CN113824673A - Fine-grained operation control method and system for hazardous chemical substance public information service platform - Google Patents
Fine-grained operation control method and system for hazardous chemical substance public information service platform Download PDFInfo
- Publication number
- CN113824673A CN113824673A CN202010562091.3A CN202010562091A CN113824673A CN 113824673 A CN113824673 A CN 113824673A CN 202010562091 A CN202010562091 A CN 202010562091A CN 113824673 A CN113824673 A CN 113824673A
- Authority
- CN
- China
- Prior art keywords
- operation control
- data
- role
- user
- fine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 53
- 239000000126 substance Substances 0.000 title claims abstract description 50
- 239000000383 hazardous chemical Substances 0.000 title claims abstract description 45
- 238000011217 control strategy Methods 0.000 claims abstract description 96
- 238000004458 analytical method Methods 0.000 claims abstract description 4
- 230000009471 action Effects 0.000 claims description 18
- 238000003860 storage Methods 0.000 claims description 9
- 238000012795 verification Methods 0.000 claims description 8
- 239000003999 initiator Substances 0.000 claims description 6
- 238000013507 mapping Methods 0.000 claims description 6
- 239000000203 mixture Substances 0.000 claims description 5
- 238000013475 authorization Methods 0.000 description 7
- 230000007246 mechanism Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000007726 management method Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 238000013500 data storage Methods 0.000 description 3
- 239000000463 material Substances 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 238000012549 training Methods 0.000 description 3
- 238000013461 design Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003213 activating effect Effects 0.000 description 1
- 238000012824 chemical production Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention provides a fine-grained operation control method and a fine-grained operation control system for a hazardous chemical substance public information service platform, and belongs to the field of authority control of hazardous chemical substance public information service platforms. The method comprises the following steps: receiving an operation request initiated by a user; analyzing the operation request according to a fine-grained operation control strategy generation method to generate a first operation control strategy; and judging whether the operation request meets the operation control rule or not according to the first operation control strategy, if so, allowing the user to operate the corresponding data, and otherwise, not allowing the user to operate the corresponding data. The system comprises: the operation request analysis unit is used for analyzing the operation request of the user and generating a first operation control strategy; and the operation decision unit is used for judging whether the operation request meets the role attribute in the operation control rule or not according to the first operation control strategy, if so, allowing the user to operate the corresponding data, and otherwise, not allowing the user to operate the corresponding data.
Description
Technical Field
The invention relates to the field of authority control of a hazardous chemical substance public information service platform, in particular to a method for generating a fine-grained operation control strategy of the hazardous chemical substance public information service platform, a system for generating the fine-grained operation control strategy of the hazardous chemical substance public information service platform, a method for controlling the fine-grained operation of the hazardous chemical substance public information service platform and a system for controlling the fine-grained operation of the hazardous chemical substance public information service platform.
Background
In recent years, serious accidents of dangerous chemicals in the chemical industry are frequent. Chemical accidents bring huge economic losses to enterprises and individuals, cause irretrievable damage to the environment and even cause serious casualties. Therefore, the value of the dangerous chemical public information service platform is fully exerted, different users are accurately served, various requirements of the users are met, safety consciousness and capability of enterprises and the public are improved, and the problem to be solved is solved urgently.
The hazardous chemical public information service platform integrates the information of the whole life cycle of the hazardous chemical production, transportation, storage and the like, and with the wide application of big data technology, the multi-domain environment integrated data puts higher requirements on the access control of the data, and at present, there are three widely adopted access control methods: autonomous access control, mandatory access control, and role-based access control.
In the prior art, a role-based access control method is mostly adopted. And introducing a role concept, granting the authority to the role, and enabling the user to obtain the authority by activating the set role. The management efficiency is improved to a certain extent, the complexity of authorization management is reduced, the management overhead is reduced, and the flexibility is high. However, the dangerous chemical public information service platform relates to a plurality of data domains, and the existing role-based access control model cannot meet fine-grained access control in a multi-domain environment.
Data access has great hidden trouble and challenge in data security. The security problem is mainly presented in three aspects: the first is information leakage. The open internet enables massive big data to be in a naked state, domestic network equipment mainly depends on foreign technologies, and information leakage is easily caused by 'bugs' and 'backdoors'. The second is data unauthorized access, and the problem of ownership and access of data stored in a cloud disk, a big data platform and other shared platforms by multiple users with complex relationships. The third is network attack, large-scale data storage in the big data service era, which only provides a single access service interface and is easy to be attacked by hackers on a large scale, thereby affecting normal data use of large-scale users.
In summary, in order to adapt to a multi-domain environment of a hazardous chemical public information service platform and fully utilize data of the hazardous chemical public information service platform to serve enterprises and the public, a hazardous chemical public information service platform fine-grained access control method needs to be developed.
Disclosure of Invention
The invention aims to provide a fine-grained operation control method and a fine-grained operation control system for a hazardous chemical substance public information service platform, which are used for generating a role-based fine-grained operation control strategy by analyzing an operation request, using the operation control strategy as an access basis, realizing a dynamic and fine-grained authorization mechanism, ensuring the flexibility and expandability of operation control, meeting different requirements of different users on hazardous chemical substance public service information, realizing non-public and authorized access of data, ensuring the data safety, providing a plurality of access service interfaces through multi-domain access, and ensuring the normal data use of large-scale users even if the service interfaces suffer network attacks.
In order to achieve the above object, a first aspect of the present invention provides a method for generating a fine-grained operation control policy for a hazardous chemical substance public information service platform, where the method includes:
dividing the operation request into a plurality of data units, wherein each data unit represents one type of data element;
defining role attributes of data elements in the data units;
role attribute assignment is carried out on the defined role attributes;
extracting role attribute assigned data composition sets of one or more data elements in each data unit to generate an operation control strategy;
the operation control policy is used to define role attributes of the operation request. The operation request is expressed as different attribute information by such an operation control policy generation method, for example, the operation request is divided into the following items: the system comprises four data units of a main body, resources, an environment and operation, wherein the main body is an initiator of an operation request, and the resources are data requested by the operation request and comprise enterprise information, material information, accident cases, emergency response, safety service, educational training and the like; the environment is environment information contained in the operation request, and the operation is an action requested by the operation request, such as query, download, edit, and the like. The attribute information is simultaneously used as an access basis, so that a dynamic and fine-grained authorization mechanism can be ensured, and the flexibility and expandability of access control are ensured.
Optionally, the method further includes: role attribute threshold data of data elements in a data unit is set. The role attribute threshold data defines the value range of the role attribute assigned data.
The second aspect of the present invention provides a system for generating a fine-grained operation control policy for a hazardous chemical substance public information service platform, where the system includes: the data sorting module is used for dividing the operation request into a plurality of data units, and each data unit represents one type of data element;
the role attribute definition module is used for defining role attributes of the data elements in the data units;
the data assignment module is used for assigning role attributes to the defined role attributes; and
and the operation control strategy generation module is used for extracting the role attribute assigned data composition set of one or more data elements in each data unit to construct the operation control strategy, and the operation control strategy is used for limiting the role attribute of the operation request.
The system is used for expressing the operation request as different attribute information, and the attribute information is simultaneously used as an access basis, so that the realization of a dynamic and fine-grained authorization mechanism can be ensured, and the flexibility and the expandability of access control are ensured.
Optionally, the system further includes: and the role threshold data setting module is used for setting role attribute threshold data of the data elements in the data unit.
The data sorting module divides the operation request into the following parts: the operation control strategy generation system comprises four data units of a main body, resources, an environment and an operation, wherein the main body is an initiator of the operation request, the resources are data requested by the operation request, the environment is environment information contained in the operation request, the operation is an action requested by the operation request, a role attribute definition module carries out role attribute definition on the main body, the resources, the environment and the action, a data assignment module carries out role attribute assignment on role attributes corresponding to the main body, the resources, the environment and the action, and an operation control strategy generation module extracts role attribute assignments of one or more data elements from the four data units of the main body, the resources, the environment and the action to form a set to generate an operation control strategy. The operation control strategy embodies the multi-element constraint relation among the main body, the resources, the environment and the actions, and forms fine-grained access control based on the multi-element attributes.
The third aspect of the present invention provides a fine-grained operation control method for a hazardous chemical substance public information service platform, where the method includes:
receiving an operation request initiated by a user;
analyzing the operation request according to the fine-grained operation control strategy generation method to generate a first operation control strategy;
and judging whether the operation request meets role attributes in an operation control rule or not according to a first operation control strategy, if so, allowing the user to operate corresponding data, otherwise, not allowing the user to operate corresponding data, wherein the operation control rule comprises the role attributes, authorities corresponding to the role attributes and allowed data fields corresponding to the authorities.
Judging whether the operation request meets role attributes in the operation control rules according to the first operation control strategy, and the method comprises the following steps:
1) judging whether role attribute assigned data in the first operation control strategy contains a request attribute, if so, turning to the step 2); if not, turning to the step 4);
2) judging whether the first operation control strategy meets role attributes in operation control rules or not; if yes, turning to the step 3); if not, turning to the step 4);
3) merging the judgment results of all the operation control rules met by the first operation control strategy, and allowing the user to operate the data in the judgment result set;
4) the user is not allowed to operate the corresponding data.
In step 3), the merging the determination results of all the operation control rules that are satisfied by the first operation control policy includes:
acquiring role attributes corresponding to the user according to the first operation control strategy;
acquiring user authority according to all operation control rules met by the role attributes;
acquiring a data field which can be used according to the user authority;
and merging all data fields allowed to be used by the first operation control strategy to obtain a judgment result set. The operation request of the user is analyzed into a first operation control strategy, and whether the operation request can be approved or not is judged by combining with the operation control rule of the system, so that dynamic and fine-grained authorized access of data resources is realized, and the safety of the data is guaranteed.
The user authority is obtained through a role authority mapping table:
Rolei→Permissionj,i,j=1,2,3,4…;
the usable data domain is obtained according to the authority data domain mapping table:
Permissionj→data fieldk,k=1,2,3,4…;
the operation control rule is that all the usable data fields of the roles:
Rolei→data fieldk,k=1,2,3,4…。
optionally, the method further includes:
carrying out user identity authentication when a user logs in the platform;
after an operation request initiated by a user is obtained, before the operation request is analyzed into a first operation control strategy, the operation request can be approved according to an identity verification result. The identity authentication can prove the identity of a user when the user accesses the dangerous chemical public information resource service, and prevent malicious public information resource service access.
The fourth aspect of the present invention provides a fine-grained operation control system for a hazardous chemical substance public information service platform, where the system includes:
the operation request analysis unit is used for analyzing and generating a first operation control strategy for the operation request of the user according to the fine-grained operation control strategy generation method; and
and the operation decision unit is used for judging whether the operation request meets the role attribute in the operation control rule or not according to the first operation control strategy, and if so, allowing the user to operate the corresponding data. The operation request of the user is analyzed into a first operation control strategy, and whether the operation request can be approved or not is judged by combining with the operation control rule of the system, so that dynamic and fine-grained authorized access of data resources is realized, and the safety of the data is guaranteed.
Further, the operation decision unit includes:
the request attribute judging module is used for judging whether role attribute assigned data in the first operation control strategy contains a request attribute;
the operation control rule judging module is used for acquiring role attributes corresponding to the users according to the first operation control strategy, acquiring user permissions according to all operation control rules met by the role attributes and acquiring data fields allowed to be used according to the user permissions; and
and the result merging module is used for merging all the data fields allowed to be used by the first operation control strategy to obtain a judgment result set.
Optionally, the system further includes:
the domain positioning unit is used for analyzing the subject attribute assigned data and the resource attribute assigned data in the first operation control strategy and judging whether the operation request is local domain operation or cross-domain operation;
if the operation is cross-domain operation, searching the corresponding data domain and forwarding the operation request to the corresponding data domain;
the operation decision unit further comprises a cross-domain sending module, and the cross-domain sending module is used for sending the judgment result set from the local data domain to the policy execution data domain. For an information service platform for storing multiple data domains, the position of data storage is accurately acquired through domain positioning, the resource domains are quickly positioned, and multiple service interfaces are provided through multi-domain storage.
Optionally, the system further includes:
a user authentication unit to:
carrying out user identity authentication when a user logs in the platform;
after an operation request initiated by a user is obtained, the operation request can be approved according to an identity verification result. The identity authentication can prove the identity of a user when the user accesses the dangerous chemical public information resource service, and prevent malicious public information resource service access.
The fifth aspect of the invention provides a machine-readable storage medium, which stores instructions that cause a machine to execute the fine-grained operation control method for the hazardous chemical substance public information service platform.
The scheme of the invention has at least the following effects:
the operation request is analyzed to generate a role-based fine-grained operation control strategy, the operation control strategy is used as an access basis, a dynamic and fine-grained authorization mechanism is realized, the flexibility and expandability of operation control are ensured, different requirements of different users on dangerous chemical public service information are met, non-public and authorized access of data is realized, the data safety is ensured, a plurality of access service interfaces are provided through multi-domain access, and normal data use of large-scale users can be ensured even if the service interfaces are attacked by a network.
Access control is carried out on multi-domain data information of a dangerous chemical public information service platform in a simplified and flexible mode, so that the safety of the platform under open, complex and dynamic conditions is guaranteed, and the working efficiency of platform access control management is reduced; the access control rule with fine granularity improves the utilization rate of platform data information and the accuracy of service, and provides support for different users in aspects of safety education, emergency treatment and the like.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the embodiments of the invention without limiting the embodiments of the invention. In the drawings:
fig. 1 is a flowchart of a fine-grained operation control policy generation method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a fine-grained operation control policy generation system according to an embodiment of the present invention;
FIG. 3 is a flow chart of a fine-grained operation control method provided by one embodiment of the invention;
FIG. 4 is a diagram of a fine-grained access control policy of the present invention;
fig. 5 is a block diagram of a fine-grained operation control system according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
Fig. 1 is a flowchart of a fine-grained operation control policy generation method according to an embodiment of the present invention. As shown in fig. 1, the method includes:
dividing the operation request into a plurality of data units, wherein each data unit represents one type of data element;
the role attribute definition is carried out on the data elements in the data units, the role attribute definition is used for defining the data elements, and the definition determines the specific value of role attribute assigned data;
role attribute assignment is carried out on the defined role attributes, different data elements have the same role attribute assignment due to the same role attribute definition, and role attribute assigned data of one or more data elements in each data unit are extracted to form a set to generate an operation control strategy; the operation control policy is used to define role attributes of the operation request. The operation request is expressed as different attribute information by such an operation control policy generation method, for example, the operation request is divided into the following items: the system comprises four data units of a main body, resources, an environment and operation, wherein the main body is an initiator of an operation request, and the resources are data requested by the operation request and comprise enterprise information, material information, accident cases, emergency response, safety service, educational training and the like; the environment is environment information contained in the operation request, and the operation is an action requested by the operation request, such as query, download, edit, and the like. The body, resource, environment and action attribute assignment data constitute a complete operation request data. The attribute information is simultaneously used as an access basis, so that a dynamic and fine-grained authorization mechanism can be ensured, and the flexibility and expandability of access control are ensured. The operation control strategy embodies the multi-element constraint relation among the main body, the resources, the environment and the actions, and forms fine-grained access control based on the multi-element attributes.
Optionally, the method further includes: role attribute threshold data of data elements in a data unit is set. The role attribute threshold data defines the value range of the role attribute assigned data.
It should be noted that, in other embodiments of the present invention, a person skilled in the art may divide the operation request into other numbers of data units, where the more data units, the higher the degree of fine-grained generation, the more precise the control, and the more complex the control policy is, and conversely, the fewer data units, the lower the degree of fine-grained generation, the coarser the control, and the simpler the control policy is.
Fig. 2 is a block diagram of a fine-grained operation control policy generation system according to an embodiment of the present invention. As shown in fig. 2, the system includes:
the data sorting module is used for dividing the operation request into a plurality of data units, and each data unit represents one type of data element;
the role attribute definition module is used for defining role attributes of the data elements in the data units;
the data assignment module is used for assigning role attributes to the defined role attributes; and
and the operation control strategy generation module is used for extracting the role attribute assigned data composition set of one or more data elements in each data unit to construct the operation control strategy, and the operation control strategy is used for limiting the role attribute of the operation request. The system is used for expressing the operation request as different attribute information, and the attribute information is simultaneously used as an access basis, so that the realization of a dynamic and fine-grained authorization mechanism can be ensured, and the flexibility and the expandability of access control are ensured.
Optionally, the system further includes: and the role threshold data setting module is used for setting role attribute threshold data of the data elements in the data unit.
The data sorting module divides the operation request into the following parts: the operation control strategy generation system comprises four data units of a main body, resources, an environment and an operation, wherein the main body is an initiator of the operation request, the resources are data requested by the operation request, the environment is environment information contained in the operation request, the operation is an action requested by the operation request, a role attribute definition module carries out role attribute definition on the main body, the resources, the environment and the action, a data assignment module carries out role attribute assignment on role attributes corresponding to the main body, the resources, the environment and the action, and an operation control strategy generation module extracts role attribute assignments of one or more data elements from the four data units of the main body, the resources, the environment and the action to form a set to generate an operation control strategy. The operation control strategy embodies the multi-element constraint relation among the main body, the resources, the environment and the actions, and forms fine-grained access control based on the multi-element attributes.
It should be noted that, in other embodiments of the present invention, a person skilled in the art may set the data sorting module to divide the operation request into other numbers of data units, where the more data units, the higher the degree of fine-grained generation, the more accurate the control is, and the more complex the control policy is, and conversely, the fewer data units, the lower the degree of fine-grained generation, the coarser the control is, and the simpler the control policy is.
Fig. 3 is a flowchart of a fine-grained operation control method according to an embodiment of the present invention. As shown in fig. 3, the method includes:
receiving an operation request initiated by a user;
analyzing the operation request according to the fine-grained operation control strategy generation method to generate a first operation control strategy;
and judging whether the operation request meets role attributes in operation control rules or not according to the first operation control strategy, if so, allowing the user to operate corresponding data, otherwise, not allowing the user to operate corresponding data, wherein the operation control rules comprise the role attributes, authorities corresponding to the role attributes and allowed data fields corresponding to the authorities.
Judging whether the operation request meets role attributes in operation control rules according to the first operation control strategy, and the method comprises the following steps:
1) judging whether role attribute assigned data in the first operation control strategy contains a request attribute, if so, turning to the step 2); if not, turning to the step 4);
2) judging whether the first operation control strategy meets role attributes in operation control rules or not; if yes, turning to the step 3); if not, turning to the step 4);
3) merging the judgment results of all the operation control rules met by the first operation control strategy, and allowing the user to operate the data in the judgment result set;
4) the user is not allowed to operate the corresponding data.
In step 3), the merging the determination results of all the operation control rules that are satisfied by the first operation control policy includes:
acquiring role attributes corresponding to the user according to the first operation control strategy;
acquiring user authority according to all operation control rules met by the role attributes;
acquiring a data field allowed to be used according to the user authority;
and merging all data fields allowed to be used by the first operation control strategy to obtain a judgment result set.
The operation request of the user is analyzed into a first operation control strategy, and whether the operation request can be approved or not is judged by combining with the operation control rule of the system, so that dynamic and fine-grained authorized access of data resources is realized, and the safety of the data is guaranteed.
The first operation control policy embodies the role attribute of the current operation request and corresponds to a corresponding role, as shown in fig. 4, the fine-grained operation control rules of all resources in the platform can be analyzed as "role attribute → authority → data field", and the user authority is obtained through the role authority mapping table:
Rolei→Permissionj,i,j=1,2,3,4…;
the usable data domain is obtained according to the authority data domain mapping table:
Permissionj→data fieldk,k=1,2,3,4…;
the operation control rule is that all the usable data fields of the roles are as follows:
Rolei→data fieldk,k=1,2,3,4…,
so that the data field in the authority range of the operation request can be obtained according to the operation control rule.
Optionally, the method further includes: carrying out user identity authentication when a user logs in the platform;
after an operation request initiated by a user is obtained, before the operation request is analyzed into a first operation control strategy, the operation request can be approved according to an identity verification result.
The identity authentication can prove the identity of a user when the user accesses the dangerous chemical public information resource service, and prevent malicious public information resource service access. In an embodiment of the application, the identity authentication adopts a security certificate, and when a user accesses a dangerous chemical public information resource service for the first time, the user firstly applies the security certificate to the platform, and the security certificate has the function that the user can use the security certificate to prove the identity of the user when accessing the dangerous chemical public information resource service, so that malicious public information resource service access is prevented, and the authentication credential is also the identity certificate. The design has the advantage that the security certificate is trusted by the universe, so that repeated verification operations can be effectively reduced.
Fig. 5 is a block diagram of a fine-grained operation control system according to an embodiment of the present invention. As shown in fig. 5, the system includes:
the operation request analysis unit is used for analyzing the operation request of the user according to the fine-grained operation control strategy generation method to generate a first operation control strategy; and
and the operation decision unit is used for judging whether the operation request meets role attributes in operation control rules or not according to the first operation control strategy, if so, allowing the user to operate corresponding data, otherwise, not allowing the user to operate corresponding data, and the operation control rules comprise the role attributes, the authorities corresponding to the role attributes and the allowed data fields corresponding to the authorities.
The operation request of the user is analyzed into a first operation control strategy, and whether the operation request can be approved or not is judged by combining with the operation control rule of the system, so that dynamic and fine-grained authorized access of data resources is realized, and the safety of the data is guaranteed.
Further, the operation decision unit includes:
the request attribute judging module is used for judging whether role attribute assigned data in the first operation control strategy contains a request attribute;
the operation control rule judging module is used for acquiring role attributes corresponding to the users according to the first operation control strategy, acquiring user permissions according to all operation control rules met by the role attributes and acquiring data fields allowed to be used according to the user permissions; and
and the result merging module is used for merging all the data fields allowed to be used by the first operation control strategy to obtain a judgment result set.
Optionally, the system further includes:
the domain positioning unit is used for analyzing the subject attribute assigned data and the resource attribute assigned data in the first operation control strategy and judging whether the operation request is local domain operation or cross-domain operation; if the operation is cross-domain operation, searching the corresponding data domain and forwarding the operation request to the corresponding data domain;
the operation decision unit further comprises a cross-domain sending module, and the cross-domain sending module is used for sending the judgment result set from the local data domain to the policy execution data domain.
Different data fields adopt the same operation control rule, and reliable basis is provided for strategy judgment. When the user who passes the identity authentication accesses the public information resource, the operation request is forwarded to the domain positioning module, and the domain positioning module analyzes the main body attribute and the resource attribute. For an information service platform for storing multiple data domains, the position of data storage is accurately acquired through domain positioning, the resource domains are quickly positioned, and multiple service interfaces are provided through multi-domain storage.
Optionally, the system further includes a user authentication unit, configured to: carrying out user identity authentication when a user logs in the platform; after an operation request initiated by a user is obtained, the operation request can be approved according to an identity verification result. The identity authentication can prove the identity of a user when the user accesses the dangerous chemical public information resource service, and prevent malicious public information resource service access.
In an embodiment of the application, the identity authentication uses a security certificate, and when a user accesses the dangerous chemical public information resource service for the first time, the user first applies the security certificate to the platform, where the security certificate has an effect that the user can use the security certificate to prove the identity of the user when accessing the dangerous chemical public information resource service for the second and subsequent times, and the user authentication unit verifies the security certificate to implement the identity authentication, thereby preventing malicious public information resource service access, and the verified credential is also the identity certificate. The design has the advantage that the security certificate is trusted by the universe, so that repeated verification operations can be effectively reduced.
The fine-grained operation control method for the hazardous chemical public information service platform is applied to the hazardous chemical public information service platform, and when the method is applied, firstly, the hazardous chemical public resource service needs to be identified, classified and stored, and the method mainly comprises the aspects of enterprise information, material information, accident cases, emergency response, safety service, education training and the like.
And then, the user downloads the security certificate during the first access as the basis of identity authentication, and the security certificate is used as the authentication credential in the subsequent access process. And then the user inputs an operation request, for example, an operation request is inquired about SDS of a certain hazardous chemical, or information about a certain typical accident case is inquired about or an emergency disposal method of a certain hazardous chemical is downloaded, the platform judges whether the access request can be approved or not according to login and registration information of the user, if the access request can be approved, the operation request is analyzed into an operation control strategy, whether role attribute assigned data in the operation control strategy contains a request attribute or not is judged, if the role attribute assigned data contains the request attribute, whether the operation control strategy meets an operation control rule or not is judged, if the role assigned data meets the operation control rule, all data fields allowed to be used by the operation control strategy are combined to obtain a judgment result set, the user is allowed to operate the judgment result set, and if the role assigned data does not contain hazardous chemical public resource information service, the judgment result set does not allow the user to operate the hazardous chemical public resource information service.
Specifically, assuming that the operation request input by the user a is to access enterprise information related to the enterprise B, the main body of the operation request is the user a, the action is access, and the environment attribute is not limited, the resource represents enterprise information in all environment cases, assuming that the Role attribute assignment of the user a is x1, the Role attribute assignment of the access is y1, the environment is z0, and the attribute assignment of the enterprise information is r1, the operation control policy of the request is (x1, y1, z0, r1), comparing the operation control policy with the Role in all operation control rules on the platform, and there is no Role in all operation control rules on the platformiThe policy is the same, then it is determined that the request is not allowed.
Assuming that the C user inputs a request for accessing the related enterprise information of the B enterprise, and assuming that the Role attribute assignment of the C user is x2, the operation control policy of the request is (x2, y1, z0, r1), and the policy is compared with the Role in all the operation control rules on the platform, and there is the Role6The policy is the same, then it is determined that the request is allowed, that is, the C user belongs to the role set of policy rules that can access the enterprise information. C user corresponds to Role in Role set6This Role, then the C user will be assigned a Role6And if the related enterprise information of the enterprise B belongs to the data domains corresponding to the permissions E1, E2 and E3 …, the user C can access the related enterprise information of the enterprise B. The access request is refined through such a fine-grained operation control strategy.
In the above embodiment, the operation request only includes one data element in each data unit, and in practical applications, there may be two or more data elements in the same data unit. Specifically, assuming that the user C requests access to the enterprise information and the substance information of the enterprise B in another request, and assuming that the attribute assignment of the substance information is r3, the requested operation control policy includes two policies, namely policy 1: (x2, y1, z0, r1) andstrategy 2: (x2, y1, z0, r3), comparing the two policies with Role in all operation control rules on the platform respectively during the processing, wherein Role exists6Same as strategy 1, if there is no RoleiAs with policy 2, then the C user will only be granted Role6The rights E1, E2 and E3 … corresponding to the roles, the data fields corresponding to the rights E1, E2 and E3 … can be accessed by the C user, if the related enterprise information of the B enterprise belongs to the data fields corresponding to the rights E1, E2 and E3 …, the related enterprise information of the B enterprise can be accessed by the C user, and the substance information of the B enterprise cannot be accessed; if there is also Role4Like policy 2, then C user will also be given Role4And the authorities F1, F2 and F3 … corresponding to the roles, and the C user can access the data fields corresponding to the authorities F1, F2 and F3 …, at this time, E1, E2, E3 …, F1, F2 and F3 … need to be combined, and an output set { E1, E2, E3 …, F1, F2 and F3 … } is provided for the user C to access, so that the user C can access the related enterprise information and substance information of the enterprise B.
If the data fields stored by the F1, the F2 and the F3 … are different from the data fields stored by the E1, the E2 and the E3 …, cross-domain operation is involved, and the system sends { E1, E2, E3 …, F1, F2 and F3 … } to the data fields stored by the F1, F2 and F3 …, so that the execution of the access operation is facilitated.
On the other hand, the operation request is analyzed into the operation control strategy, different users have the same role attribute definition according to the organization structure, the hierarchy and the like, and the same role attribute assigned data also exists, so that the main body combination is performed to a certain extent, and the role number is reduced. For example, if H and G are the same members of a department of a certain government department, the role attribute assigned data of the main body is the same, and if the operation request has the same action, environment and resource, the authority of H and G is the same, and the accessed data field is the same.
The embodiment of the invention also provides a machine-readable storage medium, wherein the machine-readable storage medium is stored with instructions, and the instructions enable a machine to execute the fine-grained operation control method for the hazardous chemical substance public information service platform.
Those skilled in the art will appreciate that all or part of the steps in the method for implementing the above embodiments may be implemented by a program, which is stored in a storage medium and includes several instructions to enable a single chip, a chip, or a processor (processor) to execute all or part of the steps in the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
While the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the embodiments of the present invention are not limited to the details of the above embodiments, and various simple modifications can be made to the technical solution of the embodiments of the present invention within the technical idea of the embodiments of the present invention, and the simple modifications are within the scope of the embodiments of the present invention. It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, the embodiments of the present invention will not be described separately for the various possible combinations.
In addition, any combination of the various embodiments of the present invention is also possible, and the same should be considered as disclosed in the embodiments of the present invention as long as it does not depart from the spirit of the embodiments of the present invention.
Claims (16)
1. A method for generating a fine-grained operation control strategy of a hazardous chemical substance public information service platform is characterized by comprising the following steps:
dividing the operation request into a plurality of data units, wherein each data unit represents one type of data element;
defining role attributes of data elements in the data units;
role attribute assignment is carried out on the defined role attributes;
extracting the role attribute assigned data composition set of one or more data elements in each data unit generates an operation control strategy, and the operation control strategy is used for defining the role attribute of the operation request.
2. The method for generating the fine-grained operation control strategy of the hazardous chemical substance public information service platform according to claim 1, further comprising: role attribute threshold data of data elements in a data unit is set.
3. The method for generating the fine-grained operation control strategy of the hazardous chemical substance public information service platform according to claim 1, wherein the data unit comprises: subject, resource, environment, and operation; the main body is an initiator of the operation request, the resource is data requested by the operation request, the environment is environment information contained in the operation request, and the operation is an action requested by the operation request.
4. A system for generating a fine-grained operation control strategy of a hazardous chemical substance public information service platform is characterized by comprising:
the data sorting module is used for dividing the operation request into a plurality of data units, and each data unit represents one type of data element;
the role attribute definition module is used for defining role attributes of the data elements in the data units;
the data assignment module is used for assigning role attributes to the defined role attributes; and
and the operation control strategy generation module is used for extracting the role attribute assigned data composition set of one or more data elements in each data unit to generate the operation control strategy, and the operation control strategy is used for limiting the role attribute of the operation request.
5. The system for generating fine-grained operation control strategies for hazardous chemical substances public information service platforms according to claim 4, further comprising:
and the role threshold data setting module is used for setting role attribute threshold data of the data elements in the data unit.
6. The system for generating fine-grained operation control strategies for hazardous chemical substances public information service platforms according to claim 4, wherein the data unit comprises: subject, resource, environment, and operation; the main body is an initiator of the operation request, the resource is data requested by the operation request, the environment is environment information contained in the operation request, and the operation is an action requested by the operation request.
7. A fine-grained operation control method for a hazardous chemical substance public information service platform is characterized by comprising the following steps:
receiving an operation request initiated by a user;
the fine-grained operation control strategy generation method according to any one of claims 1 to 6, analyzing the operation request to generate a first operation control strategy;
and judging whether the operation request meets role attributes in operation control rules or not according to the first operation control strategy, if so, allowing the user to operate corresponding data, otherwise, not allowing the user to operate corresponding data, wherein the operation control rules comprise the role attributes, authorities corresponding to the role attributes and allowed data fields corresponding to the authorities.
8. The fine-grained operation control method for the hazardous chemical substance public information service platform according to claim 7, wherein the step of judging whether the operation request meets role attributes in operation control rules according to the first operation control policy comprises the following steps:
1) judging whether role attribute assigned data in the first operation control strategy contains a request attribute, if so, turning to the step 2); if not, turning to the step 4);
2) judging whether the first operation control strategy meets role attributes in operation control rules or not; if yes, turning to the step 3); if not, turning to the step 4);
3) merging the judgment results of all the operation control rules met by the first operation control strategy, and allowing the user to operate the data in the judgment result set;
4) the user is not allowed to operate the corresponding data.
9. The fine-grained operation control method for the hazardous chemical substance public information service platform according to claim 8, wherein in step 3), the merging the determination results of all the operation control rules satisfied by the first operation control policy includes:
acquiring role attributes corresponding to the user according to the first operation control strategy;
acquiring user authority according to all operation control rules met by the role attributes;
acquiring a data field which can be used according to the user authority;
and merging all data fields allowed to be used by the first operation control strategy to obtain a judgment result set.
10. The fine-grained operation control method for the hazardous chemical substance public information service platform according to claim 9, wherein the user right is obtained through a role right mapping table:
Rolei→Permissionj,i,j=1,2,3,4…;
the usable data domain is obtained according to the authority data domain mapping table:
Permissionj→data fieldk,k=1,2,3,4…;
the operation control rule is that all the usable data fields of the roles are as follows:
Rolei→data fieldk,k=1,2,3,4…。
11. the fine-grained operation control method for the hazardous chemical substance public information service platform according to claim 7, further comprising:
carrying out user identity authentication when a user logs in the platform;
after an operation request initiated by a user is obtained, before the operation request is analyzed into a first operation control strategy, the operation request can be approved according to an identity verification result.
12. A fine-grained operation control system of a hazardous chemical substance public information service platform is characterized by comprising:
an operation request analysis unit, configured to analyze an operation request of a user according to the fine-grained operation control policy generation method according to any one of claims 1 to 6, and generate a first operation control policy; and
and the operation decision unit is used for judging whether the operation request meets role attributes in operation control rules according to the first operation control strategy, if so, allowing the user to operate corresponding data, otherwise, not allowing the user to operate corresponding data, and the operation control rules comprise the role attributes, the authorities corresponding to the role attributes and the allowed data fields corresponding to the authorities.
13. The fine-grained operation control system for the hazardous chemical substance public information service platform according to claim 12, wherein the operation decision unit comprises:
the request attribute judging module is used for judging whether role attribute assigned data in the first operation control strategy contains a request attribute;
the operation control rule judging module is used for acquiring role attributes corresponding to the users according to the first operation control strategy, acquiring user permissions according to all operation control rules met by the role attributes and acquiring data fields allowed to be used according to the user permissions;
and the result merging module is used for merging all the data fields allowed to be used by the first operation control strategy to obtain a judgment result set.
14. The fine-grained operation control system for the common information service platform of hazardous chemicals according to claim 13, further comprising:
a domain positioning unit, configured to analyze body attribute assigned data and resource attribute assigned data in the first operation control policy, and determine whether the operation request is a local domain operation or a cross-domain operation; if the operation is cross-domain operation, searching the corresponding data domain and forwarding the operation request to the corresponding data domain;
the operation decision unit further comprises a cross-domain sending module, and the cross-domain sending module is used for sending the judgment result set from the local data domain to the policy execution data domain.
15. The fine-grained operation control system for the common information service platform of hazardous chemicals according to claim 12, further comprising:
a user authentication unit to:
carrying out user identity authentication when a user logs in the platform;
after an operation request initiated by a user is obtained, the operation request can be approved according to an identity verification result.
16. A machine-readable storage medium having stored thereon instructions for causing a machine to execute the fine-grained operation control method for a hazardous chemical substance public information service platform according to any one of claims 7 to 11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010562091.3A CN113824673A (en) | 2020-06-18 | 2020-06-18 | Fine-grained operation control method and system for hazardous chemical substance public information service platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010562091.3A CN113824673A (en) | 2020-06-18 | 2020-06-18 | Fine-grained operation control method and system for hazardous chemical substance public information service platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113824673A true CN113824673A (en) | 2021-12-21 |
Family
ID=78911942
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010562091.3A Pending CN113824673A (en) | 2020-06-18 | 2020-06-18 | Fine-grained operation control method and system for hazardous chemical substance public information service platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113824673A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103404093A (en) * | 2011-02-21 | 2013-11-20 | 日本电气株式会社 | Communication system, database, control device, communication method and program |
| CN104967620A (en) * | 2015-06-17 | 2015-10-07 | 中国科学院信息工程研究所 | Access control method based on attribute-based access control policy |
| CN109165516A (en) * | 2018-08-14 | 2019-01-08 | 中国银联股份有限公司 | A kind of access control method and device |
| CN109918924A (en) * | 2019-02-02 | 2019-06-21 | 北京奇安信科技有限公司 | The control method and system of dynamic access permission |
-
2020
- 2020-06-18 CN CN202010562091.3A patent/CN113824673A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103404093A (en) * | 2011-02-21 | 2013-11-20 | 日本电气株式会社 | Communication system, database, control device, communication method and program |
| CN104967620A (en) * | 2015-06-17 | 2015-10-07 | 中国科学院信息工程研究所 | Access control method based on attribute-based access control policy |
| CN109165516A (en) * | 2018-08-14 | 2019-01-08 | 中国银联股份有限公司 | A kind of access control method and device |
| CN109918924A (en) * | 2019-02-02 | 2019-06-21 | 北京奇安信科技有限公司 | The control method and system of dynamic access permission |
Non-Patent Citations (2)
| Title |
|---|
| 房璐: "基于资源和属性的访问控制模型研究及应用", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
| 王继业等: "基于细粒度访问控制的大数据安全防护方法", 《计算机技术与发展》 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20180054460A1 (en) | Techniques to provide network security through just-in-time provisioned accounts | |
| US7188254B2 (en) | Peer-to-peer authorization method | |
| Ghosh et al. | SoftAuthZ: A context-aware, behavior-based authorization framework for home IoT | |
| EP3805962B1 (en) | Project-based permission system | |
| WO2011162750A1 (en) | Authorization control | |
| CN106101074B (en) | A kind of sacurity dispatching method based on user's classification towards big data platform | |
| CN116049884A (en) | Data desensitization method, system and medium based on role access control | |
| CN115549973A (en) | Zero-trust dynamic access control method based on GBDS user credibility evaluation | |
| Ullah et al. | TCloud: a dynamic framework and policies for access control across multiple domains in cloud computing | |
| WO2016014079A1 (en) | Constraining authorization tokens via filtering | |
| Martinelli et al. | Too long, did not enforce: a qualitative hierarchical risk-aware data usage control model for complex policies in distributed environments | |
| Hasani et al. | Criteria specifications for the comparison and evaluation of access control models | |
| Ghazinour et al. | An autonomous model to enforce security policies based on user's behavior | |
| Wang et al. | A trust and attribute-based access control framework in internet of things | |
| JP4723930B2 (en) | Compound access authorization method and apparatus | |
| CN113824673A (en) | Fine-grained operation control method and system for hazardous chemical substance public information service platform | |
| Shetty et al. | Policy-Based access control scheme for securing hadoop ecosystem | |
| Mutti et al. | Policy specialization to support domain isolation | |
| Obelheiro et al. | Role-based access control for CORBA distributed object systems | |
| Menaka et al. | An Enhancement Role and Attribute Based Access Control Mechanism in Big Data. | |
| CN105653928A (en) | Service denial detection method for large data platform | |
| Lonetti et al. | Issues and Challenges of Access Control in the Cloud. | |
| Khan et al. | Fuzzy User Access Trust Model for Cloud Access Control. | |
| Chaimaa et al. | A Dynamic Access Control Model for Cloud Computing Environments | |
| US9774446B1 (en) | Managing use of security keys |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20211221 |
|
| RJ01 | Rejection of invention patent application after publication |