CN114048508A - Tag-based information asset mandatory access control method - Google Patents

Info

Publication number
CN114048508A
Authority
CN
China
Prior art keywords
label
tag
access
tags
main body
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111391992.1A
Other languages
Chinese (zh)
Inventor
蒋旭
吴国勇
李涛
谭炜波
柴力伟
李晓雪
王超
王传铭
王德鑫
丁岩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shenzhou Aerospace Software Technology Co ltd
Original Assignee
Beijing Shenzhou Aerospace Software Technology Co ltd
Application filed by Beijing Shenzhou Aerospace Software Technology Co ltd
Priority to CN202111391992.1A
Publication of CN114048508A
Legal status: Pending

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a tag-based mandatory access control method for information assets, comprising the following steps: defining a custom tag management system and determining the tag types, definitions and tag levels; tagging the information assets, assigning them tags that fit the business; assigning tags to subjects, that is, determining the accessing subjects and tagging them; constructing access policies for the tags, with filtering rules set for the different tag types; and constructing an information asset access filter that matches the tags carried by the subject against the tags carried by the object according to the tags' filtering rules, allowing access if the tags are within the scope of authority and denying access otherwise. A tag access control policy is introduced on top of the mandatory access control mechanism; tag-based access control gives fine-grained control over information assets, supports object-level and row-level permission control, and provides a stronger guarantee for the security of the data assets.

Description

Tag-based information asset mandatory access control method
Technical Field
The invention relates to the field of computer software databases, in particular to a label-based information asset mandatory access control method.
Background
The system determines whether a subject can access an object by comparing the access tags of the subject and the object. A user's program cannot change its own security label or that of any other object; only the administrator can determine the access rights of users and groups.
Mandatory access control is mostly applied in the security field and is mostly oriented to access to information of different levels: the system determines a subject's access right to an object according to the degree of trust placed in the subject and the confidentiality or sensitivity of the information contained in the object, and the control is implemented by assigning security labels to subjects and objects. This approach is limited and does not support other scenarios, such as when access to a particular type of information asset is required.
Discretionary access control has certain limitations for actively authorizing data assets: when data assets in different data tables need to be authorized, a large amount of authorization information often has to be recorded to mark the permissions, which becomes very complex when there are many applicants and applications.
Disclosure of Invention
In view of the above, the present invention has been made to provide a tag-based information asset mandatory access control method that overcomes or at least partially solves the above problems.
According to one aspect of the present invention, there is provided a tag-based mandatory access control method for information assets, which applies a mandatory access control policy using tag matching rules between subject and object. The control method includes:
defining a custom tag management system, and determining the tag types, definitions and tag levels;
tagging the information assets, assigning them tags that fit the business;
assigning tags to subjects: determining the accessing subjects and tagging them;
constructing access policies for the tags, and setting filtering rules for the different tag types;
constructing an information asset access filter, which matches the tags carried by the subject against the tags carried by the object according to the tags' filtering rules, and allows access if the tags are within the scope of authority; otherwise, access is denied.
Optionally, the tag types specifically include:
enumerated tags, which form a tag set; the tags in the set belong to one business set and are unrelated to each other;
value range tags, which are tags with different levels and different value ranges;
hierarchical tags, which are tags classified by hierarchy level.
Optionally, constructing access policies for the tags and setting filtering rules for the different tag types specifically includes:
for enumerated tags, the filtering policy is direct matching: data can be returned when the tags of the subject and the object match;
for value range tags, the filtering policy is level matching: if the subject's tag is higher than the object's, data is returned; otherwise, no data is returned;
for hierarchical tags, the filtering policy is that a parent tag can access its child tags; otherwise, no data is returned.
Optionally, constructing the information asset access filter, matching the tags carried by the subject against the tags carried by the object according to the tags' filtering rules, and allowing access if the tags are within the scope of authority specifically includes:
an executing program subject accesses the information assets through a standard computer language;
obtaining the tags carried by the executing program subject, giving the subject tags;
determining the corresponding filtering policy according to the type of each subject tag;
using a compiler to perform lexical and syntactic analysis on the statement in the computer language, forming a syntax tree;
obtaining the syntax tree nodes converted from the tag information, and reconstructing the abstract syntax tree;
converting the abstract syntax tree into a RelNode tree, and converting the RelNode tree into a physical execution plan;
connecting to the data source, performing the computation according to the query plan, and converting the physical execution plan into a program that can be executed on the specific platform;
after execution finishes, obtaining the resulting information assets and returning the result.
The invention provides a tag-based mandatory access control method for information assets, which applies a mandatory access control policy using tag matching rules between subject and object. The control method comprises the following steps: defining a custom tag management system and determining the tag types, definitions and tag levels; tagging the information assets, assigning them tags that fit the business; assigning tags to subjects, that is, determining the accessing subjects and tagging them; constructing access policies for the tags, with filtering rules set for the different tag types; and constructing an information asset access filter that matches the tags carried by the subject against the tags carried by the object according to the tags' filtering rules, allowing access if the tags are within the scope of authority and denying access otherwise. A tag access control policy is introduced on top of the mandatory access control mechanism; tag-based access control gives fine-grained control over information assets, supports object-level and row-level permission control, and provides a stronger guarantee for the security of the data assets.
The foregoing is only an overview of the technical solutions of the present invention; specific embodiments are described below so that the technical means of the invention can be understood more clearly and its above and other objects, features and advantages become more apparent.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a tag-based mandatory access control method for information assets according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprises" and "comprising," and any variations thereof, in the present description and claims and drawings are intended to cover a non-exclusive inclusion, such as a list of steps or elements.
The technical solution of the present invention is further described in detail with reference to the accompanying drawings and embodiments.
As shown in Fig. 1, a tag-based mandatory access control method for information assets, which applies a mandatory access control policy using tag matching rules between subject and object, includes:
Defining a custom tag management system, and determining the tag types, definitions and levels.
The tag types specifically include: enumerated tags, which form a tag set whose tags belong to one business set and are unrelated to each other, such as gender tags; value range tags, which are tags with different levels and different value ranges, such as security classification tags; and hierarchical tags, which are tags classified by hierarchy level, such as organization tags and region tags.
Tagging the information assets, assigning them tags that fit the business;
assigning tags to subjects: determining the accessing subjects and tagging them;
constructing access policies for the tags, and setting filtering rules for the different tag types;
for enumerated tags, the filtering policy is direct matching: data can be returned when the tags of the subject and the object match; for value range tags, the filtering policy is level matching: if the subject's tag is higher than the object's, data is returned; otherwise, no data is returned; for hierarchical tags, the filtering policy is that a parent tag can access its child tags; otherwise, no data is returned.
Constructing an information asset access filter, which matches the tags carried by the subject against the tags carried by the object according to the tags' filtering rules, and allows access if the tags are within the scope of authority; otherwise, access is denied.
An executing program subject accesses the information assets through a standard computer language;
obtaining the tags carried by the executing program subject, giving the subject tags;
determining the corresponding filtering policy according to the type of each subject tag: the executing subject is determined, the tags it carries are obtained, the filtering policy matching each tag's type (enumerated, value range or hierarchical) is looked up, and filter conditions are generated according to that policy. For an enumerated tag, the filter condition simply carries the tag itself. Value range tags are filtered by level: a filtering range is generated from the tag definition, that is, the interval the tag falls in. For hierarchical tags, if the subject carries a parent tag, the filter condition must include all subordinate child tags of that parent tag.
Using a compiler to perform lexical and syntactic analysis on the statement in the computer language, forming a syntax tree; obtaining the syntax tree nodes converted from the tag information, and reconstructing the abstract syntax tree; converting the abstract syntax tree into a RelNode tree, and converting the RelNode tree into a physical execution plan; connecting to the data source, performing the computation according to the query plan, and converting the physical execution plan into a program that can be executed on the specific platform. This step mainly converts the physical execution plan into a program executable on the specific platform, for example a full-table scan of the information assets, filtering by the filter conditions, and data aggregation. After execution finishes, the resulting information assets are obtained and the result is returned.
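The three filter conditions described above, applied as a row-level filter; this is an added example, not code from the patent. It attaches the predicate to a fixed query with bound parameters rather than rewriting a syntax tree as the description does, and the tag names, table layout and sample rows are constructed. Treating an equal level as readable, and returning nothing when the subject lacks a tag type, are assumptions the text does not settle.

```python
import sqlite3

# Constructed tag system (assumption), one tag per type named in the description.
LEVELS = {"public": 0, "internal": 1, "secret": 2}                   # value range tag
ORG_CHILDREN = {"hq": ["hq/rd", "hq/sales"], "hq/rd": ["hq/rd/db"]}  # hierarchical tag


def allowed_levels(level):
    """Value range rule: every level the subject's level reaches.
    Equal levels count as readable here (assumption; the text says "higher")."""
    if level not in LEVELS:
        return []
    return [name for name, rank in LEVELS.items() if rank <= LEVELS[level]]


def descendants(tag):
    """Hierarchical rule: a parent tag expands to itself plus all child tags."""
    out, stack = [], [tag]
    while stack:
        current = stack.pop()
        out.append(current)
        stack.extend(ORG_CHILDREN.get(current, []))
    return out


def in_clause(column, values):
    """Build `column IN (?, ...)`. Column names are fixed in this file; tag
    values are always bound parameters, never spliced into the SQL text."""
    if not values:
        return "0", []  # fail closed when a tag type is missing (assumption)
    return f"{column} IN ({','.join('?' * len(values))})", list(values)


def build_filter(subject):
    """Translate the subject's tags into one row-level predicate."""
    parts = [
        in_clause("biz", sorted(subject.get("biz", []))),          # enumerated
        in_clause("level", allowed_levels(subject.get("level"))),  # value range
        in_clause("org", descendants(subject["org"]) if "org" in subject else []),
    ]
    return " AND ".join(p[0] for p in parts), [v for p in parts for v in p[1]]


def make_db():
    """In-memory table of constructed, already tagged assets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE asset (name TEXT, biz TEXT, level TEXT, org TEXT)")
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?, ?)", [
        ("budget", "finance", "secret", "hq"),
        ("payroll", "finance", "internal", "hq/sales"),
        ("schema", "tech", "internal", "hq/rd/db"),
        ("roadmap", "tech", "public", "hq/rd"),
        ("handbook", "finance", "public", "hq/rd"),
    ])
    return conn


def query_assets(conn, subject):
    """Run the asset query with the subject's tag filter attached."""
    where, params = build_filter(subject)
    rows = conn.execute(f"SELECT name FROM asset WHERE {where} ORDER BY name", params)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(query_assets(db, {"biz": ["tech"], "level": "internal", "org": "hq/rd"}))
    print(query_assets(db, {"biz": ["tech"], "level": "secret"}))  # no org tag
```

A subject tagged `hq/rd` sees rows tagged `hq/rd` and `hq/rd/db` but not rows tagged with the parent `hq`, which is the parent-to-child direction the hierarchical rule requires.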
Beneficial effects:
the invention introduces a tag access control policy on top of a mandatory access control mechanism; tag-based access control gives fine-grained control over information assets, supports object-level and row-level permission control, and provides a stronger guarantee for the security of data assets;
access control is based on tag policies, and the tag policies are user-configurable, so permission control of information assets is more flexible and supports different authorization modes for assets in multiple scenarios;
the query implementation for information assets supports multiple types of data sources, so permission filtering of information assets is achieved across multiple types of data sources.
The above embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, it should be understood that the above embodiments are merely exemplary embodiments of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (4)

1. A tag-based mandatory access control method for information assets, characterized in that a mandatory access control policy is applied using tag matching rules between subject and object, wherein the control method comprises the following steps:
defining a custom tag management system, and determining the tag types, definitions and tag levels;
tagging the information assets, assigning them tags that fit the business;
assigning tags to subjects: determining the accessing subjects and tagging them;
constructing access policies for the tags, and setting filtering rules for the different tag types;
constructing an information asset access filter, which matches the tags carried by the subject against the tags carried by the object according to the tags' filtering rules, and allows access if the tags are within the scope of authority; otherwise, access is denied.
2. The tag-based mandatory access control method for information assets according to claim 1, wherein the tag types specifically include:
enumerated tags, which form a tag set; the tags in the set belong to one business set and are unrelated to each other;
value range tags, which are tags with different levels and different value ranges;
hierarchical tags, which are tags classified by hierarchy level.
3. The tag-based mandatory access control method for information assets according to claim 2, wherein constructing access policies for the tags and setting filtering rules for the different tag types specifically comprises:
for enumerated tags, the filtering policy is direct matching: data can be returned when the tags of the subject and the object match;
for value range tags, the filtering policy is level matching: if the subject's tag is higher than the object's, data is returned; otherwise, no data is returned;
for hierarchical tags, the filtering policy is that a parent tag can access its child tags; otherwise, no data is returned.
4. The method as claimed in claim 1, wherein constructing the information asset access filter, matching the tags carried by the subject against the tags carried by the object according to the tags' filtering rules, and allowing access if the tags are within the scope of authority specifically comprises:
an executing program subject accesses the information assets through a standard computer language;
obtaining the tags carried by the executing program subject, giving the subject tags;
determining the corresponding filtering policy according to the type of each subject tag;
using a compiler to perform lexical and syntactic analysis on the statement in the computer language, forming a syntax tree;
obtaining the syntax tree nodes converted from the tag information, and reconstructing the abstract syntax tree;
converting the abstract syntax tree into a RelNode tree, and converting the RelNode tree into a physical execution plan;
connecting to the data source, performing the computation according to the query plan, and converting the physical execution plan into a program that can be executed on the specific platform;
after execution finishes, obtaining the resulting information assets and returning the result.
CN202111391992.1A 2021-11-23 2021-11-23 Tag-based information asset mandatory access control method Pending CN114048508A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111391992.1A CN114048508A (en) 2021-11-23 2021-11-23 Tag-based information asset mandatory access control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111391992.1A CN114048508A (en) 2021-11-23 2021-11-23 Tag-based information asset mandatory access control method

Publications (1)

Publication Number Publication Date
CN114048508A true CN114048508A (en) 2022-02-15

Family

ID=80210897

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111391992.1A Pending CN114048508A (en) 2021-11-23 2021-11-23 Tag-based information asset mandatory access control method

Country Status (1)

Country Link
CN (1) CN114048508A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065529A (en) * 2022-06-13 2022-09-16 北京寰宇天穹信息技术有限公司 Access control method based on credible label fusing host and object key information
CN115065529B (en) * 2022-06-13 2023-11-03 北京寰宇天穹信息技术有限公司 Access control method based on trusted tag fusing key information of host and guest
CN116089987A (en) * 2023-04-07 2023-05-09 北京元数智联技术有限公司 Data leakage protection method, device and equipment
CN116662373A (en) * 2023-07-27 2023-08-29 天津神舟通用数据技术有限公司 Data access control method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN114048508A (en) Tag-based information asset mandatory access control method
Ashley et al. E-P3P privacy policies and privacy authorization
Siponen An analysis of the recent IS security development approaches: descriptive and prescriptive implications
US20060277594A1 (en) Policy implementation delegation
Seifermann et al. Detecting violations of access control and information flow policies in data flow diagrams
KR20030096310A (en) Method, system, and program product for permission to access software
KR20120117018A (en) Controlling resource access based on resource properties
KR20060088013A (en) Integration of a non-relational query language with a relational data store
Villarroel et al. Secure information systems development–a survey and comparison
Cheney et al. An analytical survey of provenance sanitization
Kim et al. A feature-based approach for modeling role-based access control systems
US8190673B2 (en) Enforcement of object permissions in enterprise resource planning software
Ghani et al. A Pursuit of Sustainable Privacy Protection in Big Data Environment by an Optimized Clustered-Purpose Based Algorithm.
El Hadj et al. Formal approach to detect and resolve anomalies while clustering ABAC policies
Abd-Ali et al. A Metamodel for Hybrid Access Control Policies.
CN106020923A (en) SELinux strategy compiling method and system
CN116032579A (en) Access control system and method based on ABAC model
Sladić et al. Flexible access control framework for MARC records
KR101220014B1 (en) Security critical data containers
El Ouazzani et al. Dynamic management of data warehouse security levels based on user profiles
US7624374B2 (en) Readers and scanner design pattern
Belokosztolszki Role-based access control policy administration
Pechenkin et al. Application of deep neural networks for security analysis of digital infrastructure components
Abdelgawad et al. Synthesizing and Analyzing Attribute-Based Access Control Model Generated from Natural Language Policy Statements
US9507929B1 (en) Decentralized information flow securing method and system for multilevel security and privacy domains

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination