CN112202750B - Control method for policy execution, policy execution system and computing device - Google Patents


Info

Publication number
CN112202750B
Authority
CN
China
Prior art keywords
policy
terminal
server
access
terminals
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011021736.9A
Other languages
Chinese (zh)
Other versions
CN112202750A (en)
Inventor
陈作朋
李鹤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Uniontech Software Technology Co Ltd filed Critical Uniontech Software Technology Co Ltd
Priority to CN202011021736.9A priority Critical patent/CN112202750B/en
Publication of CN112202750A publication Critical patent/CN112202750A/en
Priority to PCT/CN2021/117706 priority patent/WO2022062918A1/en
Application granted granted Critical
Publication of CN112202750B publication Critical patent/CN112202750B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a control method for policy execution, which is executed in a policy control device and comprises the following steps: receiving a policy execution request sent by a configuration platform, and determining a policy rule to be executed based on the policy execution request; determining device identifications of one or more terminals that are to execute the policy rule; adding the policy rule to a message queue based on the device identifications of the one or more terminals, so as to send the policy rule to the one or more terminals through the message queue; obtaining, from the message queue, an execution result returned by each terminal after executing the policy rule; and sending the execution result of each terminal to the configuration platform so as to display the execution result on the configuration platform. The invention also discloses a corresponding policy execution system and a computing device. According to the technical scheme of the invention, each terminal can be controlled to execute the corresponding policy rule more conveniently and efficiently.

Description

Control method for policy execution, policy execution system and computing device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a policy execution control method, a policy execution system, and a computing device.
Background
In the prior art, Microsoft AD (Active Directory) is an LDAP-based directory service provided by Microsoft for its server platform; it implements centralized control and simplified management of resources through a domain mode. The AD domain is a large security boundary: once a user passes authentication at login, all resources the user is allowed to access in the domain can be accessed directly without separate authentication, so that resource sharing is realized. For a user, the "My Documents" folder on the desktop can be redirected to a file server based on the AD domain, so that, on the one hand, user data can be backed up centrally, avoiding the loss of user data caused by reinstalling the system or by hardware damage; on the other hand, the user can find their own data no matter which computer they log on to.
However, because multiple levels of security policies are set in the AD domain, and each level of security policy corresponds to different rules, the overall security configuration of the AD domain is relatively complex, the threshold is high, and the requirement on the skill level of an administrator is high. On the other hand, the AD domain mainly depends on the Windows operating system and cannot manage user policies on the Linux operating system.
Therefore, a control method for policy enforcement and a policy enforcement system are needed to solve the above problems.
Disclosure of Invention
To this end, the present invention provides a method, system and computing device for controlling policy enforcement to solve or at least alleviate the above-identified problems.
According to an aspect of the present invention, there is provided a policy control method, executed in a policy control device connected to a configuration platform and connected to one or more terminals, the method including: receiving a policy execution request sent by the configuration platform, and determining a policy rule to be executed based on the policy execution request; determining device identifications of one or more terminals that are to execute the policy rule; adding the policy rule to a message queue based on the device identifications of the one or more terminals, so as to send the policy rule to the one or more terminals through the message queue; obtaining, from the message queue, an execution result returned by each terminal after executing the policy rule; and sending the execution result of each terminal to the configuration platform so as to display the execution result on the configuration platform. The invention also discloses a corresponding policy execution system and a computing device.
Optionally, in the control method for policy enforcement according to the present invention, before adding the policy rule to the message queue, the method further includes the step of: receiving a subscription request for the policy rule sent by one or more terminals based on the corresponding device identifications.
Optionally, in the control method for policy execution according to the present invention, the method further includes: receiving an identity authentication request sent by a terminal, and returning a corresponding access permission identifier to the terminal after the authentication is passed; and receiving an access request sent by the terminal based on the access permission identification.
Optionally, in the policy execution control method according to the present invention, before receiving an identity authentication request sent by a terminal, the method includes: receiving a registration account request sent by a terminal; and generating an access account and an access password corresponding to the terminal user identity based on the registration account request so that the terminal can send an identity authentication request based on the corresponding access account and the access password.
Optionally, in a control method of policy execution according to the present invention, the policy control device includes: the policy server is connected with the configuration platform and is suitable for receiving a policy execution request sent by the configuration platform; the message queue server is connected with the policy server and one or more terminals and comprises a message queue; and the access control server is connected with the policy server and one or more terminals, is suitable for receiving an identity authentication request sent by the terminal, returns a corresponding access permission identifier to the terminal after the authentication is passed, and is suitable for receiving an access request sent by the terminal based on the access permission identifier.
Optionally, in the policy enforcement control method according to the present invention, the terminal is adapted to generate a corresponding device identifier based on hardware information, and the terminal includes: a Pluggable Authentication Module (PAM), connected with the access control server and adapted to send an identity authentication request to the access control server and to receive an access permission identifier returned by the access control server; a process monitoring module (Agent), connected with the message queue server and adapted to acquire a policy rule from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected to the process monitoring module and adapted to execute the policy rule.
Optionally, in the control method for policy enforcement according to the present invention, the message queue server is an NSQ message queue server; the access control server is OpenLDAP.
Optionally, in the control method for policy enforcement according to the present invention, the policy includes: applying one or more of a customization policy, a desktop customization policy, a password policy, a firewall policy.
According to an aspect of the present invention, there is provided a policy enforcement system, including: a policy control device adapted to perform the method as described above to control the execution of a policy; a configuration platform, connected with the policy control device, adapted to send a policy execution request to the policy control device, to receive the execution result of each terminal returned by the policy control device, and to display the execution result; and one or more terminal groups, each terminal group comprising one or more terminals, each terminal being adapted to acquire the policy rule from the message queue based on the corresponding device identifier, execute the policy rule and send the execution result to the message queue.
Optionally, in a policy enforcement system according to the present invention, the policy control device includes: the policy server is connected with the configuration platform and is suitable for receiving a policy execution request sent by the configuration platform; the message queue server is connected with the policy server and one or more terminals and comprises a message queue; and the access control server is connected with the policy server and one or more terminals, is suitable for receiving an identity authentication request sent by the terminal, returns a corresponding access permission identifier to the terminal after the authentication is passed, and is suitable for receiving an access request sent by the terminal based on the access permission identifier.
Optionally, in the policy enforcement system according to the present invention, the access control server is further adapted to: receiving a registration account request sent by a terminal; and generating an access account and an access password corresponding to the terminal user identity based on the registration account request so that the terminal can send an identity authentication request based on the corresponding access account and the access password.
Optionally, in the policy enforcement system according to the present invention, the terminal is adapted to generate a corresponding device identifier based on the hardware information, and the terminal includes: a Pluggable Authentication Module (PAM), connected with the access control server and adapted to send an identity authentication request to the access control server and to receive an access permission identifier returned by the access control server; a process monitoring module (Agent), connected with the message queue server and adapted to acquire a policy rule from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected to the process monitoring module and adapted to execute the policy rule.
Optionally, in the policy enforcement system according to the present invention, the message queue server is an NSQ message queue server; the access control server is OpenLDAP.
Optionally, in the policy enforcement system according to the present invention, the policy includes: applying one or more of a customization policy, a desktop customization policy, a password policy, a firewall policy.
According to an aspect of the invention, there is provided a computing device comprising: at least one processor; a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the control method of policy execution as described above.
According to an aspect of the present invention, there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to execute the control method of policy execution as described above.
According to the technical scheme of the invention, a configuration platform for configuring and managing various policies is provided, and the configuration platform is connected to the policy control device, so that policy managers can configure corresponding policy rules for the terminals through the configuration platform, request the policy control device to control the corresponding terminals to execute the policy rules, and acquire the execution results of the terminals. Because policy configuration is carried out through the configuration platform, the operation is simple and the configuration efficiency is high, which helps to control each terminal to execute the corresponding policy rule more efficiently.
Furthermore, the invention can divide a plurality of terminals into a plurality of terminal groups based on the area where each terminal is located, and each terminal group comprises one or more terminals arranged in the corresponding area, thus realizing the partition management of the terminals.
In addition, the control method for policy execution of the invention makes it possible to control policy execution on a plurality of terminal devices running the Linux operating system.
The above description is only an overview of the technical solutions of the present invention, and the present invention can be implemented in accordance with the content of the description so as to make the technical means of the present invention more clearly understood, and the above and other objects, features, and advantages of the present invention will be more clearly understood.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a policy enforcement system 100 according to one embodiment of the present invention;
FIG. 2 shows a schematic diagram of a computing device 200, according to one embodiment of the invention;
FIG. 3 shows a flow diagram of a method 300 of controlling policy enforcement, according to one embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 shows a schematic diagram of a policy enforcement system 100 according to one embodiment of the present invention.
As shown in fig. 1, the policy enforcement system 100 includes one or more terminals 110, a configuration platform 150, and a policy control device 200. Wherein the policy control device 200 is communicatively coupled to the configuration platform 150 and to one or more terminals 110, for example, via a wired or wireless network connection. Here, the present invention does not limit the specific connection manner of the policy control device 200 with the configuration platform 150 and the terminal 110.
The terminal 110 is a terminal device used by a user, and may specifically be a personal computer such as a desktop computer and a notebook computer, or may also be a mobile phone, a tablet computer, a multimedia device, an intelligent wearable device, and the like, but is not limited thereto.
In one embodiment, the terminal 110 may be a terminal device installed with a Linux operating system, but the present invention is not limited to a specific kind of operating system installed in the terminal 110. It should be noted that, in the embodiment, the present invention has been specifically described with respect to the policy execution system 100 by taking the Linux operating system as an example. However, it should be understood that the policy enforcement system 100 of the present invention is not limited to a specific kind of operating system installed in the terminal.
In an embodiment of the present invention, the policy control device 200 may be configured to control the terminal 110 to execute the policy. It can be implemented as a computing device such as a desktop computer, a notebook computer, a processor chip, a mobile phone or a tablet computer, or as a system consisting of a plurality of computing devices.
The configuration platform 150 may be a Web platform provided for an administrator (policy manager) who may configure and manage various policies, and the administrator may access the configuration platform 150 through a browser. By connecting the configuration platform 150 to the policy control device 200, after the configuration platform 150 configures the policy rules for the terminal 110, the administrator can request the policy control device 200 through the configuration platform 150 to control the corresponding terminal to execute the policy rules.
In one embodiment, the policy enforcement system 100 may include a plurality of terminal groups, each having one or more terminals 110 disposed therein. That is, the various terminals 110 in the system 100 may be arranged in different terminal groups. In this way, the configuration platform 150 can configure the corresponding policy rules for different terminal groups and request the policy control device 200 to control each terminal 110 in the terminal group to execute the policy rule corresponding to the terminal group. It should be noted that each terminal group may correspond to different areas, specifically, the present invention may divide the plurality of terminals 110 into a plurality of terminal groups based on the area where each terminal 110 is located, and each terminal group includes one or more terminals 110 arranged in a corresponding area, so that the partition management of the terminals may be implemented.
In an embodiment of the present invention, the policy control device 200 is adapted to execute a control method of policy execution to control a terminal to execute a policy. The policy enforcement control method 300 of the present invention will be described in detail below.
In one embodiment, the policy control device 200 according to the present invention may control the policy executed by the terminal, including: applying one or more of a customization policy, a desktop customization policy, a password policy, a firewall policy. However, the present invention is not limited to the above-listed types of policies.
In one embodiment, as shown in FIG. 1, the policy control device 200 includes a policy server 250, a message queue server 210, and an access control server 220. The policy server 250 is connected to the message queue server 210 and the access control server 220, respectively. Also, the policy server 250 is connected to the configuration platform 150, for example, through a Registry connection, so that the policy server 250 can receive the policy execution request sent by the configuration platform 150.
The message queue server 210 is connected to one or more terminals 110, and the message queue server 210 includes a message queue. Thus, the policy server 250 establishes a communication connection with one or more terminals 110 through the message queue server 210 and performs asynchronous communication based on the message queue in the message queue server 210.
In one embodiment, the access control server 220 is connected to one or more terminals 110. The access control server 220 may receive the identity authentication request sent by the terminal 110, and return the corresponding access permission identifier to the terminal 110 after the authentication is passed. Further, the access control server 220 receives an access request transmitted by the terminal 110 based on the access permission identifier.
In one embodiment, the access control server 220 may also receive a request for account registration sent by the terminal 110 before receiving the authentication request sent by the terminal 110. The access control server 220 may generate and store an access account and an access password corresponding to the identity of the user of the terminal 110 based on the registration account request, so that the terminal 110 transmits an identity authentication request to the access control server 220 based on the corresponding access account and access password. In this way, the access control server 220 stores access accounts and access passwords corresponding to the plurality of terminals 110, and the access control server 220 also stores information of terminal groups corresponding to each terminal 110.
In one embodiment, the access control server 220 is, for example, OpenLDAP, and the message queue server 210 is, for example, an NSQ message queue server, although the invention is not limited thereto.
In one embodiment, the terminal 110 may generate the corresponding device identification based on the hardware information. The terminal 110 includes a Pluggable Authentication Module (PAM), a process monitoring module (Agent), and a message bus module (DBUS).
As shown in fig. 1, a Pluggable Authentication Module (PAM) is connected to the access control server 220, so that the terminal 110 can transmit a registration account request to the access control server 220 through the pluggable authentication module to acquire a corresponding access account and an access password. Further, the pluggable authentication module sends an identity authentication request to the access control server 220 based on the corresponding access account and access password, receives the access permission identifier returned by the access control server 220, and sends an access request to the access control server 220 based on the access permission identifier, so as to complete identity authentication of the terminal 110, and establish communication between the terminal 110 and the policy control device 200. The pluggable authentication module comprises an authentication management module (Auth), an Account management module (Account), a Session management module (Session) and a Password management module (Password).
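The registration, authentication and access sequence described above, as an added example that is not code from the patent or from OpenLDAP. The class name, the PBKDF2 password storage, the `acct-` account naming and the 300-second lifetime of the access permission identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class AccessControlServer:
    """In-memory stand-in for access control server 220 (hypothetical, not OpenLDAP)."""

    TOKEN_TTL = 300  # seconds; assumed lifetime of an access permission identifier

    def __init__(self):
        self._accounts = {}  # account -> (salt, password hash, terminal group)
        self._tokens = {}    # access permission identifier -> (account, expiry)

    @staticmethod
    def _hash(password, salt):
        # Assumption: only a salted PBKDF2 hash of the access password is stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_identity, terminal_group):
        """Account registration request: generate an access account and password."""
        account = f"acct-{user_identity}"
        if account in self._accounts:
            raise ValueError("account already registered")
        password = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._accounts[account] = (salt, self._hash(password, salt), terminal_group)
        return account, password

    def authenticate(self, account, password, now=None):
        """Identity authentication request: return an access permission identifier."""
        now = time.time() if now is None else now
        record = self._accounts.get(account)
        # Hash even for unknown accounts so both failure paths do the same work.
        salt, expected, _ = record if record else (b"\0" * 16, b"", None)
        candidate = self._hash(password, salt)
        if record is None or not hmac.compare_digest(candidate, expected):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (account, now + self.TOKEN_TTL)
        return token

    def access(self, token, now=None):
        """Access request: accepted only with a live access permission identifier."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        account, expiry = entry
        if now >= expiry:
            del self._tokens[token]  # expired identifiers are dropped on first use
            return None
        return self._accounts[account][2]  # terminal group stored for this terminal


def demo():
    acs = AccessControlServer()
    account, password = acs.register("alice", "area-a")  # constructed user and group
    denied = acs.authenticate(account, password + "x", now=1000.0)
    token = acs.authenticate(account, password, now=1000.0)
    return {
        "wrong_password": denied,
        "live": acs.access(token, now=1100.0),
        "expired": acs.access(token, now=1000.0 + acs.TOKEN_TTL),
        "forged": acs.access("not-a-token", now=1100.0),
    }


if __name__ == "__main__":
    print(demo())
```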
The process monitoring module (Agent) is connected to the message queue server 210 and communicates with the policy server 250 of the policy control device 200 through the message queue. The terminal 110 receives and transmits messages through the process monitoring module. Specifically, the process monitoring module may obtain the corresponding policy rule from the message queue based on the device identifier of the terminal 110, and may return the execution result of the terminal 110 executing the policy rule to the policy server 250 of the policy control device 200 through the message queue.
A message bus module (DBUS) may be used to enable communication between processes of terminal 110. The message bus module is connected with the process monitoring module, and after the process monitoring module obtains the policy rules, the policy rules can be executed by calling the message bus module.
In one embodiment, the policy enforcement system 100 further includes a data storage system 140 coupled to the policy server 250. The data storage system 140 is, for example, a MySQL relational data storage system, but is not limited thereto. The data storage system 140 may store service data, where the service data includes, for example, terminal group information, terminal information, user information, policy information, application information, and behavior logs, and may also store correspondence between terminal groups, terminals, users, applications, and policies.
In one embodiment, policy enforcement system 100 further includes Redis memory coupled to policy server 250.
According to the policy enforcement system 100 of the present invention, by providing the configuration platform 150 for configuring and managing various policies, the configuration platform 150 is connected to the policy control device 200, so that a policy manager can configure a corresponding policy rule for the terminal 110 through the configuration platform 150, and request the policy control device 200 to control the corresponding terminal 110 to enforce the policy rule, and obtain an enforcement result of the terminal 110. Because policy configuration is carried out through the configuration platform, the operation is simple and the configuration efficiency is high, which helps to control each terminal to execute the corresponding policy rule more efficiently.
Further, the present invention may divide the plurality of terminals 110 into a plurality of terminal groups based on the area where each terminal 110 is located, where each terminal group includes one or more terminals 110 arranged in a corresponding area, so that the terminals may be managed in a partitioned manner.
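The dispatch path described above (terminal group to device identifiers, per-device queue topics, execution on the terminal, results back through the queue), as an added example that is not code from the patent or from NSQ. The topic names, the SHA-256 device identifier, the status strings and the password handler are assumptions; the queue is an in-memory stand-in.

```python
import hashlib
import json
from collections import defaultdict, deque


def device_id(hardware_info):
    """Device identifier from hardware information (assumed: truncated SHA-256)."""
    canonical = json.dumps(hardware_info, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


class MessageQueueServer:
    """In-memory stand-in for message queue server 210: one FIFO per topic."""
    def __init__(self):
        self._topics = defaultdict(deque)
        self.subscribed = set()

    def subscribe(self, topic):
        self.subscribed.add(topic)

    def publish(self, topic, message):
        self._topics[topic].append(json.dumps(message))

    def drain(self, topic):
        messages = [json.loads(raw) for raw in self._topics[topic]]
        self._topics[topic].clear()
        return messages


class Agent:
    """Process monitoring module: fetches rules addressed to its own device id."""
    def __init__(self, mq, hardware_info, handlers):
        self.mq, self.dev = mq, device_id(hardware_info)
        self.handlers = handlers  # policy type -> callable; stands in for the DBUS call
        mq.subscribe(f"policy.{self.dev}")

    def poll(self):
        for rule in self.mq.drain(f"policy.{self.dev}"):
            handler = self.handlers.get(rule["type"])
            if handler is None:
                status, detail = "rejected", "unsupported policy type"
            else:
                try:
                    status, detail = "ok", handler(rule["params"])
                except (KeyError, TypeError, ValueError) as exc:
                    status, detail = "failed", str(exc)
            self.mq.publish("policy.results", {"request": rule["request"],
                            "device": self.dev, "status": status, "detail": detail})


class PolicyServer:
    """Policy server 250: resolves targets, dispatches rules, gathers results."""
    def __init__(self, mq, groups):
        self.mq, self.groups = mq, groups  # groups: terminal group -> device ids
        self.results = defaultdict(dict)   # request id -> {device id: status}

    def execute(self, request):
        for dev in self.groups[request["group"]]:
            topic = f"policy.{dev}"
            if topic not in self.mq.subscribed:
                # No subscription request was received for this device id.
                self.results[request["id"]][dev] = "not-subscribed"
                continue
            self.mq.publish(topic, {"request": request["id"],
                            "type": request["type"], "params": request["params"]})
            self.results[request["id"]][dev] = "pending"

    def collect(self, request_id):
        for msg in self.mq.drain("policy.results"):
            self.results[msg["request"]][msg["device"]] = msg["status"]
        return dict(self.results[request_id])


def apply_password_policy(params):
    """Constructed handler: refuses a rule that would weaken the password policy."""
    if int(params["min_length"]) < 8:
        raise ValueError("min_length below 8 refused")
    return f"min_length={params['min_length']}"


def demo():
    mq = MessageQueueServer()  # all terminals and values below are constructed
    t1 = Agent(mq, {"mac": "02:00:00:00:00:01"}, {"password": apply_password_policy})
    t2 = Agent(mq, {"mac": "02:00:00:00:00:02"}, {})  # no handler installed
    t3 = device_id({"mac": "02:00:00:00:00:03"})      # terminal that never subscribed
    server = PolicyServer(mq, {"area-a": [t1.dev, t2.dev, t3]})
    server.execute({"id": "req-1", "group": "area-a", "type": "password",
                    "params": {"min_length": 12}})
    before = server.collect("req-1")
    for agent in (t1, t2):
        agent.poll()
    after = server.collect("req-1")
    return before, after, (t1.dev, t2.dev, t3)
```

Calling `demo()` returns the per-device status map before and after the agents poll, which is what the configuration platform would display for the request.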
In one embodiment, the policy control device 200 of the present invention may be implemented as a computing device such that the control method of policy execution of the present invention may be executed in the computing device.
FIG. 2 illustrates a block diagram of a computing device 200, according to one embodiment of the invention. As shown in FIG. 2, in a basic configuration 202, computing device 200 typically includes system memory 206 and one or more processors 204. A memory bus 208 may be used for communicating between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processor, including but not limited to: a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 204 may include one or more levels of cache, such as a level one cache 210 and a level two cache 212, a processor core 214, and registers 216. Example processor core 214 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 218 may be used with the processor 204, or in some implementations the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, system memory 206 may be any type of memory including, but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 206 may include an operating system 220, one or more applications 222, and program data 224. The application 222 is actually a plurality of program instructions that direct the processor 204 to perform corresponding operations. In some embodiments, application 222 may be arranged to cause processor 204 to operate with program data 224 on an operating system.
Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (e.g., output devices 242, peripheral interfaces 244, and communication devices 246) to the basic configuration 202 via the bus/interface controller 230. The example output device 242 includes a graphics processing unit 248 and an audio processing unit 250. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 252. Example peripheral interfaces 244 may include a serial interface controller 254 and a parallel interface controller 256, which may be configured to facilitate communications with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 258. An example communication device 246 may include a network controller 260, which may be arranged to facilitate communications with one or more other computing devices 262 over a network communication link via one or more communication ports 264.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
In the computing device 200 according to the present invention, the application 222 includes a plurality of program instructions for executing the control method 300 for policy execution; these instructions may instruct the processor 204 to execute the control method 300, so that the computing device 200 controls terminals to execute policies by executing the control method 300 of the present invention.
FIG. 3 shows a flow diagram of a method 300 of controlling policy enforcement, according to one embodiment of the invention. The method 300 is suitable for execution in a policy control device 200, such as the aforementioned computing device 200.
According to an embodiment of the present invention, the policy control device 200 is connected to the configuration platform 150 and to one or more terminals 110. Here, the terminal 110 is a terminal device used by a user. The configuration platform 150 may be a Web platform provided for an administrator (policy manager) who may access the configuration platform 150 through a browser, and may configure and manage various policies. By connecting the configuration platform 150 to the policy control device 200, after the configuration platform 150 configures the policy rules for the terminal 110, the administrator can request the policy control device 200 to control the corresponding terminal to execute the policy rules through the configuration platform 150.
In one embodiment, the plurality of terminals 110 may be arranged in different terminal groups. In this way, when the method 300 according to the present invention controls a plurality of terminals 110 to execute policies, corresponding policy rules are configured for the different terminal groups at the configuration platform 150, and the policy control device 200 is requested to control each terminal 110 in a terminal group to execute the policy rule corresponding to that terminal group. It should be noted that each terminal group may correspond to a different area. Specifically, the present invention may divide the plurality of terminals 110 into a plurality of terminal groups based on the area where each terminal 110 is located, with each terminal group including one or more terminals 110 arranged in the corresponding area, so that partition management of the terminals may be implemented.
In one embodiment, the terminal 110 may be a terminal device installed with a Linux operating system, so that the control method 300 for policy execution of the present invention can implement control and management of policy execution of a plurality of terminal devices installed with the Linux operating system, in other words, the control method 300 for policy execution of the present invention can control a plurality of terminal devices to execute corresponding policies based on the Linux operating system.
It should be noted that, in the embodiment, the control method 300 for executing the policy is specifically described by taking the Linux operating system as an example. However, it should be understood that the policy enforcement control method 300 of the present invention is not limited to a specific kind of operating system installed in the terminal. Any type of operating system capable of controlling the terminal to execute the policy by the method 300 of the present invention is within the scope of the present invention.
It should be further noted that the policies that a terminal can be controlled to execute based on the method 300 of the present invention include one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy. However, the present invention is not limited to the policy types listed above.
As shown in FIG. 3, the method 300 begins at step S310.
In step S310, a policy execution request sent by the administrator at the configuration platform 150 is received, and the policy rule to be executed is determined based on the policy execution request. Here, the administrator controls one or more terminals 110 to execute corresponding policy rules by configuring policy rules to be executed for these terminals 110 at the configuration platform 150 and sending a policy execution request to the policy control device 200 to request the policy control device 200 to execute the corresponding policy rules. Here, the policy rule includes, for example, one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy.
According to one embodiment, the administrator configures the policy rules based on the device identification of each terminal 110 executing the policy rules at the configuration platform 150 and sends a policy execution request. Thus, the policy enforcement request also includes device identifications corresponding to the one or more terminals 110 that enforce the policy rules.
Thus, in step S320, the policy control device 200 may determine the device identities of the one or more terminals 110 that execute the policy rule according to the policy execution request.
According to an embodiment of the present invention, the policy control device 200 and one or more terminals 110 may implement asynchronous communication based on message queues.
Subsequently, in step S330, the policy control device 200 adds the policy rule to the message queue based on the determined device identification of the one or more terminals 110, so as to transmit the policy rule to the corresponding one or more terminals 110 through the message queue, thereby controlling the corresponding terminals 110 to execute the configured policy rule.
It should be noted that, based on the message queue, the policy control device 200 and one or more terminals 110 may perform data interaction through a publish-and-subscribe mode. In particular, the terminals 110 may generate respective unique device identifications based on their own hardware information, in other words, each terminal 110 corresponds to a device identification capable of identifying the terminal 110. Also, the terminal 110 may send a subscription request to subscribe to a corresponding topic message in the message queue based on its own device identification, that is, subscribe to a policy rule corresponding to the topic message.
In one example, before performing step S330, the policy control device 200 receives the requests to subscribe to the corresponding policy rules that one or more terminals send based on their device identifiers. In this way, after the policy control device 200 packages the policy rule as a topic message based on the device identifier of the terminal 110 and adds the topic message to the message queue, the terminal 110 may obtain from the message queue the topic message, and thus the policy rule, corresponding to its own device identifier.
After determining the device identifiers of the one or more terminals 110 that are to execute the policy rule, the policy control device 200 controls those terminals 110 to execute the policy rule by sending to the message queue a topic message corresponding to each terminal 110 (device identifier) that needs to execute the policy rule. Specifically, the policy control device 200 encapsulates the policy rule as the corresponding topic message based on the determined device identifiers of the one or more terminals 110 and adds the topic message to the message queue. In this way, a terminal 110 that has subscribed to the topic message based on its own device identifier (i.e., the terminal 110 corresponding to the device identifier in the topic message) can obtain the topic message corresponding to its own device identifier from the message queue, thereby obtaining the policy rule carried by the topic message. In turn, the one or more terminals 110 may execute the corresponding policy rules.
Subsequently, in step S340, the policy control device 200 acquires, from the message queue, the execution result returned by each terminal 110 after executing the policy rule. Here, after each terminal 110 executes the policy rule, it may package the execution result of the policy rule as a corresponding topic message and add it to the message queue. In this way, the policy control device 200 can acquire the topic message corresponding to each terminal 110 from the message queue and thereby obtain the execution result of the policy rule for each terminal 110.
Finally, in step S350, the policy control device 200 sends the execution result of each terminal 110 to the configuration platform 150, so that the execution result of each terminal 110 is presented on the configuration platform 150.
According to one embodiment, the policy control device 200 includes a policy server 250, a message queue server 210, and an access control server 220. The policy server 250 is connected to the message queue server 210 and the access control server 220, respectively. Also, the policy server 250 is connected to the configuration platform 150, so that the policy server 250 can receive a policy execution request transmitted by the configuration platform 150.
The message queue server 210 is connected to one or more terminals 110, and the message queue server 210 includes a message queue. Thus, the policy server 250 establishes a communication connection with one or more terminals 110 through the message queue server 210 and performs asynchronous communication based on the message queue in the message queue server 210.
According to one embodiment, the access control server 220 is connected to one or more terminals 110. In the method 300 of the present invention, before performing step S310, the policy control device 200 may receive, through the access control server 220, an identity authentication request sent by one or more terminals 110, and return a corresponding access permission identifier to the terminal 110 after the authentication is passed. Further, the access control server 220 receives an access request transmitted by the terminal 110 based on the access permission identifier.
That is, before the policy control device 200 controls one or more terminals 110 to execute corresponding policy rules, the terminal 110 needs to send an authentication request to the policy control device 200; the access control server 220 receives the authentication request and authenticates the terminal 110. After the terminal 110 passes the identity authentication, the access control server 220 returns a corresponding access permission identifier to the terminal 110. Further, the terminal 110 may send an access request to the policy control device 200 (the policy server 250) based on the access permission identifier, and thus may perform data interaction with the policy control device 200 (the policy server 250) so as to subscribe to a corresponding topic message based on the device identifier, obtain a policy rule, execute the policy rule, and return an execution result.
According to one embodiment, the policy control device 200 further receives a request for registering an account sent by the terminal 110 through the access control server 220 before receiving the identity authentication request sent by the terminal 110. Further, the access control server 220 generates an access account and an access password corresponding to the identity of the user of the terminal 110 based on the registration account request, so that the terminal 110 sends an identity authentication request to the access control server 220 based on the corresponding access account and access password. In this way, the access control server 220 stores access accounts and access passwords corresponding to the plurality of terminals 110, and the access control server 220 also stores information of terminal groups corresponding to each terminal 110.
In one embodiment, the access control server 220 is, for example, OpenLDAP, and the message queue server 210 is, for example, an NSQ message queue server, although the invention is not limited thereto.
In one embodiment, the terminal 110 may generate the corresponding device identification based on the hardware information. The terminal 110 includes a Pluggable Authentication Module (PAM), a process monitoring module (Agent), and a message bus module (DBUS).
As shown in FIG. 1, a Pluggable Authentication Module (PAM) is connected to the access control server 220, so that the terminal 110 may send a request for registering an account to the access control server 220 through the pluggable authentication module to acquire a corresponding access account and access password. Further, the pluggable authentication module sends an identity authentication request to the access control server 220 based on the corresponding access account and access password, receives the access permission identifier returned by the access control server 220, and sends an access request to the access control server 220 based on the access permission identifier, so as to complete identity authentication of the terminal 110 and establish communication between the terminal 110 and the policy control device 200. The pluggable authentication module comprises an authentication management module (Auth), an account management module (Account), a session management module (Session) and a password management module (Password).
The process monitoring module (Agent) is connected to the message queue server 210 and communicates with the policy server 250 of the policy control device 200 through the message queue. The terminal 110 receives and transmits messages through the process monitoring module. Specifically, the process monitoring module may obtain the corresponding policy rule from the message queue based on the device identifier of the terminal 110, and may return the execution result of the terminal 110 executing the policy rule to the policy server 250 of the policy control device 200 through the message queue.
A message bus module (DBUS) may be used to enable communication between processes of the terminal 110. The message bus module is connected to the process monitoring module; after the process monitoring module acquires the policy rules, it can execute them by calling the message bus module.
According to the policy execution control method 300 of the present invention, a configuration platform 150 is provided for configuring and managing various policies, and the configuration platform 150 is connected to the policy control device 200, so that policy managers can configure corresponding policy rules for the terminal 110 through the configuration platform 150, request the policy control device 200 to control the corresponding terminal 110 to execute the policy rules, and obtain the execution result of the terminal 110. Performing policy configuration through the configuration platform is therefore simple to operate and efficient, which helps to control each terminal to execute its corresponding policy rules more efficiently.
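The flow of steps S310 to S350 together with the registration, authentication and subscription steps described above, as an added example in Python (not code from the patent or from any product of the assignee). The in-memory queue, the SHA-256 device identifier, the topic names `policy.<id>` and `result.<id>`, the binding of an access permission identifier to one device identifier, the "no result" status, and all class and function names are assumptions of this example.

```python
import hashlib
import secrets
from collections import defaultdict

POLICY_TYPES = {"application", "desktop", "password", "firewall"}


def device_id(hardware_info):
    """Stable identifier from hardware info (assumed scheme: SHA-256 of sorted fields)."""
    canonical = "|".join(f"{k}={hardware_info[k]}" for k in sorted(hardware_info))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class PolicyControlDevice:
    """In-memory stand-in for the access control, message queue and policy servers."""
    def __init__(self):
        self.accounts = {}               # account -> (password, device id, terminal group)
        self.tokens = {}                 # access permission identifier -> device id
        self.topics = defaultdict(list)  # topic name -> queued messages
        self.subscribers = set()         # device ids with an accepted subscription

    def register(self, dev_id, group):  # access control: issue account and password
        account, password = f"acct-{dev_id}", secrets.token_hex(8)
        self.accounts[account] = (password, dev_id, group)
        return account, password

    def authenticate(self, account, password):  # access control: issue identifier
        record = self.accounts.get(account)
        if record is None or not secrets.compare_digest(record[0], password):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = record[1]
        return token

    def publish(self, topic, message):  # message queue: append to one topic
        self.topics[topic].append(message)

    def drain(self, topic):  # message queue: hand over and clear one topic
        return self.topics.pop(topic, [])

    def subscribe(self, token, dev_id):
        # Assumption: the identifier is bound to one device id (own topic only).
        if token is None or self.tokens.get(token) != dev_id:
            return False
        self.subscribers.add(dev_id)
        return True

    def execute(self, group, rule):
        # S310-S330: resolve the group to device ids, publish one topic message each.
        targets = sorted(d for _, d, g in self.accounts.values()
                         if g == group and d in self.subscribers)
        for dev_id in targets:
            self.publish(f"policy.{dev_id}", {"device_id": dev_id, "rule": rule})
        return targets

    def collect(self, targets):  # S340: a terminal that stayed silent is reported too
        results = {dev_id: "no result" for dev_id in targets}
        for dev_id in targets:
            for message in self.drain(f"result.{dev_id}"):
                results[dev_id] = message["status"]
        return results


class Terminal:
    def __init__(self, hardware_info, group, device):
        self.dev_id, self.group, self.device = device_id(hardware_info), group, device
        self.token, self.applied = None, []

    def enroll(self):
        # PAM role: register, authenticate, then subscribe with the identifier.
        account, password = self.device.register(self.dev_id, self.group)
        self.token = self.device.authenticate(account, password)
        return self.device.subscribe(self.token, self.dev_id)

    def poll(self):
        # Agent role: fetch own topic, apply each valid rule, publish the outcome.
        for message in self.device.drain(f"policy.{self.dev_id}"):
            rule = message["rule"]
            ok = message["device_id"] == self.dev_id and rule.get("type") in POLICY_TYPES
            if ok:
                self.applied.append(rule)
            status = "applied" if ok else "rejected"
            self.device.publish(f"result.{self.dev_id}", {"status": status})


def run_demo():
    device = PolicyControlDevice()
    # Constructed sample terminals in two area-based terminal groups.
    groups = ["area-1", "area-1", "area-2"]
    t1, t2, t3 = (Terminal({"mac": f"02:00:00:00:00:0{i}"}, g, device)
                  for i, g in enumerate(groups, 1))
    enrolled = [t.enroll() for t in (t1, t2, t3)]
    cross = device.subscribe(t3.token, t1.dev_id)  # t3 asks for t1's topic
    targets = device.execute("area-1", {"type": "password", "min_length": 12})
    for terminal in (t1, t3):  # t2 stays offline and never polls
        terminal.poll()
    return enrolled, cross, targets, device.collect(targets), (t1, t2, t3)
```

`run_demo()` returns the enrollment outcomes, the refused cross-device subscription, the targeted device identifiers and the per-terminal results that step S350 would forward to the configuration platform.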
Further, the present invention may divide the plurality of terminals 110 into a plurality of terminal groups based on the area where each terminal 110 is located, where each terminal group includes one or more terminals 110 arranged in a corresponding area, so that the terminals may be managed in a partitioned manner.
The method as in A5, wherein the terminal is adapted to generate a corresponding device identifier based on the hardware information, and the terminal includes: a Pluggable Authentication Module (PAM), connected with the access control server and adapted to send an identity authentication request to the access control server and to receive an access permission identifier returned by the access control server; a process monitoring module (Agent), connected with the message queue server and adapted to acquire a policy rule from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected with the process monitoring module and adapted to execute the policy rules.
A7, the method as recited in A5 or A6, wherein the message queue server is an NSQ message queue server; the access control server is OpenLDAP.
A8, the method of any one of A1-A7, wherein the policy comprises one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy.
B12, the system as in B10 or B11, wherein the terminal is adapted to generate a corresponding device identifier based on the hardware information, the terminal comprising: a Pluggable Authentication Module (PAM), connected with the access control server and adapted to send an identity authentication request to the access control server and to receive an access permission identifier returned by the access control server; a process monitoring module (Agent), connected with the message queue server and adapted to acquire a policy rule from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected with the process monitoring module and adapted to execute the policy rules.
B13, the system according to any of B10-B12, wherein the message queue server is an NSQ message queue server; the access control server is OpenLDAP.
The system as in any one of B9-B13, wherein the policy comprises one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, USB flash drives, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the mobile terminal will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the policy enforcement control method of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, this method of disclosure should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the device in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore, may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Moreover, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments, not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the means for performing the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense with respect to the scope of the invention, as defined in the appended claims.

Claims (13)

1. A control method for policy execution, executed in a policy control device of a policy control system, wherein the policy control system comprises a plurality of terminal groups, each terminal group corresponds to a different area, and each terminal group comprises one or more terminals; the policy control device is connected with a configuration platform and with one or more terminals of each terminal group, and the configuration platform is adapted to configure corresponding policy rules for each terminal group, wherein the policy rules comprise one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy, the method comprising the following steps:
receiving a subscription request for a policy rule sent by one or more terminals based on corresponding device identifiers;
receiving a policy execution request sent by the configuration platform, and determining a policy rule to be executed based on the policy execution request, wherein the configuration platform is adapted to request the policy control device to control each terminal in a terminal group to execute the policy rule corresponding to that terminal group so as to perform partition management on the terminals;
determining device identifiers of one or more terminals executing the policy rules;
packaging the policy rules into a topic message based on the device identifiers of the one or more terminals, and adding the topic message to a message queue, so that the one or more terminals can obtain from the message queue the topic message and the policy rules corresponding to their own device identifiers;
obtaining, from the message queue, an execution result returned by each terminal after executing the policy rule; and
sending the execution result of each terminal to the configuration platform so as to display the execution result on the configuration platform.
2. The method of claim 1, further comprising the steps of:
receiving an identity authentication request sent by a terminal, and returning a corresponding access permission identifier to the terminal after the authentication is passed; and
receiving an access request sent by the terminal based on the access permission identifier.
3. The method of claim 2, further comprising, before receiving the identity authentication request sent by the terminal, the steps of:
receiving a registration account request sent by a terminal; and
generating an access account and an access password corresponding to the identity of the terminal user based on the registration account request, so that the terminal can send an identity authentication request based on the corresponding access account and access password.
4. The method of claim 2, wherein the policy control device comprises:
a policy server, connected with the configuration platform and adapted to receive a policy execution request sent by the configuration platform;
a message queue server, connected with the policy server and one or more terminals and comprising a message queue; and
an access control server, connected with the policy server and one or more terminals, adapted to receive an identity authentication request sent by a terminal and to return a corresponding access permission identifier to the terminal after the authentication is passed, and adapted to receive an access request sent by the terminal based on the access permission identifier.
5. The method of claim 4, wherein the terminal is adapted to generate the respective device identifier based on hardware information, the terminal comprising:
a Pluggable Authentication Module (PAM), connected with the access control server and adapted to send an identity authentication request to the access control server and to receive an access permission identifier returned by the access control server;
a process monitoring module (Agent), connected with the message queue server and adapted to acquire a policy rule from the message queue based on the device identifier of the terminal; and
a message bus module (DBUS), connected with the process monitoring module and adapted to execute the policy rule.
6. The method of claim 4 or 5,
the message queue server is an NSQ message queue server;
the access control server is OpenLDAP.
7. A policy enforcement system comprising:
a policy control device adapted to perform the method of any one of claims 1-6 to control the execution of policies, wherein the policy rules include one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy;
terminal groups, each terminal group corresponding to a different area and comprising one or more terminals, wherein the one or more terminals of each terminal group are connected with the policy control device, and each terminal is adapted to acquire, from a message queue and based on its device identifier, the topic message and policy rule corresponding to that device identifier, to execute the policy rule, and to send the execution result to the message queue;
a configuration platform, adapted to configure corresponding policy rules for each terminal group respectively, connected with the policy control device, and adapted to send a policy execution request to the policy control device so as to request the policy control device to control each terminal in a terminal group to execute the policy rules corresponding to that terminal group, so that the terminals are subjected to partition management; and adapted to receive the execution result of each terminal returned by the policy control device and to present the execution result.
8. The system of claim 7, wherein the policy control device comprises:
a policy server, connected with the configuration platform and adapted to receive a policy execution request sent by the configuration platform;
a message queue server, connected with the policy server and one or more terminals and comprising a message queue; and
an access control server, connected with the policy server and one or more terminals, adapted to receive an identity authentication request sent by a terminal and to return a corresponding access permission identifier to the terminal after the authentication is passed, and adapted to receive an access request sent by the terminal based on the access permission identifier.
9. The system of claim 8, wherein the access control server is further adapted to:
receive a registration account request sent by a terminal; and
generate an access account and an access password corresponding to the terminal user identity based on the registration account request, so that the terminal can send an identity authentication request based on the corresponding access account and access password.
10. The system of claim 8, wherein the terminal is adapted to generate a corresponding device identifier based on hardware information, the terminal comprising:
a Pluggable Authentication Module (PAM), connected with the access control server and adapted to send an identity authentication request to the access control server and to receive an access permission identifier returned by the access control server;
a process monitoring module (Agent), connected with the message queue server and adapted to acquire a policy rule from the message queue based on the device identifier of the terminal; and
a message bus module (DBUS), connected with the process monitoring module and adapted to execute the policy rule.
11. The system of any one of claims 8-10, wherein:
the message queue server is an NSQ message queue server; and
the access control server is OpenLDAP.
12. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-6.
13. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-6.
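Added example, not code from the patent or its assignee: an in-memory Python model of the flow in claims 8-10, in which a terminal registers and authenticates with the access control server, derives its device identification from hardware information, and pulls the policy rule that the policy server queued for its terminal group. The class and function names, the PBKDF2 password storage, the one-topic-per-device layout, the identifier check before a pull, and the sample rules are assumptions made for illustration; the dictionaries stand in for the OpenLDAP and NSQ servers named in claim 11.

```python
import hashlib, hmac, secrets
from collections import defaultdict, deque

def device_id(hw_info):
    """Device identifier derived from hardware information (claim 10)."""
    canon = "|".join(f"{k}={hw_info[k]}" for k in sorted(hw_info))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControlServer:
    """In-memory stand-in for the access control server of claims 8-9."""
    def __init__(self):
        self._accounts, self._tokens = {}, set()
    def register(self, user):  # claim 9: issue an access account and password
        account, password = f"acct-{user}", secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._accounts[account] = (salt, _kdf(password, salt))
        return account, password
    def authenticate(self, account, password):  # claim 8: identifier on success
        salt, stored = self._accounts.get(account, (b"\0" * 16, b""))
        if not hmac.compare_digest(_kdf(password, salt), stored):
            return None
        token = secrets.token_urlsafe(24)
        self._tokens.add(token)
        return token
    def permits(self, token):
        return token in self._tokens

def dispatch(mq, groups, request):
    """Policy server: fan each group's rule out to its member terminals' topics."""
    for group, rule in request.items():
        for dev_id in groups.get(group, ()):
            mq[dev_id].append(rule)

def agent_fetch(acs, mq, token, hw_info):
    """Agent: pull this terminal's rule; requiring the identifier is an assumption."""
    queue = mq.get(device_id(hw_info)) if acs.permits(token) else None
    return queue.popleft() if queue else None

def demo():
    # Constructed sample data: two terminals in different groups, made-up rules.
    acs, mq = AccessControlServer(), defaultdict(deque)
    hw_a, hw_b = {"mac": "02:00:00:00:00:0a"}, {"mac": "02:00:00:00:00:0b"}
    groups = {"finance": [device_id(hw_a)], "dev": [device_id(hw_b)]}
    dispatch(mq, groups, {"finance": {"usb": "deny"}, "dev": {"usb": "allow"}})
    token = acs.authenticate(*acs.register("alice"))
    return agent_fetch(acs, mq, token, hw_a), agent_fetch(acs, mq, "forged", hw_b)
```

Because each rule sits in a topic keyed by the device identification, a terminal holding a valid identifier still receives only the rule of its own group, and a request without one receives nothing.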
CN202011021736.9A 2020-09-25 2020-09-25 Control method for policy execution, policy execution system and computing device Active CN112202750B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011021736.9A CN112202750B (en) 2020-09-25 2020-09-25 Control method for policy execution, policy execution system and computing device
PCT/CN2021/117706 WO2022062918A1 (en) 2020-09-25 2021-09-10 Control method for strategy implementation, strategy implementation system, and computing device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011021736.9A CN112202750B (en) 2020-09-25 2020-09-25 Control method for policy execution, policy execution system and computing device

Publications (2)

Publication Number Publication Date
CN112202750A CN112202750A (en) 2021-01-08
CN112202750B true CN112202750B (en) 2023-01-24

Family

ID=74007223

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011021736.9A Active CN112202750B (en) 2020-09-25 2020-09-25 Control method for policy execution, policy execution system and computing device

Country Status (2)

Country Link
CN (1) CN112202750B (en)
WO (1) WO2022062918A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112202750B (en) * 2020-09-25 2023-01-24 统信软件技术有限公司 Control method for policy execution, policy execution system and computing device
CN114531280A (en) * 2022-01-25 2022-05-24 北京北信源软件股份有限公司 Data leakage prevention method and device based on mobile terminal connected enterprise terminal
CN115208933A (en) * 2022-07-07 2022-10-18 成都域卫科技有限公司 Software application control method, device and storage medium
CN115333781A (en) * 2022-07-18 2022-11-11 北京泰立鑫科技有限公司 Access control security system, method and firewall based on environment data certificate
CN115174677A (en) * 2022-07-19 2022-10-11 中国工商银行股份有限公司 Information creation terminal management method, device and system based on distributed message

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101237447A (en) * 2007-01-29 2008-08-06 华为技术有限公司 Policy execution method, system and network element
CN102916826A (en) * 2011-08-01 2013-02-06 中兴通讯股份有限公司 Method and device for controlling network access
CN108459917A (en) * 2018-03-15 2018-08-28 欧普照明股份有限公司 A kind of message distribution member, message handling system and message distribution method
CN111416822A (en) * 2020-03-20 2020-07-14 数篷科技(深圳)有限公司 Method for access control, electronic device and storage medium
WO2020164425A1 (en) * 2019-02-15 2020-08-20 华为技术有限公司 Method, device and system for sending terminal policy

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
CA2287094C (en) * 1998-10-22 2006-12-12 At&T Corp. Method and apparatus for providing a process for registering with a plurality of independent services
CN100346610C (en) * 2004-11-01 2007-10-31 沈明峰 Security policy based network security management system and method
CN101232509A (en) * 2008-02-26 2008-07-30 杭州华三通信技术有限公司 Equipment, system and method for supporting insulation mode network access control
US9363182B2 (en) * 2011-01-20 2016-06-07 Nec Corporation Communication system, control device, policy management device, communication method, and program
CN102195991A (en) * 2011-06-28 2011-09-21 辽宁国兴科技有限公司 Terminal security management and authentication method and system
JP5422753B1 (en) * 2012-09-26 2014-02-19 株式会社東芝 Policy management system, ID provider system, and policy evaluation apparatus
CN109784703A (en) * 2019-01-02 2019-05-21 深圳壹账通智能科技有限公司 Business data processing method, device, computer equipment and storage medium
CN112202750B (en) * 2020-09-25 2023-01-24 统信软件技术有限公司 Control method for policy execution, policy execution system and computing device

Non-Patent Citations (1)

Title
Research and Design of an Adaptive Policy Management System; Wu Bei et al.; Computer Applications and Software; 20080415 (No. 04); full text *

Also Published As

Publication number Publication date
WO2022062918A1 (en) 2022-03-31
CN112202750A (en) 2021-01-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant