CN115357878A - Access control method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115357878A
Application number: CN202211015139.4A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 王金石, 沈周阳
Current assignee: Agricultural Bank of China (the listed assignee may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Agricultural Bank of China
Prior art keywords: user, access control, result, access, request

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] > G06F21/12 Protecting executable software > G06F21/121 Restricting unauthorised execution of programs > G06F21/123 Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices

Abstract

The application discloses an access control method, an access control device, an electronic device and a storage medium. The method comprises: inputting a user's access request into a TIR-PBAC model, the access request comprising at least a proxy user, an action and an object; analysing the access request with the TIR-PBAC model to obtain the access control result corresponding to the access request; and outputting that access control result from the TIR-PBAC model. According to the embodiments of the application, the fineness of access control can be further improved, giving access control a more refined granularity.

Description

Access control method and device, electronic equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of industrial control, in particular to an access control method, an access control device, electronic equipment and a storage medium.
Background
Access control is one of the key technologies for securing information and has attracted researchers ever since it appeared last century. Its main purpose is to prevent an object from being accessed by an unauthorised subject. The object is typically something of value, such as data, a resource, a service or a technology, owned by a particular organisation or person; the owner assigns a set of policies that limit access by unauthorised subjects. The integration of access control with other fields is currently becoming a new research focus.
Research on data provenance (rendered as "origin data" elsewhere in this translation) currently concentrates on building provenance models and on storing and querying provenance data, and a fairly complete body of work exists. Research on using provenance within access control is comparatively scarce: the basic models (such as PBAC) are only base models that must be combined with other access control modes, and their concepts are often too abstract to map onto real systems. A single access control model based on provenance data alone is often insufficient for a system. Combining provenance data with a traditional access control model, using the characteristics of provenance data to obtain a finer-grained access control model, therefore opens a new line of access control research.
Compared with traditional access control models, PBAC greatly improves the fineness of access control and can implement access control, dynamic permission partitioning, workflow-based control, version control and the like on top of provenance data. PBAC has a serious drawback, however: the verification phase repeatedly traverses the provenance graph, which makes verification slow and laborious, and the verification phase is hard to handle. When PBAC is used alone in a system, for example, verifying a user is almost impossible.
The access control process of the conventional PBAC model comprises user authorisation, which decides whether the user is qualified to make the request, and behaviour verification, which decides whether the requested operation may be performed on the resource being accessed. This approach requires the system to supply user-oriented access policies when authenticating the user, which is clearly inconvenient for system design: access control policies cannot be defined in advance for every user, so the relevant policies have to be refined from provenance data extracted while users keep accessing the system.
Disclosure of Invention
The application provides an access control method, an access control device, electronic equipment and a storage medium, which can further improve the fineness of access control and provide more refined granularity control for access control.
In a first aspect, an embodiment of the present application provides an access control method, the method comprising:
inputting a user's access request into a TIR-PBAC model, the access request comprising at least a proxy user, an action and an object;
analysing the access request with the TIR-PBAC model to obtain the access control result corresponding to the access request;
and outputting the access control result from the TIR-PBAC model.
In a second aspect, an embodiment of the present application further provides an access control apparatus comprising an input module, an analysis module and an output module, wherein:
the input module is configured to input a user's access request into the TIR-PBAC model, the access request comprising at least a proxy user, an action and an object;
the analysis module is configured to analyse the access request with the TIR-PBAC model to obtain the access control result corresponding to the access request;
and the output module is configured to output the access control result from the TIR-PBAC model.
In a third aspect, an embodiment of the present application provides an electronic device, including:
one or more processors;
a memory for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the access control method of any embodiment of the present application.
In a fourth aspect, an embodiment of the present application provides a storage medium, on which a computer program is stored, where the program is executed by a processor to implement the access control method according to any embodiment of the present application.
The embodiments of the application provide an access control method, an access control device, an electronic device and a storage medium in which a user's access request, comprising a proxy user, an action and an object, is input into a TIR-PBAC model; the TIR-PBAC model analyses the access request to obtain the corresponding access control result; and the TIR-PBAC model outputs that result. In other words, the technical solution of the present application provides a new access control model, TIR-PBAC, in which the permissions of a class of users are predefined by introducing the concepts of roles and permissions. Authorising a role at access time then becomes very simple: only the user's roles need to be looked up, after which it is determined whether those roles hold the permission named in the access request. In the prior art, the conventional access control mode of the PBAC model requires the system to supply a user-oriented access policy when authenticating the user, which means the relevant policies have to be completed by extracting provenance data while users keep accessing the system. Compared with the prior art, the access control method, access control device, electronic device and storage medium provided by the embodiments of the application therefore further improve the fineness of access control and give it a more refined granularity; moreover, the technical solution is simple and convenient to implement, easy to popularise and widely applicable.
Drawings
Fig. 1 is a first flowchart of an access control method according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of the structure of a PBAC model provided by the prior art;
fig. 3 is a schematic structural diagram of an OPM + model provided in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a TIR-PBAC model provided in an embodiment of the present application;
fig. 5 is a second flowchart of an access control method according to an embodiment of the present application;
fig. 6 is a third flow chart of an access control method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an access control device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be further noted that, for the convenience of description, only some of the structures related to the present application are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a first flowchart of an access control method provided in an embodiment of the present application, where the method may be executed by an access control apparatus or an electronic device, where the apparatus or the electronic device may be implemented by software and/or hardware, and the apparatus or the electronic device may be integrated in any intelligent device with a network communication function. As shown in fig. 1, the access control method may include the steps of:
s101, inputting an access request of a user into a TIR-PBAC model; wherein the access request comprises at least: proxy users, actions, and objects.
Using provenance data in access control, the application proposes a new access control model, TIR-PBAC (Transaction and Inheritance based Role-PBAC), which specifically addresses three problems. First, in role-based access control the role hierarchy is fuzzy, hard to manage and prone to role explosion. On the basis of RBAC (Role-Based Access Control) the application therefore proposes a Transaction and Inheritance based Role access control model, TI-RBAC, which applies the object-oriented idea of inheritance to the inheritance relationship between roles and abstracts transactions into transaction types with their corresponding permissions. Using public, protected and private inheritance for role inheritance and permissions makes the role hierarchy clearer and the role inheritance mechanism both more varied and simpler. Second, a traditional OPM (Open Provenance Model) cannot collect environment information. The application therefore proposes an OPM+ (Open Provenance Model+) model that adds attribute nodes and an attribute dependency, giving the TIR-PBAC model a base model on which to collect environment information. Third, the role authorisation stage of the PBAC model is too complex. The application therefore combines it with the TI-RBAC model, adds the hierarchical relationship between roles, the correspondence between roles and permissions and the environment information at the time of access, and gives the system architecture and access control algorithm of the TIR-PBAC model.
And S102, analyzing the access control request through the TIR-PBAC model to obtain an access control result corresponding to the access request.
And S103, outputting an access control result through the TIR-PBAC model.
Access control in the embodiments of the present application means setting a series of policies to achieve three aims: preventing malicious agents from accessing protected resources; allowing authorised users to access protected resources; and preventing legitimate users who are not authorised for a resource from accessing it. The access control process is as follows: when a user, application, service or process accesses a valuable object such as data, a resource, a service or a technology, the validity of its identity must be verified according to the rules specified by the object's owner. If verification fails, access is refused; if it passes, the subject is authorised according to the principle of least privilege, which ensures that the objects the subject accesses stay within its permitted scope.
Provenance data ("origin data" in this translation) in the embodiments of the present application is any information describing the production process of a final product, ranging from digital data to physical information objects. Data provenance is also called data origin, data pedigree or data lineage (ancestry). Through provenance data one can learn where data was changed, what was changed, when the change happened, what prompted it, who caused it, why it was caused and what the change consisted of.
The OPM model in the embodiments of the present application addresses the compatibility and exchange of provenance information between different systems: it supports a data-oriented expression of the provenance of anything and specifies how to implement it, so many fields that use provenance information adopt OPM as their base model. OPM can describe causation, i.e. how one thing depends on other things and brings about a certain state.
The RBAC model in the embodiments of the application introduces the concept of a role into access control and decouples users from permissions: users are mapped to roles and roles to permissions. During access control the user's roles are determined, the permissions required for the data to be accessed are obtained, and it is checked whether the user's roles hold those permissions; access is granted if they do and refused if they do not.
The PBAC model in the embodiments of the present application mainly addresses how to use provenance data in access control. The model holds that deciding whether an access request can be authorised requires two phases: a user authorisation phase and a behaviour authentication phase. In the user authorisation phase, the user's history is used to judge whether the user has the right to access the object; in the behaviour authentication phase, it is judged whether the behaviour meets the established rules. An access request is accepted only if it passes both user authorisation and behaviour authentication.
Fig. 2 is a schematic structural diagram of the PBAC model in the prior art. As shown in Fig. 2, the PBAC model mainly comprises an Agent User (AU), an Action (A), an Object (O), Provenance Data (PD), a Dependency List (DL), a Policy (P) and an Access Evaluation function (AE).
The agent (proxy) user (AU) is the user who initiates the request to access the object. Strictly, provenance is captured from the requesting access subject rather than from the user, but one user usually corresponds to several access subjects; the model assumes a dependency between user and subject that lets subjects be mapped back to the user, so for convenience and readability the user stands in for the subject.
The action (A) is an instance of an access request initiated by a user; actions are generally abstracted into an Action Type (AT).
The object (O) is the resource the user wants to access.
Provenance Data (PD) consists of basic provenance data and user-defined provenance data. Basic provenance data is derived from the transaction data in the system: in PBAC a transaction consists of two entities and a causal relationship, the entities being a user and an action and the causal relationship being a direct dependency in OPM.
The Dependency List (DL) is a set of pairs, each associating a dependency name with a dependency path.
The policy (P) comprises user authentication and behaviour rule authentication: user authentication is based on the user's previous behaviour records, and behaviour authentication is decided by the dependencies between objects.
The Access Evaluation (AE) returns a boolean value, the conjunction of user authentication and behaviour authentication, which decides whether the access is allowed.
Access control flow of the PBAC model: the PBAC model holds that deciding whether an access request can be authorised requires two stages, a user authorisation stage and a behaviour authentication stage.
Compared with traditional access control models, the PBAC model greatly improves the fineness of access control and can implement access control, dynamic permission partitioning, workflow-based control, version control and the like on top of provenance data. The PBAC model also has a troublesome problem, however: the verification phase repeatedly traverses the provenance graph, which makes verification slow and laborious, and the role verification phase is hard to handle. When the PBAC model is used alone in a system, for example, a user can hardly be verified at all, because there is no way to establish that a user may not use a given permission.
To address this problem, the application predefines the permissions of a class of users by introducing the concepts of roles and permissions, so that role authorisation at access time becomes very simple: only the user's roles need to be looked up, and then it is determined whether those roles hold the permission named in the access request. In the subsequent authorisation stage the application adds the specific environment information of the access operation. Specifically: the operation type in the access request is looked up; the relevant access control policy is resolved from the operation type; the name of the accessed resource and the dependency name are extracted according to the access policy; the corresponding dependency path is found in the dependency list by the dependency name; the attribute information of the nodes reached via the resource name and the dependency path is then read; and the access evaluation is completed to obtain the answer.
For example, in a forum system a user A may post comments under a post, but if an administrator bans A for one month, A may not post any comment during that month. In access control, A's role does hold the comment permission, but when A comments on post C the comment operation is looked up from C, the operation type "comment" is parsed from that operation instance, and the policy that the commenting user may not be in a banned state is found. According to that policy, the dependency name "banned" related to C, the related dependency path and the current environment information are found; starting from C, user A is found along the "banned" dependency path, and A is determined to appear in that path. It is therefore concluded that A cannot comment on the post at this time, and this access control decision is complete.
The model therefore not only completes user authorisation quickly through the user's roles, but also judges access operations more accurately using the current environment information.
Fig. 3 is a schematic structural diagram of the OPM+ model provided in an embodiment of the present application. The OPM+ model extends the OPM model with attribute nodes and attribute dependencies so as to describe more completely how data changes. As shown in Fig. 3, there are four kinds of node: entity (Artifact), Process, Agent and Attribute; c, g, u and ha are the dependencies, where c is the control relationship (wasControlledBy), g the generation relationship (wasGeneratedBy), u the usage relationship (used) and ha the has-attribute relationship (hasAttributeOf). Fine-grained access control requires more detailed provenance data to be captured, so OPM+ adds attribute nodes and the hasAttributeOf dependency. OPM+ introduces attribute nodes carrying a type and a value: a process may, for example, have the attributes {Time Stamp: 3/20/2020; System Condition: linux; Location: sydney}, from which the context of the process can be learned, enriching the provenance information. Attributes fall into three categories: attributes related to the agent, attributes related to the process and attributes related to the entity.
1) Attributes related to an entity (Artifact-Attribute): an entity is an object comprising input information, output information and source data. Its attributes may include its size, the rights predefined and enforceable on the object, etc.
2) Attributes related to a process (Process-Attribute): a process is an action or series of actions applied continuously to an object that changes its state. Its attributes are generally location, time, environment information and the like.
3) Attributes related to an agent (Agent-Attribute): an agent can trigger or execute processes; its attributes typically include an ID, the roles that have been activated, etc.
The OPM+ model is a data provenance model built specifically for access control problems. It drops the many indirect dependencies of the PROV standard and introduces only the four most basic dependencies, which keeps information collection rich while simplifying the model as far as possible, so that OPM+ can be used well in access control.
Fig. 4 is a schematic structural diagram of the TIR-PBAC model provided in an embodiment of the present application. As shown in Fig. 4, the provenance data in the model consists of two parts. One part is provenance data made up of environmental factors, i.e. the specific environmental conditions when the access occurs: basic information about the user, such as name, age and sex; basic information about the operation, such as time and place; and information about the operated resource, such as the size of an article and whether it has been liked. These three kinds of environmental condition also tend to constrain access. The other part is basic provenance data, mainly the transaction data stored in the system, which can be transformed into provenance data according to the causal relationships in the OPM+ model and then serve as a reference for later access control. For example, the transaction data <u1, replace, o1, o2>, meaning that user u1 replaced o1 with o2, is translated into the provenance triples <replace, u1, WasControlledBy>, <o2, replace, WasGeneratedBy> and <replace, o1, Used>, which describe the behaviour through the three dependencies c, g and u. The environmental provenance data is described by three further kinds of triple, <u1, ha, attribute_u1>, <o1, ha, attribute_o1> and <o2, ha, attribute_o2>, where ha is the hasAttributeOf dependency. In this way more detailed data is available when provenance is traced, which makes each version of the data easier to use precisely.
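As an added worked example (written for this page, not code from the patent or its assignee), the transaction-to-triples conversion just described can be implemented in a few lines, and once the triples exist the provenance questions listed earlier (where data changed, who caused it, from what) can be answered by walking them back. The node names u0/u1/o1/o2, the convention that every transaction carries a unique process id, and the encoding of an attribute node as a (type, value) pair are assumptions of this illustration:

```python
# Added example for this page, not code from the patent: turning transaction
# records into OPM+ provenance triples and walking them back to answer
# "who changed what, from what". Node names, the unique-process-id convention
# and the (type, value) encoding of attribute nodes are assumptions.

# The four basic OPM+ dependencies (c, g, u, ha).
CTRL, GEN, USED, HA = "WasControlledBy", "WasGeneratedBy", "Used", "HasAttributeOf"


def transaction_to_provenance(transaction, environment=None):
    """transaction = (user, process_id, inputs, outputs), e.g. <u1, replace, [o1], [o2]>.
    process_id is assumed unique per transaction so that two transactions of the
    same action type remain distinguishable in the graph.
    environment = {node: {attribute_type: value}} carries the EIU/EIP/EIR data.
    Returns (source, dependency, target) triples; an attribute node is encoded
    as its (type, value) pair hung off its owner with `ha`."""
    user, process, inputs, outputs = transaction
    triples = [(process, CTRL, user)]                  # <replace, u1, WasControlledBy>
    triples += [(process, USED, o) for o in inputs]    # <replace, o1, Used>
    triples += [(o, GEN, process) for o in outputs]    # <o2, replace, WasGeneratedBy>
    for node, attrs in (environment or {}).items():
        triples += [(node, HA, (atype, value)) for atype, value in attrs.items()]
    return triples


def attributes_of(triples, node):
    """Environment information attached to `node` via `ha`."""
    return {t[0]: t[1] for s, d, t in triples if s == node and d == HA}


def lineage(triples, artifact):
    """Trace an artifact back through the processes that generated it.
    Each step is (artifact, process, agent, inputs used); the walk continues
    into the inputs, so the full ancestry of a data version is returned."""
    steps, pending, seen = [], [artifact], {artifact}
    while pending:
        a = pending.pop(0)
        for src, dep, dst in triples:
            if src == a and dep == GEN:
                process = dst
                agent = next((t for s, d, t in triples if s == process and d == CTRL), None)
                used = [t for s, d, t in triples if s == process and d == USED]
                steps.append((a, process, agent, used))
                pending += [u for u in used if u not in seen]
                seen.update(used)
    return steps


# Constructed sample: u0 creates o1, then u1 replaces o1 with o2 (the page's
# <u1, replace, o1, o2> transaction), with environment information attached.
SAMPLE_TRIPLES = transaction_to_provenance(("u0", "create_1", [], ["o1"])) + transaction_to_provenance(
    ("u1", "replace_2", ["o1"], ["o2"]),
    environment={
        "u1": {"id": "u1", "role": "editor"},                      # EIU
        "replace_2": {"time": "2020-03-20T10:00", "os": "linux"},  # EIP
        "o2": {"size": 2048, "location": "/srv/docs/o2"},          # EIR
    },
)

if __name__ == "__main__":
    for step in lineage(SAMPLE_TRIPLES, "o2"):
        print("%s was generated by %s, controlled by %s, using %s" % step)
    print(attributes_of(SAMPLE_TRIPLES, "replace_2"))
```

`lineage` is a plain breadth-first walk over the `g`, `c` and `u` edges; in a real system the triples would be indexed by source node rather than scanned, but the traversal cost it illustrates is exactly the repeated graph walk the description identifies as PBAC's weak point.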
Environment Information in the model corresponds to the Attribute node of the OPM+ model. OPM+ defines three kinds of attribute, related to the entity, the agent and the process respectively; in the model they are described as information related to the user, to the operation and to the object:
a) Environment Information of User (EIU): the user's attributes, including basic information such as name, age and sex and, most commonly, the user's ID.
b) Environment Information of Process (EIP): the attributes of a process, such as the time, place and operating system when the process occurred.
c) Environment Information of Resource (EIR): the attributes of the resource, including its intrinsic attributes; since a resource accessed through the system usually lives on a server, the file's location is a parameter that describes its intrinsic attributes well.
Dependency List: because named dependencies are built from series of basic dependencies, additional strategies are needed to resolve conflicts when the system-predefined dependency list disagrees with the user-defined dependency list. The dependency list can be viewed as a set of pairs whose elements are a dependency name and a dependency path. Since the basic dependencies are already defined, the dependency between two objects can be described by a series of basic dependencies, i.e. a dependency path, which is given a dependency name; a dependency name can in turn be used inside another dependency path to form a new dependency name, and together these form the complete dependency list. Through the dependency list the relevant dependency path can be looked up, and the required information can then be located in the provenance graph from the dependency path and the object's name.
Policy: access control consists of two links, user authorisation and behaviour authentication. A simple example: if user A wants to like a post by user B, it is first checked that A holds a role with the like permission; then, according to the owner of the post, it is queried whether A has already liked it; finally the behaviour is approved or denied. The latter steps constitute behaviour authentication.
Request (u, a, o): a request can be understood as a transaction that has not yet occurred. Once it has occurred it can be written into the database as transaction data; if it is not approved, a rollback is performed.
The access control method provided by the embodiment of the application thus first inputs a user's access request, comprising a proxy user, an action and an object, into a TIR-PBAC model; the TIR-PBAC model then analyses the access request to obtain the corresponding access control result and outputs it. In other words, the technical solution of the present application provides a new access control model, TIR-PBAC, in which the permissions of a class of users are predefined by introducing the concepts of role and permission, so that authorising a role at access time becomes very simple: only the user's roles need to be looked up, after which it is determined whether those roles hold the permission named in the access request. In the prior art, the conventional access control mode of the PBAC model requires the system to supply a user-oriented access policy when authenticating the user, which means the relevant policies have to be refined by extracting provenance data while users keep accessing the system. Compared with the prior art, the access control method provided by the embodiment of the application therefore further improves the fineness of access control and gives it a more refined granularity; moreover, the technical solution is simple and convenient to implement, easy to popularise and widely applicable.
Example two
Fig. 5 is a second flowchart of the access control method according to an embodiment of the present application. This embodiment is a further optimisation and extension of the above technical solution and can be combined with the optional embodiments. As shown in Fig. 5, the access control method may include the following steps:
s501, inputting an access request of a user into a TIR-PBAC model; wherein the access request comprises at least: proxy users, actions, and objects.
S502, respectively determining the result of the user in the authorization stage and the result of the user in the rule collection stage based on the access control request.
In this step, the electronic device may first obtain the role of the user through the proxy user when determining the result of the user in the authorization stage; and then determining the result of the user in the authorization stage by utilizing an access control algorithm in the TIR-PBAC model according to the role of the user. When determining the result of the user in the rule collection stage, the behavior type of the user can be obtained through actions; then, acquiring an access strategy of the user according to the behavior type and a predetermined mapping relation between the behavior type and the access strategy; and then, obtaining the result of the user in the rule collection stage according to the access strategy.
S503, determining the result of the user in the behavior verification stage based on the access request and the result of the user in the rule collection stage.
In this step, the electronic device may extract a rule from the result of the user in the rule collection stage as the current rule, where that result comprises at least one rule; then determine the node associated with the access request under the current rule; if the environment information of that node meets the preset operation requirement, determine the verification result of the user under the current rule as passing; and repeat this operation until the verification result of the user under each rule has been determined.
S504, determining the access control result corresponding to the access request according to the result of the user in the authorization stage and the result of the user in the behavior verification stage.
In this step, if the result of the user in the authorization stage is authorization passed and the result of the user in the behavior verification stage is verification passed, the access control result corresponding to the access request is determined to be access permitted; if the result in the authorization stage is authorization not passed, or the result in the behavior verification stage is verification not passed, the access control result corresponding to the access request is determined to be access not permitted.
S505, outputting the access control result through the TIR-PBAC model.
In the TIR-PBAC model, U (Users) denotes a subject of access, either a person or an agent. R (Roles) denotes a role or function within an organization; a role abstracts a subset of the finite set of permissions. P (Permissions) is an approval of a particular access mode to one or more resources in the system; permissions may also be expressed as authorizations, access rights, privileges, and the like. Access granularity is largely determined by how permissions are divided: if a system has only a few permissions, or even a single permission that can access every resource in the system, access control is certainly too coarse to vary by person or by situation.
An access request comprises a user (U), a behavior instance (AI, the action in the request) and the accessed resource object (O). The user U has been defined above; the behavior instance AI and the object O are described below. Behavior instance (AI): the behavior instance describes the concrete behavior the user would perform on the accessed data in the access request. Behavior type (AT): the behavior type is abstracted from a concrete behavior instance; for example, when user A submits a post, Submit_A is the concrete behavior instance and Submit is its behavior type. It is assumed that the system can find the policy associated with Submit among the given policies. Resource object (O): represents the kind of resource to be accessed; in a specific application scenario, the resource is labeled with different subscripts for different behavior types, which can be understood as the role of the resource (object role).
Policy set (Policy): the access policies formulated for behaviors, for example that a post may not be commented on by a banned user, are predefined by the system and are retrieved by behavior type (AT).
Attribute set (Attribute): attributes are divided into three types, namely attributes of the user, attributes of the operation and attributes of the resource. The three types of attributes store relevant information when the user makes the access request and supply it when the access control decision is made. The attribute information is attached mainly to the behavior: when an access request occurs, the user information, behavior information and resource information are stored on the behavior, so that they can be stored and queried more conveniently.
Provenance data (Provenance Data): $PD = PD_B \cup PD_E$, where $PD_B$ is the transaction data converted from a system transaction after a request has been executed, and $PD_E$ is the environmental information of the specific operation, such as time, personnel, location and system environment, which is recorded in the form of transaction data and converted into environment information possessed by the action (Action).
Provenance graph (Provenance Graph): the provenance graph is a directed acyclic graph composed of triples that describes the dependency relationships of data; it can be written as $\langle V_E, E_E, D_E \rangle$, where the subscript $E$ indicates that the provenance graph is an extended provenance graph on a PBAC basis. Here $V_E$ defines the vertex types in the provenance graph, including user, behavior, resource and attribute nodes; $D_E$ defines the basic dependency relationships in the provenance graph; and $E_E$ defines the edge types in the provenance graph.
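The pipeline of steps S501 to S505 above, together with the definitions of U, R, P, AI/AT, the policy set, the attribute set, PD = PD_B ∪ PD_E and the extended provenance graph, as an added Python example that is not part of the patent. The users, roles, permissions, policies, rule predicates and environment values are constructed for illustration; the edge labels wasControlledBy and used are assumed in the style of OPM, and the choice to deny when a behavior type has no policy is the example's own, not something the patent specifies.

```python
# Added example (not from the patent): TIR-PBAC-style decision pipeline over a small
# extended provenance graph; users, roles, policies, env values and edge labels are constructed.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Node:                                   # vertex of <V_E, E_E, D_E>
    kind: str                                 # user | action | resource | attribute
    name: str
    env: dict = field(default_factory=dict)   # environment/attribute info (PD_E)

@dataclass
class ProvGraph:
    nodes: dict = field(default_factory=dict) # name -> Node
    edges: list = field(default_factory=list) # (src, dst, dependency type)

# Role model: user -> roles, role -> parent roles (inheritance), role -> permissions.
# A permission is (behaviour type, resource kind).
USER_ROLES = {"alice": {"member"}, "bob": {"moderator"}, "mallory": {"member"}}
ROLE_PARENTS = {"moderator": {"member"}, "member": set()}
ROLE_PERMS = {"member": {("Submit", "post"), ("Comment", "post")},
              "moderator": {("Delete", "post")}}

def effective_permissions(role: str, seen: set = None) -> set:
    """Permissions of a role plus those inherited from its parents (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    perms = set(ROLE_PERMS.get(role, set()))
    for parent in ROLE_PARENTS.get(role, set()):
        perms |= effective_permissions(parent, seen)
    return perms

@dataclass
class Request:                                # proxy user, action instance, object
    user: str
    action_instance: str                      # e.g. "Comment_alice_17"
    obj: str                                  # e.g. "post:42"

def behaviour_type(action_instance: str) -> str:
    """Abstract the behaviour type (AT) from a concrete behaviour instance (AI)."""
    return action_instance.split("_", 1)[0]

@dataclass
class Rule:                                   # one rule of an access policy
    name: str
    node_of: Callable[[Request], str]         # node the rule associates with the request
    check: Callable[[dict], bool]             # operation requirement on that node's env

NOT_BANNED = Rule("requester-not-banned", lambda r: r.user,
                  lambda env: not env.get("banned", False))
POLICIES = {                                  # behaviour type -> access policy (rules)
    "Comment": [NOT_BANNED, Rule("post-not-locked", lambda r: r.obj,
                                 lambda env: not env.get("locked", False))],
    "Submit": [NOT_BANNED],
    "Delete": [Rule("delete-from-office-network", lambda r: r.user,
                    lambda env: env.get("network") == "office")],
}

def authorization_stage(req: Request) -> bool:
    """S502 (a): does any role of the user hold the requested permission?"""
    needed = (behaviour_type(req.action_instance), req.obj.split(":", 1)[0])
    return any(needed in effective_permissions(r) for r in USER_ROLES.get(req.user, ()))

def rule_collection_stage(req: Request) -> list:
    """S502 (b): the rules mapped to the request's behaviour type."""
    return POLICIES.get(behaviour_type(req.action_instance), [])

def behaviour_verification_stage(req: Request, rules: list, graph: ProvGraph) -> dict:
    """S503: check each rule against the env of the node it associates with the request."""
    results = {}
    for rule in rules:
        node = graph.nodes.get(rule.node_of(req))
        results[rule.name] = node is not None and rule.check(node.env)
    return results

def decide(req: Request, graph: ProvGraph) -> tuple:
    """S504: (allowed, authorized, per-rule results); allow only if both stages pass."""
    authorized = authorization_stage(req)
    verification = behaviour_verification_stage(req, rule_collection_stage(req), graph)
    verified = bool(verification) and all(verification.values())  # no policy -> deny
    return authorized and verified, authorized, verification

def record_transaction(req: Request, graph: ProvGraph, env: dict) -> Node:
    """After an accepted access, store the action (PD_B) with its env (PD_E) and link it."""
    action = Node("action", req.action_instance, dict(env))
    graph.nodes[action.name] = action
    graph.edges += [(action.name, req.user, "wasControlledBy"), (action.name, req.obj, "used")]
    return action

def build_sample_graph() -> ProvGraph:
    """Constructed sample vertices: three users and two posts."""
    g = ProvGraph()
    g.nodes["alice"] = Node("user", "alice", {"banned": False, "network": "office"})
    g.nodes["bob"] = Node("user", "bob", {"banned": False, "network": "home"})
    g.nodes["mallory"] = Node("user", "mallory", {"banned": True, "network": "office"})
    g.nodes["post:42"] = Node("resource", "post:42", {"locked": False})
    g.nodes["post:7"] = Node("resource", "post:7", {"locked": True})
    return g
```

The authorization stage consults only the user's roles and their inherited permissions, which is the simplification the model claims; everything environment-dependent sits in the rules and is evaluated on the node each rule associates with the request, so a banned member or a moderator outside the office network is stopped in the verification stage even though the role check passed. The final decision is a strict AND and the example fails closed when a behavior type has no policy, so a newly added behavior type cannot be permitted by role alone.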
Example three
Fig. 6 is a third flowchart of the access control method according to the embodiment of the present application. This embodiment further optimizes and extends the technical scheme above and may be combined with any of the optional embodiments. As shown in fig. 6, the access control method may include the following steps:
S601, inputting an access request of a user into a TIR-PBAC model; wherein the access request comprises at least: a proxy user, an action, and an object.
S602, respectively determining the result of the user in the authorization stage and the result of the user in the rule collection stage based on the access request.
S603, determining the result of the user in the behavior verification stage based on the access request and the result of the user in the rule collection stage.
S604, judging whether the result of the user in the authorization stage is authorization passed and whether the result of the user in the behavior verification stage is verification passed; if both are, executing S605; otherwise, executing S606.
S605, determining that the access control result corresponding to the access request is access permitted.
In this step, if the result of the user in the authorization stage is authorization passed and the result of the user in the behavior verification stage is verification passed, the access control result corresponding to the access request is determined to be access permitted.
S606, determining that the access control result corresponding to the access request is access not permitted.
In this step, if the result of the user in the authorization stage is authorization not passed, or the result of the user in the behavior verification stage is verification not passed, the access control result corresponding to the access request is determined to be access not permitted.
The TIR-PBAC model in the embodiment of the application adopts OPM+ as the basic model for collecting provenance data: it captures basic provenance and also collects the environmental information at the time of access, thus providing more detailed provenance information, allowing finer-grained control during access control and meeting complex requirements. The TIR-PBAC model explains the sources of the provenance data, namely the transaction data at the time of the access request and the environment information at that time, and describes how each of the two kinds of provenance data is applied in access control. The model introduces factors such as roles, permissions and transactions. In the role authorization stage, whether a user has the right to initiate a request is determined by collecting the user's roles and the permissions corresponding to the request, which simplifies the query in the user authorization stage; in the subsequent behavior verification stage, environmental factors are taken into account: the attributes of the user, the attributes of the operation and the attributes of the resource are treated as environment information during access, and after the access is accepted the environment information is recorded in transaction form, enriching the provenance data. The TIR-PBAC model introduces concepts such as roles, adds the related mapping relations and formal definitions, and provides a feasible scheme for a provenance-data-based access control model.
Combining the above analysis, the TIR-PBAC model is a feasible provenance-data-based access control model proposed for today's increasingly complex access requirements; it combines the related concepts of roles, role inheritance and permissions, thereby simplifying the access flow and realizing fine-grained access control.
Example four
Fig. 7 is a schematic structural diagram of an access control device according to an embodiment of the present application. As shown in fig. 7, the access control device includes an input module 701, an analysis module 702 and an output module 703, wherein:
the input module 701 is configured to input an access request of a user into the TIR-PBAC model; wherein the access request comprises at least: proxy users, actions, and objects;
the analysis module 702 is configured to analyze the access control request through the TIR-PBAC model to obtain an access control result corresponding to the access request;
the output module 703 is configured to output the access control result through the TIR-PBAC model.
Further, the analysis module 702 is specifically configured to determine, based on the access request, a result of the user in an authorization stage and a result of the user in a rule collection stage respectively; determine a result of the user in a behavior verification stage based on the access request and the result of the user in the rule collection stage; and determine an access control result corresponding to the access request according to the result of the user in the authorization stage and the result of the user in the behavior verification stage.
The access control device can execute the method provided by any embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the access control method provided in any embodiment of the present application.
Example five
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application. FIG. 8 illustrates a block diagram of an exemplary electronic device suitable for use in implementing embodiments of the present application. The electronic device 12 shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 8, electronic device 12 is in the form of a general purpose computing device. The components of electronic device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by electronic device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The electronic device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 8, and commonly referred to as a "hard drive"). Although not shown in FIG. 8, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the application.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including but not limited to an operating system, one or more application programs, other program modules, and program data, each of which or some combination of which may comprise an implementation of a network environment. Program modules 42 generally perform the functions and/or methodologies of the embodiments described herein.
Electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with electronic device 12, and/or with any devices (e.g., network card, modem, etc.) that enable electronic device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the electronic device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with other modules of the electronic device 12 via the bus 18. It should be appreciated that although not shown in FIG. 8, other hardware and/or software modules may be used in conjunction with electronic device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing, such as implementing the access control method provided in the embodiments of the present application, by running a program stored in the system memory 28.
Example six
The embodiment of the application provides a computer storage medium.
The computer-readable storage media of the embodiments of the present application may take any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the presently preferred embodiments and application of the principles of the present invention. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present application is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the appended claims.

Claims (10)

1. An access control method, characterized in that the method comprises:
inputting an access request of a user into a TIR-PBAC model; wherein the access request comprises at least: proxy users, actions and objects;
analyzing the access control request through the TIR-PBAC model to obtain an access control result corresponding to the access request;
and outputting the access control result through the TIR-PBAC model.
2. The method of claim 1, wherein analyzing the access control request through the TIR-PBAC model to obtain an access control result corresponding to the access request comprises:
respectively determining the result of the user in an authorization phase and the result of the user in a rule collection phase based on the access control request;
determining a result of the user in a behavior verification phase based on the access control request and the result of the user in a rule collection phase;
and determining an access control result corresponding to the access request according to the result of the user in the authorization stage and the result of the user in the behavior verification stage.
3. The method of claim 2, wherein determining the result of the user in the authorization phase based on the access control request comprises:
acquiring the role of the user through the agent user;
and determining the result of the user in an authorization stage by utilizing an access control algorithm in the TIR-PBAC model according to the role of the user.
4. The method of claim 2, wherein determining the result of the user in a rule collection phase based on the access control request comprises:
acquiring the behavior type of the user through the action;
acquiring an access strategy of the user according to the behavior type and a predetermined mapping relation between the behavior type and the access strategy;
and obtaining the result of the user in the rule collection stage according to the access strategy.
5. The method of claim 2, wherein determining the result of the user in a behavior verification phase based on the access control request and the result of the user in a rules collection phase comprises:
extracting a rule from the result of the user in the rule collection stage as a current rule; wherein the structure of the user in the rule collection phase comprises at least one rule;
determining a node associated with the access request under the current rule;
if the environment information of the node associated with the access request meets the preset operation requirement, determining the verification result of the user under the current rule as passing verification; and repeating the operation until the verification result of the user under each rule is determined.
6. The method of claim 2, wherein determining the access control result corresponding to the access request according to the result of the user in the authorization phase and the result of the user in the behavior verification phase comprises:
if the result of the user in the authorization stage is authorization passing and the result of the user in the behavior verification stage is verification passing, determining that the access control result corresponding to the access request is access permission;
and if the result of the user in the authorization stage is that the authorization is not passed or the result of the user in the behavior verification stage is that the verification is not passed, determining that the access control result corresponding to the access request is not allowed to be accessed.
7. An access control apparatus, characterized in that the apparatus comprises an input module, an analysis module and an output module, wherein:
the input module is used for inputting the access request of the user into the TIR-PBAC model; wherein the access request comprises at least: proxy users, actions, and objects;
the analysis module is used for analyzing the access control request through the TIR-PBAC model to obtain an access control result corresponding to the access request;
the output module is used for outputting the access control result through the TIR-PBAC model.
8. The apparatus according to claim 7, wherein the analysis module is specifically configured to determine, based on the access control request, a result of the user in an authorization phase and a result of the user in a rule collection phase, respectively; determine a result of the user in a behavior verification phase based on the access control request and the result of the user in the rule collection phase; and determine an access control result corresponding to the access request according to the result of the user in the authorization stage and the result of the user in the behavior verification stage.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the access control method of any one of claims 1 to 6.
10. A storage medium on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the access control method according to any one of claims 1 to 6.
CN202211015139.4A 2022-08-23 2022-08-23 Access control method and device, electronic equipment and storage medium Pending CN115357878A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211015139.4A CN115357878A (en) 2022-08-23 2022-08-23 Access control method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211015139.4A CN115357878A (en) 2022-08-23 2022-08-23 Access control method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115357878A true CN115357878A (en) 2022-11-18

Family

ID=84002424

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211015139.4A Pending CN115357878A (en) 2022-08-23 2022-08-23 Access control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115357878A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination