access authority information corresponding to the third user identifier.
5. The method according to claim 1, wherein the method further comprises:
receiving a delete instruction input by a user, wherein the delete instruction carries a fourth user identifier;
deleting the fourth user identifier and the corresponding fourth resource group from the preset access authority information, so as to delete the access authority information corresponding to the fourth user identifier.
6. The method according to claim 1, wherein the preset access authority information comprises a correspondence between service types, user identifiers and resource groups, and adding the first user identifier and the first resource group to the preset access authority information comprises:
determining a first service type corresponding to the login request, and adding the correspondence between the first user identifier, the first resource group and the first service type to the access authority information corresponding to the first user identifier.
7. A device for generating access authority information, characterized in that the device comprises:
a receiving module for receiving a login request sent by a first terminal, wherein the login request carries a first user identifier and a first user attribute;
a judgment module for judging whether the first user identifier exists in preset access authority information, wherein the preset access authority information comprises a correspondence between user identifiers and resource groups;
a first determining module for, if the first user identifier does not exist in the preset access authority information, determining, according to the first user attribute, a first resource group corresponding to the first user identifier from a preset correspondence between user attributes and resource groups;
a generation module for adding the first user identifier and the first resource group to the preset access authority information, so as to generate access authority information corresponding to the first user identifier.
8. The device according to claim 7, characterized in that the device further comprises:
a second determining module for, if the first user identifier exists in the preset access authority information, determining the resources included in the resource group corresponding to the first user identifier in the preset access authority information as the resources that the first user corresponding to the first user identifier is allowed to access.
9. The device according to claim 7, characterized in that the preset access authority information comprises a correspondence between service types, user identifiers and resource groups, and the generation module is specifically configured to determine a first service type corresponding to the login request and to add the correspondence between the first user identifier, the first resource group and the first service type to the access authority information corresponding to the first user identifier.
10. An electronic device, characterized in that it comprises a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, and the processor being caused by the machine-executable instructions to implement the method steps of any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810621380.9A CN108900484B (en) | 2018-06-15 | 2018-06-15 | Access right information generation method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108900484A true CN108900484A (en) | 2018-11-27 |
CN108900484B CN108900484B (en) | 2021-05-25 |
Family
ID=64345189
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810621380.9A Active CN108900484B (en) | 2018-06-15 | 2018-06-15 | Access right information generation method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108900484B (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080109898A1 (en) * | 2006-11-03 | 2008-05-08 | Microsoft Corporation | Modular enterprise authorization solution |
CN105488383A (en) * | 2014-09-17 | 2016-04-13 | 北大方正集团有限公司 | Permission management method and system |
Non-Patent Citations (1)
Title |
---|
安伟莲: "RBAC模型在J2EE平台下的实现与应用", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109614778A (en) * | 2018-12-12 | 2019-04-12 | 苏州思必驰信息科技有限公司 | Dynamic Configuration, gateway and the system of user right |
CN110516452A (en) * | 2019-08-07 | 2019-11-29 | 浙江大搜车软件技术有限公司 | RBAC access authorization for resource distribution method, device, electronic equipment and storage medium |
CN110661817A (en) * | 2019-10-25 | 2020-01-07 | 新华三大数据技术有限公司 | Resource access method and device and service gateway |
CN110661817B (en) * | 2019-10-25 | 2022-08-26 | 新华三大数据技术有限公司 | Resource access method and device and service gateway |
CN111931140A (en) * | 2020-07-31 | 2020-11-13 | 支付宝(杭州)信息技术有限公司 | Authority management method, resource access control method and device and electronic equipment |
CN113992476A (en) * | 2021-11-18 | 2022-01-28 | 北京自如信息科技有限公司 | SSLVPN opening method and device |
CN114915453A (en) * | 2022-04-14 | 2022-08-16 | 浙江网商银行股份有限公司 | Access response method and device |
Also Published As
Publication number | Publication date |
---|---|
CN108900484B (en) | 2021-05-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |