CN109033856A - Access control policy synthesis method and system - Google Patents

Publication number
CN109033856A
Authority
CN
China
Legal status
Granted
Application number
CN201810797439.XA
Other languages
Chinese (zh)
Other versions
CN109033856B (en
Inventor
李春花
周可
谢伟睿
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses an access control policy synthesis method and system. The method comprises: obtaining a rule set made up of all rules of all access control policies to be synthesized; encoding the attributes of each rule in the rule set, so that rules with identical attributes have the same attribute code and rules with different attributes have different attribute codes; dividing the rule set into multiple rule subsets according to attribute code, so that rules with the same attribute code fall in the same rule subset; for each rule subset that covers all access control policies to be synthesized, handling the conflicts between its rules that belong to the same access control policy according to the rule conflict algorithm, and rejecting the rule subsets that do not cover all access control policies to be synthesized; and merging the remaining rule subsets according to the policy conflict algorithm to obtain a synthesized rule set, thereby achieving the synthesis of the access control policies. The invention reduces storage consumption and improves synthesis speed when synthesizing access control policies.

Description

Access control policy synthesis method and system
Technical Field
The invention belongs to the technical field of computer information security and, more particularly, relates to an access control policy synthesis method and system.
Background
With the rapid development of e-commerce and e-government, more and more participants cooperate in ubiquitous computing environments, and during cooperation data is generated, transmitted and shared at the same time. Such cooperation greatly improves the effectiveness and productivity of multi-organization collaboration. It should be noted that the data exchanged between processes is sensitive and is encrypted for security reasons. Each organization can independently specify an access control policy according to its own needs, and the access control policies of the multiple parties then have to be synthesized into a single policy; the system responds according to the synthesized access control policy instead of verifying against each policy separately. For example, the access control policy of organization A requires that only nurses can read the data, while the access control policy of organization B states that a person must be a doctor to gain access. When the access control policies formulated by the organizations conflict, merging the access control policies and rules specified by all organizations becomes particularly important. Merging the access control policies specified by different organizations into a single global access control policy makes it easy to determine whether a request may access the shared data. However, because no single strategy suits every problem that arises, the synthesis of access control policies depends on the requirements of the application and of the organizations and environment involved.
In multi-level access control that mixes identity-based and attribute-based access control, access control policies tend to become more and more complex as the number of participants grows, and they contain a large number of semantically duplicated, lengthy access control policies.
Attributes are the basis of access control policy authorization decisions: an access requester that satisfies the attribute conditions stipulated by an access control policy obtains the access rights the policy defines. The access control policies can therefore be merged by identifying rules that contain the same attributes. "Automated Policy Combination for Data Sharing Across Multiple Organizations" (978-1-4673-7281-7/15, 2015 IEEE) proposes a technique whose core idea is to first decompose the rules of different policies into multiple classes according to whether their action attributes and condition attributes are identical, and then merge all classes with identical action attributes and condition attributes to obtain a compact global policy. Its classification and merging are based on comparing the action attributes and condition attributes of multiple rules. This method can synthesize access control policies, but comparing a large number of attribute strings takes a large amount of CPU time, and if the time cost of policy synthesis is too high, the access control system cannot respond to access control requests promptly; at the same time, storing a large number of attribute strings occupies a large amount of memory, crowding out the memory available to the other services of the access control system.
Summary of the Invention
In view of the defects of the prior art and the need for improvement, the present invention provides an access control policy synthesis method and system. Its aim is to convert access control policies into binary form by means of binary encoding, so as to reduce storage consumption and improve synthesis speed when synthesizing access control policies.
To achieve the above object, according to a first aspect of the invention, an access control policy synthesis method is provided, comprising the following steps:
(1) obtain a rule set made up of all rules of all access control policies to be synthesized;
(2) encode the attributes of each rule in the rule set, so that rules with identical attributes have the same attribute code and rules with different attributes have different attribute codes;
(3) divide the rule set into multiple rule subsets according to attribute code, so that rules with the same attribute code are in the same rule subset;
(4) for any rule subset, if every access control policy to be synthesized has a rule belonging to the rule subset, handle the conflicts between the rules in the subset that belong to the same access control policy according to the rule conflict algorithm; otherwise, reject the rule subset;
(5) merge the remaining rule subsets according to the policy conflict algorithm to obtain a synthesized rule set, and store the synthesized rule set as the new access control policy of the data storage system, thereby achieving the synthesis of the access control policies.
Further, step (2) comprises the following steps:
(21) extract from the rule set the condition attributes and action attributes, together with all property keys of each condition attribute and all property keys of each action attribute;
(22) for any condition attribute, binary-encode its property keys according to the number of its property keys, to obtain the attribute key of each property key of the condition attribute; for any action attribute, binary-encode its property keys according to the number of its property keys, to obtain the attribute key of each property key of the action attribute;
(23) arrange all condition attributes and all action attributes in a first order, which is used to represent the attributes of a rule; for any rule in the rule set, shift and sum the attribute keys corresponding to its attributes, so that the attribute keys of the rule are arranged in the first order, giving the attribute code of the rule in binary form;
where a condition attribute represents a user attribute, and all the condition attributes together identify the user's identity; an action attribute represents an operation that can be performed on the shared data; and a property key is one value of a condition attribute or action attribute.
Further, in step (3), the method of dividing the rule set into multiple rule subsets according to attribute code comprises the following steps:
obtain the total number m of distinct attribute codes in the rule set and create m rule subsets, in one-to-one correspondence with the m distinct attribute codes;
sort the rules in the rule set by attribute code in descending or ascending order;
traverse the sorted rule set and add each rule in turn to the rule subset corresponding to its attribute code.
More preferably, when the rules in the rule set are sorted by attribute code in descending or ascending order: if the rules of one of the access control policies to be synthesized are already ordered by attribute code in the rule set, and the number M of rules of that policy in the rule set and the number N of rules to be sorted satisfy 0 < M ≤ lg(N), then the sort order is the same as the rule order of that policy and the sorting algorithm is insertion sort; if the rules of one of the access control policies to be synthesized are already ordered by attribute code in the rule set, and M and N satisfy lg(N) < M, then the sort order is the same as the rule order of that policy and the sorting algorithm is merge sort; if, by attribute code, the rules of all access control policies to be synthesized are unordered in the rule set, then the sorting algorithm is merge sort or counting sort.
Further, in step (4), for any rule subset, the method of determining that every access control policy to be synthesized has a rule belonging to the rule subset comprises:
according to the number of access control policies to be synthesized, binary-encode the numbering of the access control policies to be synthesized, to obtain the policy code of each access control policy to be synthesized, and take the policy code of the policy a rule belongs to as the policy code of that rule;
sort the rules in the rule subset by policy code in ascending or descending order; if the policy codes of the rules in the rule subset are consecutive, and the largest and smallest policy codes in the subset are equal, respectively, to the largest and smallest policy codes among all access control policies to be synthesized, then it is determined that every access control policy to be synthesized has a rule belonging to the rule subset.
Further, in step (3), the method of dividing the rule set into multiple rule subsets according to attribute code comprises the following steps:
obtain the total number m of distinct attribute codes in the rule set and create m rule subsets, in one-to-one correspondence with the m distinct attribute codes;
according to the number of access control policies to be synthesized, binary-encode the numbering of the access control policies to be synthesized, to obtain the policy code of each access control policy to be synthesized, and take the policy code of the policy a rule belongs to as the policy code of that rule;
arrange the attribute code and the policy code of each rule in the rule set in a second order to obtain the rule code of the rule, with the policy code in the low-order bits of the rule code;
sort the rules in the rule set by rule code in descending or ascending order;
traverse the rule set and add each rule in turn to the rule subset corresponding to its attribute code.
More preferably, when the rules in the rule set are sorted by rule code in descending or ascending order: if the rules of one of the access control policies to be synthesized are already ordered by rule code in the rule set, and the number M of rules of that policy in the rule set and the number N of rules to be sorted satisfy 0 < M ≤ lg(N), then the sort order is the same as the rule order of that policy and the sorting algorithm is insertion sort; if the rules of one of the access control policies to be synthesized are already ordered by rule code in the rule set, and M and N satisfy lg(N) < M, then the sort order is the same as the rule order of that policy and the sorting algorithm is merge sort; if, by rule code, the rules of all access control policies to be synthesized are unordered in the rule set, then the sorting algorithm is merge sort or counting sort.
Further, in step (4), for any rule subset, the method of judging whether every access control policy to be synthesized has a rule belonging to the rule subset comprises:
if the policy codes of the rules in the rule subset are consecutive, and the largest and smallest policy codes in the subset are equal, respectively, to the largest and smallest policy codes among all access control policies to be synthesized, then it is determined that every access control policy to be synthesized has a rule belonging to the rule subset.
Further, in step (4), handling the conflicts between the rules in a rule subset that belong to the same access control policy according to the rule conflict algorithm comprises:
for any two rules that conflict, if the rule conflict algorithm of the access control policy to be synthesized that the two rules belong to is permit overrides (PO), remove the intersection of the first constraint condition and the second constraint condition from the second constraint condition; if the rule conflict algorithm of the access control policy to be synthesized that the two rules belong to is deny overrides (DO), remove the intersection of the first constraint condition and the second constraint condition from the first constraint condition;
where the first rule is the rule whose rule effect is permit, the second rule is the rule whose rule effect is deny, the first constraint condition is the constraint condition of the first rule, and the second constraint condition is the constraint condition of the second rule. The rule effect indicates whether an operation may be performed on the shared data: if the rule effect is permit, the specified operation may be performed on the shared data; if the rule effect is deny, the specified operation may not be performed on the shared data.
Further, in step (5), merging the remaining rule subsets according to the policy conflict algorithm to obtain the synthesized rule set comprises:
for any rule subset among the remaining rule subsets, merge the constraint conditions of the rules whose rule effect is permit to obtain the constraint condition R'y, and merge the constraint conditions of the rules whose rule effect is deny to obtain the constraint condition R'n; if the policy conflict algorithm is permit priority (PD), the permit constraint condition of the rule subset is Ry = R'y and the deny constraint condition of the rule subset is Rn = R'n - R'y; if the policy conflict algorithm is deny priority (DP), the permit constraint condition of the rule subset is Ry = R'y - R'n and the deny constraint condition of the rule subset is Rn = R'n. Synthesized rules are thus obtained: one whose attribute code is the attribute code corresponding to the rule subset, whose rule effect is permit and whose constraint condition is the permit constraint condition; or one whose attribute code is the attribute code corresponding to the rule subset, whose rule effect is deny and whose constraint condition is the deny constraint condition;
add the synthesized rules obtained from each rule subset to a newly created set, to obtain the synthesized rule set made up of the synthesized rules.
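Steps (2) to (4) above, up to the coverage test, written out as an added example that is not part of the patent text. The attribute names, property keys and rules are constructed; starting attribute keys at 1 (0 reserved for an absent attribute), numbering policies from 0, and using Python's built-in sort in place of the insertion/merge/counting sort selection are assumptions.

```python
from itertools import groupby

# Constructed sample: four policies (policy codes 0..3) over three constructed attributes.
ATTR_ORDER = ["action", "department", "role"]   # the fixed "first order" of step (23)

def rule(policy, role, department, action):
    return {"policy": policy,
            "attrs": {"role": role, "department": department, "action": action}}

RULES = [
    # Policy 0 has two rules with identical attributes (they would differ in effect/constraint).
    rule(0, "doctor", "surgery", "read"), rule(0, "doctor", "surgery", "read"),
    rule(0, "nurse", "surgery", "read"),
    rule(1, "doctor", "surgery", "read"), rule(1, "nurse", "surgery", "read"),
    rule(1, "doctor", "internal", "write"),
    rule(2, "doctor", "surgery", "read"), rule(2, "doctor", "internal", "write"),
    rule(3, "doctor", "surgery", "read"), rule(3, "nurse", "surgery", "read"),
]

def build_codebook(rules, attr_order):
    """Steps (21)-(22): collect each attribute's property keys and number them in binary."""
    book = {}
    for attr in attr_order:
        keys = sorted({r["attrs"][attr] for r in rules if attr in r["attrs"]})
        width = len(keys).bit_length()      # bits for codes 1..len(keys); 0 = absent (assumption)
        book[attr] = (width, {k: i + 1 for i, k in enumerate(keys)})
    return book

def attribute_code(r, book, attr_order):
    """Step (23): shift and sum the attribute keys so they sit in the first order."""
    code = 0
    for attr in attr_order:                 # the first attribute ends up in the highest bits
        width, keys = book[attr]
        code = (code << width) + keys.get(r["attrs"].get(attr), 0)
    return code

def covers_all(policy_codes, n_policies):
    """Coverage test: sorted policy codes are consecutive and span smallest..largest code."""
    return (policy_codes[0] == 0 and policy_codes[-1] == n_policies - 1
            and all(b - a <= 1 for a, b in zip(policy_codes, policy_codes[1:])))

def partition(rules, attr_order, n_policies):
    """Step (3) with rule codes (policy code in the low bits), then the step (4) coverage test."""
    book = build_codebook(rules, attr_order)
    pwidth = max(1, (n_policies - 1).bit_length())
    # One integer sort replaces every string comparison; the built-in sort is a stand-in
    # for the sort-algorithm selection described in the text.
    coded = sorted(((attribute_code(r, book, attr_order) << pwidth) | r["policy"], i)
                   for i, r in enumerate(rules))
    kept, rejected = {}, []
    for acode, group in groupby(coded, key=lambda t: t[0] >> pwidth):
        group = list(group)
        pcodes = [rc & ((1 << pwidth) - 1) for rc, _ in group]   # already ascending
        if covers_all(pcodes, n_policies):
            kept[acode] = [rules[i] for _, i in group]
        else:
            rejected.append(acode)
    return kept, rejected

if __name__ == "__main__":
    kept, rejected = partition(RULES, ATTR_ORDER, 4)
    for acode, members in kept.items():
        print(f"kept subset {acode:06b}: {len(members)} rules")
    print("rejected subsets:", [f"{c:06b}" for c in rejected])
```

Because the policy code sits in the low bits of the rule code, one sort both groups rules by attribute code and leaves each group ordered by policy, so the coverage test is a single linear pass.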
According to a second aspect of the invention, an access control policy synthesis system is provided, comprising:
a rule set acquisition module, for obtaining the rule set made up of all rules of all access control policies to be synthesized;
an attribute encoding module, for encoding the attributes of each rule in the rule set, so that rules with identical attributes have the same attribute code and rules with different attributes have different attribute codes;
a rule subset division module, for dividing the rule set into multiple rule subsets according to attribute code, so that rules with the same attribute code are in the same rule subset;
a rule conflict processing module, for handling, according to the rule conflict algorithm, the conflicts between rules belonging to the same access control policy in the rule subsets that cover all access control policies to be synthesized, and for rejecting the rule subsets that do not cover all access control policies to be synthesized;
a policy conflict processing module, for merging the rule subsets remaining after processing by the rule conflict processing module, to obtain the synthesized rule set;
a policy storage unit, for storing the synthesized rule set as the new access control policy of the data storage system;
where, for any rule subset, if every access control policy to be synthesized has a rule belonging to the rule subset, the rule subset covers all access control policies to be synthesized; otherwise, the rule subset does not cover all access control policies to be synthesized.
In general, the above technical solutions conceived by the present invention achieve the following beneficial effects:
(1) The access control policy synthesis method provided by the present invention, after extracting all rules of all access control policies to be synthesized, encodes the attributes of the rules and completes the synthesis of the access control policies on the basis of the attribute codes. On the one hand, comparing numerical values instead of comparing strings effectively reduces the time complexity of the method and improves the efficiency of access control policy synthesis; on the other hand, storing rule attributes in the form of attribute codes effectively reduces the storage cost of access control policies in the access control system.
(2) The access control policy synthesis method provided by the present invention handles conflicts according to the rule conflict algorithm and the policy conflict algorithm respectively. It can effectively handle both the conflicts between rules belonging to the same access control policy and the conflicts between rules with identical attributes that belong to different access control policies, and can therefore enhance the stability of the access control system.
(3) The access control policy synthesis method provided by the present invention selects a specific sorting algorithm for each situation, which keeps the complexity of sorting low and thereby improves sorting efficiency.
Brief Description of the Drawings
Fig. 1 is a flowchart of the access control policy synthesis method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of rule attribute encoding provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the access control policy synthesis system provided by an embodiment of the present invention;
Fig. 4 is an application scenario, provided by an embodiment of the present invention, in which the access control policy synthesis system is integrated.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and are not intended to limit it. In addition, the technical features involved in the embodiments of the present invention described below can be combined with each other as long as they do not conflict with each other.
Before the technical solution of the invention is described in detail, the relevant terms used in the present invention are explained as follows:
A rule is the smallest unit with which access control describes a resource; it comprises condition attributes, action attributes, a rule effect and a constraint condition;
a condition attribute represents a user attribute, and all the condition attributes together identify the user's identity;
an action attribute represents an operation that can be performed on the shared data;
the rule effect indicates whether an operation may be performed on the shared data: if the rule effect is permit, the specified operation may be performed on the shared data; if the rule effect is deny, the specified operation may not be performed on the shared data;
the constraint condition expresses a further restriction on the user attributes.
For example, take a rule X whose corresponding shared data is all patient case records of a certain class; the description of rule X is shown in Table 1.

Table 1. Description of rule X
Condition attributes    Professional level: doctor; department: surgery
Action attributes       Add, delete, query, modify
Rule effect             Permit
Constraint condition    Age is greater than 40
Policy it belongs to    P

Rule X states that a person whose professional level is doctor and whose department is surgery can, provided the age is greater than 40, perform the add, delete, query and modify operations on all patient case records of that class.
As another example, take a rule Y whose corresponding shared data is likewise all patient case records of that class; the description of rule Y is shown in Table 2.

Table 2. Description of rule Y
Condition attributes    Professional level: doctor; department: surgery
Action attributes       Add, delete, query, modify
Rule effect             Deny
Constraint condition    Age is less than 50
Policy it belongs to    P

Rule Y states that a person whose professional level is doctor and whose department is surgery cannot, provided the age is less than 50, perform the add, delete, query and modify operations on all patient case records of that class.
An access control policy is a unit with which access control describes a resource; it comprises multiple rules and a rule conflict algorithm for handling the conflicts between its rules;
XACML has four basic rule-combining algorithms: deny overrides (Deny Overrides, DO), permit overrides (Permit Overrides, PO), deny priority (Deny-unless-Permit, DP) and permit priority (Permit-unless-Deny, PD); the multiple rules in one policy can be evaluated, and the conflicts between the rules handled, according to these combining algorithms;
Deny overrides (DO): if any rule evaluates to "deny", the combined result is "deny"; if no rule evaluates to "deny" and at least one rule evaluates to "permit", the combined result is "permit"; if all rules evaluate to "not applicable", the combined result is "not applicable";
Permit overrides (PO): if any rule evaluates to "permit", the combined result is "permit"; if no rule evaluates to "permit" and at least one policy evaluates to "deny", the combined result is "deny"; if all rules evaluate to "not applicable", the combined result is "not applicable";
Deny priority (DP): if any policy evaluates to "permit", the combined result is "permit"; otherwise, the combined result is "deny"; "not applicable" cannot be the result;
Permit priority (PD): if any policy evaluates to "deny", the combined result is "deny"; otherwise, the combined result is "permit"; "not applicable" cannot be the result.
For example, suppose access control policy P contains the rules X and Y above. Because rules X and Y give contradictory permission descriptions for persons whose age lies in the range (40, 50), there is a conflict between rule X and rule Y, which has to be handled according to the rule conflict algorithm of policy P;
If the rule conflict algorithm of policy P is permit overrides (PO), the conflicting part follows the rule whose rule effect is permit, i.e. rule X; the result of merging rules X and Y is therefore as shown in Table 3:
Table 3. Merged result of rules X and Y when the conflict algorithm is permit overrides
If the rule conflict algorithm of policy P is deny overrides (DO), the conflicting part follows the rule whose rule effect is deny, i.e. rule Y; the result of merging rules X and Y is therefore as shown in Table 4:
Table 4. Merged result of rules X and Y when the conflict algorithm is deny overrides
In access control policy synthesis, the participating organizations can also formulate a policy conflict algorithm for handling the conflicts between policies; the specific policy conflict algorithms are the same as the rule conflict algorithms and are not described again here.
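The conflict between rules X and Y, resolved under PO and under DO and then merged with the Ry/Rn formulas of step (5), as an added example that is not part of the patent text. Representing a constraint condition as half-open integer age ranges over 0..150 is an assumption, and rule Z with its policy Q is constructed for the merge.

```python
AGE_MAX = 151   # constructed domain: integer ages 0..150; ranges are half-open [lo, hi)

def normalize(ranges):
    """Drop empty ranges, sort, and fuse ranges that touch or overlap."""
    out = []
    for lo, hi in sorted(r for r in ranges if r[0] < r[1]):
        if out and lo <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def intersect(a, b):
    return normalize((max(al, bl), min(ah, bh)) for al, ah in a for bl, bh in b)

def subtract(a, b):
    """Ages covered by a but not by b."""
    result = normalize(a)
    for bl, bh in normalize(b):
        pieces = []
        for lo, hi in result:
            pieces += [(lo, min(hi, bl)), (max(lo, bh), hi)]   # left and right remainders
        result = normalize(pieces)
    return result

def resolve_rule_conflicts(rules, algorithms):
    """Step (4) on one rule subset. For each permit/deny pair of the same policy, the
    overlap is cut out of the deny rule (PO) or out of the permit rule (DO)."""
    out = [dict(r) for r in rules]            # leave the caller's rules untouched
    for p in out:
        for d in out:
            if (p["effect"], d["effect"]) == ("permit", "deny") and p["policy"] == d["policy"]:
                overlap = intersect(p["when"], d["when"])
                loser = d if algorithms[p["policy"]] == "PO" else p
                loser["when"] = subtract(loser["when"], overlap)
    return out

def merge_subset(rules, policy_algorithm):
    """Step (5) on one rule subset: R'y and R'n are the unions of the permit and deny
    constraints; PD gives Ry = R'y, Rn = R'n - R'y; DP gives Ry = R'y - R'n, Rn = R'n."""
    ry = normalize(iv for r in rules if r["effect"] == "permit" for iv in r["when"])
    rn = normalize(iv for r in rules if r["effect"] == "deny" for iv in r["when"])
    if policy_algorithm == "PD":
        rn = subtract(rn, ry)
    else:                                      # "DP"
        ry = subtract(ry, rn)
    return {"permit": ry, "deny": rn}

X = {"policy": "P", "effect": "permit", "when": [(41, AGE_MAX)]}   # rule X: age > 40
Y = {"policy": "P", "effect": "deny", "when": [(0, 50)]}           # rule Y: age < 50
Z = {"policy": "Q", "effect": "deny", "when": [(61, AGE_MAX)]}     # constructed: age > 60

if __name__ == "__main__":
    for algo in ("PO", "DO"):
        x, y = resolve_rule_conflicts([X, Y], {"P": algo})
        print(algo, "permit:", x["when"], "deny:", y["when"])
    resolved = resolve_rule_conflicts([X, Y], {"P": "PO"}) + [Z]
    for algo in ("PD", "DP"):
        print(algo, merge_subset(resolved, algo))
```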
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. The access control policy synthesis method provided by the present invention, as shown in Fig. 1, comprises the following steps:
(1) extract all rules of each access control policy to be synthesized from the data storage system, and add all rules of each access control policy to be synthesized, one policy after another, to a newly created set, to obtain the rule set made up of all rules of all access control policies to be synthesized;
In this embodiment, four access control policies need to be synthesized, namely Policy1 to Policy4 in order; the policy conflict algorithm is permit priority (PD);
(2) encode the attributes of each rule in the rule set, so that rules with identical attributes have the same attribute code and rules with different attributes have different attribute codes;
As shown in Fig. 2, in an optional embodiment, step (2) specifically comprises the following steps:
(21) extract from the rule set the condition attributes and action attributes, together with all property keys of each condition attribute and all property keys of each action attribute;
(22) for any condition attribute, binary-encode its property keys according to the number of its property keys, to obtain the attribute key of each property key of the condition attribute; for any action attribute, binary-encode its property keys according to the number of its property keys, to obtain the attribute key of each property key of the action attribute;
The extracted attributes and property keys, and the attribute key of each property key after encoding, are shown in Table 5:
Table 5. Attribute keys
(23) arrange all condition attributes and all action attributes in a first order, which is used to represent the attributes of a rule; for any rule in the rule set, shift and sum the attribute keys corresponding to its attributes, so that the attribute keys of the rule are arranged in the first order, giving the attribute code of the rule in binary form. In this embodiment, the first order of the attributes is ATT3, ATT2, ATT1 in sequence; after encoding, the attribute code of each rule is as shown in Table 6:
Table 6. Rule attribute codes
(3) Divide the rule set into multiple rule subsets according to attribute code, so that rules with the same attribute code are located in the same rule subset;
In an optional embodiment, step (3) specifically includes:
Obtaining the total number m of distinct attribute codes in the rule set, and creating m rule subsets in one-to-one correspondence with the m distinct attribute codes;
Sorting the rules in the rule set by attribute code, in descending or ascending order;
Traversing the sorted rule set and adding each rule in turn to the rule subset corresponding to its attribute code;
Wherein, when the rules in the rule set are sorted by attribute code in descending or ascending order: if the rules of one of the access control policies to be synthesized are already ordered by attribute code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy 0 < M ≤ lg(N), then the sort order is the same as the rule order of that policy and the sorting algorithm is insertion sort; if the rules of one of the access control policies to be synthesized are already ordered by attribute code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy lg(N) < M, then the sort order is the same as the rule order of that policy and the sorting algorithm is merge sort; if the rules of all access control policies to be synthesized are unordered by attribute code in the rule set, then the sorting algorithm is merge sort or counting sort;
(4) For any rule subset, if every access control policy to be synthesized has a rule belonging to that rule subset, handle the conflicts between rules of the same access control policy within the rule subset according to the rule conflict algorithm; otherwise, reject the rule subset;
In an optional embodiment, for any rule subset, the method of determining that every access control policy to be synthesized has a rule belonging to the rule subset includes:
Binary-encoding the numbering of the access control policies to be synthesized according to the number of such policies, thereby obtaining the policy code of each access control policy to be synthesized, and using the policy code of the policy to which a rule belongs as the policy code of that rule;
Sorting the rules in the rule subset by policy code, in ascending or descending order; if the policy codes of the rules in the rule subset are contiguous, and the largest and smallest policy codes in the subset are equal, respectively, to the largest and smallest policy codes among all access control policies to be synthesized, then it is determined that every access control policy to be synthesized has a rule belonging to the rule subset;
Handling the conflicts between rules of the same access control policy within a rule subset according to the rule conflict algorithm includes:
For any two conflicting rules, if the rule conflict algorithm of the access control policy to which the two rules belong is permit-overrides (PO), remove the intersection of the first constraint condition and the second constraint condition from the second constraint condition; if the rule conflict algorithm of the access control policy to which the two rules belong is deny-overrides (DO), remove the intersection of the first constraint condition and the second constraint condition from the first constraint condition;
Wherein the first rule is the rule whose effect is affirmative, the second rule is the rule whose effect is negative, the first constraint condition is the constraint condition of the first rule, and the second constraint condition is the constraint condition of the second rule;
(5) Merge the remaining rule subsets according to the policy conflict algorithm, thereby obtaining the synthesized rule set; store the synthesized rule set as the new access control policy of the data storage system, thereby completing the synthesis of the access control policies;
In this embodiment, merging the remaining rule subsets according to the policy conflict algorithm specifically includes:
For any one of the remaining rule subsets, merge the constraint conditions of the rules whose effect is affirmative to obtain constraint condition R'y, and merge the constraint conditions of the rules whose effect is negative to obtain constraint condition R'n; since the policy conflict algorithm is affirmative-priority (PD), the affirmative constraint condition of the rule subset is Ry = R'y, and the negative constraint condition of the rule subset is Rn = R'n - R'y; a synthesized rule is thereby obtained whose attribute code is the attribute code corresponding to the rule subset, whose effect is affirmative, and whose constraint condition is the affirmative constraint condition; or a synthesized rule whose attribute code is the attribute code corresponding to the rule subset, whose effect is negative, and whose constraint condition is the negative constraint condition;
Add the synthesized rules obtained from each rule subset to a newly created set, thereby obtaining the synthesized rule set made up of synthesized rules.
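Steps (1) to (5) carried through on constructed data, as an added example that is not part of the patent text. It assumes that a constraint condition can be modelled as a set of permitted hours, that "merging" constraint conditions means set union, and that each policy carries its own rule conflict algorithm (PO or DO); the attribute values, sample policies and function names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed attribute domains (the page's Table 5 is not reproduced).
# Listed in the "first order": the first entry lands in the high bits.
ATTRS = [
    ("ATT3", ["read", "write"]),                   # action attribute
    ("ATT2", ["cardiology", "oncology", "lab"]),   # condition attribute
    ("ATT1", ["doctor", "nurse"]),                 # condition attribute
]

@dataclass(frozen=True)
class Rule:
    policy: int            # policy code = index of the owning policy
    attrs: tuple           # one property key per ATTRS entry, same order
    effect: str            # "permit" (affirmative) or "deny" (negative)
    constraint: frozenset  # assumption: constraint = set of permitted hours

def attribute_code(attrs):
    """Step (2): shift each attribute key into place and sum."""
    code = 0
    for (_, values), value in zip(ATTRS, attrs):
        width = max(1, (len(values) - 1).bit_length())  # bits for this attribute
        code = (code << width) + values.index(value)
    return code

def partition(rules):
    """Step (3): sort by attribute code, then traverse into subsets."""
    subsets = defaultdict(list)
    for rule in sorted(rules, key=lambda r: attribute_code(r.attrs)):
        subsets[attribute_code(rule.attrs)].append(rule)
    return subsets

def covers_all(subset, n_policies):
    """Step (4) check: policy codes contiguous and spanning min..max."""
    codes = sorted({r.policy for r in subset})
    contiguous = all(b - a == 1 for a, b in zip(codes, codes[1:]))
    return contiguous and codes[0] == 0 and codes[-1] == n_policies - 1

def union(constraints):
    """Assumed meaning of 'merge' for constraint conditions: set union."""
    return frozenset().union(*constraints)

def resolve_rule_conflicts(subset, rule_alg):
    """Step (4): inside one policy, cut the overlap out of the losing rule.
    PO trims the deny rule, DO trims the permit rule."""
    resolved = []
    for rule in subset:
        rivals = union(o.constraint for o in subset
                       if o.policy == rule.policy and o.effect != rule.effect)
        loser = "deny" if rule_alg[rule.policy] == "PO" else "permit"
        kept = rule.constraint - rivals if rule.effect == loser else rule.constraint
        resolved.append(Rule(rule.policy, rule.attrs, rule.effect, kept))
    return resolved

def merge_subset(code, subset, policy_alg):
    """Step (5): R'y, R'n, then PD (Rn = R'n - R'y) or DP (Ry = R'y - R'n)."""
    ry = union(r.constraint for r in subset if r.effect == "permit")
    rn = union(r.constraint for r in subset if r.effect == "deny")
    if policy_alg == "PD":
        rn -= ry
    else:
        ry -= rn
    # Rules left with an empty constraint are dropped (a choice of this example).
    return [(code, eff, c) for eff, c in (("permit", ry), ("deny", rn)) if c]

def synthesize(policies, rule_alg, policy_alg):
    rules = [r for policy in policies for r in policy]         # step (1)
    out = []
    for code, subset in partition(rules).items():
        if covers_all(subset, len(policies)):                   # else rejected
            out += merge_subset(code, resolve_rule_conflicts(subset, rule_alg),
                                policy_alg)
    return out

def hours(start, end):
    return frozenset(range(start, end))

RCD = ("read", "cardiology", "doctor")
# Constructed sample policies; the index in the list is the policy code.
POLICIES = [
    [Rule(0, RCD, "permit", hours(8, 18)), Rule(0, RCD, "deny", hours(16, 20)),
     Rule(0, ("write", "lab", "nurse"), "permit", hours(9, 12))],
    [Rule(1, RCD, "permit", hours(6, 12)), Rule(1, RCD, "deny", hours(10, 14))],
    [Rule(2, RCD, "deny", hours(17, 22)),
     Rule(2, ("read", "oncology", "nurse"), "permit", hours(0, 24))],
]
RULE_ALG = {0: "PO", 1: "DO", 2: "PO"}   # per-policy rule conflict algorithm

if __name__ == "__main__":
    for code, effect, constraint in synthesize(POLICIES, RULE_ALG, "PD"):
        print(f"{code:04b} {effect:6} {sorted(constraint)}")
```

Only the subset for attribute code 0 survives, because the other two subsets hold rules from a single policy and are rejected by the coverage check.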
In an optional embodiment, in step (3) above, the method of dividing the rule set into multiple rule subsets according to attribute code includes the following steps:
Obtaining the total number m of distinct attribute codes in the rule set, and creating m rule subsets in one-to-one correspondence with the m distinct attribute codes;
Binary-encoding the numbering of the access control policies to be synthesized according to the number of such policies, thereby obtaining the policy code of each access control policy to be synthesized, and using the policy code of the policy to which a rule belongs as the policy code of that rule;
Arranging the attribute code and the policy code of each rule in the rule set in a second order to obtain the rule code of the rule, with the policy code placed in the low-order bits of the rule code;
Sorting the rules in the rule set by rule code, in descending or ascending order;
Traversing the rule set and adding each rule in turn to the rule subset corresponding to its attribute code;
Wherein, when the rules in the rule set are sorted by rule code in descending or ascending order: if the rules of one of the access control policies to be synthesized are already ordered by rule code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy 0 < M ≤ lg(N), then the sort order is the same as the rule order of that policy and the sorting algorithm is insertion sort; if the rules of one of the access control policies to be synthesized are already ordered by rule code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy lg(N) < M, then the sort order is the same as the rule order of that policy and the sorting algorithm is merge sort; if the rules of all access control policies to be synthesized are unordered by rule code in the rule set, then the sorting algorithm is merge sort or counting sort;
And in step (4) above, for any rule subset, the method of judging whether every access control policy to be synthesized has a rule belonging to the rule subset includes:
If the policy codes of the rules in the rule subset are contiguous, and the largest and smallest policy codes in the subset are equal, respectively, to the largest and smallest policy codes among all access control policies to be synthesized, then it is determined that every access control policy to be synthesized has a rule belonging to the rule subset.
In the above embodiments, the time complexity of insertion sort is O(M*N) and the time complexity of merge sort is O((M+N)*lg(M+N)). When M is 1, the time complexity of insertion sort is O(N) and that of merge sort is O(N*lg(N)), so insertion sort has the lower time complexity; when M is lg N, the time complexity of insertion sort is O(N*lg N) and that of merge sort is O((N+lg N)*lg(N+lg N)), so insertion sort again has the lower time complexity; when M = N, the time complexity of insertion sort is O(N^2) and that of merge sort is O((2N)*lg(2N)), so insertion sort has the higher time complexity. Therefore, when the rules of one of the access control policies to be synthesized are already ordered by attribute code or rule code in the rule set, selecting the sorting algorithm according to the values of M and N optimizes the time complexity of the whole sorting process to the greatest extent;
Since the time complexity of merge sort is O((M+N)*lg(M+N)) and the time complexity of counting sort is close to O(m), using merge sort or counting sort when the rules of all access control policies to be synthesized are unordered by attribute code or rule code in the rule set keeps the time complexity of sorting low.
Corresponding to the above embodiments of the access control policy synthesis method, the access control policy synthesis system provided by the invention, as shown in Fig. 3, comprises:
A rule set acquisition module, for obtaining the rule set made up of all rules of all access control policies to be synthesized;
An attribute encoding module, for encoding the attributes of each rule in the rule set, so that rules with identical attributes have the same attribute code and rules with different attributes have different attribute codes;
A rule subset division module, for dividing the rule set into multiple rule subsets according to attribute code, so that rules with the same attribute code are located in the same rule subset;
A rule conflict processing module, for handling, according to the rule conflict algorithm, the conflicts between rules of the same access control policy within each rule subset that covers all access control policies to be synthesized, and for rejecting the rule subsets that do not cover all access control policies to be synthesized;
A policy conflict processing module, for merging the rule subsets remaining after processing by the rule conflict processing module, thereby obtaining the synthesized rule set;
A policy storage module, for storing the synthesized rule set as the new access control policy of the data storage system;
Wherein, for any rule subset, if every access control policy to be synthesized has a rule belonging to the rule subset, the rule subset covers all access control policies to be synthesized; otherwise, the rule subset does not cover all access control policies to be synthesized.
In the access control policy synthesis system shown in Fig. 3, the specific implementation of each module can refer to the description in the above method embodiments and is not repeated here.
Fig. 4 shows an application scenario that integrates the access control policy synthesis system shown in Fig. 3, comprising: an authentication server, data owners, organizers, users, a cloud storage system, a policy enforcement point (PEP) unit, a policy decision point (PDP) unit, and the access control policy synthesis system;
The authentication server verifies the identity of each party according to attribute information;
There may be multiple organizers and data owners, and all organizers and data owners can take part in formulating access control policies; a data owner can also upload its data to the cloud storage system to provide data to users; by obtaining all access control policies formulated by the organizers and data owners and extracting the rules from them, the rule set is obtained; the access control policy synthesis system synthesizes the access control policies by obtaining all access control policies formulated by the organizers and data owners, and the new access control policy produced by the synthesis is stored in the policy storage module of the access control policy synthesis system;
When a user issues a request to access the cloud storage system, the policy enforcement point unit converts the user request and passes the converted request to the policy decision point unit; the policy decision point unit obtains the synthesized access control policy from the policy storage module of the access control policy synthesis system and uses it to verify whether the user can obtain the access rights corresponding to the request; after the policy decision point unit has made its decision, the policy enforcement point unit responds to the user request according to the decision result.
As those skilled in the art will readily understand, the foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (11)

1. An access control policy synthesis method, characterized by comprising the following steps:
(1) obtaining the rule set made up of all rules of all access control policies to be synthesized;
(2) encoding the attributes of each rule in the rule set, so that rules with identical attributes have the same attribute code and rules with different attributes have different attribute codes;
(3) dividing the rule set into multiple rule subsets according to attribute code, so that rules with the same attribute code are located in the same rule subset;
(4) for any rule subset, if every access control policy to be synthesized has a rule belonging to the rule subset, handling the conflicts between rules of the same access control policy within the rule subset according to the rule conflict algorithm; otherwise, rejecting the rule subset;
(5) merging the remaining rule subsets according to the policy conflict algorithm, thereby obtaining the synthesized rule set; and storing the synthesized rule set as the new access control policy of the data storage system, thereby completing the synthesis of the access control policies.
2. The access control policy synthesis method according to claim 1, characterized in that step (2) comprises the following steps:
(21) extracting the condition attributes and action attributes from the rule set, together with all property keys of each condition attribute and all property keys of each action attribute;
(22) for any condition attribute, binary-encoding its property keys according to the number of property keys it has, thereby obtaining the attribute key of each property key of that condition attribute; for any action attribute, binary-encoding its property keys according to the number of property keys it has, thereby obtaining the attribute key of each property key of that action attribute;
(23) arranging all condition attributes and all action attributes in a first order, which is used to represent the attributes of a rule; for any rule in the rule set, shifting and summing the attribute keys corresponding to its attributes, so that those attribute keys are laid out in the first order, thereby obtaining the attribute code of the rule in binary form;
Wherein the condition attributes are used to represent user attributes, and all condition attributes together identify the user's identity; the action attributes are used to represent the operations that can be performed on shared data; a property key is one value of a condition attribute or action attribute.
3. The access control policy synthesis method according to claim 1, characterized in that, in step (3), the method of dividing the rule set into multiple rule subsets according to attribute code comprises the following steps:
obtaining the total number m of distinct attribute codes in the rule set, and creating m rule subsets in one-to-one correspondence with the m distinct attribute codes;
sorting the rules in the rule set by attribute code, in descending or ascending order;
traversing the rule set and adding each rule in turn to the rule subset corresponding to its attribute code.
4. The access control policy synthesis method according to claim 3, characterized in that, when the rules in the rule set are sorted by attribute code in descending or ascending order: if the rules of one of the access control policies to be synthesized are already ordered by attribute code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy 0 < M ≤ lg(N), then the sort order is the same as the rule order of that policy and the sorting algorithm is insertion sort; if the rules of one of the access control policies to be synthesized are already ordered by attribute code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy lg(N) < M, then the sort order is the same as the rule order of that policy and the sorting algorithm is merge sort; if the rules of all access control policies to be synthesized are unordered by attribute code in the rule set, then the sorting algorithm is merge sort or counting sort.
5. The access control policy synthesis method according to claim 1, characterized in that, in step (4), for any rule subset, the method of determining that every access control policy to be synthesized has a rule belonging to the rule subset includes:
binary-encoding the numbering of the access control policies to be synthesized according to the number of such policies, thereby obtaining the policy code of each access control policy to be synthesized, and using the policy code of the policy to which a rule belongs as the policy code of that rule;
sorting the rules in the rule subset by policy code, in ascending or descending order; if the policy codes of the rules in the rule subset are contiguous, and the largest and smallest policy codes in the subset are equal, respectively, to the largest and smallest policy codes among all access control policies to be synthesized, then determining that every access control policy to be synthesized has a rule belonging to the rule subset.
6. The access control policy synthesis method according to claim 1, characterized in that, in step (3), the method of dividing the rule set into multiple rule subsets according to attribute code comprises the following steps:
obtaining the total number m of distinct attribute codes in the rule set, and creating m rule subsets in one-to-one correspondence with the m distinct attribute codes;
binary-encoding the numbering of the access control policies to be synthesized according to the number of such policies, thereby obtaining the policy code of each access control policy to be synthesized, and using the policy code of the policy to which a rule belongs as the policy code of that rule;
arranging the attribute code and the policy code of each rule in the rule set in a second order to obtain the rule code of the rule, with the policy code placed in the low-order bits of the rule code;
sorting the rules in the rule set by rule code, in descending or ascending order;
traversing the rule set and adding each rule in turn to the rule subset corresponding to its attribute code.
7. The access control policy synthesis method according to claim 6, characterized in that, when the rules in the rule set are sorted by rule code in descending or ascending order: if the rules of one of the access control policies to be synthesized are already ordered by rule code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy 0 < M ≤ lg(N), then the sort order is the same as the rule order of that policy and the sorting algorithm is insertion sort; if the rules of one of the access control policies to be synthesized are already ordered by rule code in the rule set, and the number of rules M of that policy in the rule set and the number of rules N to be sorted satisfy lg(N) < M, then the sort order is the same as the rule order of that policy and the sorting algorithm is merge sort; if the rules of all access control policies to be synthesized are unordered by rule code in the rule set, then the sorting algorithm is merge sort or counting sort.
8. The access control policy synthesis method according to claim 6 or 7, characterized in that, in step (4), for any rule subset, the method of judging whether every access control policy to be synthesized has a rule belonging to the rule subset includes:
if the policy codes of the rules in the rule subset are contiguous, and the largest and smallest policy codes in the subset are equal, respectively, to the largest and smallest policy codes among all access control policies to be synthesized, then determining that every access control policy to be synthesized has a rule belonging to the rule subset.
9. The access control policy synthesis method according to claim 1, characterized in that, in step (4), handling the conflicts between rules of the same access control policy within a rule subset according to the rule conflict algorithm comprises:
for any two conflicting rules, if the rule conflict algorithm of the access control policy to which the two rules belong is permit-overrides, removing the intersection of the first constraint condition and the second constraint condition from the second constraint condition; if the rule conflict algorithm of the access control policy to which the two rules belong is deny-overrides, removing the intersection of the first constraint condition and the second constraint condition from the first constraint condition;
Wherein the first rule is the rule whose effect is affirmative, the second rule is the rule whose effect is negative, the first constraint condition is the constraint condition of the first rule, and the second constraint condition is the constraint condition of the second rule; the rule effect indicates whether an operation can be performed on shared data: if the rule effect is affirmative, the specified operation can be performed on the shared data; if the rule effect is negative, the specified operation cannot be performed on the shared data.
10. The access control policy synthesis method according to claim 1, characterized in that, in step (5), merging the remaining rule subsets according to the policy conflict algorithm to obtain the synthesized rule set comprises:
for any one of the remaining rule subsets, merging the constraint conditions of the rules whose effect is affirmative to obtain constraint condition R'y, and merging the constraint conditions of the rules whose effect is negative to obtain constraint condition R'n; if the policy conflict algorithm is affirmative-priority (PD), the affirmative constraint condition of the rule subset is Ry = R'y and the negative constraint condition of the rule subset is Rn = R'n - R'y; if the policy conflict algorithm is negative-priority (DP), the affirmative constraint condition of the rule subset is Ry = R'y - R'n and the negative constraint condition of the rule subset is Rn = R'n; a synthesized rule is thereby obtained whose attribute code is the attribute code corresponding to the rule subset, whose effect is affirmative, and whose constraint condition is the affirmative constraint condition; or a synthesized rule whose attribute code is the attribute code corresponding to the rule subset, whose effect is negative, and whose constraint condition is the negative constraint condition;
adding the synthesized rules obtained from each rule subset to a newly created set, thereby obtaining the synthesized rule set made up of synthesized rules.
11. An access control policy synthesis system, characterized by comprising:
a rule set acquisition module, for obtaining the rule set made up of all rules of all access control policies to be synthesized;
an attribute encoding module, for encoding the attributes of each rule in the rule set, so that rules with identical attributes have the same attribute code and rules with different attributes have different attribute codes;
a rule subset division module, for dividing the rule set into multiple rule subsets according to attribute code, so that rules with the same attribute code are located in the same rule subset;
a rule conflict processing module, for handling, according to the rule conflict algorithm, the conflicts between rules of the same access control policy within each rule subset that covers all access control policies to be synthesized, and for rejecting the rule subsets that do not cover all access control policies to be synthesized;
a policy conflict processing module, for merging the rule subsets remaining after processing by the rule conflict processing module, thereby obtaining the synthesized rule set;
a policy storage unit, for storing the synthesized rule set as the new access control policy of the data storage system;
Wherein, for any rule subset, if every access control policy to be synthesized has a rule belonging to the rule subset, the rule subset covers all access control policies to be synthesized; otherwise, the rule subset does not cover all access control policies to be synthesized.
CN201810797439.XA 2018-07-19 2018-07-19 Access control strategy synthesis method and system Active CN109033856B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810797439.XA CN109033856B (en) 2018-07-19 2018-07-19 Access control strategy synthesis method and system

Publications (2)

Publication Number Publication Date
CN109033856A true CN109033856A (en) 2018-12-18
CN109033856B CN109033856B (en) 2020-08-18

Family

ID=64643976

Country Status (1)

Country Link
CN (1) CN109033856B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090281977A1 (en) * 2005-08-23 2009-11-12 Allen Paul L Checking rule and policy representation
CN102932328A (en) * 2012-09-26 2013-02-13 上海交通大学 Access control policy synthesis method based on BSset (binary string set)
CN105099459A (en) * 2015-08-14 2015-11-25 北京标准信源科技有限公司 Digital coding method for vehicle identification number
CN108156140A (en) * 2017-12-13 2018-06-12 西安电子科技大学 A kind of multiple key that numerical attribute is supported to compare can search for encryption method

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
LI DUAN ET AL: "Automated Policy Combination for Data Sharing across Multiple Organizations", 《2015 IEEE INTERNATIONAL CONFERENCE ON SERVICES COMPUTING》 *
LI DUAN ET AL: "Automated Policy Combination for Secure Data Sharing in Cross-Organizational Collaborations", 《IEEE ACCESS》 *
PRATHIMA RAO ET AL.: "Fine-grained integration of access control policies", 《COMPUTERS & SECURITY》 *
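Liu Chenyan et al.: "An algebraic framework for policy composition based on binary sequence sets", Journal of Shanghai Jiao Tong University
Wang Cong et al.: "XACML-based policy conflict detection and resolution method", Journal of Frontiers of Computer Science and Technology *
Wang Yazhe et al.: "A method for XACML rule conflict and redundancy analysis", Chinese Journal of Computers *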

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112256925A (en) * 2020-10-21 2021-01-22 西安电子科技大学 Multi-request-oriented scientific workflow data set storage method
CN112256925B (en) * 2020-10-21 2022-10-04 西安电子科技大学 Multi-request-oriented scientific workflow data set storage method
CN113298173A (en) * 2021-06-10 2021-08-24 东南大学 Access control strategy abnormity detection method based on clustering idea

Also Published As

Publication number Publication date
CN109033856B (en) 2020-08-18

Similar Documents

Publication Publication Date Title
Mohammed et al. Secure two-party differentially private data release for vertically partitioned data
EP2631841B1 (en) Provisioning authorization claims using attribute-based access-control policies
CN104683362B (en) Access control system and access control method of fine-grained privacy security
CN107358116B (en) A kind of method for secret protection in multi-sensitive attributes data publication
CN109583885A (en) Bout controls rewritable block chain
EP3850498A1 (en) Transaction authentication system and related methods
CN109376549A (en) Electricity transaction big data publishing method based on differential privacy protection
CN109117669B (en) Privacy protection method and system for MapReduce similar connection query
CN112364366B (en) Block chain-based alliance data sharing access control method and system
Crampton et al. Valued workflow satisfiability problem
WO2022021698A1 (en) Block chain using multiple information integration mode
CN109033856A (en) A kind of access control policy synthetic method and system
CN111611324A (en) Cross-domain access policy optimization method and device
Swamy et al. Multiobjective optimization for politically fair districting: A scalable multilevel approach
CN114861224A (en) Medical data system based on risk and UCON access control model
Lodwick et al. Theoretical and semantic distinctions of fuzzy, possibilistic, and mixed fuzzy/possibilistic optimization
Erhan et al. A Conceptual Model for Blockchain-Based Software Project Information Sharing.
US20140317685A1 (en) System and method for performing partial evaluation in order to construct a simplified policy
CN113239255B (en) Heterogeneous data resource sharing method and device, computer equipment and medium
Bellomarini et al. Neither in the programs nor in the data: Mining the hidden financial knowledge with knowledge graphs and reasoning
CN114844702A (en) Access control method based on policy examination and authorization extension
CN112822004A (en) Belief network-based targeted privacy protection data publishing method
Kreines et al. Multicriteria competitive games as models in operations research
Li et al. Efficient binary-encoding access control policy combination for large-scale collaborative scenarios
Delest et al. A quality measure for multi-level community structure

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant