CN111464487A - Access control method, device and system - Google Patents


Info

Publication number
CN111464487A
Authority
CN
China
Prior art keywords
access
policy
information
access policy
parameter
Prior art date
Legal status
Granted
Application number
CN201910059731.6A
Other languages
Chinese (zh)
Other versions
CN111464487B (en)
Inventor
颜剑
何中华
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201910059731.6A
Publication of CN111464487A
Application granted
Publication of CN111464487B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides an access control method, device and system. The method comprises the following steps: determining mapping relationship information according to a plurality of pieces of policy information, wherein each piece of policy information indicates an access policy corresponding to at least one parameter group, and the mapping relationship information indicates the access policy corresponding to each parameter; when a first access request comprising a plurality of target parameters is received, determining a target access policy according to the mapping relationship information, wherein the target access policy is the access policy corresponding to each of the target parameters; and performing access control on the first access request according to the target access policy. With this method and device, attribute information does not need to be fetched many times through a remote interface during access control, so the efficiency of access control is improved.

Description

Access control method, device and system
Technical Field
The present application relates to the field of access control in information security, and in particular, to an access control method, apparatus, and system.
Background
Access control is an indispensable security mechanism in network management. It is typically used to control user access to information items such as servers, directories, files and other network resources through predefined access control policies. With the rapid development of emerging technologies such as big data, cloud computing and the Internet of Things, the large-scale integration of enterprise applications and the gradual disappearance of application boundaries, traditional Role-Based Access Control (RBAC) no longer meets usage requirements, and Attribute-Based Access Control (ABAC) has emerged as a new generation of access control technology.
The basic principle of ABAC is: whether to grant an access control request is determined based on the attributes of the user, the attributes of the resource, dynamically changing environment variables, and access control rules that use these attributes. Fig. 1 shows the basic architecture of existing ABAC technology: a requester initiates a resource access request to a Policy Enforcement Point (PEP); the PEP builds an access control request from the resource access request and sends it to a Policy Decision Point (PDP); the PDP selects the corresponding access policy from a Policy Retrieval Point according to the access control request, obtains the attribute information required for the decision from a Policy Information Point, makes the decision, and returns the decision result to the PEP. In this process the PDP needs to call a remote interface multiple times to obtain the required attribute information from the remote Policy Information Point, which makes decision-making slow.
Disclosure of Invention
The application provides an access control method, device and system in which the related attribute information is obtained without calling a remote interface many times during access control, so that decision-making efficiency can be greatly improved.
In a first aspect, an access control method is provided, including:
determining mapping relationship information according to a plurality of pieces of policy information, wherein each piece of policy information is used for indicating an access policy corresponding to at least one parameter group, each parameter group comprises at least one parameter, and the mapping relationship information is used for indicating an access policy corresponding to each parameter, wherein a first access policy corresponding to a first parameter is an access policy corresponding to the parameter group to which the first parameter belongs;
when a first access request comprising a plurality of target parameters is received, determining a target access policy according to the mapping relation information, wherein the target access policy is an access policy corresponding to each target parameter;
and performing access control on the first access request according to the target access policy.
Here, the plurality of pieces of policy information may be all of the policy information in the policy repository, and access control of the first access request may include making a decision on it, for example passing (allowing) the access request or denying it. It may also include a restricted pass of the access request, such as allowing a resource to be viewed but not downloaded.
According to the technical solution provided by the embodiments of the application, the target access policy of an access request can be determined from the mapping relationship information determined in advance and the target parameters in the access request, and access control can then be applied to the request according to that target access policy. Attribute information in a remote database does not need to be fetched many times through a remote interface during access control, so access control efficiency can be greatly improved.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: determining a plurality of access policy sets according to the mapping relation information, wherein the access policy sets correspond to the target parameters one by one, and each access policy set comprises an access policy corresponding to the corresponding target parameter; determining a target access policy from the intersection of the multiple access policy sets.
With reference to the first aspect, in some implementations of the first aspect, when the intersection of the multiple access policy sets includes multiple access policies, the determining a target access policy from the intersection of the multiple access policy sets includes: determining a priority for each access policy in an intersection of the plurality of sets of access policies; and determining a target access strategy according to the priority.
Optionally, the access policy with the highest priority may be determined as the target access policy.
With reference to the first aspect, in certain implementations of the first aspect, the policy information is specifically configured to indicate an access policy corresponding to an index of at least one parameter group, and determining the mapping relationship information according to a plurality of pieces of policy information includes: sending first query request information, wherein the first query request information comprises an index of each parameter group; receiving first query response information, wherein the first query response information comprises the parameters included in each parameter group; and determining the mapping relationship information according to the first query response information and the policy information.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: sending second query request information, wherein the second query request information comprises the indexes of each parameter group corresponding to an updated access policy, both before and after the update; receiving second query response information, wherein the second query response information comprises the parameters included in each parameter group corresponding to the updated access policy before and after the update; and updating the mapping relationship information according to the second query response information and the policy information.
In a second aspect, an access control apparatus is provided for performing the first aspect or any one of the possible implementations of the first aspect. In particular, the access control device may comprise means for performing the method of the first aspect or any one of the possible implementations of the first aspect.
In a third aspect, an access control apparatus is provided, including: a memory for storing a computer program, a processor for calling and running the computer program from the memory, and a communication interface, so that the access control apparatus performs the method of the first aspect or any of the possible implementations of the first aspect.
In a fourth aspect, there is provided a computer program product comprising: computer program (also called code, or instructions), which when run on a computer causes the computer to perform the method of the first aspect or any of the possible implementations of the first aspect.
In a fifth aspect, a computer-readable storage medium is provided for storing a computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
In a sixth aspect, there is provided an access control system comprising: the access control apparatus in any possible implementation manner of the second aspect or the third aspect.
According to the method and the device, the mapping relationship information is determined in advance from the plurality of pieces of policy information and indicates the access policy corresponding to each parameter. When an access request comprising a plurality of target parameters is received, the target access policy can be determined directly from the mapping relationship information and the target parameters, and access control can then be applied to the access request according to the target access policy. The access control process is performed entirely locally, and attribute information in the attribute repository does not need to be fetched many times through a remote interface, so the access control time is shortened and access control efficiency is improved.
Drawings
Fig. 1 is a schematic diagram of a system architecture to which an access control method provided in an embodiment of the present application is applied;
fig. 2 is a schematic flow chart of an access control method provided in an embodiment of the present application;
fig. 3 is a schematic block diagram of an access control device provided in an embodiment of the present application;
fig. 4 is a schematic structural diagram of an access control device according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
As used in this application, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between 2 or more computers. In addition, these components can execute from various computer readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from two components interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
Attribute-based access control is a high-level implementation of role-based access control that uses the attributes of the related entities (e.g., principals, resources, environments) rather than just identities as the basis for authorization. An attribute is a security-related characteristic. For the purposes of access control, attributes can be divided into principal attributes, resource attributes, and environment attributes. A principal is an entity that takes actions on a resource, such as a user, an application or a process; a principal has attributes that define its identity and characteristics, including the principal's identity, role, capability, age, job title, etc. A resource is an entity operated on by the principal, such as data, a service or system equipment; resource attributes include the resource's identity, location (URL), size, value, etc. Environment attributes are transaction-related attributes that are generally independent of identity but are applicable to authorization decisions, such as time, date, system state, security level, etc.
Fig. 1 shows an authorization model for attribute-based access control, and fig. 1 is a schematic diagram of a system architecture to which the access control method provided in the embodiment of the present application is applied.
It should be understood that the system architecture shown in fig. 1 is only for convenience of illustration, and the access control method provided in the embodiment of the present application can also be applied to other access systems, which is not limited in the present application.
The following describes each network element that may be involved in the system architecture shown in fig. 1 separately.
Policy Enforcement Point (PEP): the PEP builds an access control request based on the attributes of the principal, the resource and the environment according to the requester's resource access request, sends the access control request to the PDP, and also enforces the PDP's decision (e.g., allowing or denying the request to access the resource).
Policy Decision Point (PDP): the PDP is responsible for deciding, according to the access control policy, whether to grant the access control request sent by the PEP, and for returning the decision result to the PEP in an access control decision response. When an attribute is not present in the access control request, the PDP is also responsible for contacting the PIP to retrieve the required attribute information.
Policy Information Point (PIP): the PIP is used to provide access control attribute information, such as a group relationship of an access subject, a mapping relationship of an access location IP address and a region, a correspondence relationship of an accessed device number and a device type, and the like.
Policy Retrieval Point (PRP): the PRP is used to provide control policy information for access control.
To make the embodiments of the present application easier to understand, the policy information in the PRP and the access control request are briefly described below.
Each access policy is generally configured according to a parameter set (or element set) with different dimensions, where each parameter set includes at least one parameter (or element), and the policy information is used to indicate the access policy corresponding to the parameter set with different dimensions (where the parameter set with different dimensions may also be regarded as one parameter set). In particular, the policy information may be used to indicate the access policy corresponding to the index (or name, identity) of the parameter group of different dimensions.
For example, the policy information # α in table 1 is used to indicate the access policy # α corresponding to the four parameter sets of group #1, Shenzhen, PC, and resource group # 1:
Table 1:
Identity of subject | Access location | Access device | Resource          | Result
Group #1            | Shenzhen        | PC            | Resource group #1 | Pass
Specifically, the policy information # α is used to indicate the access policy # α corresponding to the indexes of the four parameter groups "group # 1", "Shenzhen", "PC", "resource group # 1".
Group #1, Shenzhen, PC and resource group #1 are four parameter groups of different dimensions corresponding to the control policy # α, and each parameter group includes at least one parameter. For example, group #1 includes a plurality of job number IDs (e.g., job number #1), Shenzhen includes a plurality of IP addresses (e.g., IP #1), PC includes a plurality of device codes (e.g., device #1), and resource group #1 includes a plurality of resources (e.g., resource #1).
For example, the control policy # α therefore also corresponds to job number #1, IP #1, device #1, resource #1, and so on.
An access control request generally comprises a plurality of request parameters of different dimensions, which may include the resource to be accessed, the identity of the requester, the environment in which the request is initiated, and so on. As an example, the access control request # α may be (job number #1, IP #1, device #1, resource #1): an employee with job number #1 initiates an access request to resource #1 from the location with IP address IP #1 through the device with device code device #1. The access control request # α is sent by the PEP to the PDP, the PDP makes a decision on the access control request # α, and the decision result is fed back to the PEP.
Since the policy information in the PRP is used to indicate the access policy corresponding to the parameter group with different dimensions, or specifically, since the policy information in the PRP is used to indicate the access policy corresponding to the index of the parameter group with different dimensions, there may not be the policy information directly corresponding to the access control request # α in the PRP.
Therefore, in order to make a decision on access control request # α, the relevant attribute information stored in the PIP is called.
The PDP may then need to obtain the relevant attribute information in the PIP by calling the remote interface multiple times in order to determine which parameter groups job number #1, IP #1, device #1 and resource #1 each belong to, and finally to determine the access policy # α indicated by the policy information # α and make a decision on the access control request # α. The PDP sends the decision result of allowing access to the PEP, and the PEP performs the corresponding operation.
In the above decision process, since the PDP needs to call the remote interface multiple times to obtain the relevant attribute information in the PIP, it takes a certain time (e.g., 50ms) each time the remote interface is called, thereby making the decision inefficient.
In view of this, the present application provides an access control method, and a policy decision process is completely performed locally, and a remote interface does not need to be called many times to obtain related attribute information in a PIP, thereby greatly improving decision efficiency.
Fig. 2 shows a schematic flow chart of an access control method 200 according to an embodiment of the present application.
As shown in fig. 2, in S210, mapping relationship information is determined according to a plurality of policy information.
Wherein, referring to the foregoing description, each of the plurality of policy information is used for indicating an access policy corresponding to at least one parameter group.
In other words, each of the plurality of policy information is used to indicate an access policy that is commonly corresponding to a set of parameter sets consisting of at least one parameter set.
In particular, each of the plurality of policy information may be used to indicate an access policy corresponding to an index (or, a name, an identification) of at least one parameter group.
Alternatively, each of the policy information may be configured to indicate an access policy that is commonly corresponding to a parameter set index set that is composed of indexes of at least one parameter set.
For example, referring to table 1, the policy information # α is used to indicate the access policy # α corresponding to the four parameter sets of group #1, Shenzhen, PC, and resource group # 1.
Alternatively, the policy information # α is used to indicate the access policy # α that is commonly associated with a parameter set group consisting of four parameter sets, i.e., group #1, Shenzhen, PC, and resource group # 1.
Specifically, this policy information # α is used to indicate the access policy # α corresponding to the indexes of the four parameter groups "group # 1", "Shenzhen", "PC", "resource group # 1".
Alternatively, the policy information # α is used to indicate the access policy # α that is commonly associated with a parameter set index set that is composed of indexes of four parameter sets of "group # 1", "Shenzhen", "PC", "resource group # 1".
Wherein each of the at least one parameter set comprises at least one parameter.
The mapping relation information is used for indicating an access policy corresponding to each parameter.
Specifically, the access policy # a (i.e., an example of the first access policy) corresponding to the parameter # a (i.e., an example of the first parameter) is an access policy corresponding to the parameter group to which the parameter # a belongs.
It should be understood that the parameter # a may belong to one or more parameter groups (for example, an employee with a job number of job #1 may belong to a plurality of groups, and then the job number #1 may belong to other parameter groups in addition to the parameter group belonging to the group #1), each parameter group may correspond to one or more access policies (i.e. each parameter group may be used to configure a plurality of access policies), and thus, the parameter # a may correspond to one or more access policies, that is, the access policy # a may be one access policy or a plurality of access policies.
For example, referring to table 1, the parameter # a may be any one of a job number #1, an IP #1, a device #1, and a resource #1, and the access policy # a may be one or more access policies including the access policy # α.
The plurality of policy information may be a part of or the entire policy information in the database (for example, in the PRP).
For example, the plurality of policy information may be all policy information in the database, and then the mapping relationship information is used to indicate the access policy corresponding to each of all parameters.
It should be understood that the mapping information may be one or more, by way of example and not limitation, the mapping information is multiple and corresponds to multiple parameters in a one-to-one manner, wherein the mapping information # a is used to indicate the access policy # a corresponding to the parameter # a.
Specifically, the policy information is specifically used to indicate an access policy corresponding to an index of at least one parameter group, and the mapping relationship information is determined according to a plurality of policy information, which may be performed in the following manner:
transmitting first query request information (or, attribute request information) including an index for each parameter group;
receiving first query response information (or attribute response information), wherein the first query response information comprises parameters included in each parameter group;
and determining the mapping relation information according to the first query response information and the policy information.
Specifically, it may be determined by invoking the related attribute information, which parameters each parameter set corresponding to each access policy specifically includes, so that it can be determined to which parameters each access policy corresponds, or that it can be determined to which access policies each parameter corresponds, and finally, the mapping relationship information is determined.
By way of example and not limitation, first query request information may be sent to the PIP, the first query request information including an index of each parameter group (e.g., including parameter group indexes "group # 1", "Shenzhen", "PC", "resource group # 1") corresponding to the plurality of access policies including the access policy # α.
And receiving first query response information sent by the PIP, wherein the first query response information comprises parameters included in each parameter group (for example, at least one parameter included in each parameter group of the group #1, Shenzhen, PC and the resource group # 1).
According to the first query response information and the policy information, the access policies corresponding to each parameter can be determined, and finally the mapping relation information is determined. Specifically, determining the mapping relationship information according to the first query response information and the policy information may be implemented as follows:
determining a plurality of parameters corresponding to the access policy # B according to the first query response information;
adding the access policy # B into the access policy corresponding to each of the plurality of parameters indicated by the mapping relationship information;
the access policy # B is any one of a plurality of access policies indicated by the plurality of policy information.
For example, if the access policy # α (in this case, the access policy # B is the access policy # α) corresponds to the parameters work number #1, IP #1, device #1, resource #1, and the like, the access policy corresponding to each parameter indicated by the mapping relationship information may include the access policy # α, and similarly, if other access policies correspond to each parameter, the access policy corresponding to each parameter indicated by the mapping relationship information may also include the other access policies.
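The following is an added worked example of S210 (and of the update step with the second query described in the summary of the first aspect); it is not code from the patent, which gives none. It models the PRP-side policy information, a batched query to the PIP for the parameters of each parameter group, and the construction of the mapping relation information as an inverted index from each parameter to the access policies whose parameter groups contain it. The names PolicyInfo, PIP_GROUPS, POLICY_INFO and the group memberships are constructed assumptions, and the PIP is stood in for by a local dictionary.

```python
from dataclasses import dataclass

# Policy information (PRP side): each piece names the *indexes* of its
# parameter groups, one per dimension, plus the result it yields.
# Hypothetical data model, not the patent's own; values are constructed.
@dataclass(frozen=True)
class PolicyInfo:
    policy_id: str
    group_indexes: tuple   # e.g. ("group #1", "Shenzhen", "PC", "resource group #1")
    result: str            # "pass" or "deny"

# Attribute information (PIP side): which parameters each parameter group
# contains. Stands in for the remote PIP; constructed sample data.
PIP_GROUPS = {
    "group #1":          {"job number #1", "job number #2"},
    "Shenzhen":          {"IP #1", "IP #2"},
    "PC":                {"device #1"},
    "resource group #1": {"resource #1", "resource #2"},
    "Beijing":           {"IP #3"},
}

# Two pieces of policy information, in the shape of Table 1 (constructed).
POLICY_INFO = [
    PolicyInfo("policy #alpha", ("group #1", "Shenzhen", "PC", "resource group #1"), "pass"),
    PolicyInfo("policy #beta",  ("group #1", "Beijing",  "PC", "resource group #1"), "deny"),
]


def first_query(pip_groups, group_indexes):
    """First query request/response: send the group indexes, receive the
    parameters in each group. One batched call at mapping-build time, so
    no per-parameter PIP calls are needed later at decision time."""
    return {idx: set(pip_groups.get(idx, ())) for idx in group_indexes}


def build_mapping(policy_info, query_response):
    """Mapping relation information: for every parameter, the set of access
    policies whose parameter groups contain it. Each policy plays the role
    of access policy #B in turn and is added to every parameter it covers."""
    mapping = {}
    for policy in policy_info:
        for idx in policy.group_indexes:
            for param in query_response[idx]:
                mapping.setdefault(param, set()).add(policy.policy_id)
    return mapping


def determine_mapping(policy_info, pip_groups):
    """S210 end to end: collect every group index referenced by the policy
    information, query the PIP once, and build the mapping."""
    indexes = {idx for p in policy_info for idx in p.group_indexes}
    return build_mapping(policy_info, first_query(pip_groups, indexes))


def update_mapping(mapping, pip_groups, old_policy, new_policy):
    """Second query, for an updated access policy: re-query only the groups
    of the policy before and after the update, remove the old memberships
    and add the new ones, leaving all other entries untouched."""
    affected = set(old_policy.group_indexes) | set(new_policy.group_indexes)
    response = first_query(pip_groups, affected)
    for idx in old_policy.group_indexes:
        for param in response[idx]:
            mapping.get(param, set()).discard(old_policy.policy_id)
    for idx in new_policy.group_indexes:
        for param in response[idx]:
            mapping.setdefault(param, set()).add(new_policy.policy_id)
    return mapping


if __name__ == "__main__":
    m = determine_mapping(POLICY_INFO, PIP_GROUPS)
    for param in sorted(m):
        print(f"{param:14} -> {sorted(m[param])}")
```

Running the module prints, for each parameter, the access policies it maps to; a parameter that belongs to more than one parameter group (job number #1 here) collects the policies of every group it belongs to, which is exactly why S220 later needs the intersection across target parameters rather than a lookup of a single parameter.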
In S220, an access request # a (i.e., an example of a first access request) including a plurality of target parameters is received, and a target access policy corresponding to each target parameter included in the access request # a is determined based on the mapping information.
For example, an access request # a including a plurality of target parameters may be received from a PEP, either remote or local.
Specifically, the target access policy is an access policy corresponding to each target parameter included in the access request # a, or the parameter group corresponding to the target access policy should include all the target parameters.
For example, referring to the description of table 1 above, the access request # a may be the access control request # α, the target parameters may be job number #1, IP #1, device #1, resource #1, and the target access policy may be the access policy # α.
By way of example and not limitation, determining a target access policy based on the mapping relationship information may be implemented as follows:
and determining a plurality of access policy sets according to the mapping relation information, wherein the access policy sets correspond to the target parameters one by one, and each access policy set comprises an access policy corresponding to the corresponding target parameter.
Determining a target access policy from the intersection of the multiple access policy sets.
Specifically, the mapping relationship information can indicate an access policy corresponding to each of the multiple target parameters, and since each target parameter may belong to one or more parameter groups, and each parameter group may correspond to one or more access policies, each target parameter may correspond to one or more access policies, and an access policy set corresponding to each target parameter includes one or more access policies corresponding to the target parameter.
In addition, an access policy set corresponding to each parameter of all the parameters may also be determined according to the mapping relationship information, where the access policy set includes access policies corresponding to the corresponding parameters. When receiving an access request # a including a plurality of target parameters, the access policy set corresponding to the target parameters may be directly acquired.
Specifically, the intersection of the multiple access policy sets may be determined by performing intersection processing on the multiple access policy sets, where "determining the intersection of the multiple access policy sets" may be understood as determining a set composed of access policies that are common in the multiple access policy sets, or may be understood as determining a set composed of access policies that correspond to each of the multiple target parameters.
Thus, the intersection of the multiple access policy sets may include one access policy or multiple access policies, that is, there may be one or more access policies for the access request # a. In this case, the target access policy is determined from the intersection of the multiple access policy sets, and the determination may be performed according to the following two cases:
Case a
Only one access policy is included in the intersection of the multiple access policy sets, which indicates that there is only one access policy corresponding to each of the multiple target parameters, or there is only one access policy for the access request # a, and then it may be determined that the only one access policy in the intersection is the target access policy.
Case b
The intersection of the multiple access policy sets includes multiple access policies, which indicates that multiple access policies corresponding to each of the multiple target parameters exist, or multiple access policies exist for the access request # a, at this time, priorities of the multiple access policies may be determined, and the target access policy may be determined according to the priorities. For example, the highest priority one of the plurality of access policies may be determined to be the target access policy.
Specifically, the priority of the access policy may be determined in the following manner.
Mode 1: the priority is determined according to the order in which the access policies were configured.
As an example, an access policy configured earlier may have a higher priority. For example, the access policies are sorted in the order in which they were configured, and an access policy nearer the front of that order (i.e., with a lower sequence number) has a higher priority.
Mode 2: the priority is determined according to the database to which the access policy belongs.
It should be understood that the plurality of policy information may come from different databases, for example a local database and a remotely located database. In that case the access policy corresponding to the policy information in the local database may be determined to have the higher priority, so that the access policy from the local database is used preferentially.
Mode 3: the access policies are prioritized according to usage priorities of different sets of parameters in the same dimension.
For example, an employee with the job number job #1 belongs not only to group #1 but also to group #2, and the policy information # β in table 2 is used to indicate the access policy # β corresponding to the four parameter groups group #2, Shenzhen, PC, and resource group #1:
table 2:
  Identity of subject   Visiting location   Access device   Resource            Result
  Group #2              Shenzhen            PC              Resource group #1   Reject
For example, group #1 is a group consisting of the job numbers of department leaders (including the leader of department A), and group #2 is a group consisting of the job numbers of all members of department A (that is, the employee with the job number job #1 is the leader of department A). If the usage priority of group #1 is higher than that of group #2, the priority of the access policy # α may be determined to be higher, and the access policy # α may be determined to be the target access policy.
In addition, it is worth mentioning that if the intersection of the multiple access policy sets is empty, this indicates that none of the multiple access policies corresponding to the multiple pieces of policy information is applicable to the access request # a; and if the multiple pieces of policy information are all of the policy information in the database, this indicates that no access policy applicable to the access request # a is configured in the database.
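The following Python model is an added illustration of the determination step described above; it is not code from the patent or from the applicant. With constructed data it builds the mapping relationship information (parameter to the access policies bound to it), intersects the access policy sets of the target parameters of one request, and resolves case b with priority mode 1 (configuration order) or mode 3 (usage priority of the subject groups). The group indices, policy names, the `job#`/`loc:`/`dev:`/`res:` parameter encoding and the dictionary layout are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    groups: FrozenSet[str]  # indices of the parameter groups the policy is bound to
    decision: str           # "allow" or "deny"
    config_order: int       # position in configuration order; 1 = configured first


# Constructed stand-in for the PIP: parameter-group index -> member parameters
# (what a first query response would carry). Names are assumptions.
GROUPS: Dict[str, Set[str]] = {
    "group#1": {"job#1"},                    # department leaders
    "group#2": {"job#1", "job#2", "job#3"},  # all members of the department
    "shenzhen": {"loc:shenzhen"},
    "shanghai": {"loc:shanghai"},
    "pc": {"dev:pc"},
    "resource_group#1": {"res:resource#1", "res:resource#2"},
}

# Constructed policy information: one parameter group per dimension
# (subject, location, device, resource), in the style of table 2.
POLICIES: List[Policy] = [
    Policy("beta", frozenset({"group#2", "shenzhen", "pc", "resource_group#1"}), "deny", 1),
    Policy("alpha", frozenset({"group#1", "shenzhen", "pc", "resource_group#1"}), "allow", 2),
    Policy("gamma", frozenset({"group#2", "shanghai", "pc", "resource_group#1"}), "allow", 3),
]

# Mode 3: usage priority of groups in the subject dimension (lower value = preferred).
GROUP_USAGE_PRIORITY: Dict[str, int] = {"group#1": 0, "group#2": 1}


def build_mapping(policies: List[Policy], groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Mapping relationship information: parameter -> names of the policies bound to it."""
    mapping: Dict[str, Set[str]] = {}
    for policy in policies:
        for index in policy.groups:
            for param in groups[index]:
                mapping.setdefault(param, set()).add(policy.name)
    return mapping


def candidate_policies(mapping: Dict[str, Set[str]], target_params: List[str]) -> Set[str]:
    """Intersection of the access policy sets of all target parameters of one request."""
    sets = [mapping.get(param, set()) for param in target_params]
    return set.intersection(*sets) if sets else set()


def decide(policies: List[Policy], groups: Dict[str, Set[str]],
           target_params: List[str], mode: int = 1) -> Optional[Tuple[str, str]]:
    """Return (policy name, decision) for the request, or None if no policy applies."""
    mapping = build_mapping(policies, groups)
    by_name = {p.name: p for p in policies}
    candidates = [by_name[n] for n in candidate_policies(mapping, target_params)]
    if not candidates:
        return None                       # empty intersection: nothing configured
    if len(candidates) == 1:              # case a: the only policy is the target
        chosen = candidates[0]
    elif mode == 1:                       # case b, mode 1: earliest configured wins
        chosen = min(candidates, key=lambda p: p.config_order)
    elif mode == 3:                       # case b, mode 3: preferred subject group wins
        chosen = min(candidates, key=lambda p: (
            min(GROUP_USAGE_PRIORITY.get(g, 10**6) for g in p.groups), p.config_order))
    else:
        raise ValueError(f"unsupported priority mode {mode}")
    return chosen.name, chosen.decision


if __name__ == "__main__":
    request = ["job#1", "loc:shenzhen", "dev:pc", "res:resource#1"]
    print(decide(POLICIES, GROUPS, request, mode=1))  # ('beta', 'deny')
    print(decide(POLICIES, GROUPS, request, mode=3))  # ('alpha', 'allow')
```

Two points follow from the intersection semantics. A policy survives only if it is present in the set of every target parameter, so a policy that is meant to apply regardless of, say, location must be bound to a parameter group covering every location value, or it is silently excluded. And `None` means no applicable policy is configured; a PDP should translate that into an explicit deny rather than leave the PEP without a decision.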
In S230, access control is performed on the access request # a according to the target access policy.
Specifically, the access control of the access request # a may include: a decision is made on the access request # a, for example, to allow the access request # a, or to deny the access request # a, or to allow the access request # a but with certain access requirements (e.g., to allow viewing of the resource but not to allow downloading of the resource).
The access control of the access request # a may further include: feeding back the result of the above decision to the requester of the access request # a (e.g., the PEP). The PEP then enforces the decision of the PDP on the access request # a, for example by allowing the access to resource # 1.
How to update the mapping relationship information when one or more policy information (e.g., policy information # C) of the plurality of policy information changes is discussed below. The policy information # C is used to indicate an access policy # C corresponding to an index of at least one parameter set, and may be implemented by the following way, by way of example and not limitation:
transmitting second inquiry request information (or, attribute request information) including an index of each parameter group corresponding to the access policy # C before and after the update;
receiving second query response information (or attribute response information) including parameters included in each parameter group corresponding to the access policy # C before and after updating;
and updating the mapping relationship information according to the second query response information and the policy information.
Specifically, the second query response information includes the parameters included in each parameter group corresponding to the access policy # C before and after the update, so it can be determined which parameters the access policy # C corresponded to before the update and which parameters it corresponds to after the update. From this, the parameters newly added (for example, parameter # C1) and the parameters removed (for example, parameter # C2) among the parameters corresponding to the access policy # C can be determined.
At this time, in order to synchronously update the mapping information, the access policy # C may be added to the access policy corresponding to the parameter # C1 indicated by the mapping information, and the access policy # C may be deleted from the access policy corresponding to the parameter # C2 indicated by the mapping information.
Through the steps, the updating of the mapping relation information is realized.
It should be understood that adding one or more pieces of policy information to the plurality of policy information, or deleting one or more pieces of policy information from it, are two special cases of such a change, and the above method of updating the mapping relationship information can also be used for them.
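The following Python is an added illustration of the update procedure just described (and of its two special cases, adding and deleting a policy); it is not code from the patent or from the applicant. It takes the group indices a policy was bound to before and after a change, flattens them to parameters as the second query response would, and adds the policy to the newly covered parameters while removing it from the parameters no longer covered. The group indices, the policy names `C` and `D`, and the dictionary layout of the mapping are assumptions.

```python
from typing import Dict, Iterable, Set, Tuple

# Constructed stand-in for the parameter groups a second query response would
# resolve: group index -> member parameters. Names are assumptions.
GROUPS: Dict[str, Set[str]] = {
    "group#1": {"job#1"},
    "group#2": {"job#1", "job#2", "job#3"},
    "group#3": {"job#4"},
    "resource_group#1": {"res:resource#1"},
}


def flatten(groups: Dict[str, Set[str]], indices: Iterable[str]) -> Set[str]:
    """Parameters contained in the given parameter groups."""
    params: Set[str] = set()
    for index in indices:
        params |= groups[index]
    return params


def update_mapping(mapping: Dict[str, Set[str]], policy_name: str,
                   before_indices: Iterable[str], after_indices: Iterable[str],
                   groups: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """Synchronise parameter -> policies after policy_name's parameter groups changed.

    before_indices / after_indices are the group indices the policy was bound to
    before and after the update (what the second query request carries).
    Returns (added parameters, removed parameters)."""
    before = flatten(groups, before_indices)
    after = flatten(groups, after_indices)
    added = after - before      # the "parameter # C1" case on the page
    removed = before - after    # the "parameter # C2" case on the page
    for param in added:
        mapping.setdefault(param, set()).add(policy_name)
    for param in removed:
        names = mapping.get(param)
        if names is not None:
            names.discard(policy_name)
            if not names:           # drop parameters no policy refers to any more
                del mapping[param]
    return added, removed


def mapping_is_consistent(mapping: Dict[str, Set[str]],
                          policy_params: Dict[str, Set[str]]) -> bool:
    """Cross-check the incrementally maintained mapping against each policy's
    full parameter set, in both directions."""
    for name, params in policy_params.items():
        if any(name not in mapping.get(param, set()) for param in params):
            return False
    for param, names in mapping.items():
        if any(param not in policy_params.get(name, set()) for name in names):
            return False
    return True


def demo() -> Tuple[Dict[str, Set[str]], Set[str], Set[str]]:
    """Add two policies, then move policy C from group#2 to group#3."""
    mapping: Dict[str, Set[str]] = {}
    # Adding a policy is the special case "bound to no groups before".
    update_mapping(mapping, "C", [], ["group#2", "resource_group#1"], GROUPS)
    update_mapping(mapping, "D", [], ["group#1"], GROUPS)
    added, removed = update_mapping(
        mapping, "C", ["group#2", "resource_group#1"], ["group#3", "resource_group#1"], GROUPS)
    return mapping, added, removed


if __name__ == "__main__":
    m, a, r = demo()
    print(sorted(a), sorted(r))  # ['job#4'] ['job#1', 'job#2', 'job#3']
    print(m)
```

Deleting a policy is the mirror case: pass its current indices as `before_indices` and an empty list as `after_indices`. The "before" parameters are resolved from the current group membership, so if a group's members changed between the original mapping build and this update, the computed "before" set no longer matches what the mapping holds; `mapping_is_consistent` (or a periodic full rebuild) is the check that catches such drift.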
The method provided by the embodiment of the present application is described in detail above with reference to fig. 2. Hereinafter, the apparatus provided in the embodiment of the present application will be described in detail with reference to fig. 3 to 4.
Fig. 3 is a schematic block diagram of an access control device 300 provided in an embodiment of the present application. As shown in fig. 3, the access control device 300 includes: a processing module 310 and a communication module 320.
The processing module 310 is configured to determine mapping relationship information according to a plurality of pieces of policy information, where each piece of policy information is used to indicate an access policy corresponding to at least one parameter group, each parameter group includes at least one parameter, and the mapping relationship information is used to indicate an access policy corresponding to each parameter, where a first access policy corresponding to a first parameter is an access policy corresponding to a parameter group to which the first parameter belongs;
the processing module 310 is further configured to determine a target access policy according to the mapping relationship information when the communication module 320 receives the first access request, where the target access policy is an access policy corresponding to each target parameter;
the processing module 310 is further configured to perform access control on the first access request according to the target access policy.
It should be understood that the access control device 300 may correspond to the access control device in the access control method 200 according to the embodiment of the present application, and the access control device 300 may include modules for performing the method performed by the access control device of the access control method 200 in fig. 2. For example, the access control device 300 may be a PDP, or may be a chip disposed in the PDP.
Moreover, each module and the other operations and/or functions in the access control device 300 are respectively for implementing the corresponding flow of the access control method 200 in fig. 2, specifically, the processing module 310 is used for executing the step 210 and the step 230 in the method 200, and the specific process of each module for executing the corresponding step is already described in detail in the method 200, and is not repeated herein for brevity.
Fig. 4 is a schematic structural diagram of an access control device 400 according to an embodiment of the present application. As shown in fig. 4, the access control device 400 includes: a processor 410, a memory 420, and a communication interface 430. Wherein, the memory 420 stores instructions, the processor 410 is configured to execute the instructions in the memory 420, when the instructions are executed, the processor 410 is configured to execute the method provided by the above method embodiment, and the processor 410 is further configured to control the communication interface 430 to communicate with the outside.
Specifically, the access control device 400 may correspond to the access control device in the access control method 200 according to the embodiment of the present application, and the access control device 400 may include modules for executing the method executed by the access control device of the access control method 200 in fig. 2. Also, the modules and other operations and/or functions described above in the access control apparatus 400 are respectively for implementing the corresponding flows of the access control method 200 in fig. 2. The specific processes of each module for executing the corresponding steps are already described in detail in the method 200, and are not described herein again for brevity.
Embodiments of the present application further provide a computer-readable storage medium, which includes a computer program and when the computer program runs on a computer, the computer is caused to execute the method provided by the above method embodiments.
Embodiments of the present application further provide a computer program product containing instructions, which when run on a computer, cause the computer to execute the method provided by the above method embodiments.
An embodiment of the present application further provides an access control system, including the access control device provided in the foregoing embodiment.
In particular, the access control system may further comprise a PEP, a PRP, a PIP.
It should be understood that in the embodiments of the present application, the processor may be a Central Processing Unit (CPU), and the processor may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It should also be understood that the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM may be used, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM) and double data rate SDRAM (DDR SDRAM).
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (13)

1. An access control method, comprising:
determining mapping relationship information according to a plurality of pieces of policy information, wherein each piece of policy information is used for indicating an access policy corresponding to at least one parameter group, each parameter group comprises at least one parameter, and the mapping relationship information is used for indicating an access policy corresponding to each parameter, wherein a first access policy corresponding to a first parameter is an access policy corresponding to the parameter group to which the first parameter belongs;
when a first access request comprising a plurality of target parameters is received, determining a target access policy according to the mapping relation information, wherein the target access policy is an access policy corresponding to each target parameter;
and performing access control on the first access request according to the target access policy.
2. The access control method of claim 1, wherein the determining the target access policy according to the mapping relationship information comprises:
determining a plurality of access policy sets according to the mapping relation information, wherein the access policy sets correspond to the target parameters one by one, and each access policy set comprises an access policy corresponding to the corresponding target parameter;
determining a target access policy from the intersection of the multiple access policy sets.
3. The access control method of claim 2, wherein when the intersection of the plurality of access policy sets includes a plurality of access policies, the determining the target access policy from the intersection of the plurality of access policy sets comprises:
determining a priority for each access policy in an intersection of the plurality of sets of access policies;
and determining the target access policy according to the priority.
4. The access control method according to any of claims 1-3, wherein the policy information is specifically for indicating an access policy corresponding to an index of at least one parameter group, and
the determining the mapping relationship information according to the plurality of policy information includes:
sending first query request information, wherein the first query request information comprises an index of each parameter group;
receiving first query response information, wherein the first query response information comprises parameters included in each parameter group;
and determining the mapping relationship information according to the first query response information and the policy information.
5. The access control method of claim 4, further comprising:
sending second query request information, wherein the second query request information comprises indexes of each parameter group corresponding to the updated access policy before and after updating;
receiving second query response information, wherein the second query response information comprises parameters included in each parameter group corresponding to the updated access policy before and after updating;
and updating the mapping relationship information according to the second query response information and the policy information.
6. An access control apparatus, comprising:
the processing module is configured to determine mapping relationship information according to a plurality of pieces of policy information, where each piece of policy information is used to indicate an access policy corresponding to at least one parameter group, each parameter group includes at least one parameter, and the mapping relationship information is used to indicate an access policy corresponding to each parameter, where a first access policy corresponding to a first parameter is an access policy corresponding to a parameter group to which the first parameter belongs;
the processing module is further configured to determine a target access policy according to the mapping relationship information when the first access request is received, where the target access policy is an access policy corresponding to each target parameter;
the processing module is further configured to perform access control on the first access request according to the target access policy.
7. The access control device of claim 6, wherein the processing module is further configured to:
determining a plurality of access policy sets according to the mapping relation information, wherein the access policy sets correspond to the target parameters one by one, and each access policy set comprises an access policy corresponding to the corresponding target parameter;
determining a target access policy from the intersection of the multiple access policy sets.
8. The access control device of claim 7, wherein when the intersection of the multiple access policy sets comprises multiple access policies, the processing module is further configured to:
determining a priority for each access policy in an intersection of the plurality of sets of access policies;
and determining the target access policy according to the priority.
9. The access control device according to any of claims 6-8, wherein the policy information is specifically configured to indicate an access policy corresponding to an index of at least one parameter group, and the access control device further comprises a communication module configured to:
sending first query request information, wherein the first query request information comprises an index of each parameter group;
receiving first query response information, wherein the first query response information comprises parameters included in each parameter group;
the processing module is further configured to determine the mapping relationship information according to the first query response information and the policy information.
10. The access control device of claim 9, wherein the communication module is further configured to:
sending second query request information, wherein the second query request information comprises indexes of each parameter group corresponding to the updated access policy before and after updating;
receiving second query response information, wherein the second query response information comprises parameters included in each parameter group corresponding to the updated access policy before and after updating;
the processing module is further configured to update the mapping relationship information according to the second query response information and the policy information.
11. An access control device comprising at least one processor configured to perform the method of any one of claims 1 to 5.
12. A computer-readable medium, comprising a computer program which, when run on a computer, causes the computer to perform the method of any one of claims 1 to 5.
13. An access control system comprising an access control device according to any one of claims 6 to 11.
CN201910059731.6A 2019-01-22 2019-01-22 Access control method, device and system Active CN111464487B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910059731.6A CN111464487B (en) 2019-01-22 2019-01-22 Access control method, device and system

Publications (2)

Publication Number Publication Date
CN111464487A true CN111464487A (en) 2020-07-28
CN111464487B CN111464487B (en) 2022-02-25

Family

ID=71679904

Country Status (1)

Country Link
CN (1) CN111464487B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113032745A (en) * 2021-03-19 2021-06-25 上海依图网络科技有限公司 Authority management apparatus, authority management method and medium
CN114257397A (en) * 2021-11-05 2022-03-29 奇安信科技集团股份有限公司 Policy conflict processing method and device based on complex network
CN114760136A (en) * 2022-04-20 2022-07-15 中科星启(北京)科技有限公司 Safety early warning system and method based on micro-isolation
CN116760640A (en) * 2023-08-18 2023-09-15 建信金融科技有限责任公司 Access control method, device, equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8495701B2 (en) * 2008-06-05 2013-07-23 International Business Machines Corporation Indexing of security policies
CN102341808A (en) * 2009-03-04 2012-02-01 皇家飞利浦电子股份有限公司 Specifying an access control policy
JP6260283B2 (en) * 2014-01-07 2018-01-17 富士ゼロックス株式会社 Information processing apparatus and information processing program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant