CN113779603A - Asset authority control system and method based on 4A unified security management platform - Google Patents


Publication number
CN113779603A
CN113779603A
Authority
CN
China
Prior art keywords
calculation
authority control
authority
user
management platform
Prior art date
Legal status
Pending
Application number
CN202111069569.XA
Other languages
Chinese (zh)
Inventor
魏源渊
贺照峰
王志国
Current Assignee
Chengdu Hi Tech Vision Digital Technology Co ltd
Original Assignee
Chengdu Hi Tech Vision Digital Technology Co ltd
Priority date
2021-09-13
Filing date
2021-09-13
Publication date
2021-12-10

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention relates to an asset authority control system and method based on a 4A unified security management platform, comprising an authority control model and an authority control engine. The authority control model consists of a plurality of authority units; the corresponding authority description and authority calculation are realized by arbitrarily arranging, combining and nesting these authority units. The authority control engine receives the authority control model and the related user data and, after computing in memory, produces a Boolean result from which the unified security management platform judges whether the user's behavior is authorized and legal: if the result is true, the behavior is authorized and the system lets the operation through; if the result is false, the behavior is not authorized and the system prohibits the user operation. The invention is suitable for authority control on a 4A unified security management platform; because the design of the underlying data structure is separated from the business, the authority control is more general and can be adapted to a variety of complex business scenarios and customer requirements.

Description

Asset authority control system and method based on 4A unified security management platform
Technical Field
The invention relates to the technical field of asset authority control, in particular to an asset authority control system and method based on a 4A unified security management platform.
Background
With the continuous development of information technology and the steady progress of informatization, business applications, office systems and business platforms are continuously released and put into operation, and information systems now permeate every aspect of enterprise operation. The telecommunications industry, finance, taxation, electric power, petroleum, large and medium-sized enterprises and portal sites use a large number of network devices and server hosts to provide basic network services, run key business, and offer services such as electronic commerce, database applications, ERP (enterprise resource planning) and collaborative workgroups. Because the number of devices and servers is large and system administrators are under heavy pressure, unauthorized access, misoperation, abuse and malicious damage occur from time to time, seriously affecting the economic efficiency of enterprise operations and damaging enterprise reputation. In addition, malicious access by attackers can obtain system privileges and break into departments or the internal networks of enterprises, causing immeasurable loss. How to improve the level of system operation and maintenance management, track the operating behavior of users on servers, prevent intrusion and damage by attackers, provide a basis for control and audit, reduce operation and maintenance costs, and meet the requirements of the relevant standards has become a growing concern for enterprises.
4A stands for Authentication, Authorization, Account and Audit; its Chinese name is the unified security management platform. With the rapid development of internet technology, the business systems of enterprise clients keep growing and the scale of all kinds of devices is increasing rapidly, so a unified security management platform is required to manage the security work of each business system. However, because each enterprise client differs in organizational structure, personnel configuration, asset size and asset type, authority management is particularly difficult.
Meanwhile, the existing authority control schemes are relatively fixed and inflexible and cannot meet the varied authority configuration requirements of clients in complex client environments. Some more flexible authority control schemes can only control fixed asset attributes and cannot meet customers' requirements for custom asset attributes and custom authority control. For the technicians developing the product, the lack of a flexibly configurable authority control scheme means that the authority management requirements of each enterprise client may need separate special handling, resulting in delayed responses to client requirements and increased product development cost, which not only affects the client experience but also adds extra cost for the company. To date, the common authority control scheme in such platforms is role-based authority management. That scheme requires the client to define role authorities at various granularities in advance according to the business and then assign the roles to the corresponding business personnel to realize authority control. Its defects are as follows: 1. the client is required to define the various roles and the authorities corresponding to each role in advance; 2. an asset newly added to the platform by a client requires corresponding research and development changes and cannot be integrated smoothly; 3. most role authority is authenticated through database queries, which creates a performance bottleneck.
Disclosure of Invention
The invention aims to overcome the defects of the prior art, provides an asset authority control system and method based on a 4A unified security management platform, and solves the problems in the prior art.
The purpose of the invention is realized by the following technical scheme: an asset authority control system based on a 4A unified security management platform comprises an authority control model and an authority control engine. The authority control model consists of a plurality of authority units; the corresponding authority description and authority calculation are realized by arbitrarily arranging, combining and nesting these authority units. The authority control engine receives the authority control model and the related user data and, after computing in memory, produces a Boolean result from which the unified security management platform judges whether the user's behavior is authorized and legal: if the result is true, the behavior is authorized and the system lets the operation through; if the result is false, the behavior is not authorized and the system prohibits the user operation.
An authority unit in the authority control model comprises a calculation operator unit, a calculation parameter unit and a calculation value unit. The calculation operator unit is a string which, once parsed by the authority control engine, designates which calculation mode is used. The calculation parameter unit defines a list of further calculation units, and these calculation units can be freely and flexibly arranged, combined and nested. The calculation value unit is the value that participates in the calculation: when the calculation unit is evaluated by the computer, this value is compared with a value stored in the database or in the context.
When the calculation operator is neither an AND operation nor an OR operation, the first calculation unit in the calculation parameters carries the table name and column name in the database, and the second calculation unit in the calculation parameters carries the actual value configured by the user.
The authority control engine comprises authority control operators and authority control calculation. The authority control operators are a set of Boolean operations; each operation function receives a series of parameters and yields a result of Boolean type, from which the unified security management platform judges whether the user behavior is authorized. The authority control calculation converts the authority control model and the data set into calculation operator units and the parameters of the calculation operators, assembles them into a higher-order function, obtains the calculation result by executing that function, and judges the user's authority from the result.
A method of the asset authority control system based on a 4A unified security management platform, the method comprising:
S1, the validity of the format of the related data is checked by the authority control model check function; if the check passes, the data is stored in the database, and if the check fails, the related exception information is returned to the client; when an ordinary user logs in to an asset hosted by the unified security management platform, the client automatically initiates authentication;
S2, after receiving the authority check request, the authority control engine calls the initialization of the relevant environment;
S3, after initialization is completed, the authority control engine is called through an interface to acquire the related user data and asset data from the unified security management platform; if acquisition succeeds, the authentication process continues; if acquisition fails, the related exception information is returned to the client and the client prohibits the user from executing the related operation, so as to ensure system security;
S4, after the data set is successfully acquired, the authority control engine passes the data set and the authority control model as parameters to the authority control calculation, obtains a Boolean result, and judges whether the user's authentication succeeded from the truth value of that result: if true, the user may continue to execute the related operation; if false, the user is prohibited from executing the related operation.
The method further includes a step preceding step S1, in which the administrator performs authority configuration on the client provided by the unified security management platform, and after the user completes the authority configuration through UI operations and the related prompts, the client submits the generated authority control model to the unified security management platform.
The invention has the following advantages: the asset authority control system and method based on a 4A unified security management platform are suitable for authority control on the 4A unified security management platform, and because the design of the underlying data structure is separated from the business, the authority control is more general and can be adapted to a variety of complex business scenarios and customer requirements.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the detailed description of the embodiments of the present application provided below in connection with the appended drawings is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application. The invention is further described below with reference to the accompanying drawings.
The invention relates to an asset authority control system based on a 4A unified security management platform, comprising an authority control model and an authority control engine. The authority control model consists of a plurality of authority units; the corresponding authority description and authority calculation are realized by arbitrarily arranging, combining and nesting these authority units. The authority control engine receives the authority control model and the related user data and, after computing in memory, produces a Boolean result from which the unified security management platform judges whether the user's behavior is authorized and legal: if the result is true, the behavior is authorized and the system lets the operation through; if the result is false, the behavior is not authorized and the system prohibits the user operation.
An authority unit in the authority control model comprises a calculation operator unit, a calculation parameter unit and a calculation value unit. The calculation operator unit is a string which, once parsed by the authority control engine, designates which calculation mode is used. The calculation parameter unit defines a list of further calculation units, and these calculation units can be freely and flexibly arranged, combined and nested. The calculation value unit is the value that participates in the calculation: when the calculation unit is evaluated by the computer, this value is compared with a value stored in the database or in the context.
When the calculation operator is neither an AND operation nor an OR operation, the first calculation unit in the calculation parameters carries the table name and column name in the database, and the second calculation unit in the calculation parameters carries the actual value configured by the user.
For example, take "the user's age is greater than 18". The authority expression is converted into a calculation unit as follows: the calculation operator is configured as GT; the calculation parameters are two calculation units, the first being a value unit that participates in the calculation, namely the user, and the second being a value unit that participates in the calculation, namely the value 18 (in both of these leaf units the calculation operator and the calculation parameters are null).
Take "three hosts with IP address 10.0.10.10 accessible from 9:00 to 18:00" as a further example: this authority description can be converted into a nested arrangement of four authority calculation units, which is finally stored as an authority control model.
The authority control engine does not include data storage; that is, the engine does not care how the platform stores user data and asset data. Only when the authority of a given user is calculated does the platform pass the related user data and asset data into the engine through an interface. The engine then automatically analyzes the relationship between the authority control model and the data set and converts it into parameters that the authority control operators can accept, so that maximum decoupling is achieved, and finally the calculation is performed in memory in a uniform way.
Further, the authority control engine comprises authority control operators and authority control calculation. The authority control operators are a set of Boolean operations; each operation function receives a series of parameters and yields a result of Boolean type, from which the unified security management platform judges whether the user behavior is authorized. The authority control calculation converts the authority control model and the data set into calculation operator units and the parameters of the calculation operators, assembles them into a higher-order function, obtains the calculation result by executing that function, and judges the user's authority from the result.
The specific operation set of the authority control operators is shown in the following table:
[Table: operation set of the authority control operators. In the original it is present only as an image (figure BDA0003259977450000071); its contents are not reproduced here.]
Further, during authority calculation, when the engine parses an operator it replaces the operator with a function implemented in the corresponding programming language, and then recursively parses params. Following the convention of the authority control model, the engine looks up the real value in the data set according to 'host. If the lookup succeeds, the looked-up value and '10.0.10.10' are passed together as function parameters into the function corresponding to the calculation operator, and the calculation result is returned.
As shown in FIG. 1, another embodiment of the present invention relates to a method of the asset authority control system based on a 4A unified security management platform, the method including:
S1, the administrator configures authority on the client provided by the unified security management platform, and after the user completes the authority configuration through UI operations and the related prompts, the client submits the generated authority control model to the unified security management platform;
S2, the unified security management platform calls the authority control model check function provided by the method to check the validity of the format of the related data; if the check passes, the data is stored in the storage engine; if the check fails, the related exception information is returned to the client;
S3, when an ordinary user logs in to an asset managed by the unified security management platform, the client automatically initiates authentication;
S4, after the authority control engine receives the authority check request, the initialization of the relevant environment is called, for example preparing information such as the current system time and the current system version;
S5, after initialization is completed, the authority control engine is called through an interface to acquire the related user data and asset data from the unified security management platform (storage engine); if acquisition succeeds, the authentication process continues; if acquisition fails, the related exception information is returned to the client and the client prohibits the user from executing the related operation, to ensure system security;
S6, after the data set is successfully acquired, the authority control engine passes the data set and the authority control model as parameters to the calculation module, which finally yields a Boolean result; the system judges from that result whether the user was authenticated successfully: if the result is true, the user may continue to execute the related operation; if the result is false, the user is prohibited from executing the related operation.
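The model-and-engine description above (operator, parameter and value units; recursive parsing of params; table-and-column lookup in the data set the platform passes in; the "age greater than 18" and "host 10.0.10.10 from 9:00 to 18:00" examples) and the method steps S1 to S6 can be exercised with the following added example. It is illustrative code written for this page, not code from the patent or its assignee. The unit field names (`op`, `params`, `value`), the comparison operators other than GT, AND and OR (`EQ`, `GE`, `LE`, `LT`, `IN`), the dotted `table.column` path convention, and the function names `validate_model`, `lookup`, `evaluate` and `authorize` are all assumptions; the data sets at the bottom are constructed inline to stand in for what the platform would supply through its interface.

```python
"""Toy authority-control engine: nested units evaluated in memory.

Added example for this page, not the patent's code. Field names ("op",
"params", "value"), the extra operators, the dotted-path convention and
the function names are assumptions chosen for illustration.
"""
from __future__ import annotations

from datetime import time
from typing import Any, Callable

# Operator set: operator string -> Boolean function over the resolved params.
# AND/OR take any number of Boolean params; every other operator is binary.
OPERATORS: dict[str, Callable[..., bool]] = {
    "AND": lambda *xs: all(xs),
    "OR": lambda *xs: any(xs),
    "EQ": lambda a, b: a == b,
    "GT": lambda a, b: a > b,
    "GE": lambda a, b: a >= b,
    "LT": lambda a, b: a < b,
    "LE": lambda a, b: a <= b,
    "IN": lambda a, b: a in b,
}


def validate_model(unit: Any) -> list[str]:
    """Format check run before a model is stored (step S2 of the method).
    Returns a list of problems; an empty list means the model is well formed.
    Unknown operators and wrong arities are rejected here, so the engine
    never has to guess at evaluation time."""
    if not isinstance(unit, dict):
        return [f"unit must be an object, got {type(unit).__name__}"]
    op, params = unit.get("op"), unit.get("params")
    if op is None:  # leaf: a calculation value unit (op and params are null)
        return [] if "value" in unit else ["leaf unit has neither op nor value"]
    if op not in OPERATORS:
        return [f"unknown operator {op!r}"]
    if not isinstance(params, list) or not params:
        return [f"{op}: params must be a non-empty list"]
    problems: list[str] = []
    if op not in ("AND", "OR") and len(params) != 2:
        problems.append(f"{op}: expected 2 params, got {len(params)}")
    for p in params:
        problems.extend(validate_model(p))
    return problems


def lookup(path: str, data: dict) -> Any:
    """Resolve a 'table.column' path against the data set the platform passed in."""
    cur: Any = data
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            raise KeyError(path)
        cur = cur[key]
    return cur


def evaluate(unit: dict, data: dict) -> bool:
    """Recursive engine: swap the operator string for its function, resolve
    the params, and call it. For comparison operators the first param is a
    data-set path and the second is the value the administrator configured."""
    op = unit["op"]
    fn = OPERATORS[op]
    if op in ("AND", "OR"):
        return bool(fn(*(evaluate(p, data) for p in unit["params"])))
    path_unit, value_unit = unit["params"]
    return bool(fn(lookup(path_unit["value"], data), value_unit["value"]))


def authorize(model: dict, data: dict | None) -> bool:
    """Steps S5/S6: deny when the data set could not be acquired, when a
    referenced attribute is missing, or when a comparison is ill-typed,
    so the default outcome is closed."""
    if data is None:
        return False
    try:
        return evaluate(model, data)
    except (KeyError, TypeError):
        return False


# "the user's age is greater than 18": operator GT over two leaf units
AGE_MODEL = {"op": "GT", "params": [{"value": "user.age"}, {"value": 18}]}

# "host 10.0.10.10 accessible from 9:00 to 18:00": AND over three comparisons
HOST_WINDOW_MODEL = {
    "op": "AND",
    "params": [
        {"op": "EQ", "params": [{"value": "host.ip"}, {"value": "10.0.10.10"}]},
        {"op": "GE", "params": [{"value": "env.now"}, {"value": time(9, 0)}]},
        {"op": "LE", "params": [{"value": "env.now"}, {"value": time(18, 0)}]},
    ],
}

# Constructed data sets standing in for what the platform passes through its interface.
SAMPLE_DATA = {"user": {"age": 30}, "host": {"ip": "10.0.10.10"}, "env": {"now": time(10, 30)}}
AFTER_HOURS_DATA = {**SAMPLE_DATA, "env": {"now": time(20, 0)}}

if __name__ == "__main__":
    print(validate_model(HOST_WINDOW_MODEL))        # []
    print(authorize(AGE_MODEL, SAMPLE_DATA))         # True
    print(authorize(HOST_WINDOW_MODEL, AFTER_HOURS_DATA))  # False
```

The two checks are deliberately split: `validate_model` runs once at model submission and rejects anything the operator table does not define, while `authorize` runs on every access request and treats a failed data acquisition, a missing attribute or an ill-typed comparison as a denial rather than an error to be worked around.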
The foregoing is illustrative of the preferred embodiments of this invention, and it is to be understood that the invention is not limited to the precise form disclosed herein and that various other combinations, modifications, and environments may be resorted to, falling within the scope of the concept as disclosed herein, as will be apparent to those skilled in the art from the teachings herein. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. An asset authority control system based on a 4A unified security management platform, characterized in that: the system comprises an authority control model and an authority control engine; the authority control model consists of a plurality of authority units, and the corresponding authority description and authority calculation are realized by arbitrarily arranging, combining and nesting these authority units; the authority control engine receives the authority control model and the related user data and, after computing in memory, produces a Boolean result from which the unified security management platform judges whether the user's behavior is authorized and legal: if the result is true, the behavior is authorized and the system lets the operation through; if the result is false, the behavior is not authorized and the system prohibits the user operation.
2. The asset authority control system based on the 4A unified security management platform according to claim 1, characterized in that: an authority unit in the authority control model comprises a calculation operator unit, a calculation parameter unit and a calculation value unit; the calculation operator unit is a string which, once parsed by the authority control engine, designates which calculation mode is used; the calculation parameter unit defines a list of further calculation units, and these calculation units can be freely and flexibly arranged, combined and nested; the calculation value unit is the value that participates in the calculation, such that when the calculation unit is evaluated by the computer, this value is compared with a value stored in the database or in the context.
3. The asset authority control system based on the 4A unified security management platform according to claim 2, characterized in that: when the calculation operator is neither an AND operation nor an OR operation, the first calculation unit participating in the calculation among the calculation parameters carries the table name and column name in the database, and the second calculation unit participating in the calculation carries the actual value configured by the user.
4. The asset authority control system based on the 4A unified security management platform according to claim 1, characterized in that: the authority control engine comprises authority control operators and authority control calculation; the authority control operators are a set of Boolean operations, each operation function receives a series of parameters and yields a result of Boolean type, and the unified security management platform judges from that result whether the user behavior is authorized; the authority control calculation converts the authority control model and the data set into calculation operator units and the parameters of the calculation operators, assembles them into a higher-order function, obtains the calculation result by executing that function, and judges the user's authority from the result.
5. A method of the asset authority control system based on the 4A unified security management platform according to any one of claims 1 to 4, characterized in that the method comprises the following steps:
S1, the validity of the format of the related data is checked by the authority control model check function; if the check passes, the data is stored in the database, and if the check fails, the related exception information is returned to the client; when an ordinary user logs in to an asset hosted by the unified security management platform, the client automatically initiates authentication;
S2, after receiving the authority check request, the authority control engine calls the initialization of the relevant environment;
S3, after initialization is completed, the authority control engine is called through an interface to acquire the related user data and asset data from the unified security management platform; if acquisition succeeds, the authentication process continues; if acquisition fails, the related exception information is returned to the client and the client prohibits the user from executing the related operation, to ensure system security;
S4, after the data set is successfully acquired, the authority control engine passes the data set and the authority control model as parameters to the authority control calculation, obtains a Boolean result, and judges whether the user's authentication succeeded from the truth value of that result: if the result is true, the user may continue to execute the related operation; if the result is false, the user is prohibited from executing the related operation.
6. The method according to claim 5, characterized in that: the method further includes a step preceding step S1, in which the administrator performs authority configuration on the client provided by the unified security management platform, and after the user completes the authority configuration through UI operations and the related prompts, the client submits the generated authority control model to the unified security management platform.

Priority Applications (1)

Application Number: CN202111069569.XA (CN113779603A); Priority Date: 2021-09-13; Filing Date: 2021-09-13; Title: Asset authority control system and method based on 4A unified security management platform

Publications (1)

Publication Number: CN113779603A; Publication Date: 2021-12-10

Family

ID=78843192


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102955910A (en) * 2011-08-25 2013-03-06 阿里巴巴集团控股有限公司 Method and device for multi-account authority control
CN106572116A (en) * 2016-11-10 2017-04-19 长春理工大学 Role-and-attribute-based cross-domain secure switch access control method of integrated network
CN108093094A (en) * 2017-12-08 2018-05-29 腾讯科技(深圳)有限公司 Database instance access method, device, system, storage medium and equipment
CN112149105A (en) * 2020-10-21 2020-12-29 腾讯科技(深圳)有限公司 Data processing system, method, related device and storage medium
CN113098695A (en) * 2021-04-21 2021-07-09 金陵科技学院 Micro-service unified authority control method and system based on user attributes


Legal Events

Code: PB01; Title: Publication
Code: SE01; Title: Entry into force of request for substantive examination