CN113678127A - Access control method, server, access device, and storage medium - Google Patents


Info

Publication number: CN113678127A
Application number: CN201980095168.6A
Authority: CN (China)
Prior art keywords: sharing, access device, access, server, local
Prior art date: (not given on the page)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 吕小强
Current assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Priority date: (not given on the page; the priority date is an assumption and is not a legal conclusion, and Google has not performed a legal analysis)
Filing date: (not given on the page)
Publication date: (not given on the page)
Events: application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd; publication of CN113678127A; current legal status pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An access control method comprising: a server (304) establishes (S401) a sharing record among a first device identity of a first access device (301), a second device identity of a second access device (302) and a target device identity of a target device (303) associated with the second access device (302), the sharing record being used to share the access right of the target device (303) with the first access device (301); the server (304) transmits (S402) a local sharing credential between the first access device (301) and the second access device (302), the local sharing credential being used by the first access device (301) to establish a local connection with the target device (303).

Description

Access control method, server, access device, and storage medium

Technical Field
The present invention relates to Internet of Things (IoT) technology, and in particular, to an access control method, a server, an access device, and a storage medium.
Background
In the Internet of Things, devices that are not on the same local network communicate with each other through the cloud. The cloud groups the devices belonging to one user under the user ID that the cloud created for that user, and all devices registered in the cloud under the same user ID may communicate according to the permission policy with which the device authorizes the cloud (for example, an ACE2 policy). Devices on the same local network communicate directly over that network. Cloud communication and local-network communication are therefore isolated from each other, a device can be accessed by only one user, and the multi-user application scenario cannot be met.
Disclosure of Invention
Embodiments of the present invention provide an access control method, a server, an access device, and a storage medium, which can share an access right of a device to other users, so as to implement multi-user access.
The technical scheme of the embodiment of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides an access control method, including:
a server establishes a sharing record among a first device identifier of a first access device, a second device identifier of a second access device and a target device identifier of a target device associated with the second access device, where the sharing record is used to share the access right of the target device with the first access device;
the server transmits a local sharing credential between the first access device and the second access device, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In a second aspect, an embodiment of the present invention provides an access control method, including:
the first access device obtains a second device identifier of a second access device;
the first access device sends a first device identifier of the first access device and the second device identifier to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access right of the target device with the first access device;
the first access device and the server transmit a local sharing credential, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In a third aspect, an embodiment of the present invention provides an access control method, including:
the second access device obtains a first device identifier of a first access device;
the second access device sends the first device identifier and a second device identifier of the second access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access right of the target device with the first access device;
the second access device and the server transmit a local sharing credential, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In a fourth aspect, an embodiment of the present invention provides a server, including:
an establishing unit configured to establish a sharing record among a first device identifier of a first access device, a second device identifier of a second access device and a target device identifier of a target device associated with the second access device, where the sharing record is used to share the access right of the target device with the first access device;
a transmission unit configured to transmit a local sharing credential between the first access device and the second access device, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In a fifth aspect, an embodiment of the present invention provides an access device, including:
a first obtaining unit configured to obtain a second device identifier of a second access device;
a first sending unit configured to send a first device identifier of the first access device and the second device identifier to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access right of the target device with the first access device;
a first transmission unit configured to transmit a local sharing credential with the server, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In a sixth aspect, an embodiment of the present invention provides an access device, including:
a second obtaining unit configured to obtain a first device identifier of a first access device;
a second sending unit configured to send the first device identifier and a second device identifier of the second access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access right of the target device with the first access device;
a second transmission unit configured to transmit a local sharing credential with the server, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In a seventh aspect, an embodiment of the present invention provides a server, including: a processor and a memory for storing a computer program operable on the processor, wherein the processor is configured to perform the steps of the access control method performed by the server when executing the computer program.
In an eighth aspect, an embodiment of the present invention provides an access device, including: a processor and a memory for storing a computer program operable on the processor, wherein the processor is configured to perform the steps of the access control method performed by the first access device when executing the computer program.
In a ninth aspect, an embodiment of the present invention provides an access device, including: a processor and a memory for storing a computer program operable on the processor, wherein the processor is configured to execute the steps of the access control method performed by the second access device when executing the computer program.
In a tenth aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the server.
In an eleventh aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the first access device.
In a twelfth aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the second access device.
The access control method provided by the embodiment of the invention comprises: a server establishes a sharing record among a first device identifier of a first access device, a second device identifier of a second access device and a target device identifier of a target device associated with the second access device, where the sharing record is used to share the access right of the target device with the first access device; the server transmits a local sharing credential between the first access device and the second access device, where the local sharing credential is used for establishing a local connection between the first access device and the target device. In this way, access to the target device by a first access device that is not associated with it is granted on the basis of the sharing record, and the local sharing credential that lets the first access device access the target device locally is exchanged between the first and second access devices named in that record. Access to the target device is therefore no longer limited to user identifiers that have a binding relationship with it, multi-user access is achieved, and the first access device's access to the target device is not limited by the network it is on.
Drawings
FIG. 1 is a schematic diagram of an alternative configuration of an Internet of Things system provided by an embodiment of the present invention;
FIG. 2 is an alternative flow chart of the access control method provided by an embodiment of the invention;
FIG. 3 is an alternative schematic diagram of an Internet of Things system provided by an embodiment of the invention;
FIG. 4A is an alternative flow chart of the access control method provided by an embodiment of the invention;
FIG. 4B is an alternative flow chart of an access control method according to an embodiment of the present invention;
FIG. 4C is an alternative flow chart of the access control method according to an embodiment of the present invention;
FIG. 5 is an alternative flow chart of the access control method provided by an embodiment of the invention;
FIG. 6 is an alternative flow chart of the access control method provided by an embodiment of the invention;
FIG. 7 is an alternative flow chart of the access control method provided by an embodiment of the invention;
FIG. 8 is an alternative structural diagram of a server according to an embodiment of the present invention;
FIG. 9 is an alternative structural diagram of an access device provided in an embodiment of the present invention;
FIG. 10 is an alternative structural diagram of an access device provided by an embodiment of the present invention;
FIG. 11 is an alternative structural schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail with reference to the accompanying drawings, the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
Before describing the access control method provided by the embodiment of the invention in detail, the access control of the internet of things system is briefly described.
Access control in an Internet of Things system comprises local access over the home network and remote access through the cloud.
An IoT device must be registered in the cloud after it joins the Internet of Things. During registration the device obtains a corresponding user identification (UserID), and once registered in the cloud it can be operated remotely. A device that is not registered in the cloud cannot be operated remotely, but it can still be operated locally. The reason is that the UserID identifies the user of the IoT device in the cloud; it is not a Device ID, and local operation of the IoT device depends on the device's own access policy, not on the UserID.
In the following, local access and remote access will be described separately.
Local access
After an IoT device has joined the home network it can be configured directly. Configuration is performed by an onboarding tool (OBT). During configuration the Owner ID of the IoT device is set to the Device ID of the OBT device, and an access credential is configured on the IoT device; the credential is used for mutual authentication when the two devices establish a connection. The access credential may take the form of a symmetric key, an asymmetric key, a certificate, and so on.
Once the two devices have authenticated each other they can establish a secure communication connection, that is, they can interconnect and interoperate.
Remote access
The cloud-based internet of things system is shown in fig. 1 and comprises: client 101, server 102, and cloud 103. The client 101 accesses the resources of the server 102, and the server 102 provides the resources accessed by the client 101. And the client 101 and the server 102 communicate with each other through the cloud 103.
When the client 101 performs a CRUDN operation on a resource referenced by the Links of a resource hosted in the cloud 103, the client 101 sends the CRUDN request to the cloud 103, the cloud 103 forwards the request to the server 102 that actually hosts the resource, the server 102 responds to the cloud 103, and the cloud 103 forwards the response to the client 101; the communication path is thus client 101 -> cloud 103 -> server 102 -> cloud 103 -> client 101.
Illustratively, the cloud 103 may include three functional entities:
Cloud interface 1031: the cloud anchor point, responsible for access management of servers and for routing the messages of remote communication between client and server. The cloud interface exposes a single address and port number to the outside, such as coaps+tcp://example.com:443.
Authorization server 1032: responsible for registration of servers and for authentication of clients and servers.
Resource directory 1033: the client retrieves the resource directory to obtain the resources of a target device.
Authorization server 1032 may be the same physical entity as the cloud, or may be a different physical entity.
Wherein each device may be a client, a server, or both a client and a server.
Fig. 2 shows a process of registering a device in a cloud, including:
step S201, the configurator acquires the Access Token (Access Token) of the user from the authorization server.
A configurator (Mediator) function is provided in a user APP and used for configuring equipment to be connected with a cloud. The configurator is configured with a cloud access Uniform Resource Locator (URL), and the user has registered a user name and a password, so that the authorization server can authorize the user and return an access token to the configurator. Wherein the user APP may be located on a device acting as a client.
Step S202, the configurator registers in the cloud.
The configurator provides an Access Token for the cloud to register the configurator, and the cloud verifies the Access Token provided by the configurator and allocates a User identification (User ID). The same User uses different configurators and the authorization server provides different Access tokens, but any configurator of the same User is associated with the same User ID.
And S203, connecting the configurator to the equipment to configure the equipment.
The configurator is connected to the devices through a normal device discovery process, and then requests Access Token for the configured devices from the cloud. The configurator uses an Access Token authorized from the cloud, a cloud Access Uniform Resource Identifier (URI) and a cloud Universal Unique Identifier (UUID) to update cloud configuration resources for cloud information configuration on the device, such as: a "oic.r.coapcloudconf" resource. The Access Token provided by the cloud is used when the device initially registers to the cloud.
Step S204, the device establishes a Transport Layer Security (TLS) connection with the cloud.
After the configurator configures configuration resources of the devices, the devices establish TLS connections using preset digital certificates and the cloud. The preset digital certificate includes: a manufacturer certificate of the device, a trust anchor certificate (trust anchor certificate).
Step S205, the device is registered in the cloud.
When the device needs to register in the cloud, an UPDATE (UPDATE) operation request needs to be sent to account resources on the cloud, and the resource UPDATE request includes Access Token and User ID configured in cloud configuration resources. The cloud maintains a unique instance of account resources for each device. The account resource can be "/oic/sec/account" resource.
Steps S206 to S207: the cloud verifies the Access Token provided by the device.
The cloud sends the User ID and the Access Token provided by the device to the authorization server. When the authorization server has verified the update operation request successfully, the cloud returns an update operation response, which may provide the device with an updated Access Token and its validity period. The cloud also records the User ID with which the device now has a binding relationship.
It should be noted that, when the authorization server is integrated in the cloud, step S201 is completed between the cloud and the configurator, and step S207 is not required.
Before data can be transmitted between the device and the cloud, the device must log in to the cloud by sending an UPDATE operation request to the session resource of the cloud. After the cloud has verified the update operation request, the TLS connection between the device and the cloud is in place and data exchange can begin. The session resource may be the "/oic/sec/session" resource.
The device in FIG. 2 may be a client or a server. If the device acts as a server, after it has established the TLS connection with the cloud it publishes the resources it hosts in the resource directory of the cloud so that clients can access them remotely.
Devices that are not on the same local network communicate with each other through the cloud using the Constrained Application Protocol over the Transmission Control Protocol (CoAP over TCP). The cloud groups the devices belonging to one User ID under that User ID, and all devices registered in the cloud under the same User ID may communicate according to the ACE2 policy with which the device authorizes the cloud. In the embodiment of the present invention, a device under a User ID is said to have a binding relationship with that User ID.
In remote access, however, only devices associated with the same User ID can access one another, and a device can be accessed remotely through the cloud under a single User ID only. In a family with several members this means that only one User ID can control the devices of the household, and the other family members can only log in with that same User ID. If several family members each register their own User ID in the cloud, each can control only the devices managed under his or her own User ID; devices associated with the other members' User IDs cannot be controlled through the cloud. The multi-user scenario is therefore not supported, and remote sharing and local sharing of a device cannot be achieved without breaking the local and remote communication architectures.
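As an added illustration of steps S201 to S207 and of the per-User-ID grouping described above (example code written for this page, not code from the patent or from OPPO), the following Python model runs the registration flow end to end and then shows the limitation the rest of the description addresses: two devices registered under different User IDs cannot reach each other through the cloud. Class and method names, the token format, the coaps+tcp://example.com:443 URI and the two sample users are this example's assumptions; the /oic/sec/account and /oic/sec/session resources and the oic.r.coapcloudconf resource are the ones the description names. TLS and the device certificates of step S204 are not modelled.

```python
import secrets


class AuthorizationServer:
    """Authorizes the user (step S201) and verifies Access Tokens for the cloud (steps S206, S207)."""
    def __init__(self, users):
        self._users = users    # user name -> password (constructed sample accounts)
        self._tokens = {}      # Access Token -> user name

    def issue_token(self, name, password):
        if self._users.get(name) != password:
            raise PermissionError("unknown user or wrong password")
        return self.new_token(name)

    def new_token(self, name):
        token = secrets.token_hex(16)
        self._tokens[token] = name
        return token

    def verify(self, token):
        if token not in self._tokens:
            raise PermissionError("invalid Access Token")
        return self._tokens[token]


class Cloud:
    """Cloud interface plus resource directory: one /oic/sec/account per device, grouped
    by User ID; remote CRUDN routing is allowed inside one User ID only."""
    def __init__(self, auth):
        self._auth = auth
        self._user_ids = {}   # user name -> User ID, shared by all of that user's configurators
        self._accounts = {}   # device id -> User ID it has a binding relationship with
        self._sessions = {}   # device id -> hosted resources, after the /oic/sec/session update
        self.uuid = "cloud-" + secrets.token_hex(4)

    def register_configurator(self, token):                 # step S202
        user = self._auth.verify(token)
        return self._user_ids.setdefault(user, "uid-" + secrets.token_hex(4))

    def token_for_device(self, configurator_token):         # step S203
        return self._auth.new_token(self._auth.verify(configurator_token))

    def update_account(self, device_id, token, user_id):    # steps S205 to S207
        user = self._auth.verify(token)
        if self._user_ids.get(user) != user_id:
            raise PermissionError("User ID does not belong to the token owner")
        self._accounts[device_id] = user_id
        return self._auth.new_token(user)                   # updated Access Token in the response

    def update_session(self, device_id, token, resources):  # login before any data exchange
        if self._accounts.get(device_id) != self._user_ids.get(self._auth.verify(token)):
            raise PermissionError("device is not registered under this User ID")
        self._sessions[device_id] = resources

    def forward(self, client_id, server_id, href):
        """RETRIEVE routed client -> cloud -> server -> cloud -> client, same User ID only."""
        if client_id not in self._sessions or server_id not in self._sessions:
            raise PermissionError("both devices must be logged in")
        if self._accounts[client_id] != self._accounts[server_id]:
            raise PermissionError("devices are not bound to the same User ID")
        return self._sessions[server_id][href]


class Mediator:
    """The configurator in the user APP: steps S201 to S203."""
    def __init__(self, auth, cloud, name, password):
        self.cloud = cloud
        self.token = auth.issue_token(name, password)
        self.user_id = cloud.register_configurator(self.token)

    def configure(self):
        """Contents written into the device's oic.r.coapcloudconf resource."""
        return {"token": self.cloud.token_for_device(self.token),
                "uri": "coaps+tcp://example.com:443",        # assumed cloud access URI
                "uuid": self.cloud.uuid, "user_id": self.user_id}


def register_device(cloud, device_id, conf, resources=None):   # steps S204 to S207, then login
    if conf["uuid"] != cloud.uuid:
        raise PermissionError("cloud configuration does not match this cloud")
    conf["token"] = cloud.update_account(device_id, conf["token"], conf["user_id"])
    cloud.update_session(device_id, conf["token"], resources or {})


def demo():
    """Constructed scenario: Alice's phone reaches her lamp via the cloud; Bob's phone is refused."""
    auth = AuthorizationServer({"alice": "pw-a", "bob": "pw-b"})
    cloud = Cloud(auth)
    alice, bob = Mediator(auth, cloud, "alice", "pw-a"), Mediator(auth, cloud, "bob", "pw-b")
    register_device(cloud, "phone-a", alice.configure())
    register_device(cloud, "lamp", alice.configure(), {"/light": "off"})
    register_device(cloud, "phone-b", bob.configure())
    same_user = cloud.forward("phone-a", "lamp", "/light")
    try:
        cloud.forward("phone-b", "lamp", "/light")
        other_user = "allowed"
    except PermissionError:
        other_user = "denied"
    return same_user, other_user
```

demo() returns ("off", "denied"): the lamp answers Alice's phone, and Bob's phone is stopped at the cloud because its account is bound to a different User ID. Every check on the cloud side goes back to the authorization server's view of the token, so a forged token or a User ID that does not belong to the token owner is rejected at the account update, before any binding is recorded.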
Based on the above problem, the present invention provides an access control method, and the access control method according to the embodiment of the present invention may be applied to the internet of things system 300 shown in fig. 3, including: a first access device 301, a second access device 302, a target device 303, and a server 304; the first access device 301 and the second access device are clients, the target device is a server, and the server 304 is a cloud. The client accesses the resources of the server based on the cloud.
The first access device 301 logs in the server 304 with a first user identification and the second access device 302 logs in the server 304 with a second user identification. The first user identifier is not associated with the target device, and the second user identifier is associated with the target device, that is, the first access device and the target device are not devices under the same user identifier, and the second access device and the target device are devices under the same user identifier.
The client, the server and the cloud in the internet of things system 300 may communicate based on various communication systems, for example: a Global System for Mobile communications (GSM) System, a Code Division Multiple Access (CDMA) System, a Wideband Code Division Multiple Access (WCDMA) System, a General Packet Radio Service (GPRS), a Long Term Evolution (Long Term Evolution, LTE) System, an LTE Frequency Division Duplex (FDD) System, an LTE Time Division Duplex (TDD), a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication System, or a 5G System.
The first access device 301 and the second access device 302 may be terminal devices, which may refer to access terminals, User Equipment (UE), subscriber units, subscriber stations, mobile stations, remote terminals, mobile devices, User terminals, wireless communication devices, User agents, or User Equipment. An access terminal may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device having Wireless communication capabilities, a computing device or other processing device connected to a Wireless modem, a vehicle mounted device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved PLMN, etc.
The target device 303 may be a sensor, a laser scanning system, an intelligent home appliance, and other internet of things devices.
Fig. 3 exemplarily shows one server and two clients, and optionally, the internet of things system 300 may include a plurality of servers and clients having a binding relationship with the server or clients not having a binding relationship with the server, which is not limited in this embodiment of the present invention.
As shown in fig. 4A, an optional processing flow of the access control method provided in the embodiment of the present invention includes the following steps:
step S401, the server establishes a sharing record among a first device identifier of the first access device, a second device identifier of the second access device, and a target device identifier of a target device associated with the second access device.
The server receives a first device identifier and a second device identifier sent by either the first access device or the second access device, establishes a correspondence between those two identifiers and the target device identifier of each target device associated with the same user identifier as the second access device, and calls the established correspondence a sharing record. The sharing record is used to share the access right of the target device with the first access device, that is, it records that the access right of at least one target device associated with the second access device has been shared with a first access device that is not associated with that target device.
Here, the first access device and the target device are not associated with the same user identity, i.e. the first access device is not associated with the target device, and the second access device and the target device are associated with the same user identity, i.e. the second access device is associated with the target device.
And under the condition that the server receives the first equipment identifier and the second equipment identifier sent by the first access equipment, the first access equipment initiates equipment sharing registration to the server.
And under the condition that the server receives the first equipment identifier and the second equipment identifier sent by the second access equipment, the second access equipment initiates equipment sharing registration to the server.
In the embodiment of the invention, a server receives a registration request sent by first access equipment or second access equipment; the registration request carries the first device identifier and the second device identifier.
Optionally, the registration request does not carry the target device identifier of the target device, at this time, the server searches all target devices associated with the second access device according to the second device identifier and/or a second user identifier corresponding to the second device identifier, and establishes a sharing record based on the target device identifiers of all the target devices and the first device identifier and the second device identifier. The sharing record can be established corresponding to all the target device identifiers, and the corresponding sharing records can also be respectively established based on different target device identifiers.
Optionally, the registration request further carries: the target device identification. At this time, the server establishes a sharing record among the first device identifier, the second device identifier and the target device identifier carried in the registration request. The server may establish a sharing record corresponding to all target device identifiers carried in the registration request, or may respectively establish corresponding sharing records based on different target device identifiers.
In the embodiment of the invention, the server stores sharing records in a separate resource. Optionally, the resource storing the sharing records is referred to as a device sharing (devicechar) resource.
And after establishing a new sharing record, the server adds the established sharing record to the equipment sharing resource.
In the embodiment of the present invention, the registration request further carries one of the following information:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
The sharing restriction condition restricts the access right of the first access device to the target device. It may be One-Time-Only, which permits access once only; Always, which permits permanent access; a sharing time period, which permits access for a bounded period of time; or another condition. Different sharing restrictions may be represented by different sharing identifications.
Step S402, the server performs transmission of a local sharing credential between the first access device and the second access device.
The local sharing credential is used for establishing a local connection between the first access device and the target device, so that once the first access device has joined the local network it can establish a local connection with the target device over that network and access the target device through the established connection.
In step S402 the local sharing credential is transmitted among the first access device, the second access device and the server. Optionally, the server sends the local sharing credential to the first access device and to the second access device. Optionally, the server receives the local sharing credential from the first access device and forwards it to the second access device. Optionally, the server receives the local sharing credential from the second access device and forwards it to the first access device.
The local sharing credential may be generated by the server, the first access device, or the second access device.
Optionally, when the local sharing credential is generated by the server, the server sends the generated local sharing credential to the first access device and the second access device, respectively, so that the second access device configures the local sharing credential to the target device. Therefore, the first access device and the target device have the same local sharing certificate, and local access is realized.
Optionally, when the local sharing credential is generated by the first access device, the first access device sends the generated local sharing credential to the server, and the server sends the received local sharing credential to the second access device, so that the second access device configures the local sharing credential to the target device. Therefore, the first access device and the target device have the same local sharing certificate, and local access is realized.
Optionally, when the local sharing credential is generated by the second access device, the second access device sends the generated local sharing credential to the server, and the server sends the received local sharing credential to the first access device, and the second access device configures the generated local sharing credential to the target device. Therefore, the first access device and the target device have the same local sharing certificate, and local access is realized.
Optionally, when the local sharing credential is generated by the second access device, the second access device configures the generated local sharing credential to the target device, the target device sends the generated local sharing credential to the server, and the server sends the received local sharing credential to the first access device. Therefore, the first access device and the target device have the same local sharing certificate, and local access is realized.
In the embodiment of the present invention, the transmission of the local sharing credential and the establishment process of the sharing record may be performed interactively, or the establishment of the sharing record may be performed first and then the transmission of the local sharing credential may be performed.
Taking as an example the case where the first access device initiates registration of device sharing with the server, that is, the server receives the first device identifier and the second device identifier sent by the first access device, the process by which the server establishes the sharing record may be as shown in fig. 4B, and includes:
in step S4011a, the first access device obtains a second device identifier of the second access device.
The first access device may obtain the second device identifier of the second access device in an out-of-band manner, such as device discovery, identifier scanning, and the like. Optionally, the scanned identification comprises a two-dimensional code. The embodiment of the invention does not limit the manner in which the first access device acquires the second device identifier.
Step S4012a, the first access device sends the first device identifier and the second device identifier of the first access device to a server.
The first device identifier and the second device identifier are used for the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used for sharing the access right of the target device to the first access device.
Optionally, the first access device generates a registration request according to the first device identifier and the second device identifier; correspondingly, step S4012a includes: the first access device sends the registration request to the server.
Here, the first access device transmits the first device identification and the second device identification to the server by transmitting a registration request to the server. Optionally, the registration request does not carry the target device identifier. Optionally, the registration request carries the target device identifier.
When the registration request carries the target device identifier, the first access device may obtain the target device identifier of the target device based on out-of-band methods such as device discovery and identifier scanning. Optionally, the scanned identification comprises a two-dimensional code.
In the embodiment of the present invention, the registration request further carries one of the following information:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
Optionally, after the server receives the registration request sent by the first access device and establishes the sharing record according to the information carried in the registration request, as shown in fig. 4B, step S4013a and step S4014a are executed:
step S4013a, the server sends a first confirmation request to the second access device.
Step S4014a, the server receives a first response returned by the second access device in response to the first confirmation request, and sets the sharing record to an active state.
Before step S4013a is executed, the sharing record established by the server is in an inactive state in which it is not available, and after the server receives the first response from the second access device, the established sharing record is set to an active state in which it is available. At this point, the sharing record may be used to control access to the target device by the first access device.
In the embodiment of the invention, after receiving the first confirmation request sent by the server, the second access device confirms whether the access right of the target device is authorized to be shared with the first access device, and when the access right is authorized, returns the first response to the server. Optionally, the first confirmation request may carry the first device identifier and the target device identifier; after receiving the first device identifier and the target device identifier carried in the first confirmation request, the second access device sets the same sharing record in the second access device, and by establishing the same sharing record the second access device indicates that it approves sharing the access right of the target device with the first access device, and responds to the server with the first response.
In the embodiment of the present invention, after the server determines that the approval of the second access device is obtained based on step S4014a, as shown in fig. 4B, step S4015a-1 may be executed:
step S4015a-1, the server sends a first sharing completion notification to the first access device.
The first sharing completion notification is used to instruct the first access device to set the sharing record locally on the first access device.
At this time, the first access device performs step S4015a-1 and step S4015a-2:
Step S4015a-1, the first access device receives the first sharing completion notification sent by the server.
Step S4015a-2, the first access device sets the sharing record based on the trigger of the first sharing completion notification.
Here, the first sharing completion notification is used to notify the first access device that the server has shared the access right of the target device with the first access device. The first access device may synchronize with the server to establish the sharing record locally.
Optionally, the first sharing completion notification carries the sharing record. Optionally, the first sharing completion notification does not carry the sharing record.
In this embodiment of the present invention, after the server determines that the approval of the second access device is obtained based on step S4014a, as shown in fig. 4B, step S4016a may be executed: the server sends a second sharing completion notification to the target device. The second sharing completion notification is used for indicating the target device to set the sharing record locally on the target device.
At this time, the target device receives a second sharing completion notification sent by the server, and sets the sharing record based on the trigger of the second sharing completion notification.
Here, the second sharing completion notification is used to notify the target device that the server has shared the access right of the target device with the first access device. The target device may synchronize with the server to establish the sharing record locally.
Optionally, the second sharing completion notification carries the sharing record. Optionally, the second sharing completion notification does not carry the sharing record.
Taking as an example the case where the second access device initiates registration of device sharing with the server, that is, the server receives the first device identifier and the second device identifier sent by the second access device, the process by which the server establishes the sharing record may be as shown in fig. 4C, and includes:
in step S4011b, the second access device obtains the first device identifier of the first access device.
The second access device may obtain the first device identifier of the first access device in an out-of-band manner, such as device discovery, identifier scanning, and the like. Optionally, the scanned identification comprises a two-dimensional code. The embodiment of the invention does not limit the manner in which the second access device acquires the first device identifier.
Step S4012b, the second access device sends the first device identifier and the second device identifier of the second access device to a server.
The first device identifier and the second device identifier are used for the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used for sharing the access right of the target device to the first access device.
Optionally, the second access device generates a registration request according to the first device identifier and the second device identifier; correspondingly, step S4012b includes: the second access device sends the registration request to the server.
Here, the second access device transmits the first device identification and the second device identification to the server by transmitting a registration request to the server. Optionally, the registration request does not carry the target device identifier. Optionally, the registration request carries the target device identifier.
In the embodiment of the present invention, the registration request further carries one of the following information:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
Optionally, after the server receives the registration request sent by the second access device and establishes the sharing record according to the information carried in the registration request, as shown in fig. 4C, step S4013b and step S4014b are executed:
step S4013b, the server sends a second confirmation request and a third confirmation request to the first access device and the target device, respectively.
Wherein, step S4013b includes:
step S4013b-1, the server sends a second confirmation request to the first access device.
Step S4013b-2, the server sends a third confirmation request to the target device.
Step S4014b, the server receives a second response of the first access device in response to the second confirmation request, and receives a third response of the target device in response to the third confirmation request, and sets the sharing record to an active state.
Wherein, step S4014b includes:
step S4014b-1, the server receives a second response of the first access device in response to the second confirmation request.
Step S4014b-2, the server receives a third response of the target device in response to the third confirmation request.
Step S4014b-3, the server sets the sharing record to an activated state.
Before step S4013b is executed, the sharing record established by the server is in an inactive state in which it is not available, and after the server receives the second response from the first access device and the third response from the target device, the established sharing record is set to an active state in which it is available. At this point, the sharing record may be used to control access to the target device by the first access device.
In the embodiment of the invention, after receiving the second confirmation request sent by the server, the first access device confirms whether the access right of the target device is authorized to be shared with the first access device, and when the access right is authorized, returns the second response to the server. Optionally, the second confirmation request may carry the second device identifier and the target device identifier; after receiving the second device identifier and the target device identifier carried in the second confirmation request, the first access device sets the same sharing record in the first access device, and by establishing the same sharing record the first access device indicates that it approves sharing the access right of the target device with the first access device, and responds to the server with the second response.
In the embodiment of the invention, after receiving the third confirmation request sent by the server, the target device confirms whether the access right of the target device is authorized to be shared with the first access device, and when the access right is authorized, the target device returns the third response to the server. Optionally, the third confirmation request may carry the first device identifier and the second device identifier; after receiving the first device identifier and the second device identifier carried in the third confirmation request, the target device sets the same sharing record in the target device, and by establishing the same sharing record the target device indicates that it approves sharing the access right of the target device with the first access device, and responds to the server with the third response.
In the embodiment of the present invention, after the server determines that the approval of the first access device and the target device is obtained based on step S4014b, as shown in fig. 4C, step S4015b-1 may be performed:
Step S4015b-1, the server sends a third sharing completion notification to the second access device.
The third sharing completion notification is used to instruct the second access device to set the sharing record locally on the second access device.
At this time, the second access device performs step S4015b-1 and step S4015b-2:
Step S4015b-1, the second access device receives the third sharing completion notification sent by the server.
Step S4015b-2, the second access device sets the sharing record based on the trigger of the third sharing completion notification.
Here, the third sharing completion notification is used to notify the second access device that the server has shared the access right of the target device with the first access device. The second access device may synchronize with the server to establish the sharing record locally.
Optionally, the third sharing completion notification carries the sharing record. Optionally, the third sharing completion notification does not carry the sharing record.
In the embodiment of the present invention, in the case that the local sharing credential is generated by the server, step S402 may complete transmission between the first access device and the second access device through information interaction in fig. 4B or fig. 4C.
Taking the example that the local sharing credential is generated by the server and the first access device initiates device sharing registration to the server, step S402, the server performs transmission of the local sharing credential between the first access device and the second access device, including: the server sends the local sharing certificate to the second access device through a first confirmation request carrying the local sharing certificate; and the server sends the local sharing certificate to the first access device through the first sharing completion notification carrying the local sharing certificate.
Here, the local sharing credentials transmitted to the second access device and the first access device are carried in the first confirmation request in step S4013a and the first sharing completion notification in step S4015a-1 shown in fig. 4B, respectively.
At this time, the transmission of the local sharing credential between the first access device and the server includes: the first access device receives the local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, wherein the local sharing credential is generated by the server. The second access device receives the local sharing credential sent by the server through the first confirmation request.
Taking the example that the local sharing credential is generated by the server and the second access device initiates registration of device sharing to the server, step S402, the server performs transmission of the local sharing credential between the first access device and the second access device, including: the server sends the local sharing certificate to the first access device through a second confirmation request carrying the local sharing certificate; and the server sends the local sharing certificate to the second access device through a third sharing completion notification carrying the local sharing certificate.
Here, the second confirmation request in step S4013b-1 and the third sharing completion notification in step S4015b-1 shown in fig. 4C carry the local sharing credentials transmitted to the first access device and the second access device, respectively.
At this time, the transmission of the local sharing credential between the second access device and the server includes: the second access device receives the local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, wherein the local sharing credential is generated by the server. The first access device receives the local sharing credential sent by the server through the second confirmation request.
Taking as an example the case where the local sharing credential is generated by the first access device, the transmission of the local sharing credential between the first access device and the server includes: the first access device generates the local sharing credential; the first access device sends the local sharing credential to the server, so that the server sends the local sharing credential to the second access device. At this time, the server's transmission of the local sharing credential between the first access device and the second access device includes: the server receives the local sharing credential sent by the first access device; and the server sends the local sharing credential to the second access device. The transmission of the local sharing credential between the second access device and the server includes: the second access device receives, from the server, the local sharing credential generated by the first access device.
Taking as an example the case where the local sharing credential is generated by the second access device, the transmission of the local sharing credential between the second access device and the server includes: the second access device generates the local sharing credential; the second access device delivers the local sharing credential to the server, so that the server sends the local sharing credential to the first access device.
Optionally, the second access device directly sends the local sharing credential to the server. Optionally, the second access device configures the local sharing credential to the target device, and the target device sends the local sharing credential to the server.
When the second access device configures the local sharing credential to the target device and the target device sends the local sharing credential to the server, the server's transmission of the local sharing credential between the first access device and the second access device includes: the server receives the local sharing credential sent by the target device; and the server sends the local sharing credential to the first access device. At this time, the transmission of the local sharing credential between the first access device and the server includes: the first access device receives, from the server, the local sharing credential generated by the second access device.
In the embodiment of the present invention, when the local sharing credential received by the server is sent by the first access device, the local sharing credential is generated by the first access device; or the local sharing credential received by the server is generated by the second access device under the condition that the local sharing credential is sent by the target device.
In the embodiment of the present invention, the first access device configures, according to the local sharing credential, an access policy for the first access device to access the target device. And the second access device configures an access policy for the second access device to access the target device according to the local sharing certificate.
In the embodiment of the present invention, the first access device generates an access request based on the target device identifier and sends the access request to the server; the server receives the access request sent by the first access device for accessing the target device, and under the condition that the sharing record exists, the server forwards the access request to the target device.
The first access device may initiate an access request for accessing the target device based on the target device identifier and send the access request to the server under the condition that the first access device and the target device are not in one local network, and the server sends the access request to the target device under the condition that it is determined that the access right of the target device is shared to the first access device based on the sharing record.
Under the condition that the first access device and the target device are in a local network, the first access device can establish local connection with the target device based on the local sharing certificate to access the target device.
The present invention will be described in detail with reference to specific examples. The target device is Device A; OBT A is a client which has an association relation with Device A, namely the second access device, and Device A and OBT A have the same User ID: User ID A; OBT B is a client which has no association with Device A, namely the first access device, and OBT B has User ID: User ID B.
Example one
In example one, OBT A is used as the initiator of the registration of device sharing and the generator of the local sharing credential.
Step S501, OBT A acquires the device information of OBT B.
The device information of OBT B may include: a device identification and/or a user identification. Step S501 may be performed in an out-of-band manner, for example, OBT A scans a two-dimensional code generated by OBT B.
The embodiment of the invention does not limit the manner in which OBT A acquires the device information of OBT B.
Step S502, OBT A initiates a registration request to the cloud.
The information sent by OBT A to the cloud, namely the cloud platform, through the registration request comprises: User ID A (optional), Device ID of OBT A, Device ID of Device A, User ID B (optional), Device ID of OBT B, etc.
The registration request may also carry sharing restrictions: Only One Time (allow once), Always (always allowed), etc. The sharing constraint may also be a temporal constraint, for example from 8:00 to 10:00, as well as more complex constraints.
The cloud platform generates a sharing record based on the information sent by the registration request, and it needs to be noted that the sharing record is still available if not activated.
In the implementation process, a device sharing (devicechar) resource can be set; the devicechar resource can be stored in the cloud and on the device side at the same time, and its purpose is to store the sharing record. Only the associated User ID (for example, User ID A or User ID B) can access the sharing record saved in the cloud.
After receiving an access request, the cloud platform checks the devicechar resource, and if the access target specified by the message is a device having a sharing relationship based on the sharing record, the cloud platform shall forward the access request.
The content of the sharing record can be as shown in table 1.
[Table 1, content of the sharing record, is an image on the original page and is not reproduced here.]
TABLE 1
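As an added illustration (not the patent's own code), here is a Python model of the server-side sharing record handling described in the method above and in this example: a registration request creates an inactive record, the confirmation flow of fig. 4B or fig. 4C activates it, an access request is forwarded only while the record is active and its sharing restriction allows it, and only the associated User IDs can read the cloud copy. The class and field names and the "once"/"always"/"window" encoding of the sharing restriction are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class SharingRecord:
    """One entry of the device sharing resource (constructed model)."""
    first_device_id: str                  # first access device: the device that gains access
    second_device_id: str                 # second access device: associated with the target
    target_device_id: str                 # the target device whose access right is shared
    restriction: str                      # "once", "always" or "window" (assumed encoding)
    window: Optional[tuple[time, time]] = None   # used only when restriction == "window"
    first_user_id: Optional[str] = None
    second_user_id: Optional[str] = None
    active: bool = False                  # the page's activation flag: inactive until confirmed
    consumed: bool = False                # set after a "once" record has been used


class SharingServer:
    """Server-side bookkeeping for sharing records (constructed model)."""

    def __init__(self) -> None:
        self.records: dict[int, SharingRecord] = {}   # the device sharing resource
        self.pending: dict[int, set[str]] = {}        # record id -> parties still to confirm
        self._next_id = 1

    def register(self, initiator: str, first_id: str, second_id: str, target_id: str,
                 restriction: str, window: Optional[tuple[time, time]] = None,
                 first_user_id: Optional[str] = None,
                 second_user_id: Optional[str] = None) -> int:
        """Handle a registration request; the new record starts inactive."""
        if restriction not in ("once", "always", "window"):
            raise ValueError(f"unknown sharing restriction: {restriction}")
        if restriction == "window" and window is None:
            raise ValueError("a time-window restriction needs a (start, end) window")
        # Who must confirm depends on who registered (fig. 4B vs fig. 4C):
        # first access device registers  -> the second access device confirms;
        # second access device registers -> the first access device and the target confirm.
        if initiator == first_id:
            required = {second_id}
        elif initiator == second_id:
            required = {first_id, target_id}
        else:
            raise PermissionError("only the first or second access device may register sharing")
        rid = self._next_id
        self._next_id += 1
        self.records[rid] = SharingRecord(first_id, second_id, target_id, restriction,
                                          window, first_user_id, second_user_id)
        self.pending[rid] = required
        return rid

    def confirm(self, rid: int, responder: str) -> bool:
        """Record a confirmation response; return True once the record becomes active."""
        required = self.pending.get(rid)
        if required is None or responder not in required:
            raise PermissionError(f"{responder} is not a party awaiting confirmation")
        required.discard(responder)
        if not required:
            self.records[rid].active = True   # all required approvals obtained
            del self.pending[rid]
        return self.records[rid].active

    def should_forward(self, requester_id: str, target_id: str, now: datetime) -> bool:
        """Decide whether an access request from requester_id to target_id is forwarded."""
        for rec in self.records.values():
            if rec.first_device_id != requester_id or rec.target_device_id != target_id:
                continue
            if not rec.active:
                continue            # an inactive record grants nothing
            if rec.restriction == "always":
                return True
            if rec.restriction == "once" and not rec.consumed:
                rec.consumed = True  # a one-time share is spent by this access
                return True
            if rec.restriction == "window":
                start, end = rec.window
                if start <= now.time() <= end:
                    return True
        return False

    def records_visible_to(self, user_id: str) -> list[SharingRecord]:
        """Only the User IDs associated with a record may read it from the cloud copy."""
        return [r for r in self.records.values()
                if user_id in (r.first_user_id, r.second_user_id)]
```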
Step S503-step S504, the cloud confirms the approval of the Device A and the OBT B.
Step S503 includes: step S503-1 and step S503-2.
In step S503-1, the cloud sends a confirmation request to Device A to confirm whether the registration request is approved by Device A.
The confirmation is made by adding the same contents as in step S502 to the devicechar resource held on Device A.
In step S503-2, Device A sends a sharing confirmation to the cloud.
When Device A approves the registration request, a sharing confirmation, namely a third response, corresponding to the confirmation request is sent to the cloud platform.
In step S504-1, the cloud sends a confirmation request to the OBT B to confirm whether the registration request is approved by the OBT B.
The confirmation is made by adding the same contents as in step S502 to the devicechar resource held on the OBT B.
In step S504-2, the OBT B sends a sharing confirmation to the cloud.
When OBT B approves the registration request, a sharing confirmation, namely a third response, corresponding to the confirmation request is sent to the cloud platform.
The way of confirmation is to add the same contents as in step S502 to the devicechar resource saved on Device A.
In step S505, the cloud end changes the sharing attributes of the stored sharing records to true.
After the cloud platform obtains the approval of Device A and OBT B, it changes the sharelable of the saved sharing record to true to activate the sharing record.
Optionally, after step S505, the cloud respectively sends a request to modify the sharelable of the sharing records stored in Device A and OBT B to true.
In step S506, the cloud sends a sharing completion notification to OBT A.
After receiving the request, OBT A may also modify the sharelable attribute of the corresponding sharing record stored by OBT A to true. So far, OBT B has established a connection with Device A at the application layer, and OBT B can remotely access Device A.
In practical applications, after step S505, the cloud platform may update the sharing record to the devicechar resource stored on OBT A, that is, the same sharing record is stored on all the devices.
In step S507, OBT A generates a local sharing credential.
OBT A initiates the local sharing process after receiving the sharing completion notification sent by the cloud platform, and generates a local sharing credential. Two devices holding the local sharing credential may establish a connection.
The local sharing credential may include: a PIN code, a shared key, a certificate, and the like.
Step S508, OBT A configures the access policy of Device A.
OBT A configures the access policy of Device A using the local sharing credential generated in step S506.
Taking the local sharing credential being a shared key as an example, the shared key is stored as an access policy of Device A, and the credential is used for mutual confirmation by both parties when the connection is subsequently established.
Wherein, step S508 includes: step S508-1 and step S508-2.
In step S508-1, OBT A configures the generated local sharing credential to Device A.
Step S508-2, Device A sends a configuration complete message to OBT A.
In step S509, OBT A shares the local sharing credential with OBT B through the cloud.
After completing the configuration of the access policy of Device A, OBT A may share the local sharing credential with OBT B through the cloud platform.
It should be noted that only Device A and OBT B hold the local sharing credential, so that the credential can only be used between these two devices.
Wherein, step S509 includes: step S509-1, step S509-2, step S509-3, step S509-4 and step S509-5.
In step S509-1, Device A notifies the cloud to update Device A's local sharing credential.
In step S509-2, the cloud notifies OBT B to update the local sharing credential of Device A.
Step S509-3, OBT B completes self-configuration according to the local sharing credential of Device A.
In step S509-4, OBT B sends a self-configuration completion message to the cloud.
In step S509-5, the cloud forwards the self-configuration completion message sent by OBT B to Device A.
At this point, both Device A and OBT B hold the local sharing credential, and Device A and OBT B can establish a connection locally.
Example two
In example two, the OBT B is used as the initiator of the device sharing registration and the generator of the local sharing credential.
Step S601, OBT B acquires the device information of OBT A.
The device information of OBT A may include: a device identification and/or a user identification. Step S601 may be performed in an out-of-band manner, for example, OBT B scans a two-dimensional code generated by OBT A.
The embodiment of the invention does not limit the manner in which OBT B acquires the device information of OBT A.
Step S602, OBT B initiates a registration request to the cloud.
The information sent by OBT B to the cloud platform through the registration request comprises: User ID A (optional), Device ID of OBT A, Device ID of Device A, User ID B (optional), Device ID of OBT B, etc.
The registration request may also carry sharing restrictions: Only One Time (allow once), Always (always allowed), etc. The sharing constraint may also be a temporal constraint, for example from 8:00 to 10:00, as well as more complex constraints.
The cloud platform generates a sharing record based on the information sent in the registration request, and the sharing restriction in the sharing record can be modified by the OBT. It should be noted that, at this time, the sharing record is not activated yet and is not available.
In the implementation process, a device sharing (devicechar) resource can be set; the devicechar resource can be stored in the cloud and on the device side at the same time, and its purpose is to store the sharing record. Only the associated User ID (for example, User ID A or User ID B) can access the sharing record saved in the cloud.
After receiving an access request, the cloud platform checks the devicechar resource, and if the access target specified by the message is a device having a sharing relationship based on the sharing record, the cloud platform shall forward the access request.
In step S603, the cloud confirms the approval of OBT A.
Step S603 includes step S603-1 and step S603-2.
Step S603-1, the cloud sends a confirmation request to OBT A to confirm whether the registration request is approved by OBT A.
The confirmation is made by adding the same contents as those in step S602 to the devicechar resource stored in OBT A.
In step S603-2, OBT A sends a sharing confirmation to the cloud.
When OBT A approves the registration request, it sends a sharing confirmation corresponding to the confirmation request, that is, a first response, to the cloud platform.
In step S604, the shareable attribute of the sharing record stored in the cloud is set to true.
After the cloud platform obtains the approval of OBT A, it changes the shareable attribute of the saved sharing record to true to activate the sharing record.
In step S605, the cloud sends a sharing notification to Device A.
The cloud platform sends a sharing notification to Device A, and Device A saves the sharing record and changes its shareable attribute to true.
In step S606, the cloud sends a sharing completion notification to OBT B.
The cloud platform sends a sharing completion notification for the registration request of step S602 to OBT B. After receiving the sharing completion notification, OBT B may also change the shareable attribute of the corresponding sharing record stored in OBT B to true.
At this point, OBT B has established a connection with Device A at the application layer, and OBT B can remotely access Device A.
In step S607, OBT B generates a local sharing credential.
After receiving the sharing completion notification sent by the cloud platform, OBT B initiates a local sharing process to generate a local sharing credential. Two devices that hold the local sharing credential may establish a local connection.
The local sharing credential may include a PIN code, a shared key, a certificate, and the like.
Step S608, OBT B completes self-configuration according to the local sharing credential of Device A.
In step S609, OBT B notifies the cloud to update the local sharing credential of Device A.
In step S610, the cloud notifies OBT A to update the local sharing credential of Device A.
In step S611, OBT A configures the access policy of Device A.
OBT A configures the access policy of Device A using the local sharing credential received in step S610.
Step S611 includes step S611-1 and step S611-2.
In step S611-1, OBT A configures the received local sharing credential on Device A.
In step S611-2, Device A sends a configuration complete message to OBT A.
Step S612, OBT A sends a self-configuration completion message to the cloud.
Step S613, the cloud forwards the self-configuration completion message to OBT B.
At this point, both Device A and OBT B hold the local sharing credential, and Device A and OBT B can establish a connection locally.
Example three
In example three, the cloud is the generator of the local sharing credential.
Step S701, OBT A acquires the device information of OBT B.
Step S702, OBT A initiates a registration request to the cloud.
Steps S703 to S704, the cloud confirms the approval of Device A and OBT B.
Step S703 includes step S703-1 and step S703-2.
In step S703-1, the cloud sends a confirmation request to Device A to confirm whether the registration request is approved by Device A.
In step S703-2, Device A sends a sharing confirmation to the cloud.
Step S704-1, the cloud sends a confirmation request to OBT B to confirm whether the registration request is approved by OBT B.
The cloud platform can carry the local sharing credential in the confirmation request sent to OBT B.
In step S704-2, OBT B sends a sharing confirmation to the cloud.
In step S705, the shareable attribute of the sharing record stored in the cloud is set to true.
Step S706, the cloud sends a sharing completion notification to OBT A.
After receiving the sharing completion notification, OBT A may also change the shareable attribute of the corresponding sharing record stored by OBT A to true. At the same time, the cloud platform carries the local sharing credential in the sharing completion notification sent to OBT A.
At this point, OBT B has established a connection with Device A at the application layer, and OBT B can remotely access Device A.
Step S707, OBT B completes self-configuration according to the received local sharing credential.
In step S708-1, OBT A configures the received local sharing credential on Device A.
In step S708-2, Device A sends a configuration complete message to OBT A.
At this point, both Device A and OBT B hold the local sharing credential, and Device A and OBT B can establish a connection locally.
It should be noted that, in the embodiments of the present invention, the steps drawn with dotted lines in fig. 5 to 8 are optional.
In practical applications, the remote sharing and the local sharing of example one and example two can be combined with each other. In the above examples, the registration request may carry only the identifier of OBT A without the identifier of Device A, which means that all devices associated with OBT A may be shared with OBT B. This can also be extended to sharing multiple devices at once.
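The registration, approval, activation and credential hand-off of examples one to three, as an added example that is not part of the patent: a Python model of the cloud platform's sharing record (the devicechar resource), its shareable attribute, the sharing restriction check applied before an access request is forwarded, and the user-ID check on reading the record. SharingServer, its method names and the message names are assumptions; the step numbers in the comments are the page's.

```python
# Added example, not code from the patent: a small model of the cloud platform's
# sharing record (the devicechar resource) and the local sharing credential hand-off.
import secrets
from dataclasses import dataclass

ONLY_ONE_TIME = "Only One Time"   # sharing restriction: allow once
ALWAYS = "Always"                 # sharing restriction: always allowed


@dataclass
class SharingRecord:
    first_access: str      # OBT A, the access device being granted access
    second_access: str     # OBT B, the access device that owns the target
    target: str            # Device A
    restriction: tuple     # (ONLY_ONE_TIME,), (ALWAYS,) or ("Window", "08:00", "10:00")
    user_ids: frozenset    # User ID A / User ID B allowed to read the record
    confirmers: frozenset  # parties the cloud asks for approval
    pending: set           # confirmers whose response is still outstanding
    shareable: bool = False
    uses: int = 0          # access requests already forwarded
    credential: str = ""   # local sharing credential known to the cloud


class SharingServer:
    def __init__(self):
        self.records = {}  # devicechar resource stored in the cloud
        self.outbox = []   # (recipient, message, record id, credential) sent by the cloud

    def register(self, initiator, first_access, second_access, target,
                 restriction=(ALWAYS,), user_ids=(), server_generates=False):
        """Step S602/S702: store an inactive record and send confirmation requests."""
        if initiator == first_access:      # OBT A registers: OBT B must approve
            asked = {second_access}
        elif initiator == second_access:   # OBT B registers: OBT A and the target approve
            asked = {first_access, target}
        else:
            raise ValueError("initiator must be one of the two access devices")
        rec_id = f"share-{len(self.records) + 1}"
        rec = SharingRecord(first_access, second_access, target, restriction,
                            frozenset(user_ids), frozenset(asked), set(asked))
        if server_generates:               # example three: the cloud is the generator
            rec.credential = secrets.token_hex(16)
        self.records[rec_id] = rec
        for party in sorted(asked):        # access devices get the credential piggybacked
            cred = rec.credential if party != target else ""
            self.outbox.append((party, "confirmation_request", rec_id, cred))
        return rec_id

    def confirm(self, rec_id, responder, approved):
        """Step S603/S703/S704: record a response; activate once everyone approves."""
        rec = self.records[rec_id]
        if responder not in rec.pending:
            raise PermissionError(f"{responder} was not asked to confirm {rec_id}")
        if not approved:
            del self.records[rec_id]       # rejected: the record never activates
            return False
        rec.pending.discard(responder)
        if rec.pending:
            return False
        rec.shareable = True               # step S604/S705: the record is activated
        for party in (rec.first_access, rec.second_access, rec.target):
            if party not in rec.confirmers:  # completion notification, credential for OBTs
                cred = rec.credential if party != rec.target else ""
                self.outbox.append((party, "sharing_complete", rec_id, cred))
        return True

    def relay_local_credential(self, rec_id, sender, credential):
        """Steps S509 and S609-S610: forward a device-generated credential."""
        rec = self.records[rec_id]
        if not rec.shareable:
            raise PermissionError("sharing record is not activated")
        if sender == rec.first_access:     # generated by OBT A, goes to OBT B
            recipient = rec.second_access
        elif sender == rec.target:         # generated by OBT B and configured on Device A
            recipient = rec.first_access
        else:
            raise PermissionError(f"{sender} may not update the credential of {rec_id}")
        rec.credential = credential
        self.outbox.append((recipient, "update_local_credential", rec_id, credential))
        return recipient

    def read_record(self, rec_id, user_id):
        rec = self.records[rec_id]
        if user_id not in rec.user_ids:    # only associated user IDs may read the cloud copy
            raise PermissionError(f"{user_id} is not associated with {rec_id}")
        return rec

    def forward_access(self, rec_id, requester, target, now_hhmm):
        """Remote access: forward only if an activated record covers the request."""
        rec = self.records.get(rec_id)
        if (rec is None or not rec.shareable or requester != rec.first_access
                or target != rec.target):
            return False
        kind = rec.restriction[0]
        if kind == ONLY_ONE_TIME and rec.uses >= 1:
            return False
        if kind == "Window" and not rec.restriction[1] <= now_hhmm <= rec.restriction[2]:
            return False                   # zero-padded HH:MM strings compare as text
        rec.uses += 1
        return True
```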
In order to implement the above access control method, an embodiment of the present invention further provides a server 800, which is the server 304 in fig. 3; the structure of the server 800 is shown in fig. 8, where the server 800 includes:
an establishing unit 801 configured to establish a sharing record among a first device identifier of a first access device, a second device identifier of a second access device, and a target device identifier of a target device associated with the second access device, where the sharing record is used to share access rights of the target device to the first access device;
a credential transmitting unit 802, configured to transmit a local sharing credential between the first access device and the second access device, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In this embodiment of the present invention, the server 800 further includes:
the receiving unit is configured to receive a registration request sent by the first access device or the second access device; the registration request carries the first device identifier and the second device identifier.
In the embodiment of the present invention, the registration request further carries: the target device identification.
In the embodiment of the present invention, the registration request further carries one of the following information:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
In this embodiment of the present invention, the server 800 further includes:
a first validation unit configured to:
sending a first confirmation request to the second access device under the condition that the registration request is sent by the first access device;
and receiving a first response of the second access device responding to the first confirmation request, and setting the sharing record to be in an activated state.
In this embodiment of the present invention, the server 800 further includes: a first notification unit, configured to send a first sharing completion notification to the first access device, where the first sharing completion notification is used to instruct the first access device to set the sharing record locally on the first access device.
In this embodiment of the present invention, the server 800 further includes:
a second notification unit, configured to send a second sharing completion notification to the target device, where the second sharing completion notification is used to instruct the target device to set the sharing record locally on the target device.
In this embodiment of the present invention, the server 800 further includes: a second validation unit configured to:
under the condition that the registration request is sent by the second access device, sending a second confirmation request and a third confirmation request to the first access device and the target device respectively;
and receiving a second response of the first access device to the second confirmation request, receiving a third response of the target device to the third confirmation request, and setting the sharing record to be in an activated state.
In this embodiment of the present invention, the server 800 further includes:
a third notification unit, configured to send a third sharing completion notification to the second access device, where the third sharing completion notification is used to instruct the second access device to set the sharing record locally on the second access device.
In this embodiment of the present invention, the credential transmitting unit 802 is further configured to:
in the event the server generates the local sharing credential,
sending the local sharing credential to the second access device through a first confirmation request carrying the local sharing credential;
and sending the local sharing credential to the first access device through the first sharing completion notification carrying the local sharing credential.
In this embodiment of the present invention, the credential transmitting unit 802 is further configured to: in the event the server generates the local sharing credential,
sending the local sharing credential to the first access device through a second confirmation request carrying the local sharing credential;
and sending the local sharing credential to the second access device through a third sharing completion notification carrying the local sharing credential.
In this embodiment of the present invention, the credential transmitting unit 802 is further configured to:
receiving a local sharing credential sent by the first access device or the target device;
and sending the local sharing credential to the second access device or the first access device.
In this embodiment of the present invention:
under the condition that the received local sharing credential is sent by the first access device, the local sharing credential is generated by the first access device; or
under the condition that the received local sharing credential is sent by the target device, the local sharing credential is generated by the second access device.
In this embodiment of the present invention, the server 800 further includes:
a first access unit configured to:
receiving an access request for accessing the target device, which is sent by the first access device;
forwarding the access request to the target device if the sharing record exists.
The embodiment of the present invention further provides a server, which includes a processor and a memory for storing a computer program capable of running on the processor, wherein the processor is configured to execute the steps of the access control method executed by the server when running the computer program.
An embodiment of the present invention further provides an access device 900, which is the first access device 301 in fig. 3, and a schematic structural diagram of the access device 900 is shown in fig. 9, where the access device 900 includes:
a first obtaining unit 901 configured to obtain a second device identifier of a second access device;
a first sending unit 902, configured to send a first device identifier and a second device identifier of the first access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share access rights of the target device to the first access device;
a first transmission unit 903, configured to perform transmission of a local sharing credential with the server, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In this embodiment of the present invention, the access device 900 further includes:
a first generating unit configured to generate a registration request according to the first device identifier and the second device identifier;
correspondingly, the first sending unit is configured to send the registration request to the server.
In this embodiment of the present invention, the registration request further carries: the target device identification.
In the embodiment of the present invention, the registration request further carries one of the following information:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
In this embodiment of the present invention, the access device 900 further includes: a first setting unit configured to:
receiving a first sharing completion notification sent by the server;
and setting the sharing record based on the trigger of the first sharing completion notification.
In this embodiment of the present invention, the first transmission unit 903 is further configured to receive a local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server.
In this embodiment of the present invention, the first transmission unit 903 is further configured to:
generating the local sharing credential;
sending the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
In this embodiment of the present invention, the first transmission unit 903 is further configured to receive a local sharing credential generated by the second access device and sent by the server.
In this embodiment of the present invention, the access device 900 further includes:
the second access unit is configured to generate an access request based on the target device identifier, send the access request to a server, and forward the access request to the target device by the server when the sharing record exists.
In this embodiment of the present invention, the access device 900 further includes:
a first configuration unit, configured to configure, according to the local sharing credential, an access policy for the access device to access the target device.
An embodiment of the present invention further provides an access device, which includes a processor and a memory for storing a computer program capable of running on the processor, where the processor is configured to execute the steps of the access control method executed by the access device 900 when running the computer program.
An embodiment of the present invention further provides an access device 1000, which serves as the second access device 302 in fig. 3, and a schematic structural diagram of the access device 1000 is shown in fig. 10, where the access device 1000 includes:
a second obtaining unit 1001 configured to obtain a first device identifier of the first access device;
a second sending unit 1002, configured to send the first device identifier and a second device identifier of the second access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share access rights of the target device to the first access device;
a second transmission unit 1003, configured to perform transmission of a local sharing credential with the server, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
In this embodiment of the present invention, the access device 1000 further includes:
a second generating unit configured to generate a registration request according to the first device identifier and the second device identifier;
correspondingly, the second sending unit is configured to send the registration request to the server.
In this embodiment of the present invention, the registration request further carries: the target device identification.
In the embodiment of the present invention, the registration request further carries one of the following information:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
In this embodiment of the present invention, the access device 1000 further includes: a second setting unit configured to:
receiving a third sharing completion notification sent by the server;
and setting the sharing record based on the trigger of the third sharing completion notice.
In this embodiment of the present invention, the second transmission unit 1003 is further configured to receive a local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server.
In this embodiment of the present invention, the second transmission unit 1003 is further configured to:
generating the local sharing credential;
sending the local sharing credential to the server, so that the server sends the local sharing credential to the first access device.
In this embodiment of the present invention, the second transmission unit 1003 is further configured to receive a local sharing credential generated by the first access device and sent by the server.
In this embodiment of the present invention, the access device 1000 further includes:
a second configuration unit, configured to configure, according to the local sharing credential, an access policy for the second access device to access the target device.
An embodiment of the present invention further provides an access device, which includes a processor and a memory for storing a computer program capable of running on the processor, where the processor is configured to execute the steps of the access control method executed by the access device 1000 when running the computer program.
Fig. 11 is a schematic diagram of a hardware component structure of an electronic device (access device or server) according to an embodiment of the present invention, where the electronic device 1100 includes: at least one processor 1101, memory 1102, and at least one network interface 1104. The various components in the electronic device 1100 are coupled together by a bus system 1105. It is understood that the bus system 1105 is used to enable communications among the components. The bus system 1105 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled in fig. 11 as the bus system 1105.
It will be appreciated that the memory 1102 can be either volatile memory or non-volatile memory, and can include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferromagnetic random access memory (FRAM), flash memory, magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM). The memory 1102 described in connection with the embodiments of the invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The memory 1102 in embodiments of the present invention is used to store various types of data in support of the operation of the electronic device 1100. Examples of such data include: any computer program for operating on the electronic device 1100, such as application programs 11021. Programs that implement methods in accordance with embodiments of the invention may be included in application 11021.
The methods disclosed in the embodiments of the present invention described above may be implemented in the processor 1101 or by the processor 1101. The processor 1101 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware, integrated logic circuits, or software in the processor 1101. The Processor 1101 described above may be a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. Processor 1101 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 1102, and the processor 1101 reads the information in the memory 1102 to perform the steps of the aforementioned methods in conjunction with its hardware.
In an exemplary embodiment, the electronic Device 1100 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), FPGAs, general purpose processors, controllers, MCUs, MPUs, or other electronic components for performing the foregoing methods.
The embodiment of the invention also provides a storage medium for storing the computer program.
Optionally, the storage medium may be applied to a server in the embodiment of the present invention, and the computer program enables a computer to execute corresponding processes in each method in the embodiment of the present invention, which is not described herein again for brevity.
Optionally, the storage medium may be applied to an access device in the embodiment of the present invention, and the computer program enables a computer to execute corresponding processes in each method in the embodiment of the present invention, which is not described herein again for brevity.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present invention are included in the protection scope of the present invention.

Claims (72)

  1. An access control method comprising:
    the method comprises the steps that a server establishes a sharing record among a first device identifier of a first access device, a second device identifier of a second access device and a target device identifier of a target device associated with the second access device, wherein the sharing record is used for sharing the access authority of the target device to the first access device;
    the server transmits a local sharing credential between the first access device and the second access device, wherein the local sharing credential is used for establishing a local connection between the first access device and the target device.
  2. The method of claim 1, wherein the method further comprises:
    the server receives a registration request sent by the first access device or the second access device; the registration request carries the first device identifier and the second device identifier.
  3. The method of claim 2, wherein the registration request further carries: the target device identification.
  4. The method according to claim 2 or 3, wherein the registration request further carries one of the following information:
    a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
    correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
  5. The method of any of claims 2 to 4, wherein in the case that the registration request is sent by the first access device, the method further comprises:
    the server sends a first confirmation request to the second access device;
    and the server receives a first response of the second access equipment responding to the first confirmation request, and sets the sharing record to be in an activated state.
  6. The method of claim 5, wherein the method further comprises:
    the server sends a first sharing completion notification to the first access device, where the first sharing completion notification is used to instruct the first access device to set the sharing record locally on the first access device.
  7. The method of claim 5, wherein the method further comprises:
    and the server sends a second sharing completion notification to the target device, wherein the second sharing completion notification is used for indicating the target device to set the sharing record locally on the target device.
  8. The method of any of claims 2 to 4, wherein in the case that the registration request is sent by the second access device, the method further comprises:
    the server sends a second confirmation request and a third confirmation request to the first access device and the target device respectively;
    and the server receives a second response of the first access device responding to the second confirmation request, receives a third response of the target device responding to the third confirmation request, and sets the sharing record to be in an activated state.
  9. The method of claim 8, wherein the method further comprises:
    and the server sends a third sharing completion notification to the second access device, wherein the third sharing completion notification is used for indicating the second access device to set the sharing record locally at the second access device.
  10. The method of claim 6, wherein, in the case where the server generates the local sharing credential, the server performs transmission of the local sharing credential between the first access device and the second access device, comprising:
    the server sends the local sharing certificate to the second access device through a first confirmation request carrying the local sharing certificate;
    and the server sends the local sharing certificate to the first access device through the first sharing completion notification carrying the local sharing certificate.
  11. The method of claim 9, wherein, in a case where the server generates the local sharing credential, the server performs transmission of the local sharing credential between the first access device and the second access device, comprising:
    the server sends the local sharing certificate to the first access device through a second confirmation request carrying the local sharing certificate;
    and the server sends the local sharing certificate to the second access device through a third sharing completion notification carrying the local sharing certificate.
  12. The method of any of claims 1 to 9, wherein the transmitting, by the server, of the local sharing credential between the first access device and the second access device comprises:
    the server receives a local sharing credential sent by the first access device or the target device;
    and the server sends the local sharing credential to the second access device or the first access device.
  13. The method of claim 12, wherein,
    in the case that the local sharing credential received by the server is sent by the first access device, the local sharing credential is generated by the first access device; or
    in the case that the local sharing credential received by the server is sent by the target device, the local sharing credential is generated by the second access device.
  14. The method of any one of claims 1 to 13, wherein the method further comprises:
    the server receives an access request, sent by the first access device, for accessing the target device;
    and the server forwards the access request to the target device in the case that the sharing record exists.
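The server-side exchange recited in claims 8 to 14 (registration by either access device, confirmation requests and responses, activation of the sharing record, distribution of the local sharing credential, and forwarding of access requests only when a sharing record exists) written out as an added example in Python. This is illustrative code, not the applicant's implementation or any code from the patent: it assumes the sharing restriction condition is an expiry timestamp, that the server generates a random 32-byte local sharing credential unless the registering device supplies one, and it replaces the network with an in-memory outbox. The message-type names (confirm_1, complete_3 and so on) and the device names used in the usage (phoneA, phoneB, lockB) are constructed for the example.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class SharingRecord:
    """Sharing record as recited in the claims: the three identifiers, the optional
    user identifiers, a sharing restriction condition (assumed here to be an expiry
    timestamp) and the activation state. `credential` is the local sharing credential."""
    first_device_id: str
    second_device_id: str
    target_device_id: str
    first_user_id: str | None = None
    second_user_id: str | None = None
    expires_at: float | None = None
    active: bool = False
    credential: bytes | None = None


class Server:
    """Toy server: registration -> confirmation -> activation -> credential
    distribution -> gated forwarding of access requests."""

    def __init__(self) -> None:
        self.records: dict[tuple[str, str], SharingRecord] = {}
        self.initiator: dict[tuple[str, str], str] = {}     # who sent the registration
        self.pending: dict[tuple[str, str], set[str]] = {}  # confirmations still awaited
        # Constructed stand-in for the network: (recipient, message type, payload).
        self.outbox: list[tuple[str, str, dict]] = []

    def _send(self, to: str, kind: str, **payload) -> None:
        self.outbox.append((to, kind, payload))

    def register(self, sender: str, first_id: str, second_id: str, target_id: str,
                 credential: bytes | None = None, **opt) -> SharingRecord:
        """Handle a registration request. Only a party named in the record may
        register it; a credential supplied by the registering device is relayed
        (claims 12-13), otherwise the server generates one (claims 10-11)."""
        if sender not in (first_id, second_id):
            raise PermissionError("registration must come from the first or second device")
        key = (first_id, target_id)
        rec = SharingRecord(first_id, second_id, target_id, opt.get("first_user_id"),
                            opt.get("second_user_id"), opt.get("expires_at"),
                            credential=credential or secrets.token_bytes(32))
        self.records[key] = rec
        self.initiator[key] = sender
        if sender == first_id:
            # First confirmation request to the second (owner) device, carrying the credential.
            self.pending[key] = {second_id}
            self._send(second_id, "confirm_1", record=key, credential=rec.credential)
        else:
            # Second and third confirmation requests to the first device and the target.
            self.pending[key] = {first_id, target_id}
            self._send(first_id, "confirm_2", record=key, credential=rec.credential)
            self._send(target_id, "confirm_3", record=key)
        return rec

    def respond(self, responder: str, key: tuple[str, str]) -> bool:
        """Accept a confirmation response; activate the record only once every
        outstanding confirmation has arrived. Returns True on activation."""
        outstanding = self.pending.get(key)
        if outstanding is None or responder not in outstanding:
            raise PermissionError("no confirmation outstanding for this responder")
        outstanding.discard(responder)
        if outstanding:
            return False
        rec = self.records[key]
        rec.active = True
        del self.pending[key]
        if self.initiator[key] == rec.first_device_id:
            # Registered by the first device: completion notifications 1 and 2.
            self._send(rec.first_device_id, "complete_1", record=key, credential=rec.credential)
            self._send(rec.target_device_id, "complete_2", record=key)
        else:
            # Registered by the second device: completion notification 3.
            self._send(rec.second_device_id, "complete_3", record=key, credential=rec.credential)
        return True

    def forward_access(self, first_id: str, target_id: str, now: float | None = None) -> bool:
        """Claim 14 plus the checks a practitioner would add: forward only if the
        record exists, has been activated and its restriction condition still holds."""
        rec = self.records.get((first_id, target_id))
        if rec is None or not rec.active:
            return False
        now = time.time() if now is None else now
        if rec.expires_at is not None and now >= rec.expires_at:
            return False
        self._send(target_id, "access_request", from_device=first_id)
        return True


if __name__ == "__main__":
    srv = Server()
    rec = srv.register("phoneA", "phoneA", "phoneB", "lockB", expires_at=time.time() + 3600)
    srv.respond("phoneB", ("phoneA", "lockB"))      # owner confirms -> record activated
    print(rec.active, srv.forward_access("phoneA", "lockB"))
```

Two points the claims leave to the implementer are made explicit here: an access request is refused while the record exists but has not yet been activated (the owner has not confirmed), and a confirmation response from a party that was never asked, or a repeat after activation, is rejected rather than silently accepted.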
  15. An access control method comprising:
    the first access device acquires a second device identifier of a second access device;
    the first access device sends a first device identifier of the first access device and the second device identifier to a server, wherein the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access right of the target device with the first access device;
    and the first access device transmits a local sharing credential with the server, wherein the local sharing credential is used for establishing a local connection between the first access device and the target device.
  16. The method of claim 15, wherein the method further comprises:
    the first access device generates a registration request according to the first device identifier and the second device identifier;
    correspondingly, the sending, by the first access device, of the first device identifier and the second device identifier to the server comprises:
    the first access device sends the registration request to the server.
  17. The method of claim 16, wherein the registration request further carries: the target device identification.
  18. The method according to claim 16 or 17, wherein the registration request further carries one of the following information:
    a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
    correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
  19. The method of any of claims 16 to 18, wherein the method further comprises:
    the first access device receives a first sharing completion notification sent by the server;
    and the first access device sets the sharing record based on a trigger of the first sharing completion notification.
  20. The method of claim 19, wherein the transmitting, by the first access device, the local sharing credential with the server comprises:
    the first access device receives the local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, wherein the local sharing credential is generated by the server.
  21. The method of any of claims 15 to 19, wherein the transmitting, by the first access device, the local sharing credential with the server comprises:
    the first access device generates the local sharing credential;
    the first access device sends the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
  22. The method of any of claims 15 to 19, wherein the transmitting, by the first access device, the local sharing credential with the server comprises:
    the first access device receives a local sharing credential that is generated by the second access device and sent by the server.
  23. The method of any of claims 15 to 22, wherein the method further comprises:
    the first access device generates an access request based on the target device identifier and sends the access request to the server, which forwards the access request to the target device in the case that the sharing record exists.
  24. The method of any of claims 15 to 23, wherein the method further comprises:
    the first access device configures, according to the local sharing credential, an access policy for the first access device to access the target device.
  25. A method of access control, the method comprising:
    the second access device acquires a first device identifier of the first access device;
    the second access device sends the first device identifier and a second device identifier of the second access device to a server, wherein the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access right of the target device with the first access device;
    and the second access device transmits a local sharing credential with the server, wherein the local sharing credential is used for establishing a local connection between the first access device and the target device.
  26. The method of claim 25, wherein the method further comprises:
    the second access device generates a registration request according to the first device identifier and the second device identifier;
    correspondingly, the sending, by the second access device, of the first device identifier and the second device identifier to the server comprises:
    the second access device sends the registration request to the server.
  27. The method of claim 26, wherein the registration request further carries: the target device identification.
  28. The method according to claim 26 or 27, wherein the registration request further carries one of the following information:
    a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
    correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
  29. The method of any one of claims 26 to 28, wherein the method further comprises:
    the second access device receives a third sharing completion notification sent by the server;
    and the second access device sets the sharing record based on a trigger of the third sharing completion notification.
  30. The method of claim 29, wherein the transmitting, by the second access device, the local sharing credential with the server comprises:
    the second access device receives the local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, wherein the local sharing credential is generated by the server.
  31. The method of any of claims 25 to 29, wherein the transmitting, by the second access device, the local sharing credential with the server comprises:
    the second access device generates the local sharing credential;
    and the second access device sends the local sharing credential to the server, so that the server sends the local sharing credential to the first access device.
  32. The method of any of claims 25 to 29, wherein the transmitting, by the second access device, the local sharing credential with the server comprises:
    the second access device receives a local sharing credential that is generated by the first access device and sent by the server.
  33. The method of any of claims 25 to 32, wherein the method further comprises:
    the second access device configures, according to the local sharing credential, an access policy for the second access device to access the target device.
  34. A server, comprising:
    an establishing unit, configured to establish a sharing record among a first device identifier of a first access device, a second device identifier of a second access device and a target device identifier of a target device associated with the second access device, wherein the sharing record is used to share the access right of the target device with the first access device;
    and a credential transmission unit, configured to transmit a local sharing credential between the first access device and the second access device, wherein the local sharing credential is used for establishing a local connection between the first access device and the target device.
  35. The server of claim 34, wherein the server further comprises:
    a receiving unit, configured to receive a registration request sent by the first access device or the second access device, wherein the registration request carries the first device identifier and the second device identifier.
  36. The server of claim 35, wherein the registration request further carries: the target device identification.
  37. The server according to claim 35 or 36, wherein the registration request further carries one of the following information:
    a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
    correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
  38. The server of any one of claims 35 to 37, wherein the server further comprises:
    a first validation unit configured to:
    sending a first confirmation request to the second access device under the condition that the registration request is sent by the first access device;
    and receiving a first response of the second access device responding to the first confirmation request, and setting the sharing record to be in an activated state.
  39. The server of claim 38, wherein the server further comprises: a first notification unit, configured to send a first sharing completion notification to the first access device, where the first sharing completion notification is used to instruct the first access device to set the sharing record locally on the first access device.
  40. The server of claim 38, wherein the server further comprises:
    a second notification unit, configured to send a second sharing completion notification to the target device, where the second sharing completion notification is used to instruct the target device to set the sharing record locally on the target device.
  41. The server of any one of claims 35 to 37, wherein the server further comprises: a second validation unit configured to:
    under the condition that the registration request is sent by the second access device, sending a second confirmation request and a third confirmation request to the first access device and the target device respectively;
    and receiving a second response of the first access device to the second confirmation request, receiving a third response of the target device to the third confirmation request, and setting the sharing record to be in an activated state.
  42. The server of claim 41, wherein the server further comprises:
    a third notification unit, configured to send a third sharing completion notification to the second access device, where the third sharing completion notification is used to instruct the second access device to set the sharing record locally on the second access device.
  43. The server of claim 39, wherein the credential transmission unit is further configured to, in the case that the server generates the local sharing credential:
    send the local sharing credential to the second access device through a first confirmation request carrying the local sharing credential;
    and send the local sharing credential to the first access device through the first sharing completion notification carrying the local sharing credential.
  44. The server of claim 42, wherein the credential transmission unit is further configured to, in the case that the server generates the local sharing credential:
    send the local sharing credential to the first access device through a second confirmation request carrying the local sharing credential;
    and send the local sharing credential to the second access device through a third sharing completion notification carrying the local sharing credential.
  45. The server of any one of claims 34 to 42, wherein the credential transmission unit is further configured to:
    receive a local sharing credential sent by the first access device or the target device;
    and send the local sharing credential to the second access device or the first access device.
  46. The server of claim 45, wherein,
    in the case that the received local sharing credential is sent by the first access device, the local sharing credential is generated by the first access device; or
    in the case that the received local sharing credential is sent by the target device, the local sharing credential is generated by the second access device.
  47. The server of any one of claims 34 to 46, wherein the server further comprises:
    a first access unit configured to:
    receive an access request, sent by the first access device, for accessing the target device;
    and forward the access request to the target device in the case that the sharing record exists.
  48. An access device, comprising:
    a first obtaining unit configured to obtain a second device identifier of a second access device;
    a first sending unit, configured to send a first device identifier and a second device identifier of the first access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share an access right of the target device to the first access device;
    the first transmission unit is configured to transmit a local sharing credential to the server, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
  49. The access device of claim 48, wherein the access device further comprises:
    a first generating unit configured to generate a registration request according to the first device identifier and the second device identifier;
    correspondingly, the first sending unit is configured to send the registration request to the server.
  50. The access device of claim 49, wherein the registration request further carries: the target device identification.
  51. The access device of claim 49 or 50, wherein the registration request further carries one of the following information:
    a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
    correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
  52. The access device of any one of claims 49-51, wherein the access device further comprises: a first setting unit configured to:
    receiving a first sharing completion notification sent by the server;
    and setting the sharing record based on the trigger of the first sharing completion notification.
  53. The access device of claim 52, wherein the first transmission unit is further configured to receive a local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, and the local sharing credential is generated by the server.
  54. The access device of any of claims 48-52, wherein the first transmission unit is further configured to:
    generating the local sharing credential;
    sending the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
  55. The access device of any one of claims 48 to 52, wherein the first transmission unit is further configured to receive a local sharing credential generated by the second access device sent by the server.
  56. The access device of any one of claims 48 to 55, wherein the access device further comprises:
    a second access unit, configured to generate an access request based on the target device identifier and send the access request to the server, which forwards the access request to the target device in the case that the sharing record exists.
  57. The access device of any one of claims 48 to 56, wherein the access device further comprises:
    a first configuration unit, configured to configure, according to the local sharing credential, an access policy for the access device to access the target device.
  58. An access device, comprising:
    a second obtaining unit configured to obtain a first device identifier of the first access device;
    a second sending unit, configured to send the first device identifier and a second device identifier of the second access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share an access right of the target device to the first access device;
    the second transmission unit is configured to transmit a local sharing credential to the server, where the local sharing credential is used for establishing a local connection between the first access device and the target device.
  59. The access device of claim 58, wherein the access device further comprises:
    a second generating unit configured to generate a registration request according to the first device identifier and the second device identifier;
    correspondingly, the second sending unit is configured to send the registration request to the server.
  60. The access device of claim 59, wherein the registration request further carries: the target device identification.
  61. The access device of claim 59 or 60, wherein the registration request further carries one of the following information:
    a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
    correspondingly, the sharing record further includes one of the following information: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition.
  62. The access device of any one of claims 59 to 60, wherein the access device further comprises: a second setting unit configured to:
    receiving a third sharing completion notification sent by the server;
    and setting the sharing record based on the trigger of the third sharing completion notification.
  63. The access device of claim 62, wherein the second transmission unit is further configured to receive a local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, and the local sharing credential is generated by the server.
  64. The access device of any of claims 58 to 62, wherein the second transmission unit is further configured to:
    generating the local sharing credential;
    sending the local sharing credential to the server, so that the server sends the local sharing credential to the first access device.
  65. The access device of any one of claims 58 to 62, wherein the second transmission unit is further configured to receive a local sharing credential generated by the first access device and sent by the server.
  66. The access device of any one of claims 58 to 65, wherein the access device further comprises:
    a second configuration unit, configured to configure, according to the local sharing credential, an access policy for the second access device to access the target device.
  67. A server comprising a processor and a memory for storing a computer program capable of running on the processor, wherein,
    the processor is adapted to perform the steps of the access control method of any of claims 1 to 14 when running the computer program.
  68. An access device comprising a processor and a memory for storing a computer program capable of running on the processor, wherein,
    the processor is adapted to perform the steps of the access control method of any of claims 15 to 24 when running the computer program.
  69. An access device comprising a processor and a memory for storing a computer program capable of running on the processor, wherein,
    the processor is adapted to perform the steps of the access control method of any of claims 25 to 33 when running the computer program.
  70. A storage medium storing an executable program which, when executed by a processor, implements the access control method of any one of claims 1 to 14.
  71. A storage medium storing an executable program which, when executed by a processor, implements the access control method of any one of claims 15 to 24.
  72. A storage medium storing an executable program which, when executed by a processor, implements the access control method of any one of claims 25 to 33.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/103862 WO2021035740A1 (en) 2019-08-30 2019-08-30 Access control method, server, access device and storage medium

Publications (1)

Publication Number Publication Date
CN113678127A true CN113678127A (en) 2021-11-19

Family

ID=74684447

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980095168.6A Pending CN113678127A (en) 2019-08-30 2019-08-30 Access control method, server, access device, and storage medium

Country Status (2)

Country Link
CN (1) CN113678127A (en)
WO (1) WO2021035740A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023240587A1 (en) * 2022-06-17 2023-12-21 Oppo广东移动通信有限公司 Device permission configuration method and apparatus, and terminal device

Citations (4)

Publication number Priority date Publication date Assignee Title
WO2012095854A1 (en) * 2011-01-13 2012-07-19 Infosys Technologies Limited System and method for accessing integrated applications in a single sign-on enabled enterprise solution
CN105187377A (en) * 2015-06-25 2015-12-23 联想(北京)有限公司 Data processing method, data processing device, data access method and data access device
CN106468886A (en) * 2016-09-30 2017-03-01 海尔优家智能科技(北京)有限公司 A kind of method and apparatus of third-party control devices
CN108595941A (en) * 2018-03-30 2018-09-28 联想(北京)有限公司 A kind of data processing method, system and electronic equipment

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN106034104B (en) * 2015-03-07 2021-02-12 华为技术有限公司 Verification method, device and system for network application access

Also Published As

Publication number Publication date
WO2021035740A1 (en) 2021-03-04

Similar Documents

Publication Publication Date Title
CN108476226B (en) Application program authorization method, terminal and server
KR101869368B1 (en) Authentication in secure user plane location (supl) systems
KR101202671B1 (en) Remote access system and method for enabling a user to remotely access a terminal equipment from a subscriber terminal
TWI514896B (en) Method and apparatus for trusted federated identity
US9154955B1 (en) Authenticated delivery of premium communication services to trusted devices over an untrusted network
CN111465011B (en) Cross-network access method, device, storage medium and communication system
US10148651B2 (en) Authentication system
CN113169970B (en) Access control method, device and storage medium
JP2009526418A (en) Method, system and apparatus for indirect access by communication device
CN110519760B (en) Network access method, device, equipment and storage medium
US11271922B2 (en) Method for authenticating a user and corresponding device, first and second servers and system
CN113541925B (en) Communication system, method and device
US20210120416A1 (en) Secure inter-mobile network communication
EP3930361A1 (en) System and method for operating a user device with personalized identity module profiles
EP2343916A1 (en) Secure coupling of hardware components
CN112199656B (en) Access authority acquisition method of service platform and access control method of service platform
US9154949B1 (en) Authenticated delivery of premium communication services to untrusted devices over an untrusted network
CN113678127A (en) Access control method, server, access device, and storage medium
WO2016090927A1 (en) Management method and system for sharing wlan and wlan sharing registration server
EP4228303A1 (en) Communication system, communication method and communication apparatus
US20220256349A1 (en) Provision of Application Level Identity
WO2018120150A1 (en) Method and apparatus for connection between network entities
EP3032448B1 (en) Method for authorizing access to information in a telecommunication system
WO2024016124A1 (en) Device configuration methods and apparatuses, and communication device
WO2022252658A1 (en) Roaming access method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination