CN115189906B - Multi-domain security management method for network management system - Google Patents
- Authority: CN (China)
- Prior art keywords: security, domain, role, request, policy
- Legal status: Active
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/20—for managing network security; network security policies in general
  - H04L63/10—for controlling access to devices or network resources
  - H04L63/104—Grouping of entities
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D30/00—Reducing energy consumption in communication networks
  - Y02D30/50—in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a multi-domain security management method for a network management system, comprising the following steps: a user in the requesting security domain generates a service request; the system administrator extracts the security attributes of the access request and searches the security policy library of the requesting domain for a related access policy; if a related access policy exists in the library, the access request carries the inter-domain access control policy and is sent to the target security domain; the target security domain administrator receives and parses the role-mapping request information and performs security policy authentication on the request. The invention executes the access decision directly through the role mapping relation: an exact authority search finds the target roles corresponding to the permissions of the access request, and the access control decision is executed through the role mapping. This meets the multi-level access requirements and the security assurance between security domains, and improves the security and efficiency of security collaboration among the components of a multi-domain system.
Description
Technical Field
The invention relates to the technical field of network management, in particular to a multi-domain security management method of a network management system.
Background
In recent years, as transmission networks have grown continuously, a telecom operator's transmission network has come to contain equipment from multiple manufacturers and multiple transmission technologies side by side. The transmission network management system centrally manages equipment of many types and vendors, monitors alarms and performance in real time, and configures network connections and services. Because management is centralized and its scope and functions keep expanding, the demands on the security management of the network management system keep rising, and customers expect flexible authority control that grants one or more operation authorities to designated users.
The network management system manages many types of equipment from many vendors, distributed across different physical areas, and customers expect different management authorities for different areas. Existing user authority allocation is complicated: it cannot meet the multi-level access requirements and security guarantees between security domains, and it cannot guarantee the security and efficiency of security collaboration among the components of a multi-domain system.
Disclosure of Invention
Based on the technical problems described in the background, the invention provides a multi-domain security management method for a network management system.
The multi-domain security management method of the network management system provided by the invention comprises the following steps:
S1, a user in the requesting security domain generates a service request;
S2, the system administrator extracts the security attributes of the access request and searches the security policy library of the requesting domain for a related access policy;
S3, if a related access policy exists in the security policy library of the requesting domain, the access request carries the inter-domain access control policy and is sent to the target security domain;
S4, the target security domain administrator receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains;
S5, if no related access policy exists in the security policy library of the requesting domain, an inter-domain authorization search request is sent to the target security domain; the inter-domain authorization search finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies those permission requirements, and returns it to the requesting security domain in the form of a service output policy;
S6, the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is finally added to the security policy of the requesting security domain.
Preferably, the access policy library stores the requesting security domain's policy and part of the target security domain's policies, and mainly comprises: PA, PH and the inter-domain role mapping.
Preferably, the static policy combination of step S6 mainly completes the role mapping between different role systems and constructs the global role hierarchy.
Preferably, the inter-domain authorization search of step S5 is divided into two steps:
role finding: according to a defined search principle, find a matching role set in the target security domain's role system that satisfies the permission set of the service request;
role activation detection: perform an activation constraint check on the role set obtained by role finding, to determine whether that role set can be activated in a single session of the user.
Preferably, the hierarchical relationships between roles are: permission inheritance, role activation inheritance, and the combination of permission inheritance and role activation inheritance.
Preferably, the role finding of step S5 finds a set of roles satisfying the permissions of the access request within the current security domain.
Preferably, the role finding of step S5 follows these principles:
the algorithm complexity meets the polynomial time requirement;
a role-adding method is used so that the system satisfies the permissions of the access request to the greatest extent;
the integrity and security of the role hierarchy are guaranteed, and the number of roles in the role set matching the permission set is minimal.
In the multi-domain security management method of the network management system, multi-domain access control is divided into a static mode and a dynamic mode. Static multi-domain access control searches the system's policy library for security policies related to the requested service. Dynamic multi-domain access control uses the multi-domain authorization search to find, in the target security domain, a role set satisfying the permissions of the access request, returns that role set to the requesting security domain, and then performs static policy combination in the requesting security domain to obtain a global security policy, thereby realizing multi-domain access control.
The invention executes the access decision directly through the role mapping relation, uses an exact authority search to find the corresponding target roles according to the permissions of the access request, and executes the access control decision through the role mapping. This meets the multi-level access requirements and the security assurance between security domains, and improves the security and efficiency of security collaboration among the components of a multi-domain system.
Drawings
Fig. 1 is a flow chart of a multi-domain security management method of a network management system according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments.
Referring to Fig. 1, the multi-domain security management method of a network management system comprises the following steps:
S1, a user in the requesting security domain generates a service request;
S2, the system administrator extracts the security attributes of the access request and searches the security policy library of the requesting domain for a related access policy;
S3, if a related access policy exists in the security policy library of the requesting domain, the access request carries the inter-domain access control policy and is sent to the target security domain;
S4, the target security domain administrator receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains;
S5, if no related access policy exists in the security policy library of the requesting domain, an inter-domain authorization search request is sent to the target security domain; the inter-domain authorization search finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies those permission requirements, and returns it to the requesting security domain in the form of a service output policy;
S6, the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is finally added to the security policy of the requesting security domain.
In the invention, the access policy library stores the requesting security domain's policy and part of the target security domain's policies, and mainly comprises: PA, PH and the inter-domain role mapping.
In the invention, the static policy combination of step S6 mainly completes the role mapping between different role systems and constructs the global role hierarchy.
In the invention, the inter-domain authorization search of step S5 is divided into two steps:
role finding: according to a defined search principle, find a matching role set in the target security domain's role system that satisfies the permission set of the service request;
role activation detection: perform an activation constraint check on the role set obtained by role finding, to determine whether that role set can be activated in a single session of the user.
In the invention, the hierarchical relationships between roles are: permission inheritance, role activation inheritance, and the combination of permission inheritance and role activation inheritance.
In the invention, the role finding of step S5 finds a set of roles satisfying the permissions of the access request within the current security domain.
In the invention, the role finding of step S5 follows these principles:
the algorithm complexity meets the polynomial time requirement;
a role-adding method is used so that the system satisfies the permissions of the access request to the greatest extent;
the integrity and security of the role hierarchy are guaranteed, and the number of roles in the role set matching the permission set is minimal.
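The inter-domain authorization search of step S5 (role finding by role adding over a role hierarchy with permission inheritance, then activation detection) and the static policy combination of step S6, as an added worked example in Python that is not part of the patent: the role names, permissions and the mutual-exclusion constraint are constructed sample data, and greedy role adding is assumed here as the polynomial-time "role adding" method; it approximates rather than guarantees the smallest covering role set.

```python
"""Added example of the inter-domain authorization search (S5) and static policy
combination (S6). Not the patent's code: role names, permissions and the
session constraint are constructed sample data; greedy role adding is an assumed
polynomial-time realisation of the 'role adding' principle."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DomainPolicy:
    pa: dict[str, set[str]]                      # PA: direct permission assignment per role
    ph: dict[str, set[str]] = field(default_factory=dict)        # role -> junior roles it inherits
    exclusive: set[frozenset[str]] = field(default_factory=set)  # pairs never active in one session
    role_map: dict[tuple[str, str], frozenset[str]] = field(default_factory=dict)  # inter-domain mapping

    def effective_perms(self, role: str) -> set[str]:
        """Permission inheritance: a role holds its own PA plus that of every junior role."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.pa.get(r, set())
            stack.extend(self.ph.get(r, ()))
        return perms


def find_roles(target: DomainPolicy, wanted: set[str]) -> frozenset[str] | None:
    """Role finding by greedy role adding: each round adds the role covering the most
    still-uncovered requested permissions, preferring on a tie the role with the fewest
    effective permissions (least privilege). None means the request cannot be covered."""
    roles = set(target.pa) | set(target.ph)
    uncovered, chosen = set(wanted), set()
    while uncovered:
        best = max(roles, key=lambda r: (len(target.effective_perms(r) & uncovered),
                                         -len(target.effective_perms(r)), r))
        gain = target.effective_perms(best) & uncovered
        if not gain:
            return None
        chosen.add(best)
        uncovered -= gain
    return frozenset(chosen)


def can_activate(target: DomainPolicy, roles: frozenset[str]) -> bool:
    """Role activation detection: no mutually exclusive pair may be active in one session."""
    return not any(pair <= roles for pair in target.exclusive)


def inter_domain_search(target: DomainPolicy, wanted: set[str]) -> frozenset[str] | None:
    """Step S5: role finding followed by activation detection; None means 'deny'."""
    roles = find_roles(target, wanted)
    return roles if roles is not None and can_activate(target, roles) else None


def combine_policy(requester: DomainPolicy, local_role: str,
                   target_name: str, roles: frozenset[str]) -> None:
    """Step S6: record the returned service output policy as an inter-domain role
    mapping (target domain, local role) -> target roles in the requesting domain."""
    requester.role_map[(target_name, local_role)] = roles


# Constructed target-domain role system for a transmission NMS (sample data only).
TARGET = DomainPolicy(
    pa={"viewer": {"read_alarm", "read_perf"}, "operator": {"ack_alarm"},
        "provisioner": {"create_service", "modify_service"}, "auditor": {"read_log"}},
    ph={"operator": {"viewer"}, "provisioner": {"viewer"}},
    exclusive={frozenset({"provisioner", "auditor"})},
)

if __name__ == "__main__":
    requester = DomainPolicy(pa={"nms_admin": {"local_config"}})
    found = inter_domain_search(TARGET, {"read_alarm", "ack_alarm"})
    print("mapped roles:", found)                        # 'operator' alone covers both
    combine_policy(requester, "nms_admin", "target", found)
    print("denied:", inter_domain_search(TARGET, {"create_service", "read_log"}))
```

The second request is covered by the roles auditor and provisioner, but those two are mutually exclusive in one session, so activation detection rejects the set and no mapping is added.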
The invention comprises the following steps: a user in the requesting security domain generates a service request; the system administrator extracts the security attributes of the access request and searches the security policy library of the requesting domain for a related access policy; if a related access policy exists in the library, the access request carries the inter-domain access control policy and is sent to the target security domain; the target security domain administrator receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains; if no related access policy exists in the security policy library of the requesting domain, an inter-domain authorization search request is sent to the target security domain, and the inter-domain authorization search finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies those permission requirements and returns it to the requesting security domain in the form of a service output policy; the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is finally added to the security policy of the requesting security domain.
The foregoing is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art, who is within the scope of the present invention, should make equivalent substitutions or modifications according to the technical scheme of the present invention and the inventive concept thereof, and should be covered by the scope of the present invention.
Claims (7)
1. A multi-domain security management method of a network management system, characterized by comprising the following steps:
S1, a user in the requesting security domain generates a service request;
S2, the system administrator extracts the security attributes of the access request and searches the security policy library of the requesting domain for a related access policy;
S3, if a related access policy exists in the security policy library of the requesting domain, the access request carries the inter-domain access control policy and is sent to the target security domain;
S4, the target security domain administrator receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains;
S5, if no related access policy exists in the security policy library of the requesting domain, an inter-domain authorization search request is sent to the target security domain; the inter-domain authorization search finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies those permission requirements, and returns it to the requesting security domain in the form of a service output policy;
S6, the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is finally added to the security policy of the requesting security domain.
2. The multi-domain security management method of a network management system according to claim 1, wherein the access policy library stores the requesting security domain's policy and part of the target security domain's policies, and mainly comprises: PA, PH and the inter-domain role mapping.
3. The multi-domain security management method of a network management system according to claim 1, wherein the static policy combination of step S6 mainly completes the role mapping between different role systems and constructs the global role hierarchy.
4. The multi-domain security management method of a network management system according to claim 1, wherein the inter-domain authorization search of step S5 is divided into two steps:
role finding: according to a defined search principle, find a matching role set in the target security domain's role system that satisfies the permission set of the service request;
role activation detection: perform an activation constraint check on the role set obtained by role finding, to determine whether that role set can be activated in a single session of the user.
5. The multi-domain security management method of a network management system according to claim 1, wherein the hierarchical relationships between roles are: permission inheritance, role activation inheritance, and the combination of permission inheritance and role activation inheritance.
6. The multi-domain security management method of a network management system according to claim 1, wherein the role finding of step S5 finds a set of roles satisfying the permissions of the access request within the current security domain.
7. The multi-domain security management method of a network management system according to claim 1, wherein the role finding of step S5 follows these principles:
the algorithm complexity meets the polynomial time requirement;
a role-adding method is used so that the system satisfies the permissions of the access request to the greatest extent;
the integrity and security of the role hierarchy are guaranteed, and the number of roles in the role set matching the permission set is minimal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210566388.6A CN115189906B (en) | 2022-05-24 | 2022-05-24 | Multi-domain security management method for network management system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115189906A CN115189906A (en) | 2022-10-14 |
CN115189906B true CN115189906B (en) | 2023-07-07 |
Family
ID=83513721
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210566388.6A Active CN115189906B (en) | 2022-05-24 | 2022-05-24 | Multi-domain security management method for network management system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115189906B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103338194A (en) * | 2013-03-06 | 2013-10-02 | 中国电力科学研究院 | Credibility based cross- security domain access control system and method |
CN103378987A (en) * | 2012-04-24 | 2013-10-30 | 国际商业机器公司 | Policy management method and system of multiple security domains |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100997802B1 (en) * | 2008-10-20 | 2010-12-01 | 한국전자통신연구원 | Apparatus and method for security managing of information terminal |
US20120291089A1 (en) * | 2011-05-13 | 2012-11-15 | Raytheon Company | Method and system for cross-domain data security |
US10721237B2 (en) * | 2016-08-05 | 2020-07-21 | Oracle International Corporation | Hierarchical processing for a virtual directory system for LDAP to SCIM proxy service |
Timeline
- 2022-05-24: CN application CN202210566388.6A filed, granted as CN115189906B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN115189906A (en) | 2022-10-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |