CN114969809A - Cross-domain multi-source information access control method and system based on process engine - Google Patents

Cross-domain multi-source information access control method and system based on process engine Download PDF

Info

Publication number
CN114969809A
CN114969809A CN202210494218.1A CN202210494218A CN114969809A CN 114969809 A CN114969809 A CN 114969809A CN 202210494218 A CN202210494218 A CN 202210494218A CN 114969809 A CN114969809 A CN 114969809A
Authority
CN
China
Prior art keywords
information
engine
model
cross
role
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210494218.1A
Other languages
Chinese (zh)
Inventor
陈晨
刘文军
姜炳雨
冯帝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Lixing Information Technology Co ltd
Original Assignee
Suzhou Lixing Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Lixing Information Technology Co ltd filed Critical Suzhou Lixing Information Technology Co ltd
Priority to CN202210494218.1A priority Critical patent/CN114969809A/en
Publication of CN114969809A publication Critical patent/CN114969809A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cross-domain multi-source information access control method and a system based on a process engine, which comprises the following steps: establishing a process engine, and formulating a standard specification based on the process engine to obtain a process model; establishing an authority engine, and constructing a role control model based on a process model; establishing a unified authentication platform, authenticating the role identity in the process model through the process model, and obtaining the shared resource information of the role identity in the process model; based on the shared resource information, adopting an identification analysis technology to obtain shared information; and calculating shared information by adopting a flow model and a role control model to obtain a resource information set. And information barriers are opened, and the data value is improved. For information with different sensitivities and distributed in different use units, the sharing and the confidentiality of the information can be ensured.

Description

Cross-domain multi-source information access control method and system based on process engine
Technical Field
The invention relates to the technical field of computers, in particular to a cross-domain multi-source information access control method and a cross-domain multi-source information access control system based on a process engine.
Background
With the deep development of digital technologies such as informatization, networking, intellectualization and the like, the trend of social digitization is more and more obvious, and various industries actively use modern means to establish a large-scale computer management information system and improve the working efficiency. However, because the top-level design and planning are lacked in early construction, the use units all use respective applications as cores, and are not effectively fused, and the problems of ordered collection, deep sharing, association analysis and efficient utilization of the information islands, the data chimneys and the like are not realized, so that the full play of the value and the vitality of the data resources is restricted. Meanwhile, with the construction of the system and the summarization and concentration of data, the requirements on the safety management and control of the digital assets are more and more.
Disclosure of Invention
In order to solve the problem that interconnection and intercommunication among data information have limitations in the prior art, the invention provides a cross-domain multi-source information management method and a cross-domain multi-source information management system based on a process engine and authority control. For information with different sensitivities and distributed in different use units, the sharing and the confidentiality of the information can be ensured.
In order to achieve the above object, the present invention provides a cross-domain multi-source information access control method based on a process engine, including:
s1, establishing a process engine, and formulating a standard specification based on the process engine to obtain a process model;
s2, establishing an authority engine, and establishing a role control model based on the process model;
s3, establishing a unified authentication platform, authenticating the role identity in the process model through the process model, and obtaining the shared resource information of the role identity in the process model;
s4, based on the shared resource information, adopting an identification analysis technology to obtain shared information;
and S5, calculating the shared information by adopting the process model and the role control model to obtain a resource information set.
Optionally, the process of constructing the flow model includes:
s101, defining a process node, wherein the process node is an activity in the process;
s102, defining metadata of all the process nodes;
s103, defining an incidence relation, and describing the relation between the information objects of the process nodes by adopting the incidence relation so as to support incidence inquiry and obtain the process model.
Optionally, the role control model uses resource management of the system as a core, and adopts a role-based access control technology to support a centralized authorization and a hierarchical authorization mechanism.
Optionally, the identifier resolution technology includes identifier registration and identifier resolution.
The invention also provides a cross-domain multi-source information access control system based on the process engine, which comprises the following steps: the system comprises a process engine module, a permission engine module, a unified authentication module, an identification tool module and a resource calculation engine module;
the process engine module is used for establishing a process model;
the authority engine module is used for providing information authorization;
the unified authentication module is used for managing the centralized account;
the identification tool module is used for realizing cross-industry, cross-region and cross-country information sharing;
the resource calculation engine module is used for carrying out validity check on the identity of the visitor.
Optionally, the process engine module establishes a process model according to industry or product standard specifications.
Optionally, the permission engine module takes resource management of the system as a core, and supports a centralized authorization and hierarchical authorization mechanism by using a role-based access control technology.
Optionally, the resource calculation engine module checks the identity of the visitor by calling a role control model.
The invention has the following technical effects:
1. and (4) information sharing. By means of the identification coding resource and the identification analysis system, identification data management and data sharing and sharing across enterprises, industries, regions and countries are developed, information barriers are opened, and data value is improved.
2. Flexible and expandable. The process model and the role control can be individually configured in the system by management personnel according to the data type and the requirements of the service system.
3. And (4) information security. For the information with different sensitivities and distributed in different use units, the sharing and the sharing can be realized, and the confidentiality of the information can be ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
FIG. 1 is a flow chart of a cross-domain multi-source information access control method based on a flow engine according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a role-based privilege control according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a unified authentication performed by the unified authentication platform according to an embodiment of the present invention;
FIG. 4 is an interaction diagram of identity registration according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating resource calculation according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
As shown in fig. 1, the present invention discloses a cross-domain multi-source information access control method based on a process engine, which comprises:
s1, establishing a process engine, and formulating a standard specification based on the process engine to obtain a process model;
firstly, defining flow nodes, metadata of the flow nodes and an incidence relation among the flow nodes according to the actual situation of information circulation. The process node is a set of specific activities and attributes in the process; the metadata of the process node is data describing data, such as: the order data refers to data such as order number and creation time of each order, and the metadata of the order data is data describing the order data, namely, which fields the order data has, what types the fields are, and the like; and defining the association relationship of the process nodes, and describing the association relationship of the information objects among the process nodes by using the process relationship so as to support association query. The flow direction relationship between enterprise data is really existed in an enterprise information system and is easy to obtain, but the association relationship between the enterprise data and a process model is generally logical, and the logical relationship can be obtained generally by crossing departments or systems, so that the relationship needs to be established for the enterprise data through a process engine.
Then, based on the process engine, a primary establishment mode from bottom to top and a secondary establishment mode from top to bottom are adopted, standard specifications are formulated according to actual conditions of industries and enterprises, so that the relation with the actual conditions of the enterprises is easier to establish, the standard specifications are established imperfectly, and the cooperation cannot be carried out.
And finally, constructing a flow model by adopting a flow designer, wherein the flow designer adopts Web pure JS, programming is not needed, flow editing is completed in a mouse dragging, pulling and dragging mode, and the editing environment can be used for constructing a flow model diagram and carrying out various attribute configurations on basic flow elements in the flow model.
S2, establishing an authority engine, and establishing a role control model based on the process model;
based on the process model established in S1, sensitive information in the process model should be controlled. Specifically, in this embodiment, the whole life cycle of the device may be divided into links such as device design, operation and maintenance, production, and use, and classification and partition analysis are required for information of different links, so as to realize efficient collaboration among device manufacturers, device service providers, and device users on the premise of ensuring data security. Therefore, a role control model needs to be established in the process model, the user and the enterprise data are separated through the role control model, the user corresponds to the role to which the user belongs, and the connection between the user and the information resource is realized through the authorized role.
As shown in fig. 2, the role control model uses resource management of the system as a core, and adopts a role-based access control technology to support a centralized authorization and a hierarchical authorization mechanism. Namely: the process, the process nodes, the metadata and the information resources are allocated to different roles by analyzing the actual conditions of the business, and the enterprise selects a subscription process model according to the application scene and carries out role authentication, thereby realizing centralized authorization and hierarchical authorization and protecting sensitive information. Therefore, the enterprise user can inherit the corresponding information resource from the possessed role, and the control of the sensitive information becomes simpler.
S3, establishing a unified authentication platform, authenticating the role identity in the process model through the process model, and obtaining the shared resource information of the role identity in the process model;
due to the early lack of top-level design, a set of account management systems exists in each system of many enterprises or departments. However, since these systems all work independently and the systems are not communicated with each other, embodiments of the present invention provide a unified authentication platform, which associates systems having unified user groups with certain information resources, exchanges authentication information through a certain channel, and implements a sharing mechanism of authentication relationships on the basis of ensuring the security of user information. Meanwhile, the unified authentication platform can perform centralized account management, integrate account information of each system, realize centralized unified management of the life cycle of the user account, realize enterprise unified access authentication, and inherit the shared resource information of the role identity in the process model by subscribing the process model constructed by the process engine and authenticating the role identity of the enterprise in the corresponding process after the enterprise access authentication. The management complexity of the user and the account is simplified, and the safety risk of system management is reduced.
Specifically, in the present embodiment, as shown in fig. 3,
s301, an enterprise user accesses a service system to request enterprise registration;
s302, the business system redirects the enterprise user to the unified authentication platform and carries a callback address;
s303, in a page provided by the unified authentication platform, an enterprise user inputs enterprise registration information, submits a registration request, the unified authentication platform submits the enterprise registration information to an identifier resolution secondary IDIS system for grade-by-grade auditing, and an effective token is generated and is sent to a service system, and the operation proceeds to S304; and if the enterprise registration information is invalid to be checked, the enterprise user continues to authenticate until the enterprise user successfully authenticates or the enterprise user actively quits.
S304, based on the token obtained in S303, the service system carries the token to call the API interface to perform validity check, and obtains the identity information of the enterprise user.
S305, if the token passes the validity check, issuing a valid token, returning the enterprise user identity information corresponding to the token to the service system by the unified authentication platform, writing the enterprise user identity information and the valid token into a session state by the service system, and allowing the enterprise user to perform various operations of the service system by using the enterprise user identity information, including acquiring shared resource information in the flow model; if the token fails the validity check, the token is redirected to the unified authentication platform again, and the process returns to S303.
S4, based on the shared resource information, adopting an identification analysis technology to obtain shared information;
at present, enterprises have a lot of data, and hope to perform statistical analysis, decision making and the like through data analysis, the data is certain to be existed, but a lot of needed data are distributed in a plurality of systems, and even some data have conflicts. Therefore, the service system adopts the identification analysis technology to share data according to the standard specification, obtains shared information and exerts the value of the data.
Specifically, as shown in the interaction diagram of the identifier registration of the present embodiment provided in fig. 4,
and identification data management and cross-enterprise, cross-industry, cross-region and cross-country data sharing and sharing are carried out by means of identification coding resources and an industrial internet identification analysis system. The main elements of the industrial internet identification analysis system comprise a root node, a national top level node, a secondary node, an enterprise node, a public recursion node and the like. The secondary node is a public node which provides identification service for a specific industry platform, a general platform or a large enterprise platform, and a flexible industry identification data format can be defined according to specific industry requirements. The second-level node is upwards connected with the national top-level node, and downwards distributes identification resources for the industrial enterprise, and provides data services such as identification registration, analysis, public query and the like.
According to the registration and analysis API interface provided by the secondary node, an interface which is in butt joint with the secondary node is developed in the cross-domain multi-source information management system, packaging is carried out, the butt joint with the national top node, the secondary node and the enterprise node is supported, and the functions of identification registration, analysis, query and the like are realized.
The identification analysis technology comprises identification registration and identification analysis, wherein the identification registration refers to that an information provider registers shared resource information as an identification to realize sharing; the identification analysis means that a consumer analyzes according to the identification to obtain the shared information of the information provider, and the sharing of information across industries, regions and countries can be realized according to standard specifications by means of an identification analysis technology.
And step S5, calculating the shared information by adopting the process model and the role control model to obtain a resource information set.
Specifically, in the present embodiment, as shown in fig. 5,
firstly, establishing a resource calculation engine, wherein the resource calculation engine comprises user validity verification, intelligent search and sequencing, data processing and the like, the verification is carried out according to an accessed enterprise user, then information search and sequencing are realized according to a process node and an incidence relation in a process model through the process model and a role control model subscribed by the user, data processing is carried out according to the role control model, and only authorized information resources of the user are returned.
And calling the role control model by the resource calculation engine to carry out validity check on the accessed enterprise users, if the check is passed, carrying out information resource calculation based on the shared information, and if the check is failed, returning abnormal information.
Acquiring related information resource data of related enterprises according to the identity roles of the accessed enterprise users by calling the flow model and the role control model, and if the acquisition is successful, continuing to execute an authentication flow in the role control model; if the acquisition fails, returning abnormal information of the business system client, and simultaneously prohibiting enterprise users from executing related operations by the business system client so as to ensure the safety of the system;
after the enterprise user successfully obtains the data set, the data set and the role control model are used as parameters to be calculated simultaneously, and finally a calculation result of a set type is obtained and returned to the enterprise user, so that cross-domain multi-source information management is completed. The data set refers to a set which is calculated according to the identity roles of the accessed enterprise users and the flow model and is composed of metadata corresponding to a plurality of flow nodes. Each user has a different role and a different subscription process, and the data set is correspondingly different.
Example two
A cross-domain multi-source information access control system based on a process engine comprises: the system comprises a process engine module, a permission engine module, a unified authentication module, an identification tool module and a resource calculation engine module;
the process engine module is used for establishing a process model;
the authority engine module is used for providing information authorization;
the unified authentication module is used for managing the centralized account;
the identification tool module is used for realizing cross-industry, cross-region and cross-country information sharing;
the resource calculation engine module is used for carrying out validity check on the identity of the visitor.
The process engine module establishes a process model according to industry or product standard specifications.
The authority engine module takes resource management of a system as a core, adopts a role-based access control technology and supports a centralized authorization and hierarchical authorization mechanism.
The resource calculation engine module verifies the identity of the visitor by calling the role control model.
The foregoing illustrates and describes the principles, general features, and advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (8)

1. A cross-domain multi-source information access control method based on a process engine is characterized by comprising the following steps:
s1, establishing a process engine, and formulating a standard specification based on the process engine to obtain a process model;
s2, establishing an authority engine, and establishing a role control model based on the process model;
s3, establishing a unified authentication platform, authenticating the role identity in the process model through the process model, and obtaining the shared resource information of the role identity in the process model;
s4, based on the shared resource information, adopting an identification analysis technology to obtain shared information;
and S5, calculating the shared information by adopting the process model and the role control model to obtain a resource information set.
2. The cross-domain multi-source information access control method based on the process engine as claimed in claim 1, wherein the process model building process comprises:
s101, defining a process node, wherein the process node is an activity in the process;
s102, defining metadata of all the process nodes;
s103, defining an incidence relation, and describing the relation between the information objects of the process nodes by adopting the incidence relation so as to support incidence inquiry and obtain the process model.
3. The process engine-based cross-domain multi-source information access control method as claimed in claim 1, wherein the role control model is centered on resource management of a system, and adopts a role-based access control technology to support centralized authorization and hierarchical authorization mechanisms.
4. The process engine-based cross-domain multi-source information access control method of claim 1, wherein the identifier resolution technique comprises identifier registration and identifier resolution.
5. A cross-domain multi-source information access control system based on a process engine is characterized by comprising: the system comprises a process engine module, a permission engine module, a unified authentication module, an identification tool module and a resource calculation engine module;
the process engine module is used for establishing a process model;
the authority engine module is used for providing information authorization;
the unified authentication module is used for managing the centralized account;
the identification tool module is used for realizing cross-industry, cross-region and cross-country information sharing;
the resource calculation engine module is used for checking the validity of the identity of the visitor.
6. The cross-domain multi-source information access control system based on the process engine of claim 5, wherein the process engine module builds the process model according to industry or product standard specifications.
7. The cross-domain multi-source information access control system based on the process engine as claimed in claim 5, wherein the authority engine module takes resource management of the system as a core, and adopts a role-based access control technology to support a centralized authorization and a hierarchical authorization mechanism.
8. The process engine-based cross-domain multi-source information access control system of claim 5, wherein the resource calculation engine module verifies visitor identity by invoking a role control model.
CN202210494218.1A 2022-05-07 2022-05-07 Cross-domain multi-source information access control method and system based on process engine Pending CN114969809A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210494218.1A CN114969809A (en) 2022-05-07 2022-05-07 Cross-domain multi-source information access control method and system based on process engine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210494218.1A CN114969809A (en) 2022-05-07 2022-05-07 Cross-domain multi-source information access control method and system based on process engine

Publications (1)

Publication Number Publication Date
CN114969809A true CN114969809A (en) 2022-08-30

Family

ID=82982289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210494218.1A Pending CN114969809A (en) 2022-05-07 2022-05-07 Cross-domain multi-source information access control method and system based on process engine

Country Status (1)

Country Link
CN (1) CN114969809A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117892206A (en) * 2024-03-15 2024-04-16 深圳市志奋领科技有限公司 Method and device for managing moisture content measurement model, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106874461A (en) * 2017-02-14 2017-06-20 北京慧正通软科技有限公司 A kind of workflow engine supports multi-data source configuration security access system and method
CN106897810A (en) * 2015-12-17 2017-06-27 北京奇虎科技有限公司 Method for processing business and system, workflow engine and system, operation system
CN112699089A (en) * 2021-03-23 2021-04-23 中国信息通信研究院 Data sharing system, data sharing method and device
CN112989313A (en) * 2021-01-14 2021-06-18 国网上海市电力公司 Identification registration method and device, electronic equipment and storage medium
CN114449010A (en) * 2021-12-15 2022-05-06 国网电动汽车服务有限公司 Car pile network interaction system and method based on industrial internet identification analysis

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106897810A (en) * 2015-12-17 2017-06-27 北京奇虎科技有限公司 Method for processing business and system, workflow engine and system, operation system
CN106874461A (en) * 2017-02-14 2017-06-20 北京慧正通软科技有限公司 A kind of workflow engine supports multi-data source configuration security access system and method
CN112989313A (en) * 2021-01-14 2021-06-18 国网上海市电力公司 Identification registration method and device, electronic equipment and storage medium
CN112699089A (en) * 2021-03-23 2021-04-23 中国信息通信研究院 Data sharing system, data sharing method and device
CN114449010A (en) * 2021-12-15 2022-05-06 国网电动汽车服务有限公司 Car pile network interaction system and method based on industrial internet identification analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
严俊兰: "面向社会保障系统的业务协同平台的设计与实现" *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117892206A (en) * 2024-03-15 2024-04-16 深圳市志奋领科技有限公司 Method and device for managing moisture content measurement model, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN112118224B (en) Trusted mechanism authority management method and system for big data block chain
CN113114498B (en) Architecture system of trusted block chain service platform and construction method thereof
EP2510473B1 (en) Unified user login for co-location facilities
US8528043B2 (en) Systems and methods for generating trust federation data from BPMN choreography
US11361106B2 (en) Chaining, triggering, and enforcing entitlements
US20080104250A1 (en) Identity migration system apparatus and method
Cao et al. A topology-aware access control model for collaborative cyber-physical spaces: Specification and verification
CN102073817A (en) Dynamic access control improvement method on basis of RBAC (Role-Based policies Access Control) model
US11775681B2 (en) Enforcement flow for pipelines that include entitlements
MANGIUC Cloud identity and access management–A model proposal
CN114969809A (en) Cross-domain multi-source information access control method and system based on process engine
Huo et al. A blockchain-enabled trusted identifier co-governance architecture for the industrial internet of things
Zhang et al. Access control and trust management for emerging multidomain environments
CN110189440A (en) A kind of smart lock monitoring equipment and its method based on block chain
Qin et al. Construction of E-government data sharing framework based on big data technology
Tang et al. Collaborative management and control of blockchain in cloud computing environment
Huai et al. CROWN: A service grid middleware with trust management mechanism
de Aguiar Monteiro et al. A Survey on Microservice Security–Trends in Architecture Privacy and Standardization on Cloud Computing Environments
Horn et al. Properties and models of software agents and prefabrication for agent application systems
Kasinathan Workflow-aware access control for the Internet of Things
Krym et al. Configuration and management of security procedures with dedicated ‘spa-lang’domain language in security engineering
CN116108407A (en) Method and system for realizing middle-stage authorization management service
Devi et al. Analysis of blockchain based smart contract system to understand its performance in different applications
Mansor et al. Analysis of adaptive policy-based approach to avoid policy conflicts
Bouras et al. A Lightweight Blockchain-Based IoT Identity Management Approach. Future Internet 2021, 13, 24

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination