CN110879899A - Script-based attribute-based access policy representation and execution method and system - Google Patents
Script-based attribute-based access policy representation and execution method and system Download PDFInfo
- Publication number
- CN110879899A CN110879899A CN201911059491.6A CN201911059491A CN110879899A CN 110879899 A CN110879899 A CN 110879899A CN 201911059491 A CN201911059491 A CN 201911059491A CN 110879899 A CN110879899 A CN 110879899A
- Authority
- CN
- China
- Prior art keywords
- script
- attribute
- rule
- strategy
- expression
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention discloses a script-based attribute-based access strategy representation and execution method and a system thereof, wherein the method comprises the following steps: 1) adopting a script language based on operation codes to describe a strategy judgment logic in the attribute-based access control model, and using a markup language to package a strategy hierarchical structure to generate an access strategy based on a stack structure script; 2) and for the access request, the script interpreter determines and executes an access strategy based on the stack structure script corresponding to the access request according to the attribute-based access control model to obtain a judgment result of the access request. The invention ensures that the access strategy retains the original high flexibility, high expansibility and high expression capability and effectively improves the execution efficiency.
Description
Technical Field
The invention mainly belongs to the technical field of information, and particularly relates to a script-based attribute-based access policy representation and execution method and system.
Background
The attribute-based access control technology (ABAC) is a powerful policy-based method for protecting shared resources, and has the characteristics of high flexibility, high extensibility, high expression capability and the like. Extensible access control markup language (XACML) is a common standard for ABAC that uses rich logical expressions to record different policies and rules and allows the owner of the resource (vendor or enterprise) to apply access control using a specified architecture and workflow for policy's evaluation requests.
However, XACML employs hypertext markup language (XML) to describe the decision logic of the access policy, which makes the structure of the access policy very redundant and requires expensive computational and memory resources to parse, which also greatly limits the application scope of XACML. Meanwhile, the XML policy is only description of the policy and does not contain execution procedures and instructions of the policy.
Disclosure of Invention
Aiming at the technical problems in the prior art, the invention writes the decision logic of the access strategy by utilizing the existing script language, so that the access strategy can be directly interpreted and executed without compiling operation and has higher flexibility and readability. A scripting language is a dynamic language that is widely available in various computer systems, including blockchains, office software, databases, virtual machines, operating systems, etc., and is usually stored in text form and interpreted only when called.
The invention adopts script language to describe the decision logic of the strategy and uses mark-up language to package the strategy hierarchy. In the technology, the script language is easy to develop and deploy, and the characteristic of direct interpretation and execution of the script language ensures that the process of constructing a strategy decision tree in the traditional XACML realization is not needed during strategy judgment, and simultaneously, the markup language also ensures the hierarchical structure of the strategy. The method ensures that the access strategy retains the original high flexibility, high expansibility and high expression capability, and effectively improves the execution efficiency.
The invention provides a script-based access strategy representation and execution method and system, which comprises the following steps:
1) the script interpreter has an instruction system and its running environment.
2) A script-based access policy representation method is a combination of a script and a markup language aiming at an attribute-based access policy model.
3) The script-based access strategy execution method is a judgment process for an access request by using a script-based access strategy in a script interpreter.
In the method, the script is a piece of code saved in a text form, and is composed of an operation code and an operand, wherein:
1) operation code: the method comprises the following steps of performing a series of operations on data, wherein the operations comprise a logic comparison operation code, a numerical operation code, a process control operation code and an entity attribute acquisition operation code;
2) operand: is an input parameter to the opcode, and the types include string, constant, boolean, floating point, and reference.
The script interpreter includes an instruction system and corresponding operation environment, including strategy memory area, operation memory area, addressing unit and operation unit. Wherein:
1) an instruction system: is the implementation of a set of opcodes and their corresponding operations.
2) An addressing unit: is responsible for replacing operands of the referenced type with actual data.
3) An operation storage area: a data stack structure is maintained that is responsible for storing opcodes and operands during script interpretation execution.
4) A policy storage area: and the buffer is responsible for caching the input access strategy and the output judgment result.
5) An arithmetic unit: for performing the logical and arithmetic operations defined in the opcode.
The data stack structure has two types of operations of stack pushing and stack popping, and the data in the stack has the characteristic of last-in first-out.
The entity attribute obtaining operation code comprises a subject attribute obtaining operation code, an object attribute obtaining operation code, a behavior attribute obtaining operation code and an environment attribute obtaining operation code, and is used for obtaining a corresponding attribute value of the access control entity and injecting the attribute value into the script, and the specific execution process comprises three stages:
① checking whether the stack top height is greater than 1, if not throwing an exception;
② popping up the top element as the attribute name and requesting the strategy information point according to the attribute name to obtain the attribute value corresponding to the entity;
③ if the attribute value is not empty, the attribute value is pushed onto the stack, otherwise an exception is thrown.
The policy information point is a standard component in the access control model and is used for storing entity attributes and providing attribute value query and acquisition services.
In the method, the policy decision logic is composed of predicate logic, Boolean logic and policy rule combination logic.
In the method, the strategy hierarchical structure refers to a hierarchical inclusion relationship composed of strategies, rules, conditions and predicates.
In the method, the markup language: the method is a coding mode which combines text and text related information, identifies the information by using marks and displays a data structure.
In the method, the attribute-based access policy model comprises:
1) the entity set X consists of four types of entities, including a subject S, an object O, a behavior A and an environment E, and the entities are respectively described by a group of attributes.
2) The attribute acquisition function ATTR X → V: is the mapping of an entity set X to an attribute value set V;
3) the expression e ∈ Expr: is a boolean logic expression that satisfies the following form:
wherein the content of the first and second substances,
means that the binary predicate is equal to ≠ is not equal to ∈ belongs to ∈ does not belong to ≠ does
Is greater than>Is less than<More than or equal to and less than or equal to;
4) a decision result D of the rule or policy is { Permit, Deny };
5) rule r: is a bigram (e, eff) comprising an expression e belonging to Expr and a rule effect eff belonging to D;
6) strategy p: is a triplet (t, r)cComb), comprising a policy target t ∈ Expr, an ordered set of rules rc={r1,...,rmAnd a rule combination algorithm comb for combining a plurality of rule decision results. The policy target t is also an expression used for matching the policy and the access request; the expression e in the rule is used for policy decision.
In the method, the policy rule combining logic is logic that combines the execution results of a plurality of rules into one result using a rule combining algorithm comb.
In the method, the script-based access policy expression method: the method is an expression of a strategy in an attribute-based access strategy model by adopting a combination mode of a script and a markup language, and comprises an attribute script, an expression script, a rule script, an object and the strategy.
In the method, the property script: is a script representation of the attribute acquisition function ATTR X → V, including subject, object, behavior and environment attribute acquisition.
In the method, the expression script: is the script expression of the expression e ∈ Expr and the output is "true" or "false", which specifically includes: a field for storing the expression of the script and a field for storing the unique identifier of the expression. Expression scripts are divided into three types:
1) type one expression script: a binary predicate expression script which only contains one attribute script and is used for comparing the relationship between the entity attribute value and the static attribute value;
2) type two expression script: the dual predicate expression scripts comprise two attribute scripts and are used for comparing the attribute relations of the two entities;
3) type three expression script: and the expression script represents Boolean logic relation (AND, OR, NOT) between the two types of expression scripts.
Wherein the type one and type two expression scripts are collectively referred to as conditional scripts.
In the method, a Rule script (Rule): is a representation of a script in conjunction with a markup language of a rule r, including: a rule identification field, a rule effect field and an expression field for storing a script, wherein:
1) the type of the expression is a three-type expression;
2) when the output of the script in the expression is 'true', the output result of the rule is the effect field effect of the rule;
in the method, the Target (Target): the system comprises a policy target t epsilon Expr and a policy and access request matching unit, wherein the policy target t epsilon Expr is used for matching the policy and the access request and comprises attribute fields of a group of entities and corresponding attribute value fields, and the attribute field of each entity and the corresponding attribute value field thereof jointly represent whether the attribute of the corresponding entity is tested to be equivalent to the attribute value field.
In the method, Policy (Policy): equivalent to the policy p, includes a policy identification field, a Target field, a condition array, a rule array, and a rule combination algorithm.
In the method, the script-based access policy execution method is a process for judging an access request by using a script-based access policy in a script interpreter, and comprises the following steps:
1) and (3) a policy execution process: the script interpreter loads the strategy and executes the rules in the strategy in turn according to the rule combination algorithm defined in the strategy, each rule is executed according to the rule script execution process 2), and then the judgment results of all the rules are combined and the combined result is output as the strategy judgment result.
2) And a rule script execution process: the script interpreter calls a conditional script executing process 3) to execute the conditional script quoted in the rule script, substitutes the execution result of the conditional script into the rule script and executes the rule script, and finally outputs the judgment result of the rule according to the execution result of the rule script and the rule effect defined in the rule script.
3) And (3) a conditional script executing process: and the script interpreter executes the conditional script in sequence, if the script is data, the data is pressed into a data stack structure, otherwise, the operation corresponding to the script operation code is executed.
The invention has the beneficial technical effects that:
(1) one feature of the present invention is the use of a scripting language to represent property-based access control policy logic and execution procedures.
(2) It is a feature of the present invention to provide a script-based access policy model.
(3) One characteristic of the invention is that the mark-up language and the script language are combined to jointly express the attribute-based access strategy, so that the access strategy has the characteristics of mark-up language structurization and the script language endows the strategy with the capability of direct interpretation and execution.
(4) One feature of the present invention is that the script-based access policy can provide the ability to define and execute access policies for systems with script execution capabilities, including blockchains, operating systems, and the like.
Drawings
Fig. 1 is a policy structure diagram in an embodiment of the present invention.
FIG. 2 is a schematic diagram of the overall relationship of the policy decision algorithm
FIG. 3 is a flowchart illustrating script execution according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating rule execution according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating policy enforcement according to an embodiment of the present invention.
FIG. 6 is a block diagram of the system of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
On the contrary, the invention is intended to cover alternatives, modifications, equivalents and alternatives which may be included within the spirit and scope of the invention as defined by the appended claims. Furthermore, in the following detailed description of the present invention, certain specific details are set forth in order to provide a better understanding of the present invention. It will be apparent to one skilled in the art that the present invention may be practiced without these specific details.
The embodiment of the invention provides a stack-based Forth language-like script with an inverse Polish order structure for expressing an access strategy, wherein the script comprises:
1) the operation code defines a series of operations on data in the stack, starts with 'OP _', and is spliced with a specific operation name, including a logic comparison operation, a numerical operation, a flow control operation, a stack data operation and an entity attribute acquisition operation;
2) the operands are surrounded by "< >" and the operand types include character strings, constants, boolean values, floating point numbers.
The embodiment of the invention adopts JavaScript object markup language (JSON) to encapsulate a strategy structure, and the strategy structure has two types of structures, including:
1) object: is a set of key-value pairs wrapped with "{ }";
2) array: is a list wrapped with "[ ]", and the types of elements in the list can be character strings, numerical values, objects, Boolean values, arrays or null.
The script operations involved in accessing the policy logic expression include:
1) the opcodes are logically compared, including a logical AND OP _ BOOLAND, a logical OR OP _ BOOLOR, and a logical NOT OP _ NOT. Specific examples are as follows:
< a > < b > OP _ BOOLAND means that the logic compares a and b if satisfied, if yes, returns 1, otherwise returns 0;
2) the numerical comparison operation code comprises OP _ NUMEEQUAL, OP _ LESSTHAN, OP _ GREATERTHAN, OP _ GREATERTHANEQUAL and OP _ LESSTHANEQUAL, and the specific examples are as follows:
< a > < b > OP _ GREATERTHAN represents that whether a is larger than b or not is judged, if yes, 1 is returned, and if not, 0 is returned;
3) the entity attribute obtaining operation code comprises a subject attribute obtaining OP _ SUBATTR, an object attribute obtaining OP _ OBJATTR, a behavior attribute obtaining OP _ ACTATTR and an environment attribute obtaining OP _ ENVATTR, and specific examples are as follows:
< a > OP _ subbattr indicates that the attribute value of the body attribute a is acquired;
the JSON format script-based access strategy has a structure shown in FIG. 1 and comprises
1) Attribute Script (Attribute Script): x → V, where the equation ATTR (X) ═ V indicates that the attribute value of the attribute ATTR of the entity X is V, the specific example is as follows:
< a > OP _ OBJATTR denotes acquiring an attribute value of the object attribute a;
2) expression script (Expression): is a given expression e ∈ Expr script in combination with JSON markup language representation in the form:
{id:<ExprId>,expr:<Script>},
the field id is an expression identifier, the field Expr is a script representation of an expression e belonging to the Expr, and the expression script can be divided into three types:
① type I script expression only contains one attribute acquisition script, describing the relationship between entity attribute and static value, the concrete examples are as follows:
{id:“expr1”,expr:<Role>OP_SUBATTR<doctor>OP_EQUAL}
expression "expr 1" is used to determine whether the role of the subject is equal to a doctor;
{id:“expr2”,expr:<ID>OP_OBJATTR<MedicalRecord>OP_EQUAL}
expression "expr 2" is expressed to judge whether the ID attribute of the object is equal to the medical record.
The ② type script expression contains two attribute acquisition scripts for describing the attribute relationship between two entities, and the specific examples are as follows:
{id:“expr3”,expr:<Level>OP_SUBATTR<Level>OP_OBJATTR OP_LESSTHAN}
the expression "expr 3" is expressed to judge whether or not the level attribute of the subject is smaller than the level attribute of the object.
The ③ ternary expression describes the Boolean logic relationship between the first two types of expressions, and the specific examples are as follows:
{id:“expr4”,expr:<expr1><expr2>OP_BOOLAND}
expression "expr 4" is indicated for determining whether or not both expression "expr 1" and expression "expr 2" are true at the same time.
3) Rule script (Rule): is a script of a given rule r in conjunction with a representation of the JSON markup language, in the form:
{id:<RuleId>,effect:<eff>,expr:<Expression>}
wherein the field id is used for uniquely identifying the rule, the field effect is the rule effect ("Permit" or "Deny"), and the field expr is the expression script, and the specific examples are as follows:
{id:“rule1”,effect:“Deny”,expr:<expr1><expr2>
OP_BOOLAND<expr3>OP_BOOLOR}
it is indicated that the rule "rule 1" outputs "Deny" if and only if the expression "expr 1" and the expression "expr 2" are true at the same time, or the expression "expr 3" is true.
4) Target (Target): the script which is a policy target t is combined with the expression of JSON markup language and is used for matching the policy and the access request, and comprises an attribute field attr and a corresponding attribute value field value of a group of entities. The attribute field attr is formed by splicing an attribute name and an Entity type Entity E { Sub, Obj, Act } by a symbol "#", and the attribute value field value is a static attribute value. Specific examples are as follows:
[{attr:“Role#Sub”,value:“doctor”},
{attr:“Id#Act,value:“read”},
{attr:“Id#Act”,value:“write”}],
the representation policy is applied to "read or write requests from the physician", i.e. equivalent to the expression role ^ id (a) e { read, write }.
The evaluation rule of the Target (Target) can be divided into three parts, including:
① an empty target value may match any request, but the request must contain the attributes in this target;
② the target decision result is "true", if and only if all non-homonymous attributes and requests match, otherwise the decision result is "false";
③ for multiple like attributes, an access request is considered to match one of the attributes as long as the access request matches that attribute.
5) Policy (Policy): is the representation of the script of the policy p in combination with the JSON markup language, and the form is as follows:
{id:<PolicyId>,target:[<Target>],condition:[<Expression>,…,],
rule:[<Rule>,…],ruleCombingMethod:<comb>},
the field Id is used for uniquely identifying the policy, the field target is an array of a policy target, the field condition is an array of type one and type two expression scripts, the field rule is an array of a rule script, and the field rule combining method represents a rule combining algorithm. Specific examples are as follows:
the rule combination algorithm is used for merging the decision results of multiple rules in the policy, including but not limited to "permission first", "rejection first", and "first rule first", and specific examples are as follows:
1) permission priority: if any rule output in the policy is permission, the decision result of the policy is permission.
2) Rejection priority: and if the output of any rule in the strategy is rejection, the judgment result of the strategy is rejection.
3) The first rule takes precedence: the strategy judgment result is the judgment result output by the first rule in the strategy.
The execution process of the access strategy based on the script is divided into three layers, including a strategy execution process, a rule script execution process and a condition script execution process, the relationship among the three processes is shown in fig. 2, wherein the strategy execution process is the top layer of a judgment algorithm, the strategy execution process calls each rule in the rule execution process judgment strategy, and the rule execution process calls a script expression in the script execution process judgment rule.
The policy enforcement procedure is shown in fig. 3 and includes:
1) the script interpreter loads the strategy and executes the rule combination algorithm defined in the strategy;
2) judging whether the rule combination algorithm meets the stop requirement, if so, executing the step 4), otherwise, executing the step 3);
3) judging whether an unexecuted rule exists, if so, calling a rule script execution process to execute the rule script and executing the step 2), and if not, executing the step 4);
4) the script interpreter merges all the acquired rule execution results and outputs the results.
The rule script execution process is shown in fig. 4 and includes:
1) the script interpreter loads the rule script into the memory and sets a script pointer to point to an element positioned at the leftmost end of the script;
2) judging whether the element pointed by the script pointer is the reference of the conditional script, if so, entering the step 3), otherwise, entering the step 5);
3) searching a corresponding condition script according to the reference of the condition script, if the condition script exists, calling a condition script execution process to execute the condition script and entering the step 4), and otherwise, outputting rejection;
4) the script interpreter replaces the reference of the rule script to the condition script with the execution result of the condition script;
5) the script pointer moves backward by one bit, if the element pointed to currently is not empty, step 2) is executed, otherwise step 6) is executed;
6) and calling a script execution flow to execute the rule script, and outputting a rule judgment result according to the defined rule effect.
The conditional script execution process is shown in fig. 5, and includes:
1) loading the condition script into a memory by the script interpreter, and setting a script pointer to point to a first element in the script;
2) judging whether the element type pointed by the script pointer at present is an operation code, if so, executing the step 3), otherwise, executing the step 4);
3) the script interpreter executes the operation defined by the operation code, if the operation code defines the input parameters, popping up a set number of stack top elements as the input of the operation code, wherein the number of the popped stack top elements is predefined in the operation code, then pressing the execution result of the operation code into the stack, and executing the step 5);
4) the script interpreter pushes operands into a stack;
5) the script pointer is shifted backwards by one bit, if the element pointed to currently is not null, step 2) is executed, otherwise, step is executed
6);
6) And outputting a script execution result.
The system block diagram is shown in fig. 6, wherein the policy decision algorithm controls the script interpreter to execute the access policy decision and output the decision result by sending a control signal, the policy information point is responsible for storing the entity attribute and providing the query interface, and the script interpreter is responsible for implementing the decision process, including:
1) an instruction system: the operation code collection and the realization of the corresponding operation are responsible for reading the operation code from the operation storage area and executing the corresponding realization;
2) an addressing unit: the operation unit is responsible for replacing the operand of the reference type with actual data, providing the operand required by the operation for the operation unit and storing the result generated by the operation unit into the operation storage area;
3) an operation storage area: maintaining a data structure in a stack form, and storing operation codes and operands in the process of script interpretation and execution;
4) a policy storage area: the system is responsible for caching the input access strategy and the output judgment result;
5) an arithmetic unit: for performing the logical and arithmetic operations defined in the opcode.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A script-based attribute-based access policy representation and execution method includes the steps:
1) adopting a script language based on operation codes to describe a strategy judgment logic in the attribute-based access control model, and using a markup language to package a strategy hierarchical structure to generate an access strategy based on a stack structure script;
2) and for the access request, the script interpreter determines and executes an access strategy based on the stack structure script corresponding to the access request according to the attribute-based access control model to obtain a judgment result of the access request.
2. The method of claim 1, wherein the scripting language includes an entity attribute acquisition opcode; the entity attribute obtaining operation code comprises a subject attribute obtaining operation code, an object attribute obtaining operation code, a behavior attribute obtaining operation code and an environment attribute obtaining operation code, and is used for obtaining a corresponding attribute value of the access control entity and injecting the corresponding attribute value into the script.
3. The method of claim 2, wherein the script interpreter executes the entity attribute get opcode by: the script interpreter pops up a stack top element in a data stack structure as an attribute name and requests a strategy information point according to the attribute name to obtain an attribute value corresponding to an entity; and if the attribute value is not null, pressing the attribute value into the stack, otherwise throwing the exception.
4. The method of claim 1, wherein the stack structure script based access policies include attribute scripts, expression scripts, rule scripts, targets, and policies; the strategy decision logic is composed of predicate logic, Boolean logic and strategy rule combination logic; the strategy hierarchical structure refers to a hierarchical inclusion relation consisting of strategies, rules, conditions and predicates.
5. The method of claim 4, wherein the expression script includes a field for storing an expression of the script and a field for storing a unique identifier of the expression; the expression script is a type I expression script, a type II expression script or a type III expression script; wherein, the first type expression script and the second type expression script are collectively called as a condition script; the type III expression script is an expression script of Boolean logic relations among a plurality of condition scripts; the first-type expression script only contains one attribute script and is a binary predicate expression script used for comparing the relationship between the entity attribute value and the static attribute value; the two-type expression script contains two attribute scripts and is a binary predicate expression script used for comparing the attribute relationship of two entities.
6. A method according to claim 4 or 5, wherein the property script is a script representation of a property capture function, including subject, object, behavior or environment property capture.
7. The method of claim 5, wherein the rule script comprises a rule identification field, a rule effect field, and an expression field for storing the script; the expression in the rule script is a three-type expression script.
8. The method of claim 4, wherein the target comprises an attribute field and a corresponding attribute value field for a set of entities; the strategy comprises a strategy identification field, a target field, a condition array, a rule array and a rule combination algorithm; the policy rule combining logic is logic that combines the execution results of a plurality of rules into one result using a rule combining algorithm.
9. The method of claim 5, wherein in step 2), the method for the script interpreter to execute the script-based access policy corresponding to the access request is as follows:
21) the script interpreter loads the access strategy based on script and executes the rules in the access strategy in turn according to the rule combination algorithm defined in the access strategy, each rule is executed according to the rule script execution process of step 22), and then the judgment results of all the rules are combined and the combined result is output as the judgment result of the access strategy;
22) and a rule script execution process: the script interpreter executes the condition script execution process in the step 23), executes the condition script quoted in the rule script, substitutes the execution result of the condition script into the rule script and executes the rule script, and finally outputs the judgment result of the rule according to the execution result of the rule script and the rule effect defined in the rule script;
23) and (3) a conditional script executing process: and the script interpreter executes the conditional script in sequence, if the script is data, the data is pressed into a data stack structure, otherwise, the operation corresponding to the script operation code is executed.
10. A script-based attribute-based access policy representation and execution system is characterized by comprising an attribute-based access policy representation module and a script interpreter; wherein the content of the first and second substances,
the attribute-based access strategy representation module is used for describing a strategy decision logic in the attribute-based access control model by adopting an operation code-based script language, and packaging a strategy hierarchical structure by using a markup language to generate an access strategy based on a stack structure script of the attribute-based access control model;
and the script interpreter is used for executing the access strategy based on the script corresponding to the access request and obtaining the judgment result of the access request.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911059491.6A CN110879899A (en) | 2019-11-01 | 2019-11-01 | Script-based attribute-based access policy representation and execution method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911059491.6A CN110879899A (en) | 2019-11-01 | 2019-11-01 | Script-based attribute-based access policy representation and execution method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110879899A true CN110879899A (en) | 2020-03-13 |
Family
ID=69728201
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911059491.6A Pending CN110879899A (en) | 2019-11-01 | 2019-11-01 | Script-based attribute-based access policy representation and execution method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110879899A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112350863A (en) * | 2020-10-30 | 2021-02-09 | 北京科技大学 | Decentralized access control method and system based on transaction |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101771683A (en) * | 2009-01-07 | 2010-07-07 | 北京航空航天大学 | Method and device for generating access controlling policy |
| CN106487538A (en) * | 2015-08-25 | 2017-03-08 | 中国电信股份有限公司 | Business accelerating method, policy control platform and system |
| CN106845246A (en) * | 2016-12-22 | 2017-06-13 | 北京聆云信息技术有限公司 | A kind of security strategy adaptation frameworks and its method |
| US20170223057A1 (en) * | 2016-02-01 | 2017-08-03 | General Electric Company | System and method for access control services |
| US20190281137A1 (en) * | 2016-02-01 | 2019-09-12 | General Electric Company | System and method for scoped attributes |
-
2019
- 2019-11-01 CN CN201911059491.6A patent/CN110879899A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101771683A (en) * | 2009-01-07 | 2010-07-07 | 北京航空航天大学 | Method and device for generating access controlling policy |
| CN106487538A (en) * | 2015-08-25 | 2017-03-08 | 中国电信股份有限公司 | Business accelerating method, policy control platform and system |
| US20170223057A1 (en) * | 2016-02-01 | 2017-08-03 | General Electric Company | System and method for access control services |
| US20190281137A1 (en) * | 2016-02-01 | 2019-09-12 | General Electric Company | System and method for scoped attributes |
| CN106845246A (en) * | 2016-12-22 | 2017-06-13 | 北京聆云信息技术有限公司 | A kind of security strategy adaptation frameworks and its method |
Non-Patent Citations (1)
| Title |
|---|
| 斯里尼瓦桑: "《高级Perl语言》", 31 March 2001 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112350863A (en) * | 2020-10-30 | 2021-02-09 | 北京科技大学 | Decentralized access control method and system based on transaction |
| CN112350863B (en) * | 2020-10-30 | 2022-08-23 | 北京科技大学 | Decentralized access control method and system based on transaction |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10353751B2 (en) | Memory model for a layout engine and scripting engine | |
| US9582479B2 (en) | Security model for a layout engine and scripting engine | |
| US7757282B2 (en) | System and method for distinguishing safe and potentially unsafe data during runtime processing | |
| JP5420734B2 (en) | Software system with controlled access to objects | |
| US9336018B2 (en) | Mechanism for class data sharing using extension and application class-loaders | |
| US8095557B2 (en) | Type system for access control lists | |
| US20120311531A1 (en) | Optimizing an object-oriented program by transforming invocations of synthetic accessor methods | |
| CN109960597B (en) | Dynamic registration method and related device of application layer interface | |
| CN110879899A (en) | Script-based attribute-based access policy representation and execution method and system | |
| WO2014107390A2 (en) | Managing authorization of actions associated with data objects | |
| US8745605B2 (en) | Execution contexts with polymorphic type implementations | |
| US7752153B2 (en) | Forward chaining and identifying rule dependencies and rule triggering side effects in terms of data objects accessed by rules in a ruleset | |
| CN113296910B (en) | File system calling method and device, terminal equipment and readable storage medium | |
| US9870468B1 (en) | System and method for segregating data in a dynamic programming language | |
| CN116010100A (en) | Contract calling method, device, equipment and storage medium in block chain system | |
| Lu et al. | Java Mobile Code Dynamic Verification by Bytecode Modification for Host Confidentiality. |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200313 |