CN112580006A - Access right control method and device of multi-cloud system and authentication server - Google Patents


Info

Publication number: CN112580006A
Authority: CN (China)
Prior art keywords: target, user, information, identifier, cloud system
Legal status: Pending
Application number: CN202011554144.3A
Other languages: Chinese (zh)
Inventors: 常岚, 孙靖, 杨贵垣, 王升东, 吴晓宇, 张迁
Current Assignee: China Construction Bank Corp
Original Assignee: China Construction Bank Corp
Application filed by China Construction Bank Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an access right control method, an access right control device and an authentication server for a multi-cloud system. The method is applied to the authentication server, which corresponds to a plurality of cloud systems, each cloud system comprising a plurality of accessed objects, and comprises the following steps: receiving an object access request sent by a client, the object access request at least comprising a user identifier of a target user and an object identifier of a target object, where the target object is an accessed object in a target cloud system among the plurality of cloud systems; obtaining, in a permission policy set, a target permission policy matched with the user identifier and the object identifier, where the permission policy set comprises a plurality of pieces of permission policy information and each piece of permission policy information corresponds to one user and one accessed object; and obtaining an authentication result according to the target permission policy, the authentication result representing whether the target user has the right to access the target object in the target cloud system.

Description

Access right control method and device of multi-cloud system and authentication server
Technical Field
The present application relates to the technical field of rights management, and in particular, to a method and an apparatus for controlling access rights of a multi-cloud system, and an authentication server.
Background
With the development of technology, more and more cloud service providers offer cloud services with different functions to users. Across different cloud service providers, a user's rights to access the resources or functions of each cloud system can be managed through a unified authentication center.
At present, access rights to a multi-cloud system are usually managed per cloud system; for example, one user has access rights to one or more cloud systems, while another user does not have access rights to a certain cloud system.
Therefore, when managing a user's access rights, the rights cannot be subdivided at a finer granularity, which results in poor flexibility of access right management.
Disclosure of Invention
In view of this, the present application provides an access right control method and apparatus for a multi-cloud system, and an authentication server, which are used to solve the technical problem in the prior art that the flexibility of access right management for a user is poor.
The application provides an access authority control method of a multi-cloud system, which is applied to an authentication server, wherein the authentication server corresponds to a plurality of cloud systems, the cloud systems comprise a plurality of accessed objects, and the method comprises the following steps:
receiving an object access request sent by a client, wherein the object access request at least comprises a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system in the plurality of cloud systems;
obtaining a target permission strategy matched with the user identification and the object identification in a permission strategy set, wherein the permission strategy set comprises a plurality of pieces of permission strategy information, and each piece of permission strategy information corresponds to one user and one accessed object;
and obtaining an authentication result according to the target authority strategy, wherein the authentication result represents whether the target user has the authority of accessing the target object in the target cloud system.
Preferably, in the method, obtaining the target permission policy matched with the user identifier and the object identifier in the permission policy set includes:
screening, in the permission policy set, initial policy information matched with the user identifier and/or the user group identifier corresponding to the user identifier, where the user group identifier is the identifier of the target user group to which the target user belongs, and the target user group further includes one or more other users;
and screening out, in the initial policy information, the target permission policy matched with the object identifier.
Preferably, in the method, screening, in the permission policy set, initial policy information matched with the user identifier and/or the user group identifier corresponding to the user identifier includes:
screening, in the permission policy set, first policy information matched with the user identifier;
and screening, in the permission policy set, second policy information matched with the user group identifier, where the first policy information and/or the second policy information form the initial policy information.
Preferably, the above method further comprises:
transmitting the authentication result to the target cloud system.
Preferably, in the above method, the object access request further includes an authentication identifier of the target user;
the authentication identifier is generated when the target user logs in to the target cloud system and represents that the target user has successfully logged in to the target cloud system.
Preferably, the above method further comprises:
receiving a user login request sent by the client, where the user login request at least comprises verification information of the target user and a system identifier of the target cloud system;
verifying the verification information according to the system identifier to obtain a verification result, where the verification result represents whether the target user passes the identity verification of the target cloud system;
and, in the case that the verification result represents that the target user passes the identity verification of the target cloud system, obtaining the authentication identifier of the target user.
Preferably, in the method, verifying the verification information according to the system identifier to obtain the verification result includes:
obtaining verification signature information corresponding to the verification information;
and comparing the standard signature information corresponding to the system identifier with the verification signature information to obtain the verification result.
Preferably, obtaining the verification signature information corresponding to the verification information includes:
signing the user name and the password in the verification information with a signature algorithm to obtain the verification signature information;
or,
signing the access key in the verification information with a signature algorithm to obtain the verification signature information.
The application also provides an access right control device of a multi-cloud system, which is applied to an authentication server, wherein the authentication server corresponds to the multi-cloud system, the cloud system comprises a plurality of accessed objects, and the device comprises:
a request receiving unit, configured to receive an object access request sent by a client, where the object access request at least includes a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system of the multiple cloud systems;
a policy obtaining unit, configured to obtain a target permission policy that matches the user identifier and the object identifier in a permission policy set, where the permission policy set includes multiple pieces of permission policy information, and each piece of permission policy information corresponds to one user and one accessed object;
and the result obtaining unit is used for obtaining an authentication result according to the target authority strategy, wherein the authentication result represents whether the target user has the authority of accessing the target object in the target cloud system.
The present application further provides an authentication server, where the authentication server corresponds to a plurality of cloud systems, and the cloud systems include a plurality of accessed objects, and the authentication server includes:
a transmission module, configured to receive an object access request sent by a client, where the object access request at least includes a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system of the multiple cloud systems;
the processor is used for obtaining a target authority policy matched with the user identifier and the object identifier in an authority policy set, wherein the authority policy set comprises a plurality of pieces of authority policy information, and each piece of authority policy information corresponds to one user and one accessed object; and obtaining an authentication result according to the target authority strategy, wherein the authentication result represents whether the target user has the authority of accessing the target object in the target cloud system.
The present application also provides a storage medium on which a program is stored, the program implementing the access right control method of the multi-cloud system described above when executed by a processor.
The application also provides a processor, wherein the processor is used for running a program, and the program executes the access right control method of the multi-cloud system when running.
According to the technical scheme, in the access authority control method, the access authority control device and the authentication server of the multi-cloud system, after the object access request sent by the client is received, the target authority strategy matched with the object access request can be obtained from the authority strategy set, and then the authentication result representing whether the target user in the object access request can access the target object in the target cloud system can be obtained. Therefore, in the application, by subdividing the access right granularity of the multiple cloud systems into the accessed object in each cloud system, the right control of the user for accessing the accessed object in the cloud system can be realized when the user accesses the cloud system through the client, so that the flexibility of the right management is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a flowchart of an access right management method for a multi-cloud system according to an embodiment of the present application;
FIGS. 2-5 are diagrams illustrating examples of applications of embodiments of the present application;
fig. 6 is a partial flowchart of an access right management method for a multi-cloud system according to an embodiment of the present application;
fig. 7-fig. 8 are respectively another flow charts of an access right management method of a multi-cloud system according to an embodiment of the present application;
FIG. 9 is a diagram illustrating another exemplary application of an embodiment of the present application;
fig. 10 is another partial flowchart of an access right management method for a multi-cloud system according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of an access right management apparatus of a multi-cloud system according to a second embodiment of the present application;
fig. 12 is another schematic structural diagram of an access right management apparatus of a multi-cloud system according to a second embodiment of the present application;
fig. 13 is a schematic structural diagram of an authentication server according to a third embodiment of the present application;
fig. 14-16 are diagrams illustrating user identity authentication and rights management in the financial industry according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, which is an implementation flowchart of an access right management method for a multi-cloud system provided in an embodiment of the present application, the method is applicable to an authentication server capable of data processing, such as a computer or a server. It should be noted that the authentication server corresponds to a plurality of cloud systems, as shown in fig. 2; each cloud system is implemented by an electronic device deployed in a cloud, and each cloud system includes a plurality of accessed objects, such as data resources or functional components that can be accessed. The technical solution in this embodiment is mainly used to control the rights of a user to access the accessed objects in a cloud system, so that the flexibility of rights management is improved.
Specifically, the method in this embodiment may include the following steps:
step 101: and receiving an object access request sent by a client.
The object access request at least comprises a user identifier of a target user and an object identifier of a target object, the target user is a user needing to access the target object, and the target object is an accessed object in one or more target cloud systems in the multiple cloud systems, such as a certain picture resource or a certain computing function.
It should be noted that the object access request may be a request generated by clicking or selecting a corresponding control of a target object, such as a resource or a function, on an operation interface of the target cloud system presented on the client of the target user after the target user logs in the target cloud system, so as to represent that the target user needs to access the target object. At this time, the user identifier of the target user may be information such as a user name, code, or label that can uniquely characterize the target user, and the object identifier of the target object may be information such as an object name, code, or storage path that can uniquely characterize the target object.
It should be particularly noted that, in order to implement unified management of the access rights of a multi-cloud system, management and control of the access rights are centralized in the authentication server in this embodiment. After an object access request is generated on the client and sent to the target cloud system, the target cloud system returns a reply message to the client indicating that the object access request needs to be authenticated, and the client redirects the object access request to the authentication server. The authentication server in this embodiment can thus receive the object access request sent by the client over a communication connection with the client, as shown in fig. 3.
The client corresponding to the target user can be a terminal or a device such as a mobile phone, a pad or a computer.
Step 102: and obtaining a target authority policy matched with the user identifier and the object identifier in the authority policy set.
The authority policy set is a pre-configured set, and may include multiple pieces of authority policy information, where each piece of authority policy information corresponds to one user and one accessed object, and each piece of authority policy information includes information on whether a user has an access authority to an accessed object. For example, the set of rights policies is implemented as a table containing a plurality of fields, as shown in fig. 4, the table contains a plurality of rows of fields, each row of fields contains a user column, an object column and a rights column, an identifier of a user is recorded in the user column, an identifier of an object is recorded in the object column, and information on whether the user has access rights is recorded in the rights column, based on which, the information in the rights column in each row of fields characterizes whether the user in the user column has rights to access the object in the object column, for example, an allow indicates that the user a has access rights to the accessed object B, and a deny indicates that the user a does not have access rights to the accessed object C. It should be noted that, the table may include a plurality of rows of fields corresponding to the same user, and the plurality of rows of fields corresponding to the same user are respectively used for recording whether the user has access rights to different accessed objects respectively. It should be noted that the table may include a plurality of rows of fields corresponding to the same accessed object, and the plurality of rows of fields corresponding to the same accessed object are respectively used for recording whether different users respectively have access rights to the accessed object.
Further, in a multi-cloud system, two or even more users may be bound to the same user group, as shown in fig. 5, while users in the same user group have the same access rights, e.g. the same access rights to the same accessed object or objects. In addition, a user may exist alone and not be bound to any user group, or may be bound to only a user group, or may exist alone and be bound to one or more user groups at the same time.
Based on this, the permission policy information in the permission policy set may also correspond to a user group and an accessed object, in which case it records whether the users in the user group have access rights to the accessed object. For example, as shown in fig. 4, the user column of a row in the table may also correspond to a user group: the identifier of the user group is recorded in the user column, the identifier of the object in the object column, and whether access is granted in the permission column, so that the permission column of each such row states whether the users in the user group have the right to access the object in the object column. For example, allow indicates that users A and D in user group X have access rights to accessed object B, and deny indicates that users A and D in user group Y do not have access rights to accessed object C. It should be noted that the table may include multiple rows for the same user group, each recording whether that group has access rights to a different accessed object, and multiple rows for the same accessed object, each recording whether a different user group has access rights to that object.
It should be noted that, unlike the access right management that one user can only correspond to one cloud system, in the present embodiment, by subdividing the access right into the granularity of the accessed object, each piece of rights policy information can correspond to the accessed object instead of the cloud system to which a plurality of accessed objects belong.
Based on this, in this embodiment, after the user identifier and the object identifier are obtained, the authority policy information is screened in the authority policy set, so as to obtain the target authority policy that matches both the user identifier and the object identifier in the object access request, where the target authority policy includes information on whether the target user has access authority for the target object.
Step 103: and obtaining an authentication result according to the target authority strategy.
And the authentication result represents whether the target user has the right to access the target object in the target cloud system.
Specifically, in this embodiment, whether the target user in the target permission policy has the information of the access permission to the target object may be analyzed and determined, so as to analyze whether the target user has the permission to access the target object in the target cloud system, thereby generating the authentication result.
The authentication result may use the identifier to represent whether the target user has the right to access the target object in the target cloud system, for example, an allow represents that the target user has the right to access the target object in the target cloud system, and a deny represents that the target user does not have the right to access the target object in the target cloud system.
According to the above scheme, in the access authority management method for the multi-cloud system provided in the embodiment of the present application, after receiving the object access request sent by the client, the target authority policy matched with the object access request can be obtained in the authority policy set, and then the authentication result indicating whether the target user in the object access request can access the target object in the target cloud system can be obtained. As can be seen, in this embodiment, by subdividing the access permission granularity of the multiple cloud systems into the accessed object in each cloud system, when the user accesses the cloud system through the client, the permission control of the user to access the accessed object in the cloud system can be realized, so that the flexibility of the permission management is improved.
In an implementation manner, when the target permission policy matching the user identifier and the object identifier is obtained in the permission policy set in step 102, the following steps may be specifically implemented, as shown in fig. 6:
step 601: and screening initial policy information matched with the user identification and/or the user group identification corresponding to the user identification in the permission policy set.
The user group identification is the identification of a target user group to which the target user belongs, the target user group can include one or more other users besides the target user, and the access rights of all the users in the target user group to the accessed object are the same.
Specifically, in this embodiment, only the initial policy information matched with the user identifier may be screened from the permission policy set;
or, only screening the initial strategy information matched with the user group identification corresponding to the user identification in the authority strategy set;
or, screening first policy information matched with the user identifier and second policy information matched with the user group identifier corresponding to the user identifier in the permission policy set at the same time, and forming initial policy information by the screened first policy information and/or second policy information;
or, in this embodiment, first policy information matched with the user identifier is first screened in the permission policy set, and if the first policy information matched with the user identifier is not screened in the permission policy set, second policy information matched with the user group identifier corresponding to the user identifier is further screened in the permission policy set to serve as the initial policy information.
Specifically, taking screening of the authority policy information matched with the user identifier as an example, in this embodiment, the user identifier may be compared with the user in each piece of authority policy information in the authority policy set, so as to screen out the initial policy information matched with the user identifier. For example, in the table of the authority policy set in this embodiment, the user identifier is compared with the users in the user column in the table, and then one or more rows of fields matched with the user identifier are screened out, where each row of fields screened out corresponds to one piece of authority policy information, that is, the initial policy information matched with the user identifier. Reference may be made to the above manner for implementing the filtering of the authority policy information matching with the user group identification, and details thereof are not described herein.
It should be noted that there may be one or more pieces of initial policy information that match the user identifier.
Step 602: and screening out the target authority strategy matched with the object identifier in the initial strategy information.
In this embodiment, the object identifier may be compared with the initial policy information, and then a target permission policy matched with the object identifier is screened out. For example, in this embodiment, in one or more rows of screened fields that match the user identifier, the object identifier is compared with the accessed object in the object column in the fields, and then one or more rows of fields that match both the user identifier and the object identifier are screened, where each row of screened fields is respectively associated with one piece of permission policy information, that is, the target permission policy.
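The evaluation of steps 101 to 103, with the four screening variants of step 601 and the object screening of step 602, as an added example that is not code from the patent. It models the permission policy set as the fig. 4 table; the row type, the mode names, the default-deny and deny-overrides choices, and all sample rows are assumptions made here.

```python
"""Added example (not from the patent): evaluating the permission policy set of
fig. 4 for one object access request, following steps 101-103 and the screening
of steps 601/602. All names and sample rows are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class PolicyRow:
    """One row of the permission policy table (one piece of policy information)."""
    principal: str  # user column: a user identifier or a user-group identifier
    obj: str        # object column: identifier of the accessed object
    effect: str     # permission column: "allow" or "deny"


def screen_by_principal(policy_set: Iterable[PolicyRow], principals: Set[str]) -> List[PolicyRow]:
    """Step 601: rows whose user column matches any of the given identifiers."""
    return [row for row in policy_set if row.principal in principals]


def screen_by_object(initial: Iterable[PolicyRow], obj_id: str) -> List[PolicyRow]:
    """Step 602: rows of the initial policy information that match the object identifier."""
    return [row for row in initial if row.obj == obj_id]


def authenticate(policy_set: List[PolicyRow], user_groups: Dict[str, List[str]],
                 user_id: str, obj_id: str, mode: str = "user_then_group") -> str:
    """Steps 102/103: returns the authentication result, "allow" or "deny".

    `mode` selects one of the four screening variants described for step 601:
      "user"            only rows matching the user identifier
      "group"           only rows matching the identifiers of the user's groups
      "user_and_group"  rows matching either, taken together
      "user_then_group" user rows first; group rows only if the user has no row at all
    Two decisions the text leaves open are assumed here: a request with no matching
    target policy is denied, and a deny row wins over an allow row for the same object.
    """
    groups = set(user_groups.get(user_id, []))
    if mode == "user":
        initial = screen_by_principal(policy_set, {user_id})
    elif mode == "group":
        initial = screen_by_principal(policy_set, groups)
    elif mode == "user_and_group":
        initial = screen_by_principal(policy_set, {user_id} | groups)
    elif mode == "user_then_group":
        initial = screen_by_principal(policy_set, {user_id})
        if not initial:  # the fallback happens before object screening, as in the text
            initial = screen_by_principal(policy_set, groups)
    else:
        raise ValueError(f"unknown screening mode: {mode}")

    target = screen_by_object(initial, obj_id)
    if not target or any(row.effect == "deny" for row in target):
        return "deny"
    return "allow"


def handle_object_access_request(policy_set: List[PolicyRow], user_groups: Dict[str, List[str]],
                                 request: dict) -> dict:
    """Step 101 plus the reply of step 104: the request carries at least the user
    identifier and the object identifier; the reply carries the authentication result."""
    result = authenticate(policy_set, user_groups, request["user_id"], request["object_id"])
    return {"user_id": request["user_id"], "object_id": request["object_id"],
            "system_id": request.get("system_id"), "result": result}


# Constructed sample policy set mirroring the worked example in the text:
# user A may access B but not C; group X allows B and E, group Y denies C;
# users A and D both belong to groups X and Y.
SAMPLE_POLICY_SET = [
    PolicyRow("A", "B", "allow"),
    PolicyRow("A", "C", "deny"),
    PolicyRow("X", "B", "allow"),
    PolicyRow("X", "E", "allow"),
    PolicyRow("Y", "C", "deny"),
]
SAMPLE_GROUPS = {"A": ["X", "Y"], "D": ["X", "Y"]}

if __name__ == "__main__":
    for user, obj in [("A", "B"), ("A", "C"), ("D", "B"), ("D", "C"), ("A", "E"), ("Z", "B")]:
        print(user, obj, authenticate(SAMPLE_POLICY_SET, SAMPLE_GROUPS, user, obj))
```

Note that in the user-then-group variant a user who has any direct row of their own never inherits group grants (A cannot reach E through X), whereas the combined variant grants it; which behaviour is wanted should be decided before the policy set is populated.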
In one implementation, after step 103, the method in this embodiment may further include the following steps, as shown in fig. 7:
step 104: and transmitting the authentication result to the target cloud system.
After the authentication server in this embodiment transmits the authentication result to the target cloud system, the target cloud system may allow or prohibit the target user from accessing the target object based on the information about whether the target user has the access right to the accessed object in the authentication result. For example, in the case that the authentication result represents that the target user has an access right to a target object such as a picture, the target cloud system allows the target user to view the picture or allows the target user to download the picture; for another example, when the authentication result indicates that the target user does not have the access right to the picture, the target cloud system prohibits the target user from viewing the target object, such as the picture.
Further, in this embodiment, after the authentication result is obtained, the authentication result may also be transmitted to the client to prompt the target user. In addition, when the target user has no access right to the target object, the target user is further prompted to access the object after obtaining the access right.
In an implementation manner, the object access request may further include an authentication identifier of the target user, where the authentication identifier is generated when the target user logs in the target cloud system, and the authentication identifier is used to represent that the target user successfully logs in the target cloud system, that is, the target user is authenticated and verified by the authentication server when logging in the target cloud system.
Wherein the identity authentication identification can be represented by a character string.
Specifically, when a target user needs to log in the target cloud system, the target user is authenticated on the authentication server. Based on this, before step 101, the method in this embodiment may further include the following step of authenticating the target user, as shown in fig. 8:
step 105: and receiving a user login request sent by a client.
The user login request at least comprises authentication information of a target user and a system identifier of the target cloud system.
Specifically, the authentication information of the target user can be realized differently according to the way in which the target user logs in the target cloud system: when a target user logs in a target cloud system through a page, the verification information of the target user comprises information such as a user name and a password input by the target user on the page; when the target user logs in the target cloud system through an interface such as an execution program, the authentication information of the target user includes information such as an access key of the target user included in the execution program.
It should be noted that, when the target user performs a login operation for the target cloud system on the client, such as entering a user name and password or triggering an execution program to start running, the client sends the initial user login request generated by the login operation to the target cloud system, and at this time the initial user login request may contain only the verification information of the target user. Because management and control of access rights are centralized in the authentication server in this embodiment in order to manage the access rights of the multi-cloud system uniformly, the target cloud system returns to the client a reply indicating that the target user needs identity verification, and the client redirects the user login request to the authentication server. The user login request received by the authentication server then also contains the system identifier of the target cloud system, representing that the target user needs to be authenticated when logging in to the target cloud system. Thus, the authentication server in this embodiment can receive the user login request sent by the client over a communication connection with the client, as shown in fig. 9.
Step 106: verify the verification information according to the system identifier to obtain a verification result.
The verification result represents whether the target user passes the identity verification of the target cloud system.
Specifically, when verifying the verification information in the present embodiment, the following manner may be implemented, as shown in fig. 10:
Step 1001: obtain verification signature information corresponding to the verification information.
Specifically, in this embodiment the verification signature information is obtained by processing the verification information with a signature algorithm, i.e. an encryption or encoding operation.
In one implementation, the user name and password in the verification information are signed with a signature algorithm, such as an encryption algorithm, to obtain the verification signature information;
in another implementation, the access key in the verification information is signed with a signature algorithm to obtain the verification signature information.
These two implementations correspond to the two access manners described above. In the first, the target user logs in through a page with a user name and password, and the user name and password are signed with the signature algorithm to obtain the verification signature information used to verify the user's identity. In the second, a program calls product services; a key pair such as an AccessKeyID and AccessKeySecret is passed as an input parameter of the program, and the key pair is signed with the signature algorithm to obtain the verification signature information used to verify the user's identity.
Step 1002: compare the standard signature information corresponding to the system identifier with the verification signature information to obtain the verification result.
For example, in this embodiment the standard signature information of the target cloud system is looked up in a signature library in the authentication server, in which the standard signature information of each cloud system is stored in advance, and is then compared with the verification signature information obtained by signing the verification information with the signature algorithm, giving the verification result.
If the standard signature information corresponding to the system identifier is consistent with the verification signature information, the verification result represents that the target user passes the identity verification of the target cloud system; if the two are inconsistent, the verification result represents that the target user does not pass the identity verification of the target cloud system.
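As an added illustration of steps 1001 and 1002 (example code written for this page, not the patent's implementation), the following Python sketch computes the verification signature for both credential paths with HMAC-SHA256 keyed per cloud system, looks up the standard signature information in a signature library keyed by system identifier and principal, and compares the two in constant time. The function and variable names, the HMAC construction, the per-user salt and the sample records are assumptions; the patent does not specify the signature algorithm.

```python
import hashlib
import hmac

# Constructed sample data: a signing key per cloud system, held only by the
# authentication server (assumption of this example).
SYSTEM_KEYS = {
    "cloud-001": b"sys-001-signing-key",
    "cloud-002": b"sys-002-signing-key",
}


def _sign(system_id, material):
    """Signature algorithm assumed for the example: HMAC-SHA256 keyed per cloud system."""
    return hmac.new(SYSTEM_KEYS[system_id], material, hashlib.sha256).hexdigest()


def password_signature(system_id, username, password, salt):
    """Page-login path: sign the user name and password for the target system."""
    material = b"\x00".join([username.encode(), salt.encode(), password.encode()])
    return _sign(system_id, material)


def access_key_signature(system_id, access_key_id, access_key_secret):
    """Program path: sign the AccessKeyID/AccessKeySecret pair for the target system."""
    material = b"\x00".join([access_key_id.encode(), access_key_secret.encode()])
    return _sign(system_id, material)


# Signature library: the standard signature information stored in advance,
# keyed by (system identifier, principal). Constructed here with the same
# functions; the per-user salt would be stored alongside the record.
USER_SALTS = {("cloud-001", "alice"): "9f1c"}
SIGNATURE_LIBRARY = {
    ("cloud-001", "alice"): password_signature("cloud-001", "alice", "correct horse", "9f1c"),
    ("cloud-001", "AKID0001"): access_key_signature("cloud-001", "AKID0001", "s3cret-0001"),
}


def verify(login_request):
    """Step 106: return 1 if the target user passes identity verification for the
    target cloud system named by login_request['system_id'], else 0 (the
    encoding that step 107 checks)."""
    system_id = login_request.get("system_id")
    if system_id not in SYSTEM_KEYS:
        return 0
    if "username" in login_request:
        principal = login_request["username"]
        salt = USER_SALTS.get((system_id, principal), "no-such-user")
        candidate = password_signature(system_id, principal, login_request.get("password", ""), salt)
    elif "access_key_id" in login_request:
        principal = login_request["access_key_id"]
        candidate = access_key_signature(system_id, principal, login_request.get("access_key_secret", ""))
    else:
        return 0
    standard = SIGNATURE_LIBRARY.get((system_id, principal))
    # Always run the constant-time comparison, against a same-length dummy when
    # no record exists, so neither a wrong credential nor an unknown principal
    # is distinguishable by timing.
    reference = standard if standard is not None else "0" * len(candidate)
    matched = hmac.compare_digest(reference, candidate)
    return 1 if standard is not None and matched else 0
```

Two practitioner caveats are built in: `hmac.compare_digest` rather than `==` is used so the comparison does not leak the position of the first mismatching byte, and a comparison is run even when no record exists so an unknown principal is not distinguishable by timing. For the page-login path a deterministic signature of the password is a weak stored credential; a salted, deliberately slow password hash is the usual choice for that record, and the access-key secret should live in a secrets store rather than in the signature library.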
Step 107: judge whether the verification result represents that the target user passes the identity verification of the target cloud system, and execute step 108 if it does.
Specifically, in this embodiment the content of the verification result is checked; for example, a verification result of 1 indicates that the target user passes the authentication of the target cloud system, and a verification result of 0 indicates that the target user does not.
Step 108: obtain the authentication identifier of the target user.
In this embodiment an authentication identifier, which may also be called an access ticket, is generated for the target user according to a generation rule for authentication identifiers, representing that the target user has passed the identity verification of the target cloud system.
In addition, when verifying the identity of the target user, the authentication server may provide identification information such as a global ticket, a service ticket and a global session for the target user's login to the target cloud system, representing the login state of the target user on the client; when the target user logs in to the target cloud system again from another terminal, such as a mobile phone, the earlier login state on the client is terminated.
Referring to fig. 11, a schematic structural diagram of an access authority management apparatus of a multi-cloud system according to a second embodiment of the present disclosure is provided, where the apparatus may be configured in an authentication server capable of performing data processing, such as a computer or a server, and it is to be noted that the authentication server corresponds to a plurality of cloud systems, as shown in fig. 2, each cloud system is implemented by an electronic device deployed in a cloud, and each cloud system includes a plurality of accessed objects, such as data resources or functional components that can be accessed. The technical scheme in the embodiment is mainly used for realizing the authority control of the user for accessing the accessed object in the cloud system, so that the flexibility of authority management is improved.
Specifically, the apparatus in this embodiment may include the following units:
a request receiving unit 1101, configured to receive an object access request sent by a client, where the object access request at least includes a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system of the multiple cloud systems;
a policy obtaining unit 1102, configured to obtain a target permission policy matched with the user identifier and the object identifier in a permission policy set, where the permission policy set includes multiple pieces of permission policy information, and each piece of permission policy information corresponds to one user and one accessed object;
a result obtaining unit 1103, configured to obtain an authentication result according to the target permission policy, where the authentication result represents whether the target user has permission to access the target object in the target cloud system.
It can be seen from the foregoing solution that, in the access permission control device for a multi-cloud system provided in the second embodiment of the present application, after receiving an object access request sent by a client, a target permission policy matched with the object access request may be obtained in a permission policy set, so as to obtain an authentication result representing whether a target user in the object access request can access a target object in a target cloud system. As can be seen, in this embodiment, by subdividing the access permission granularity of the multiple cloud systems into the accessed object in each cloud system, when the user accesses the cloud system through the client, the permission control of the user to access the accessed object in the cloud system can be realized, so that the flexibility of the permission management is improved.
In an implementation manner, the policy obtaining unit 1102 is specifically configured to: screening initial policy information matched with the user identification and/or the user group identification corresponding to the user identification in an authority policy set; the user group identification is the identification of a target user group to which the target user belongs; the target user group also comprises one or more other users; and screening out the target authority strategy matched with the object identification in the initial strategy information.
Optionally, the policy obtaining unit 1102 is specifically configured to, when screening, in the permission policy set, initial policy information matched with the user identifier and/or the user group identifier corresponding to the user identifier: screening first policy information matched with the user identification in an authority policy set; and screening second policy information matched with the user group identification in the permission policy set, wherein the first policy information and/or the second policy information form initial policy information.
In one implementation, the result obtaining unit 1103 is further configured to: and transmitting the authentication result to the target cloud system.
In one implementation, the object access request further includes an authentication identifier of the target user; the authentication identifier is generated when the target user logs in to the target cloud system and represents that the target user has successfully logged in to the target cloud system.
In one implementation, the apparatus in this embodiment may further include the following units, as shown in fig. 12:
an identity authentication unit 1104, configured to: after the request receiving unit 1101 receives a user login request sent by the client, the user login request including at least verification information of the target user and a system identifier of the target cloud system, verify the verification information according to the system identifier to obtain a verification result representing whether the target user passes the identity verification of the target cloud system; and, if the verification result represents that the target user passes the identity verification of the target cloud system, obtain an authentication identifier of the target user.
In one implementation manner, when the authentication unit 1104 verifies the authentication information according to the system identifier to obtain a verification result, specifically: obtaining verification signature information corresponding to the verification information; for example, a signature algorithm is used for signing the user name and the password in the verification information to obtain verification signature information; or, signing the access secret key in the verification information by using a signature algorithm to obtain verification signature information; and then, comparing the standard signature information corresponding to the system identification with the verification signature information to obtain a verification result.
It should be noted that, for the specific implementation of each unit in the present embodiment, reference may be made to the corresponding content in the foregoing, and details are not described here.
Referring to fig. 13, a schematic structural diagram of an authentication server according to a third embodiment of the present disclosure is provided, where the authentication server may correspond to multiple cloud systems, as shown in fig. 2, each cloud system is implemented by an electronic device deployed in a cloud, and each cloud system includes multiple accessed objects, such as data resources or functional components that can be accessed. The technical scheme in the embodiment is mainly used for realizing the authority control of the user for accessing the accessed object in the cloud system, so that the flexibility of authority management is improved.
Specifically, the authentication server in this embodiment may include the following structure:
a transmission module 1301, configured to receive an object access request sent by a client, where the object access request at least includes a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system of the multiple cloud systems;
a processor 1302, configured to obtain a target permission policy matching the user identifier and the object identifier in a permission policy set, where the permission policy set includes multiple pieces of permission policy information, and each piece of permission policy information corresponds to one user and one accessed object; and obtaining an authentication result according to the target authority strategy, wherein the authentication result represents whether the target user has the authority of accessing the target object in the target cloud system.
Of course, the authentication server in this embodiment may further include a memory for storing the application program and data generated by the application program, and when the processor 1302 executes the application program stored in the memory, the above functions of the processor 1302 may be implemented.
According to the scheme, in the authentication server provided by the third embodiment of the present application, after receiving the object access request sent by the client, the target permission policy matched with the object access request can be obtained in the permission policy set, and then the authentication result indicating whether the target user in the object access request can access the target object in the target cloud system can be obtained. As can be seen, in this embodiment, by subdividing the access permission granularity of the multiple cloud systems into the accessed object in each cloud system, when the user accesses the cloud system through the client, the permission control of the user to access the accessed object in the cloud system can be realized, so that the flexibility of the permission management is improved.
The embodiment of the present application further provides a storage medium, on which a program is stored, and when the program is executed by a processor, the method for controlling access rights of a multi-cloud system according to any of the embodiments described above is implemented.
The embodiment of the present application further provides a processor, where the processor is configured to execute a program, where the program executes the method for controlling access rights of a multi-cloud system according to any one of the above embodiments when running.
Taking users and authority management of a plurality of cloud systems configured at the cloud end in the financial industry as an example, the technical scheme in the application is exemplified as follows:
the inventor of the application discovers that at present, there are various different implementation schemes but all have certain defects when managing the identity authentication and the authority of the user under the cloud ecology, and the implementation schemes are as follows:
in one implementation scheme, different application systems respectively maintain a set of user identity authentication systems, for an administrator managing different systems, the administrator needs to respectively input own user names and passwords to log in, authorize, operate and the like, the use and management are inconvenient, a single sign-on solution is formed at the later stage, and the authentication process is automatically completed by the system. Taking single sign-on based on cookie as an example, the main principle is that a user name and a password are stored in the cookie after being encrypted, then the user is verified in the current login state in the website accessing process, if the verification is not passed, the user name and the password are taken out from the cookie for login, from the user perspective, the login operation of inputting the user name and the password is considered to be performed only once, the user name and the password are transmitted for many times actually, the theft risk is increased, the unified login scheme cannot be accessed across domains, each system has a login authentication system, the code complexity is increased, and the limitation is large.
For the CAS-based unified authentication center login method, an independent authentication center is separately deployed to provide authentication services, but due to the complexity of the authority control, the individual CAS authentication cannot meet the subdivision of the authority granularity.
Based on the defects, the inventor of the application provides an identity access and control system for unified user full-life-cycle management under a multi-cloud ecology in order to solve the problem of unified management of identity authentication and authority management of an enterprise under the multi-cloud ecology (a scene of the multi-cloud system), so that the cost of authority management and control is effectively reduced, and a more flexible and convenient control console access mode is provided for the multi-cloud ecology. For example, based on a unified Authentication system of a unified Authentication center cas (central Authentication server), the management of the full life cycle of the user and the management of the user authority can be independently used as a set of Authentication system, so that the same user and the same authority can be used for logging in and operating the cloud platform under a multi-cloud ecology.
The specific design scheme is as follows:
In this application an independent unified authentication center, the authentication server described above, is set up in the multi-cloud ecosystem; each cloud management system no longer maintains its own user identity access and permission control module, and full-life-cycle account management of users (creation, authorization, login, authentication and deletion) is handled by the unified authentication center alone, which provides a secure access mode for resources and operations. Access management is realized by binding authorization policies to users and user groups; the access credential consists either of a user name and password or of an access key ID and access key secret, the latter being used for identity authentication of cloud service API requests. When a user accesses a function or resource, the user's identity is authenticated first and the access permission is verified second; the user can access the resource only after both steps pass, otherwise access is denied.
Firstly, unifying the single sign-on design of user life cycle management under a multi-cloud form:
firstly, unified identity access and authority control system database design:
as shown in fig. 14, in the unified identity authentication scheme proposed in the present application, a dedicated user information database is used to store user information, which includes information such as a user name, a password, a mobile phone number, a mailbox, an affiliated user group, and an access key corresponding to a user. Based on the CAS principle, the CAS Server is a unified identity authentication center (i.e., an authentication Server), and the user information is stored in a database DB (database) and authenticated by querying the DB during user authentication. The CAS Client is deployed in an application system of a Client (namely the Client), and a URL is set to redirect a user identity authentication request to a CAS Server, so that the operations of login, verification and logout are realized.
Secondly, designing a unified identity access and authority control system scheme:
When a user first logs in to a system through its domain name, the web page is redirected to the unified identity authentication server for the initial login, where identity authentication is performed on the user information credentials entered by the user, such as a user name and password. If authentication passes, an access ticket, the authentication identifier described above, is generated; when the user then accesses other resources or functions in the cloud system, this access ticket is carried and submitted to the CAS unified identity authentication server for authentication, so an administrator opening a system does not need to submit login information again.
To implement single sign-on, CAS provides the global ticket, the Ticket Granting Ticket (TGT), the Service Ticket (ST), and the global session, the Ticket Granting Cookie (TGC). The workflow of the CAS single-sign-on-based unified identity authentication scheme is shown in fig. 14:
the specific description is as follows:
1. the user accesses cloud system 001 via the Web;
2. system 001 finds that the user has not been authenticated and redirects the page request to the CAS Server;
3. the user enters the relevant authentication information and passes verification;
4. after verification passes, the authentication center redirects the user, with the relevant credential, to cloud system 001 to log in;
5. or, after verification passes, the authentication center redirects the user, with the relevant credential, to cloud system 002 to log in;
6. or, after verification passes, the authentication center redirects the user, with the relevant credential, to cloud system 004 to log in, or to another cloud system such as cloud system 001;
7. the cloud system returns to the client the information that the user has logged in to the cloud system.
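To make the exchange in steps 1 to 7 concrete, here is an added Python model of the ticket flow; it is example code written for this page, not the patent's implementation and not the Apereo CAS code base. It covers the TGT issued at step 3 (held by the browser as the TGC), the service-bound, single-use ST minted at steps 4 to 6, the back-channel validation the cloud system performs before answering at step 7, and the rule from the description that a new login from another terminal ends the earlier login state. The class and method names, the credential store, the ticket lifetimes and the injectable clock are assumptions.

```python
import secrets
import time


class AuthenticationServer:
    """In-memory stand-in for the CAS Server / unified authentication center."""
    TGT_TTL = 8 * 3600   # assumed global session lifetime, seconds
    ST_TTL = 10          # service tickets are short-lived and single-use

    def __init__(self, users, clock=time.time):
        self._users = users          # constructed credential store {username: password}
        self._clock = clock          # injectable for testing expiry
        self._tgts = {}              # tgt -> (username, expiry)
        self._active_tgt = {}        # username -> tgt: one global session per user
        self._sts = {}               # st -> (username, service, expiry)

    def login(self, username, password):
        """Step 3: verify credentials and issue a TGT (returned to the browser as the TGC)."""
        if self._users.get(username) != password:
            return None
        old = self._active_tgt.get(username)
        if old is not None:
            self._tgts.pop(old, None)   # a new login from another terminal ends the earlier session
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = (username, self._clock() + self.TGT_TTL)
        self._active_tgt[username] = tgt
        return tgt

    def issue_service_ticket(self, tgt, service):
        """Steps 4 to 6: for a live TGT, mint an ST bound to the requesting cloud system."""
        rec = self._tgts.get(tgt)
        if rec is None or rec[1] < self._clock():
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (rec[0], service, self._clock() + self.ST_TTL)
        return st

    def validate(self, service, st):
        """Back-channel check by the cloud system; the ST is consumed on first use."""
        rec = self._sts.pop(st, None)
        if rec is None:
            return None
        username, bound_service, expiry = rec
        if bound_service != service or expiry < self._clock():
            return None
        return username


class CloudSystem:
    """One of the cloud systems (001, 002, 004) with the CAS Client embedded."""

    def __init__(self, system_id, cas):
        self.system_id = system_id
        self.cas = cas
        self.sessions = {}           # local session id -> username

    def access(self, session=None, ticket=None):
        """Steps 1, 2 and 7 from the cloud system's side."""
        if session in self.sessions:
            return ("ok", self.sessions[session], session)
        if ticket is None:
            # Step 2: no local login state, redirect to the authentication server
            return ("redirect", {"to": "cas", "service": self.system_id})
        username = self.cas.validate(self.system_id, ticket)
        if username is None:
            return ("redirect", {"to": "cas", "service": self.system_id})
        session = "SESSION-" + secrets.token_urlsafe(16)
        self.sessions[session] = username
        return ("ok", username, session)   # step 7: logged-in information returned


def single_sign_on_walkthrough():
    """Runs the seven-step flow against cloud systems 001 and 002."""
    cas = AuthenticationServer({"alice": "correct horse"})
    sys001 = CloudSystem("cloud-001", cas)
    sys002 = CloudSystem("cloud-002", cas)
    first = sys001.access()                                  # steps 1-2: redirect
    tgc = cas.login("alice", "correct horse")                # step 3
    st1 = cas.issue_service_ticket(tgc, "cloud-001")         # step 4
    result001 = sys001.access(ticket=st1)                    # step 7
    st2 = cas.issue_service_ticket(tgc, "cloud-002")         # step 5, no password re-entered
    result002 = sys002.access(ticket=st2)
    replay = sys002.access(ticket=st2)                       # a used ST is rejected
    cross = sys001.access(ticket=cas.issue_service_ticket(tgc, "cloud-002"))  # ST bound to 002 is rejected by 001
    return first[0], result001[:2], result002[:2], replay[0], cross[0]
```

Two properties worth checking in any real deployment are exercised in `single_sign_on_walkthrough`: an ST presented a second time is rejected, and an ST minted for cloud system 002 is rejected by cloud system 001, so a ticket leaked from one system cannot be replayed against another. Ticket values come from `secrets.token_urlsafe`, since a predictable ticket would let an attacker guess a live session.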
Secondly, unified user life cycle management authority management control under the multi-cloud form:
After the user has performed unified single sign-on, the granularity of the user's permission control is still not fine enough, so the functions and resources the user may operate must be authenticated further after the user has logged in to the platform. As shown in fig. 15, when the user clicks a resource or an interface-level function on the cloud platform in the browser, the browser checks the user information with the authorization control module of the unified authentication center; if the check passes, the user may operate the corresponding function or resource of the platform, and if authentication fails a prompt is returned stating that the operation is unauthorized and the user should contact the administrator for authorization.
Firstly, unified identity access and authority control system database design:
it is mentioned above that in the unified identity authentication scheme proposed in the present application, a dedicated user information database is used to store user information. In addition, for further management of user rights, the database design is used for storing the strategy data of the platform separately. The authority control scheme is realized on the basis of IAM, and the strategy is the key element forming the scheme: and realizing authentication based on a user and user group binding strategy, and determining whether the user has the authority of a certain function or resource of the operation platform. The authentication flow is shown in fig. 15.
Scheme design of unified identity access and authority control system
The IAM authority management system is finer access control, and achieves the purpose that multiple users manage the whole cloud platform in different roles. When the user logs in the system and operates a certain resource on the platform, the browser authenticates the operation to the uniform authentication center. When a user initiates an access request, the system performs authentication judgment according to action in an authorized access policy of the user, and the check rule is as shown in fig. 15:
1. a user initiates an access request;
2. the system redirects the request to the CAS Server;
3. the system first searches the granted access permissions for permissions authorized under IAM projects, that is, it filters the matching permission policy information in the permission policy set and looks up the action corresponding to the request in those permissions;
4. if a matching Allow or Deny action is found, cloud system 001 performs access control, returns the authentication decision for the request, and the Allow or Deny ends the authentication;
5. or, if a matching Allow or Deny action is found, cloud system 002 performs access control, returns the authentication decision for the request, and the Allow or Deny ends the authentication;
6. or, if a matching Allow or Deny action is found, cloud system 004 performs access control, returns the authentication decision for the request, and the Allow or Deny ends the authentication;
7. the cloud system returns the content corresponding to the request, such as the resource or function, to the user.
The following describes the acquisition process of the authentication result with reference to fig. 16:
First, after the access request is obtained, search whether IAM permission policy information bound to the user and corresponding to the access request exists; if so, the authentication result, Allow or Deny, is obtained directly and authentication ends;
if there is no IAM permission policy information corresponding to the access request, judge whether the user has been added to a user group; if so, search whether IAM permission policy information corresponding to that user group exists, and if so the authentication result, Allow or Deny, is obtained directly and authentication ends;
if the user has not been added to a user group, or there is no IAM permission policy information corresponding to the user's group, the authentication result is Deny and authentication ends.
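The lookup in fig. 16, together with the user and user-group filtering performed by the policy obtaining unit described earlier, as an added Python example (written for this page; not the patent's code): a policy set binds one principal, one accessed object and an action to an Allow or Deny effect, user-bound policies are consulted before group-bound ones, and a request that matches nothing is denied. The `Policy` layout, the `*` wildcard in object and action names, the sample policies and group membership, and the rule that a Deny beats an Allow among several matches at the same level are assumptions of the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    """One piece of permission policy information: principal + accessed object + action -> effect."""
    principal: str       # "user:alice" or "group:cvm-admins"
    object_id: str       # accessed object, e.g. "cloud-001:cvm/instance-7"
    action: str          # e.g. "cvm:StopInstance"; '*' wildcard assumed for this example
    effect: str          # "Allow" or "Deny"

    def matches(self, object_id, action):
        return fnmatchcase(object_id, self.object_id) and fnmatchcase(action, self.action)


def _decide(policies, object_id, action):
    """Allow/Deny from the policies that match the object and action, or None if none match.
    Among several matches at one level an explicit Deny wins (assumption)."""
    effects = {p.effect for p in policies if p.matches(object_id, action)}
    if not effects:
        return None
    return "Deny" if "Deny" in effects else "Allow"


def authenticate(policy_set, user_groups, user_id, object_id, action):
    """Authentication result for (user, accessed object, action): 'Allow' or 'Deny'."""
    # 1. IAM policy information bound directly to the user
    user_policies = [p for p in policy_set if p.principal == f"user:{user_id}"]
    result = _decide(user_policies, object_id, action)
    if result is not None:
        return result
    # 2. policy information bound to the user groups the user belongs to
    group_principals = {f"group:{g}" for g in user_groups.get(user_id, ())}
    group_policies = [p for p in policy_set if p.principal in group_principals]
    result = _decide(group_policies, object_id, action)
    if result is not None:
        return result
    # 3. no applicable policy at either level: default Deny
    return "Deny"


# Constructed sample policy set and group membership for the three cloud systems
POLICY_SET = [
    Policy("group:cvm-admins", "cloud-001:cvm/*", "cvm:*", "Allow"),
    Policy("group:cvm-admins", "cloud-002:cvm/*", "cvm:*", "Allow"),
    Policy("user:alice", "cloud-001:cvm/instance-7", "cvm:TerminateInstance", "Deny"),
    Policy("user:bob", "cloud-004:cos/bucket-logs", "cos:GetObject", "Allow"),
]
USER_GROUPS = {"alice": ("cvm-admins",), "bob": ()}
```

Following the order on this page, a policy bound directly to the user decides before the user's groups are consulted at all, so a user-level Allow would shadow a group-level Deny; many IAM implementations instead evaluate an explicit Deny across every level before any Allow. Whichever rule is chosen, the outcome when nothing matches must stay Deny, as the third branch of the page's flow states.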
In summary, enterprises operating in multi-cloud mode mostly run a separate user and permission control system under each cloud, which has considerable defects. To address this, the present application sets up a single identity access and permission control system with full-life-cycle user management, which resolves the current situation of multiple identity authentications and separate permission control in a multi-cloud ecosystem and so reduces the management costs of user registration, login and permission control. A unified identity access and permission control system also reduces system redundancy and makes it convenient for each system administrator to manage their own product; for example, a CVM administrator has the same management permissions under different clouds. Compared with the traditional user model, this mode is better suited to the actual pain points of existing enterprises and can improve their management efficiency.
Therefore, the technical scheme in the application can effectively solve the management of the platform user in the multi-cloud deployment state. From the perspective of users, the same user (the role of a product manager on the cloud platform) can conveniently manage the products operated and maintained by the user only through one set of authentication system; for the platform management end, an independent user authentication system gets rid of the complex architecture and redundancy of the platform end management, each platform does not need to maintain a set of module for managing users independently, and the platform can be more concentrated on the development of products per se; in addition, better operability can be achieved in the aspects of maintaining user information data fields, managing the full life cycle of users, uniformly authorizing the users, managing and controlling the authority and the like, the situation that a plurality of user management modules of a plurality of platforms are difficult to manage or a certain platform user is lost, the role of a product administrator is lost, and the management and operation and maintenance of products are affected is avoided.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An access right control method for a multi-cloud system, applied to an authentication server, wherein the authentication server corresponds to a plurality of cloud systems and each cloud system comprises a plurality of accessed objects, the method comprising:
receiving an object access request sent by a client, wherein the object access request at least comprises a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system among the plurality of cloud systems;
obtaining, from a permission policy set, a target permission policy matching the user identifier and the object identifier, wherein the permission policy set comprises a plurality of pieces of permission policy information, and each piece of permission policy information corresponds to one user and one accessed object;
and obtaining an authentication result according to the target permission policy, wherein the authentication result represents whether the target user has permission to access the target object in the target cloud system.
2. The method of claim 1, wherein obtaining, from the permission policy set, the target permission policy matching the user identifier and the object identifier comprises:
screening, in the permission policy set, initial policy information matching the user identifier and/or a user group identifier corresponding to the user identifier, wherein the user group identifier is the identifier of a target user group to which the target user belongs, and the target user group further comprises one or more other users;
and screening, in the initial policy information, the target permission policy matching the object identifier.
3. The method of claim 2, wherein screening, in the permission policy set, the initial policy information matching the user identifier and/or the user group identifier corresponding to the user identifier comprises:
screening, in the permission policy set, first policy information matching the user identifier;
and screening, in the permission policy set, second policy information matching the user group identifier, wherein the first policy information and/or the second policy information form the initial policy information.
4. The method of claim 1, further comprising:
transmitting the authentication result to the target cloud system.
5. The method of claim 1, wherein the object access request further comprises an identity authentication identifier of the target user;
the identity authentication identifier is generated when the target user logs in to the target cloud system, and represents that the target user has successfully logged in to the target cloud system.
6. The method of claim 5, further comprising:
receiving a user login request sent by the client, wherein the user login request at least comprises authentication information of the target user and a system identifier of the target cloud system;
verifying the authentication information according to the system identifier to obtain a verification result, wherein the verification result represents whether the target user passes the identity authentication of the target cloud system;
and in the case that the verification result represents that the target user passes the identity authentication of the target cloud system, obtaining the identity authentication identifier of the target user.
7. The method of claim 6, wherein verifying the authentication information according to the system identifier to obtain the verification result comprises:
obtaining verification signature information corresponding to the authentication information;
and comparing standard signature information corresponding to the system identifier with the verification signature information to obtain the verification result.
8. The method of claim 7, wherein obtaining the verification signature information corresponding to the authentication information comprises:
signing the user name and the password in the authentication information with a signature algorithm to obtain the verification signature information;
alternatively,
signing the access key in the authentication information with a signature algorithm to obtain the verification signature information.
9. An access right control device for a multi-cloud system, applied to an authentication server, wherein the authentication server corresponds to a plurality of cloud systems and each cloud system comprises a plurality of accessed objects, the device comprising:
a request receiving unit, configured to receive an object access request sent by a client, wherein the object access request at least comprises a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system among the plurality of cloud systems;
a policy obtaining unit, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, wherein the permission policy set comprises a plurality of pieces of permission policy information, and each piece of permission policy information corresponds to one user and one accessed object;
and a result obtaining unit, configured to obtain an authentication result according to the target permission policy, wherein the authentication result represents whether the target user has permission to access the target object in the target cloud system.
10. An authentication server, wherein the authentication server corresponds to a plurality of cloud systems and each cloud system comprises a plurality of accessed objects, the authentication server comprising:
a transmission module, configured to receive an object access request sent by a client, wherein the object access request at least comprises a user identifier of a target user and an object identifier of a target object, and the target object is an accessed object in a target cloud system among the plurality of cloud systems;
and a processor, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, wherein the permission policy set comprises a plurality of pieces of permission policy information, and each piece of permission policy information corresponds to one user and one accessed object; and to obtain an authentication result according to the target permission policy, wherein the authentication result represents whether the target user has permission to access the target object in the target cloud system.
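The flow of claims 1 to 8, as an added Python example that is not part of the patent and not code from the applicant: a user logs in to one cloud system (claims 6 to 8), receives an identity authentication identifier (claim 5), and then sends an object access request that is matched against a permission policy set first by user and group identifier and then by object identifier (claims 1 to 3). The claims fix no algorithm or data layout, so the following are assumptions: HMAC-SHA256 with a per-system key stands in for the "signature algorithm", object identifiers carry the cloud system identifier as a `system:path` prefix, a user-specific policy entry takes precedence over a group entry, the absence of a matching entry means deny, and the identity authentication identifier is bound to the (user, system) pair it was issued for. All names, credentials and policy rows are constructed sample data.

```python
"""Hypothetical authentication server modelled on claims 1 to 8 of the page.
The HMAC-SHA256 'signature algorithm', the system:path object-identifier
convention, the precedence rule and the sample data are all assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PolicyInfo:
    """One piece of permission policy information (claim 1): a subject paired
    with one accessed object. subject_id is a user id or a group id (claim 2)."""
    subject_id: str
    object_id: str      # "<system id>:<object path>" (constructed convention)
    allowed: bool


@dataclass
class AuthServer:
    system_keys: Dict[str, bytes]                       # per-system HMAC key (assumed)
    standard_signatures: Dict[Tuple[str, str], str]     # (system, user) -> standard signature (claim 7)
    policy_set: List[PolicyInfo]
    user_groups: Dict[str, Set[str]]                    # user id -> group ids (claim 2)
    sessions: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # auth id -> (user, system)

    # Claim 8: one signature algorithm over username+password or over an access key.
    def sign(self, system_id: str, *parts: str) -> str:
        msg = "\x00".join(parts).encode()
        return hmac.new(self.system_keys[system_id], msg, hashlib.sha256).hexdigest()

    # Claims 6 and 7: compute the verification signature and compare it with the
    # standard signature stored for this system identifier.
    def login(self, user_id: str, system_id: str, password: Optional[str] = None,
              access_key: Optional[str] = None) -> Optional[str]:
        if system_id not in self.system_keys:
            return None
        if access_key is not None:
            verification_sig = self.sign(system_id, access_key)
        elif password is not None:
            verification_sig = self.sign(system_id, user_id, password)
        else:
            return None
        standard_sig = self.standard_signatures.get((system_id, user_id))
        # compare_digest keeps the comparison constant-time; a plain == would not.
        if standard_sig is None or not hmac.compare_digest(standard_sig, verification_sig):
            return None
        # Claim 5/6: on success issue the identity authentication identifier, bound
        # to both the user and the cloud system that was logged in to.
        auth_id = secrets.token_urlsafe(32)
        self.sessions[auth_id] = (user_id, system_id)
        return auth_id

    # Claims 2 and 3: first policy info by user id, second by group id, then narrow
    # the combined initial policy information by object id.
    def find_target_policy(self, user_id: str, object_id: str) -> Optional[PolicyInfo]:
        groups = self.user_groups.get(user_id, set())
        first = [p for p in self.policy_set if p.subject_id == user_id]
        second = [p for p in self.policy_set if p.subject_id in groups]
        for p in first + second:
            if p.object_id == object_id:
                return p    # user-specific entry wins over a group entry (assumed)
        return None

    # Claims 1 and 5: the object access request carries the identity authentication
    # identifier, the user identifier and the object identifier.
    def check_access(self, auth_id: str, user_id: str, object_id: str) -> Tuple[bool, str]:
        session = self.sessions.get(auth_id)
        if session is None:
            return False, "unknown authentication identifier"
        sess_user, sess_system = session
        if sess_user != user_id:
            return False, "authentication identifier belongs to another user"
        if sess_system != object_id.split(":", 1)[0]:
            return False, "user is not logged in to the target cloud system"
        policy = self.find_target_policy(user_id, object_id)
        if policy is None:
            return False, "no matching permission policy (deny by default)"
        return policy.allowed, f"policy for {policy.subject_id} on {object_id}"


def build_demo_server() -> AuthServer:
    """Constructed sample configuration: two cloud systems and one user group."""
    keys = {"cloudA": b"cloudA-demo-key", "cloudB": b"cloudB-demo-key"}
    srv = AuthServer(system_keys=keys, standard_signatures={}, policy_set=[
        PolicyInfo("alice", "cloudA:bucket/reports", True),
        PolicyInfo("grp-finance", "cloudA:bucket/ledger", True),
        PolicyInfo("grp-finance", "cloudB:vm/db-01", False),
        PolicyInfo("alice", "cloudB:vm/db-01", True),
    ], user_groups={"alice": {"grp-finance"}, "bob": {"grp-finance"}})
    # Standard signatures are provisioned with the same algorithm the login path uses.
    srv.standard_signatures = {
        ("cloudA", "alice"): srv.sign("cloudA", "alice", "correct horse battery"),
        ("cloudA", "bob"): srv.sign("cloudA", "bob", "hunter2"),
        ("cloudB", "alice"): srv.sign("cloudB", "AKIA-DEMO-0001"),
    }
    return srv


if __name__ == "__main__":
    srv = build_demo_server()
    tok = srv.login("alice", "cloudA", password="correct horse battery")
    print(srv.check_access(tok, "alice", "cloudA:bucket/ledger"))    # group entry grants
    print(srv.check_access(tok, "alice", "cloudB:vm/db-01"))         # wrong system for this token
```

Two choices here go beyond the claims and are worth keeping in any real implementation: the identifier issued at login is tied to the system identifier from the login request, so a token obtained on one cloud system cannot authorize objects in another, and a request with no matching policy row is denied rather than treated as unspecified. For the password branch of claim 8 a salted password hash stored per user would normally replace a bare keyed signature; the keyed HMAC is used only so that both branches of the claim share one routine.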

CN202011554144.3A 2020-12-24 2020-12-24 Access right control method and device of multi-cloud system and authentication server Pending CN112580006A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011554144.3A CN112580006A (en) 2020-12-24 2020-12-24 Access right control method and device of multi-cloud system and authentication server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011554144.3A CN112580006A (en) 2020-12-24 2020-12-24 Access right control method and device of multi-cloud system and authentication server

Publications (1)

Publication Number Publication Date
CN112580006A true CN112580006A (en) 2021-03-30

Family

ID=75139682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011554144.3A Pending CN112580006A (en) 2020-12-24 2020-12-24 Access right control method and device of multi-cloud system and authentication server

Country Status (1)

Country Link
CN (1) CN112580006A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113420275A (en) * 2021-07-19 2021-09-21 北京百度网讯科技有限公司 Data connection processing method, related device and computer program product
CN113645249A (en) * 2021-08-17 2021-11-12 杭州时趣信息技术有限公司 Server password control method, system and storage medium
CN113938477A (en) * 2021-09-07 2022-01-14 西安电子科技大学 Cross-domain picture spreading access control method and system based on block chain
CN114980095A (en) * 2021-05-08 2022-08-30 中移互联网有限公司 Data access method and data access device
WO2023024057A1 (en) * 2021-08-27 2023-03-02 京东方科技集团股份有限公司 Cross-domain authorization processing method and cross-domain call processing method
WO2023109782A1 (en) * 2021-12-17 2023-06-22 北京字跳网络技术有限公司 Data processing method and apparatus based on cloud document component
TWI820961B (en) * 2022-10-11 2023-11-01 中華電信股份有限公司 Electronic device and method for processing intelligence based on microservice and public cloud component
TWI825525B (en) * 2021-12-14 2023-12-11 中華電信股份有限公司 Identity and access management system and method for multi-cloud integrated application service and computer readable medium therefor

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101042699A (en) * 2007-04-28 2007-09-26 华中科技大学 Safety search engine system based on accessing control
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN103701801A (en) * 2013-12-26 2014-04-02 四川九洲电器集团有限责任公司 Resource access control method
CN105577665A (en) * 2015-12-24 2016-05-11 西安电子科技大学 Identity and access control and management system and method in cloud environment
CN105978933A (en) * 2016-04-25 2016-09-28 青岛海信电器股份有限公司 Webpage request method, webpage response method, terminal, server, and webpage request and response system
CN108900483A (en) * 2018-06-13 2018-11-27 江苏物联网研究发展中心 Cloud storage fine-grained access control method, data upload and data access method
CN111241523A (en) * 2020-01-08 2020-06-05 中国联合网络通信集团有限公司 Authentication processing method, device, equipment and storage medium

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114980095A (en) * 2021-05-08 2022-08-30 中移互联网有限公司 Data access method and data access device
CN114980095B (en) * 2021-05-08 2023-10-27 中移互联网有限公司 Data access method and data access device
CN113420275A (en) * 2021-07-19 2021-09-21 北京百度网讯科技有限公司 Data connection processing method, related device and computer program product
CN113420275B (en) * 2021-07-19 2023-07-28 北京百度网讯科技有限公司 Data connection processing method, related device and computer program product
CN113645249A (en) * 2021-08-17 2021-11-12 杭州时趣信息技术有限公司 Server password control method, system and storage medium
WO2023024057A1 (en) * 2021-08-27 2023-03-02 京东方科技集团股份有限公司 Cross-domain authorization processing method and cross-domain call processing method
CN113938477A (en) * 2021-09-07 2022-01-14 西安电子科技大学 Cross-domain picture spreading access control method and system based on block chain
CN113938477B (en) * 2021-09-07 2022-10-21 西安电子科技大学 Cross-domain picture spreading access control method and system based on block chain
TWI825525B (en) * 2021-12-14 2023-12-11 中華電信股份有限公司 Identity and access management system and method for multi-cloud integrated application service and computer readable medium therefor
WO2023109782A1 (en) * 2021-12-17 2023-06-22 北京字跳网络技术有限公司 Data processing method and apparatus based on cloud document component
TWI820961B (en) * 2022-10-11 2023-11-01 中華電信股份有限公司 Electronic device and method for processing intelligence based on microservice and public cloud component

Similar Documents

Publication Publication Date Title
CN112580006A (en) Access right control method and device of multi-cloud system and authentication server
JP6426189B2 (en) System and method for biometric protocol standard
EP1427160B1 (en) Methods and systems for authentication of a user for sub-locations of a network location
US8225384B2 (en) Authentication system for enhancing network security
US8141138B2 (en) Auditing correlated events using a secure web single sign-on login
US8387136B2 (en) Role-based access control utilizing token profiles
US8997196B2 (en) Flexible end-point compliance and strong authentication for distributed hybrid enterprises
EP2238711B1 (en) Selective authorization based on authentication input attributes
US8800003B2 (en) Trusted device-specific authentication
US8387137B2 (en) Role-based access control utilizing token profiles having predefined roles
EP1914658B1 (en) Identity controlled data center
US9172541B2 (en) System and method for pool-based identity generation and use for service access
US8209394B2 (en) Device-specific identity
US7987357B2 (en) Disabling remote logins without passwords
US20090235345A1 (en) Authentication system, authentication server apparatus, user apparatus and application server apparatus
US20170171189A1 (en) Distributed authentication system
US7428748B2 (en) Method and system for authentication in a business intelligence system
US11956228B2 (en) Method and apparatus for securely managing computer process access to network resources through delegated system credentials
US8875244B1 (en) Method and apparatus for authenticating a user using dynamic client-side storage values
Wang et al. Research on cross-platform unified resource access control management system
US20220247578A1 (en) Attestation of device management within authentication flow
KR101066729B1 (en) Methods and systems for authentication of a user for sub-locations of a network location
Eldridge et al. Final report for the network authentication investigation and pilot.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination