CN115758303A - Authority control method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115758303A
Authority
CN
China
Prior art keywords
authority
agent
identifier
permission
identity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211663588.XA
Other languages
Chinese (zh)
Inventor
徐瑞杰
姬子建
陆洋
刘健楠
石钰
董畅
刘珊珊
陆小军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd


Abstract

The application provides a permission control method, apparatus, device and storage medium. The method comprises: acquiring an agent permission setting request sent by an entity user terminal, the request comprising a personal user identifier and the identifier of at least one permission set, where each permission set comprises at least one permission; generating an agent identity identifier for the personal user identifier according to the request and storing the agent identity identifier and the personal user identifier in a database in association with each other; and, according to the request, determining the permissions in the at least one identified permission set as the permissions corresponding to the agent identity identifier, and determining the permissions corresponding to the agent identity identifier as the permissions of the individual user according to the association. Using permission sets to determine the permissions of an agent identity allows those permissions to be set quickly and flexibly; granting the agent identity to an individual user to determine that user's permissions allows the individual user's permissions to be set quickly and flexibly.

Description

Authority control method, device, equipment and storage medium
Technical Field
The present application relates to the field of information security, and in particular to a permission control method, apparatus, device and storage medium.
Background
A commonly used permission management method at present is role-based access control (RBAC), in which permissions are granted to users indirectly: roles are associated with users, and permissions are associated with roles.
However, RBAC is limited in authorization flexibility and maintainability. If the existing role permissions do not satisfy the permission requirements of a particular user, the only option is to create a new role for that user and configure the permissions for that role one by one. This makes permissions difficult to maintain and prevents quick, flexible permission configuration according to the differing permission requirements of each user.
Disclosure of Invention
The application provides a permission control method, apparatus, device and storage medium to solve the above problems.
In a first aspect, the present application provides a permission control method, including:
acquiring an agent permission setting request sent by an entity user terminal; the agent permission setting request comprises a personal user identifier and the identifier of at least one permission set; each permission set comprises at least one permission;
generating an agent identity identifier for the personal user identifier according to the agent permission setting request and storing the agent identity identifier and the personal user identifier in a database in association with each other;
and determining, according to the agent permission setting request, the permissions in the at least one identified permission set as the permissions corresponding to the agent identity identifier, and determining the permissions corresponding to the agent identity identifier as the permissions of the individual user according to the association between the agent identity identifier and the personal user identifier.
Optionally, the presetting of the permissions included in the permission set includes:
acquiring a permission set generation request sent through a permission set setting interface in the entity user terminal, and determining at least one permission selected in the permission set setting interface; the selected permissions are among the permissions corresponding to the entity user identifier;
and generating an identifier for the permission set and determining the selected permissions as the permissions included in the permission set.
Optionally, after determining, according to the proxy permission setting request, a permission in the identifier corresponding to the at least one permission set as a permission corresponding to the proxy identity identifier, the method further includes:
acquiring an agent authority change request sent through an authority management interface in an entity user terminal; the proxy permission change request comprises a proxy identity identifier and corresponding permission change information;
and changing the corresponding authority of the agent identity identification by adopting the access control list according to the corresponding authority change information.
Optionally, the method of the first aspect further includes:
acquiring an entity user permission change request sent through a permission management interface in an entity user terminal; the entity user permission change request comprises an entity user identifier and corresponding permission change information;
and changing the authority corresponding to the entity user identification by adopting the access control list according to the corresponding authority change information.
Optionally, after determining, according to the proxy permission setting request, a permission in the identifier corresponding to the at least one permission set as a permission corresponding to the proxy identity identifier, the method further includes:
acquiring an access request sent by a personal user terminal;
if the access request does not include the agent identity, performing user-level authentication on the access request according to the personal general basic authority;
and if the user-level authentication is determined to pass, determining to execute the access operation according to the access request.
Optionally, after obtaining the access request sent by the personal user terminal, the method further includes:
if the access request comprises the agent identity identification, determining the corresponding authority of the agent identity identification according to the access control list, and performing agent-level authentication on the access request according to the corresponding authority of the agent identity identification;
and if the agent-level authentication is determined to pass, determining to execute the access operation according to the access request.
Optionally, the proxy permission setting request further includes: an entity user identifier; storing the agent identity and the individual user identity in a database in an associated manner, including:
storing the entity user identification and the agent identity identification in the agent permission setting request in a database in an associated manner;
the access request comprises authentication mode information; before performing agent-level authentication on the access request according to the permissions corresponding to the agent identity identifier, the method further comprises the following steps:
if it is determined from the authentication mode information that the access request is subject to secondary authentication, determining the entity user identifier associated with the agent identity identifier;
determining the authority corresponding to the entity user according to the access control list and the entity user identification, and performing root-level authentication on the access request according to the authority corresponding to the entity user;
and if the root-level authentication is determined to pass, performing proxy-level authentication on the access request according to the authority corresponding to the proxy identity identification.
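The flow of the first aspect, from permission set creation through the tiered authentication of an access request, as an added Python sketch that is not part of the patent text. The in-memory `Store`, the function names, the permission strings and the identifiers are assumptions made for illustration; the check that the agent identity belongs to the requesting individual user follows from the stored association.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    """In-memory stand-in for the database and access control list (assumed)."""
    entity_perms: dict = field(default_factory=dict)     # entity id -> set of permissions
    permission_sets: dict = field(default_factory=dict)  # set id -> (owner entity id, permissions)
    agents: dict = field(default_factory=dict)           # agent id -> (personal id, entity id, permissions)
    basic_perms: frozenset = frozenset({"profile:read"})  # personal general basic permissions


def create_permission_set(store, entity_id, selected):
    """Create a permission set; every member must already be held by the entity user."""
    selected = frozenset(selected)
    if not selected:
        raise ValueError("a permission set must contain at least one permission")
    missing = selected - store.entity_perms.get(entity_id, frozenset())
    if missing:
        raise PermissionError(f"entity user does not hold: {sorted(missing)}")
    set_id = "ps-" + secrets.token_hex(4)
    store.permission_sets[set_id] = (entity_id, selected)
    return set_id


def set_agent_permission(store, entity_id, personal_id, set_ids):
    """Handle an agent permission setting request and return the new agent identity."""
    if not set_ids:
        raise ValueError("at least one permission set identifier is required")
    perms = set()
    for set_id in set_ids:
        if set_id not in store.permission_sets:
            raise ValueError(f"unknown permission set: {set_id}")
        owner, members = store.permission_sets[set_id]
        if owner != entity_id:
            raise PermissionError("permission set belongs to another entity user")
        perms |= members
    agent_id = "agent-" + secrets.token_hex(8)  # unpredictable identifier
    # Store the agent identity in association with both identifiers.
    store.agents[agent_id] = (personal_id, entity_id, frozenset(perms))
    return agent_id


def authorize(store, personal_id, permission, agent_id=None, secondary=False):
    """Return (allowed, level), where level names the tier that made the decision."""
    if agent_id is None:
        # No agent identity in the request: user-level authentication only.
        return (permission in store.basic_perms, "user")
    record = store.agents.get(agent_id)
    if record is None or record[0] != personal_id:
        # Unknown agent identity, or one associated with a different individual user.
        return (False, "agent")
    _, entity_id, agent_perms = record
    if secondary and permission not in store.entity_perms.get(entity_id, frozenset()):
        # Secondary authentication: the associated entity user must hold the permission.
        return (False, "root")
    return (permission in agent_perms, "agent")


if __name__ == "__main__":
    # Constructed sample data.
    store = Store(entity_perms={"ent-001": {"report:read", "report:export"}})
    ps = create_permission_set(store, "ent-001", {"report:read"})
    agent = set_agent_permission(store, "ent-001", "user-42", [ps])
    print(authorize(store, "user-42", "report:read", agent))
    store.entity_perms["ent-001"].discard("report:read")  # entity permission change
    print(authorize(store, "user-42", "report:read", agent))
    print(authorize(store, "user-42", "report:read", agent, secondary=True))
```

In this sketch, a permission removed from the entity user after the agent identity was issued is still honored by agent-level authentication alone, and is refused only when the request asks for secondary (root-level) authentication.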
In a second aspect, the present application provides an authority control device, including:
an acquisition module, used for acquiring an agent permission setting request sent by an entity user terminal; the agent permission setting request comprises a personal user identifier and the identifier of at least one permission set; each permission set comprises at least one permission;
a storage module, used for generating an agent identity identifier for the personal user identifier according to the agent permission setting request and storing the agent identity identifier and the personal user identifier in a database in association with each other;
and a determining module, used for determining, according to the agent permission setting request, the permissions in the at least one identified permission set as the permissions corresponding to the agent identity identifier, and determining the permissions corresponding to the agent identity identifier as the permissions of the individual user according to the association between the agent identity identifier and the personal user identifier.
In a third aspect, the present application provides an electronic device, comprising: a processor, and a memory and transceiver communicatively coupled to the processor;
the memory stores computer-executable instructions; the transceiver is used for transceiving data;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of the above aspects.
In a fourth aspect, the present application provides a computer-readable storage medium, in which computer-executable instructions are stored, and the computer-executable instructions are executed by a processor to implement the method for controlling authority according to any one of the above aspects.
In a fifth aspect, the present application provides a computer program product comprising computer executable instructions, which when executed by a processor, implement the method of controlling rights according to any of the above aspects.
The permission control method, apparatus, device and storage medium provided by the application acquire an agent permission setting request sent by an entity user terminal, the request comprising a personal user identifier and the identifier of at least one permission set, where each permission set comprises at least one permission; generate an agent identity identifier for the personal user identifier according to the request and store the agent identity identifier and the personal user identifier in a database in association with each other; and, according to the request, determine the permissions in the at least one identified permission set as the permissions corresponding to the agent identity identifier, and determine the permissions corresponding to the agent identity identifier as the permissions of the individual user according to the association between the agent identity identifier and the personal user identifier. Using permission sets to determine the permissions of an agent identity allows those permissions to be set quickly and flexibly; granting the agent identity to an individual user to determine that user's permissions allows the individual user's permissions to be set quickly and flexibly.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 is a schematic diagram of a network architecture according to the present application;
FIG. 2 is a flowchart of an authority control method according to an embodiment of the present application;
FIG. 3 is a flowchart of an authority control method according to a fourth embodiment of the present application;
FIG. 4 is a schematic structural diagram of an authority control device according to a fifth embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device according to a sixth embodiment of the present application.
The above drawings show specific embodiments of the present application, which are described in more detail below. The drawings and written description are not intended to limit the scope of the inventive concept in any way, but to explain the concept of the application to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same reference numerals in different drawings designate the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects of the present application, as set forth in the appended claims.
The terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. In the description of the following examples, "plurality" means two or more unless specifically limited otherwise.
The prior art related to the present application is first described and analyzed in detail.
Because role-based permission control RBAC is limited in authorization flexibility and maintainability, if the existing role permission does not meet the permission requirement of a certain user, the direct change of the role permission synchronously changes the user permission with the role, which can cause confusion of the permission, so that the permission is difficult to maintain, and quick and flexible permission configuration can not be performed according to the difference of the permission requirements of each user.
The inventor found in research that determining the permissions of an agent identity from permission sets allows the permissions of the agent identity to be set quickly and flexibly, and that granting the agent identity to an individual user, so that the individual user's permissions are determined through the agent identity, allows the permissions of the individual user to be set quickly and flexibly. Accordingly, in the permission control method of the present application, after the agent permission setting request sent by the entity user terminal is acquired, an agent identity identifier is generated for the personal user identifier according to the request, and the agent identity identifier and the personal user identifier are stored in a database in association with each other; the permissions in the at least one identified permission set are determined as the permissions corresponding to the agent identity identifier according to the request; and the permissions corresponding to the agent identity identifier are determined as the permissions of the individual user according to the association between the agent identity identifier and the personal user identifier.
Fig. 1 is a schematic diagram of a network architecture according to the present application. As shown in Fig. 1, the architecture includes a personal user terminal 1, an entity user terminal 2 and an electronic device 3. The individual user can perform an agent identity application operation on the personal user terminal 1, so that the personal user terminal 1 sends an agent identity application request to the entity user terminal 2. After receiving the agent identity application request, the entity user terminal 2 may, if it determines to establish an agent identity for the personal user identifier, send an agent permission setting request to the electronic device 3. After receiving the agent permission setting request, the electronic device 3 may execute the permission control method to determine the permissions of the agent identity and grant the agent identity to the individual user, thereby determining the permissions corresponding to the agent identity as the permissions of the individual user.
In the technical solution of the application, the collection, storage, use, processing, transmission, provision, disclosure and other handling of related information such as financial data or user data all comply with the relevant laws and regulations and do not violate public order and good morals.
The following describes the technical solution of the present application and how to solve the above technical problems in detail by specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Example one
Fig. 2 is a flowchart of an authority control method according to an embodiment of the present application. This embodiment is provided to address the problem described above. The method in this embodiment is applied to an authority control device, which may be located in an electronic device. The electronic device may be any of various forms of digital computer, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers.
As shown in fig. 2, the method comprises the following specific steps:
Step S101, acquiring an agent permission setting request sent by an entity user terminal.
Step S102, generating an agent identity identifier for the personal user identifier according to the agent permission setting request, and storing the agent identity identifier and the personal user identifier in a database in association with each other.
Step S103, determining, according to the agent permission setting request, the permissions in the at least one identified permission set as the permissions corresponding to the agent identity identifier, and determining the permissions corresponding to the agent identity identifier as the permissions of the individual user according to the association between the agent identity identifier and the personal user identifier.
In the embodiment of the application, the authority corresponding to the agent identity identification is the authority of the agent identity.
In the embodiment of the application, the entity user can be a manager of the accessed resource, and the individual user is a visitor of the accessed resource. For example, the entity user may be a business user or an entity-level user with unique identification information, and the individual user is a specific employee or an individual client of the business.
In the embodiment of the application, the entity user and the individual user are not associated through upper and lower levels or membership, so that the authority constraint of the individual user is realized, and the entity user grants the agent identity to the individual user and authorizes the user through the agent identity.
The agent permission setting request comprises: a personal user identifier and the identifier of at least one permission set; each permission set includes at least one permission.
The embodiment of the application does not limit the way in which the entity user terminal sends the agent permission setting request. For example, an individual user may apply to an enterprise user for an agent identity and corresponding permissions; after receiving the agent identity application request, the entity user terminal may, in response to the enterprise user's confirmation of the agent identity application request, send an agent permission setting request to the electronic device. Optionally, the agent identity application request may include an agent identity usage description, so that the entity user can determine from it which permissions to grant to the agent identity, and thereby determine the identifier of the at least one permission set in the agent permission setting request.
Illustratively, the entity user terminal may also send the agent permission setting request to the electronic device in response to an agent identity granting operation by the entity user. The entity user can select the identifier of at least one permission set to generate the agent identity corresponding to the individual user, the permissions in the selected permission set being determined as the permissions of the agent identity; after the entity user triggers the confirmation control, the entity user terminal can send to the electronic device an agent permission setting request comprising the personal user identifier and the identifier of the at least one permission set.
In the embodiment of the application, an agent identity identifier is generated for the personal user identifier according to the agent permission setting request, and the agent identity identifier and the personal user identifier are stored in a database in association with each other. This generates an agent identity for the personal user identifier, so that the individual user can use the agent identity and access resources with the permissions of the agent identity.
In the embodiment of the application, at least one permission set can be preset, and the entity user can determine the permission in the identification corresponding to the permission set as the permission corresponding to the agent identity identification by selecting the at least one permission set so as to determine the permission corresponding to the agent identity identification as the permission corresponding to the individual user according to the incidence relation between the agent identity identification and the individual user identification.
Optionally, the agent permission setting request may further include an agent identity usage description, so that when the user needs to access a resource, the agent identity that should be selected can be determined from the agent identity usage description.
The permission control method provided by the embodiment of the application acquires an agent permission setting request sent by an entity user terminal, the request comprising a personal user identifier and the identifier of at least one permission set, where each permission set comprises at least one permission; generates an agent identity identifier for the personal user identifier according to the request and stores the agent identity identifier and the personal user identifier in a database in association with each other; and, according to the request, determines the permissions in the at least one identified permission set as the permissions corresponding to the agent identity identifier, and determines the permissions corresponding to the agent identity identifier as the permissions of the individual user according to the association between the agent identity identifier and the personal user identifier. Using permission sets to determine the permissions of an agent identity allows those permissions to be set quickly and flexibly; granting the agent identity to an individual user to determine that user's permissions allows the individual user's permissions to be set quickly and flexibly.
Optionally, the access control list may be used to determine the permissions in the at least one identified permission set as the permissions corresponding to the agent identity identifier.
Specifically, the agent-level permission access control model may be preset as an Identity and Access Management (IAM) model, and permission control in the IAM model uses access control lists (ACLs). The IAM model is configured in JSON format according to the identifier of the at least one permission set and the agent identity identifier; the access control list is then configured from the configured IAM model using a parsing and conversion strategy, so that the permissions in the at least one identified permission set are determined as the permissions corresponding to the agent identity identifier according to the agent permission setting request.
The IAM can control resource access on a per-user basis and enable single sign-on for user identity authentication. The IAM may authenticate a user access request and may grant or deny permission to access the resource. An ACL controls the resources that a subject can access by associating the subject (a user or group of users) and permissions (comprising operations and resources) in a list. Users include individual users and entity users.
It should be understood that IAM ensures that the appropriate person or thing has the appropriate permissions to access the appropriate resources, where the "person or thing" is called the subject and the "resource" is called the object. A conventional IAM typically contains several parts, often referred to as "4A" or "5A": account, authentication, authorization, application, audit. In the present application, permission control uses an access control list (ACL). The IAM can perform logical expression operations based on the subject, resource and operation ternary ACL permission policy provided by the ACL; it can perform a logical AND on the authentication results of multiple ACL permissions according to the authorization effect element; and it can use a parsing and conversion strategy to convert between the IAM permission policy and the ACL permission policy. The IAM permission policy differs from the ACL permission policy in that it is a superset of the ACL permission policy and includes permission elements beyond subject, resource and operation, such as the authorization effect element. IAM permission policies can be queried, added, deleted and updated.
In the embodiment of the application, the IAM model comprises an IAM permission policy, and the elements of the IAM permission policy can be configured in JSON format. The elements of the IAM permission policy include an authorization effect (Effect) element, a resource (Resource) element and an operation (Action) element. The resource element may include an object name, a service name, an account identifier and a specific resource identifier. The authorization effect element is analogous to the positive and negative authorization represented by a whitelist and a blacklist respectively; the resource element represents the specific object being authorized; the operation element refers to an operation on a specific resource, and may be defined by the service name in the resource element and a specific operation behavior.
Specifically, the access control list is configured from the configured IAM model using the parsing and conversion strategy as follows: obtain the identity information of the subject of the authorization request according to the format of the IAM model, and obtain the resource element array and the operation element array; after the subject identity information is determined, traverse the resource element array, generate a first ACL permission policy for each resource element, and fill the subject information and resource information into that policy according to the resource element; traverse the operation element array, generate a second ACL permission policy for each operation element, and fill the operation information into that policy according to the operation element; then merge the first and second ACL permission policies to obtain complete subject, resource and operation ternary ACL permission policies. Optionally, after parsing and conversion is complete, it is checked whether the number of converted ternary ACL policies equals the number of combinations of resource elements and operation elements in the IAM policy; if they are not equal, the ACL policy is configured again. The subject identity information is the agent identity.
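The parsing and conversion step described above, as an added Python example that is not code from the patent; it also goes one step further and evaluates a request against the resulting entries. The JSON key names, the colon-separated resource layout and the reading of the logical AND as "every matching entry must be Allow" are assumptions, since the page names the elements but not their concrete encoding.

```python
import json
from itertools import product
from typing import NamedTuple

# Constructed sample policy. Key names and the resource layout
# (object name:service name:account identifier:resource identifier) are assumptions.
SAMPLE_POLICY = json.dumps({
    "Principal": "agent-7f3a",
    "Statement": [
        {"Effect": "Allow",
         "Resource": ["report-store:storage:ent-001:file/q3.pdf",
                      "report-store:storage:ent-001:file/invoices.csv"],
         "Action": ["storage:Read", "storage:List"]},
        {"Effect": "Deny",
         "Resource": ["report-store:storage:ent-001:file/invoices.csv"],
         "Action": ["storage:Read"]},
    ],
})


class AclEntry(NamedTuple):
    subject: str
    resource: str
    action: str
    effect: str


def _as_list(value):
    """Accept a single string or an array of strings."""
    return [value] if isinstance(value, str) else list(value)


def iam_to_acl(policy_json):
    """Expand an IAM-style policy into subject/resource/operation ACL entries."""
    try:
        policy = json.loads(policy_json)
        subject = policy["Principal"]  # the agent identity is the subject
        statements = [(s["Effect"], _as_list(s["Resource"]), _as_list(s["Action"]))
                      for s in policy["Statement"]]
    except (KeyError, TypeError, json.JSONDecodeError) as exc:
        raise ValueError(f"malformed policy: {exc!r}") from exc

    entries = []
    for effect, resources, actions in statements:
        if effect not in ("Allow", "Deny"):
            raise ValueError(f"unknown Effect: {effect!r}")
        # First pass: one partial entry per resource element (subject + resource).
        by_resource = [(subject, resource) for resource in resources]
        # Second pass: one partial entry per operation element (operation only).
        by_action = list(actions)
        # Merge both passes into complete ternary entries.
        triples = {AclEntry(s, r, a, effect)
                   for (s, r), a in product(by_resource, by_action)}
        # Count check from the text: the number of converted entries must equal
        # the number of resource/operation combinations. Duplicate array elements
        # collapse in the set and trip this check, so the policy is rejected.
        if len(triples) != len(resources) * len(actions):
            raise ValueError("ACL entry count does not match resource x operation "
                             "combinations; reconfigure the policy")
        entries.extend(sorted(triples))
    return entries


def is_allowed(entries, subject, resource, action):
    """Logical AND over all matching entries; no match means deny by default."""
    effects = [e.effect for e in entries
               if (e.subject, e.resource, e.action) == (subject, resource, action)]
    return bool(effects) and all(effect == "Allow" for effect in effects)


if __name__ == "__main__":
    acl = iam_to_acl(SAMPLE_POLICY)
    for entry in acl:
        print(entry)
    print(is_allowed(acl, "agent-7f3a",
                     "report-store:storage:ent-001:file/invoices.csv", "storage:Read"))
```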
Example two
On the basis of the first embodiment, the permission control method further includes entity user registration and authorization, with the following specific steps:
Step S201, acquiring an entity user registration request sent by an entity user terminal.
Step S202, generating an entity user account according to the entity user registration request and determining a corresponding entity user identifier.
Step S203, initializing the authority corresponding to the entity user identification so that the entity user can obtain the entity user basic authority.
If the entity user is an enterprise user, the entity user registration request may include a social credit code, and may also include the business name, corporate information, etc.
Optionally, after the entity user registration request sent by the entity user terminal is obtained, information in the entity user registration request may also be verified; and after the information verification is determined to be passed, generating an entity user account according to the entity user registration request and determining a corresponding entity user identifier.
In the embodiment of the present application, the social credit code may be determined as the identifier of the entity user, or the unique identifier of the entity user may be generated according to a preset rule, which is not limited in the embodiment of the present application.
After the entity user account is generated and the corresponding entity user identifier is determined, the authority corresponding to the entity user identifier needs to be initialized to complete the configuration of the basic authority of the entity user. The basic authority of the entity user may include basic authorities such as system login authority, authentication information viewing authority, product subscription authority and system console access authority, which ensure that entity users can complete basic operations.
In the embodiment of the application, after the entity user registers for the first time, sends the entity user registration request and passes the authentication, subsequent logins do not need repeated authentication; login is verified once the account number and the password information are input.
On the basis of the above embodiment, after the entity user registers and acquires the basic authority of the entity user, the entity user can change the authority of the entity user, and the method of changing the authority of the entity user specifically includes the following steps:
Step S204, acquiring an entity user permission change request sent through a permission management interface in the entity user terminal.
The entity user permission change request comprises an entity user identifier and corresponding permission change information. The corresponding permission change information includes the permission to be changed and the operation on the permission, such as adding or deleting operation.
Step S205, changing the authority corresponding to the entity user identification by adopting the access control list according to the corresponding authority change information.
In the embodiment of the application, the authority corresponding to the entity user identification is the authority of the entity user, and the authority corresponding to the agent identity identification is the authority of the agent identity.
The embodiment of the application does not limit the manner of the entity user permission change request sent by the entity user terminal, and the entity user permission change request can be sent to the electronic equipment in response to the operation of the entity user. For example, if an accessible resource is newly added, the entity user may send an entity user permission change request for the newly added resource to increase the access permission for the newly added resource.
In the embodiment of the application, the access authority of the entity user is controlled by an Access Control List (ACL). And configuring an access control list for controlling the authority of the entity user according to the entity user authority change request so as to change the authority corresponding to the entity user identifier.
The authority control method provided by the embodiment of the application acquires an entity user authority change request sent through an authority management interface in an entity user terminal; the entity user permission change request comprises an entity user identifier and corresponding permission change information; and the authority corresponding to the entity user identification is changed by adopting the access control list according to the corresponding authority change information. Adopting the access control list allows more flexible access authority control and makes it convenient to change the authority corresponding to the entity user identification, so that this authority is flexible and configurable.
On the basis of the above embodiment, the entity user may set the permission set according to the permission of the entity user, and the manner of setting the permission set specifically includes the following steps:
Step S206, acquiring a permission set generation request sent through a permission set setting interface in the entity user terminal, and determining at least one permission selected in the permission set setting interface.
And step S207, generating corresponding identification of the authority set and determining at least one selected authority as the authority included in the authority set.
The at least one selected authority is among the authorities corresponding to the entity user identifier.
In the embodiment of the application, after the entity user determines the authority corresponding to the entity user identifier, at least one authority set can be determined according to requirements.
Specifically, the authority set setting interface in the entity user terminal may display the authority corresponding to the entity user identifier, and the entity user may select at least one authority from the authority set setting interface and send an authority set generation request to the electronic device. After receiving the permission set generation request, the electronic device can generate a permission set and a permission set corresponding identifier, and determine at least one selected permission as the permission included in the permission set. Optionally, the entity user may also delete the set of permissions it sets.
The authority control method provided by the embodiment of the application obtains an authority set generation request sent through an authority set setting interface in an entity user terminal, and determines at least one authority selected in the authority set setting interface; the selected at least one authority is in the authority corresponding to the entity user identifier; and generating a corresponding identifier of the authority set and determining at least one selected authority as the authority included in the authority set. The entity user can flexibly set the authority set according to the own authority, the flexibility of setting the authority set can be improved, the flexibility and the personalized degree of setting the proxy authority according to the authority set are further improved, and the efficiency of setting the proxy authority is ensured while the proxy authority can be set in a personalized manner.
On the basis of the above embodiment, after the entity user registers and determines the authority corresponding to the entity user identifier, an access request may be initiated, and the authority control method provided in the embodiment of the present application may authenticate the access request, specifically including the following steps:
Step S208, acquiring the access request sent by the entity user terminal.
Step S209, the access control list is adopted to authenticate the access request according to the authority corresponding to the entity user identification.
Specifically, after logging in, the entity user may initiate an access request to a resource that needs to be accessed or operated, and the entity user terminal sends the access request to the electronic device, so that the electronic device authenticates the access request by using the access control list. The access request may include: entity user identification, accessed resource information and operation information.
After receiving the access request, the electronic device can determine the authentication subject, resource and operation information in the access request, query the authorized authority information of the subject based on the subject information, and perform a matching operation using an ACL logical expression operation to obtain a result of whether the authentication is passed. If the authentication passes, the access operation is executed according to the access request; if the authentication does not pass, the corresponding error code and prompt can be sent to the entity user terminal. The subject information is an entity user identifier, and the authorized authority of the subject is the authority corresponding to the entity user identifier.
Example three
On the basis of any of the above embodiments, the authority control method further includes individual user registration and authorization, which specifically include the following steps:
Step S301, acquiring a personal user registration request sent by a personal user terminal.
Step S302, generating a personal user account according to the personal user registration request and determining a corresponding personal user identifier.
Step S303, initializing the authority corresponding to the personal user identifier so that the personal user can obtain the personal general basic authority.
Wherein, the personal general basic authority can include: system login authority, subscription authority, console access authority and the like.
In the embodiment of the present application, the manner of individual user registration is similar to that of entity registration, and is not described in detail herein.
Optionally, the individual user registration request may include a mobile phone number, and the mobile phone number may be determined as the individual user identifier.
On the basis of the foregoing embodiment, after the individual user registers and acquires the basic authority of the individual user, the method from step S101 to step S103 in the first embodiment may be adopted to enable the individual user to acquire the proxy identity and the authority corresponding to the proxy identity identifier.
After the individual user obtains the agent identity and the authority corresponding to the agent identity identifier, the authority of the individual user can be changed, and the mode of changing the authority of the individual user specifically comprises the following steps:
Step S304, acquiring an entity user permission change request sent through a permission management interface in the entity user terminal.
The entity user permission change request comprises an entity user identifier and corresponding permission change information.
Step S305, changing the authority corresponding to the entity user identification by adopting the access control list according to the corresponding authority change information.
The manner in which the entity user terminal sends the agent permission setting request is not limited, and is similar to the manner of sending the agent permission setting request by the entity user terminal: the entity user terminal may send the request after receiving an agent permission setting application sent by the personal user terminal, or may send it to the electronic equipment in response to the agent identity granting operation of the entity user.
For example, when the individual user accesses the resource by using the proxy identity, if the system prompts that the authentication is not passed, the individual user may send a proxy permission setting application to the electronic device through the individual user terminal to apply for adding the related resource permission to the proxy identity. The electronic device may query an entity user having a related right, and send an authorization application notification for applying authorization to a corresponding entity user terminal, where the authorization application notification may include: basic information and agent identity detailed information of an individual user; the agent identity detail information includes: agent identity grantor, agent identity usage description. After the entity user terminal receives the authorization application notification, the entity user can check the qualification of the individual user and judge whether to authorize or not; and if the authorization is determined, sending an agent permission change request to the electronic equipment through a permission management interface in the entity user terminal.
Optionally, if the entity user terminal does not have the authority for which the individual user applies for authorization, the authority of the entity user may be changed through step S204 and step S205; the entity user can define a new IAM authority policy by configuring resource elements and operation elements in the IAM model to authorize the proxy identity.
The authority control method provided by the embodiment of the application acquires an agent authority change request sent through an authority management interface in an entity user terminal; the proxy permission change request comprises a proxy identity identifier and corresponding permission change information; and the authority corresponding to the entity user identification is changed by adopting the access control list according to the corresponding authority change information. Only the authority corresponding to the agent identity identifier is changed, so changing the authority of one agent identity does not affect the authorities or authority sets of other agent identities, which avoids security problems caused by disordered authorities and improves the security of resources.
Optionally, various operation information of the entity user may be stored in a log, where the operation information includes the operation time and operation content of the entity user. Specifically, the operations of the entity user may include: changing the authority corresponding to the entity user identification, changing the authority corresponding to the agent identity identification, creating the agent identity for the individual user identification, and the like. Export functions for authority configuration and operation information can also be provided so that the granted authority can be checked periodically.
Example four
Fig. 3 is a flowchart of an authorization control method provided in a fourth embodiment of the present application, where on the basis of any of the foregoing embodiments, an individual user may send an access request to an electronic device through an individual user terminal to access a resource, and what is involved in the embodiment of the present application is an authorization control method for authenticating an access request initiated by an individual user, as shown in fig. 3, specifically including the following steps:
Step S401, obtaining an access request sent by a personal user terminal, and determining whether the access request includes an agent identity.
In the embodiment of the application, the access request comprises subject information, and the subject information in the access request sent by the personal user terminal is an agent identity or a personal user identity.
In the embodiment of the application, before initiating access, the individual user can view the agent identity detail information of each granted agent identity and either select an agent identity to use or select none. If an agent identity is selected, the access request includes the agent identity identifier of that agent identity, and step S403 or step S407 may be executed to authenticate the agent identity; if no agent identity is selected, the access request does not include an agent identity identifier, and step S402 may be executed to perform user-level authentication on the individual user.
Step S402, if the access request does not include the agent identity, the user-level authentication is carried out on the access request according to the personal general basic authority.
In the embodiment of the application, the personal general basic permission is a permission corresponding to a user identifier of a user initialized after the user is registered, and can include permissions such as a system login permission, a subscription permission, a console access permission and the like.
In the embodiment of the present application, if it is determined that the access request does not include the agent identity, the access request includes: a personal user identification; the access request can further comprise: accessed resource information, operation information, identity type information. Optionally, it may also be determined whether the authentication subject is an individual user or a proxy identity according to the identity type information.
In the embodiment of the application, if it is determined that the access request does not include the agent identity, it may be determined that the authentication subject is an individual user. After the authentication subject is determined to be the individual user, the access request can be authenticated at the user level according to the individual general basic authority.
The authority control method provided by the embodiment of the application acquires an access request sent by an individual user terminal; if the access request does not include the agent identity, performing user-level authentication on the access request according to the personal general basic authority; and if the user-level authentication is determined to pass, determining to execute the access operation according to the access request. The access request sent by the personal user terminal can be authenticated; and the individual user can initiate the access request without adopting the agent identity, thereby improving the flexibility of initiating the access request and authenticating and enabling the individual user who does not acquire the agent identity to carry out basic operation.
Optionally, after the entity user creates a proxy identity for the individual user, an authentication mode may be configured for the proxy identity; the access request may include authentication mode information, and after determining that the access request includes the agent identity, it may be determined whether to perform secondary authentication and perform subsequent steps, including:
Step S403, determining whether to perform secondary authentication according to the authentication mode information.
In the embodiment of the application, if it is determined that the access request includes the agent identity and includes the authentication mode information, whether to perform secondary authentication may be determined according to the authentication mode information. The access request can further comprise: personal user identification, accessed resource information, operational information, authorization effectiveness information, identity type information, and the like. Optionally, it may also be determined whether the authentication subject is an individual user or a proxy identity according to the identity type information.
In the embodiment of the application, if it is determined that the access request includes the proxy identity, it may be determined that the authentication subject is the proxy identity. After the authentication main body is determined to be the proxy identity, whether secondary authentication is performed or not can be determined according to the authentication mode information.
Specifically, if the authentication mode information indicates secondary authentication, step S404 and the subsequent steps are executed to perform secondary authentication on the request; if the authentication mode information indicates single authentication, step S407 and the following steps are executed to perform proxy-level authentication on the request.
Step S404, determining an entity user identifier having an association relation with the agent identity identifier.
The entity user identifier that has an association relation with the agent identity identifier is the identifier of the entity user that granted the agent identity.
In the embodiment of the application, after the agent identity is generated for the personal user identity according to the agent authority setting request, the entity user identity in the agent authority setting request and the agent identity can be stored in the database in an associated mode, so that the entity user identity having an association relation with the agent identity can be determined according to the database during secondary authentication.
Step S405, determining the authority corresponding to the entity user according to the access control list and the entity user identification, and performing root-level authentication on the access request according to the authority corresponding to the entity user.
Root-level authentication authenticates the authority of the entity user that granted the agent identity to the personal user. After root-level authentication passes, proxy authority authentication is performed.
Specifically, if it is determined that the root-level authentication passes, step S406 and the subsequent steps are executed to perform proxy-level authentication on the access request according to the authority corresponding to the proxy identity; if it is determined that the root-level authentication does not pass, a feedback error code and a prompt can be sent to the personal user terminal to inform the user that the authority of the entity user who authorized the user's agent identity is invalid.
It should be understood that if, after an entity user grants a certain authority to a proxy identity, the entity user deletes that authority from the authorities corresponding to the entity user identifier, then the authority of the entity user that authorized the proxy identity is invalid: the root-level authentication does not pass, while the proxy-level authentication passes.
According to the authority control method provided by the embodiment of the application, if it is determined according to the authentication mode information that secondary authentication is to be performed on the access request, the entity user identification having the association relation with the agent identity identification is determined; the authority corresponding to the entity user is determined according to the access control list and the entity user identification, and root-level authentication is performed on the access request according to that authority; and if the root-level authentication passes, proxy-level authentication is performed on the access request according to the authority corresponding to the proxy identity identification. The access request can thus be authenticated twice, so that the root-level authority, namely the corresponding entity user authority, is authenticated before the proxy-level authority. This avoids the security control gap that arises when only the proxy-level authority is verified, where the root-level authority has become invalid but the proxy-level authority, which should then also be invalid, has not been adjusted accordingly, and it improves the security of resources.
Step S406, determining the corresponding authority of the agent identity according to the access control list, and performing agent-level authentication on the access request according to the corresponding authority of the agent identity.
In the embodiment of the application, if the proxy-level authentication is determined to be performed on the access request, the proxy identity identifier can be obtained from the access request, the authority corresponding to the proxy identity identifier is determined according to the access control list, and the proxy-level authentication is performed on the access request according to the authority corresponding to the proxy identity identifier.
Specifically, authorized agent-level authority information can be determined according to the access control list based on the agent identity, and an IAM model is called to perform matching operation on the access request and the authority corresponding to the agent identity, so as to obtain a result of whether the authentication is passed.
Step S407, if it is determined that the proxy-level authentication passes, it is determined to execute an access operation according to the access request.
Specifically, if it is determined that the proxy-level authentication passes, step S408 is executed to determine to execute an access operation according to the access request; if the agent-level authentication is determined not to pass, a feedback error code and a prompt can be sent to the personal user terminal to prompt the user that the user is not granted the related authority.
According to the authority control method provided by the embodiment of the application, if the access request is determined to include the agent identity identifier, the corresponding authority of the agent identity identifier is determined according to the access control list, and the agent-level authentication is carried out on the access request according to the corresponding authority of the agent identity identifier; and if the agent-level authentication is determined to pass, determining to execute the access operation according to the access request. The authentication of the proxy-level authority can be realized, and the safety of resources is ensured.
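The authentication flow of steps S401 to S407, including the case where the entity user deletes an authority after granting it, is shown below as an added Python example (not code from the application). The identifiers, the mode values `single` and `secondary`, the reason strings, and the check that the agent identity is associated with the requesting personal user are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Personal general basic authorities as (resource, operation); names illustrative.
BASIC_AUTHORITIES = {("system", "login"), ("product", "subscribe"),
                     ("console", "access")}


@dataclass(frozen=True)
class AccessRequest:
    personal_user_id: str
    resource: str
    operation: str
    agent_id: Optional[str] = None   # absent -> user-level authentication
    auth_mode: str = "secondary"     # assumed values: "single" or "secondary"


@dataclass
class AuthorityStore:
    acl: set = field(default_factory=set)              # (subject, resource, operation)
    agent_owner: dict = field(default_factory=dict)    # agent id -> personal user id
    agent_grantor: dict = field(default_factory=dict)  # agent id -> entity user id

    def permits(self, subject: str, resource: str, operation: str) -> bool:
        return (subject, resource, operation) in self.acl


def authenticate(store: AuthorityStore, req: AccessRequest) -> tuple:
    """Return (allowed, reason) for one access request."""
    target = (req.resource, req.operation)

    # S401/S402: no agent identity identifier -> user-level authentication.
    if req.agent_id is None:
        if target in BASIC_AUTHORITIES:
            return True, "user-level-pass"
        return False, "user-level-denied"

    # Assumption: use the stored association to reject an agent identity that
    # was not generated for this personal user (also covers unknown agents).
    if store.agent_owner.get(req.agent_id) != req.personal_user_id:
        return False, "agent-not-associated"

    # S403: decide on secondary authentication; unknown modes fail closed.
    if req.auth_mode not in ("single", "secondary"):
        return False, "unknown-auth-mode"

    # S404/S405: root-level authentication against the granting entity user.
    if req.auth_mode == "secondary":
        grantor = store.agent_grantor.get(req.agent_id)
        if grantor is None or not store.permits(grantor, *target):
            return False, "root-level-denied"

    # S406/S407: proxy-level authentication against the agent identity.
    if not store.permits(req.agent_id, *target):
        return False, "agent-level-denied"
    return True, "agent-level-pass"


def revoke_entity_authority(store, entity_id, resource, operation) -> None:
    """Entity user deletes one of its own authorities (agent ACL untouched)."""
    store.acl.discard((entity_id, resource, operation))


def build_demo_store() -> AuthorityStore:
    """Constructed data: entity ent-001 grants agent-7 read access for user-a."""
    store = AuthorityStore()
    store.acl |= {("ent-001", "db/orders", "read"),
                  ("ent-001", "db/orders", "write"),
                  ("agent-7", "db/orders", "read")}
    store.agent_owner["agent-7"] = "user-a"
    store.agent_grantor["agent-7"] = "ent-001"
    return store


if __name__ == "__main__":
    store = build_demo_store()
    req = AccessRequest("user-a", "db/orders", "read", agent_id="agent-7")
    print("before revocation:", authenticate(store, req))
    revoke_entity_authority(store, "ent-001", "db/orders", "read")
    single = AccessRequest("user-a", "db/orders", "read", "agent-7", "single")
    print("after, single mode:", authenticate(store, single))
    print("after, secondary mode:", authenticate(store, req))
```

After the entity user's own authority is deleted, the single-mode request still passes on the stale agent-level entry, while the secondary-mode request is stopped at the root level.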
Example five
Fig. 4 is a schematic structural diagram of an authority control device according to the fifth embodiment of the present application. The authority control device provided by the embodiment of the application can execute the processing flow provided by the authority control method embodiment. As shown in fig. 4, the authority control device 50 includes: an interface module 501, a storage module 502 and a permission control module 503.
Specifically, the interface module 501 is configured to obtain an agent permission setting request sent by an entity user terminal; the proxy permission setting request comprises the following steps: personal user identification and at least one authority set corresponding identification; the set of permissions includes at least one permission.
The storage module 502 is configured to generate an agent identity for the personal user identifier according to the agent permission setting request, and store the agent identity and the personal user identifier in a database in an associated manner.
The authority control module 503 is configured to determine, according to the proxy authority setting request, an authority in the identifier corresponding to the at least one authority set as an authority corresponding to the proxy identity identifier, and determine, according to the association relationship between the proxy identity identifier and the personal user identifier, an authority corresponding to the proxy identity identifier as an authority corresponding to the personal user.
The apparatus provided in this embodiment of the present application may be specifically configured to execute the method embodiment provided in the first embodiment, and specific functions are not described herein again.
Optionally, the interface module 501 is further configured to obtain a permission set generation request sent through a permission set setting interface in the entity user terminal; the authority control module 503 is further configured to determine at least one authority selected in the authority set setting interface; the selected at least one authority is in the authority corresponding to the entity user identifier; and generating a corresponding identifier of the authority set and determining at least one selected authority as the authority included in the authority set.
Optionally, the interface module 501 is further configured to obtain an agent permission change request sent through a permission management interface in the entity user terminal; the proxy permission change request comprises a proxy identity identifier and corresponding permission change information; the authority control module 503 is further configured to change the authority corresponding to the agent identity identifier by using the access control list according to the corresponding authority change information.
Optionally, the interface module 501 is further configured to obtain an entity user permission change request sent through a permission management interface in the entity user terminal; the entity user permission change request comprises an entity user identifier and corresponding permission change information; the authority control module 503 is further configured to change the authority corresponding to the entity user identifier by using the access control list according to the corresponding authority change information.
Optionally, the authority control device 50 further comprises an authentication module. The interface module 501 is further configured to obtain an access request sent by a personal user terminal; the authentication module is configured to: if the access request does not comprise the agent identity identification, perform user-level authentication on the access request according to the personal general basic authority; and if the user-level authentication is determined to pass, determine to execute the access operation according to the access request.
Optionally, the authentication module is further configured to: if the access request comprises the agent identity identification, determining the corresponding authority of the agent identity identification according to the access control list, and performing agent-level authentication on the access request according to the corresponding authority of the agent identity identification; and if the agent-level authentication is determined to pass, determining to execute the access operation according to the access request.
Optionally, the proxy permission setting request further includes: an entity user identifier; the storage module 502 is further configured to store the entity user identifier and the agent identity identifier in the agent permission setting request in a database in an associated manner; the authentication module is further configured to: if the access request is determined to be subjected to secondary authentication according to the authentication mode information, determining an entity user identifier having an association relation with the agent identity identifier; determining the authority corresponding to the entity user according to the access control list and the entity user identification, and performing root-level authentication on the access request according to the authority corresponding to the entity user; and if the root-level authentication is determined to pass, performing proxy-level authentication on the access request according to the authority corresponding to the proxy identity identification.
Optionally, the authority control device 50 further comprises a log module. The log module is configured to store various operation information of the entity user, including the operation time and operation content of the entity user. The log module is further configured to export the authority configuration and the operation information so that the granted authority can be checked periodically.
The apparatus provided in the embodiment of the present application may be specifically configured to execute the method embodiment, and specific functions are not described herein again.
Example six
Fig. 5 is a schematic structural diagram of an electronic device according to a sixth embodiment of the present application, and as shown in fig. 5, the present application further provides an electronic device 60, including: memory 601, processor 602, and transceiver 603.
The memory 601 is used for storing computer-executable instructions, the transceiver 603 is used for transmitting and receiving data, and the memory 601, the processor 602 and the transceiver 603 are communicatively connected. In particular, the program may include program code comprising computer-executable instructions. The memory 601 may comprise high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
The processor 602 is used for executing the computer-executable instructions stored in the memory 601.
Wherein computer executable instructions are stored in the memory 601 and configured to be executed by the processor 602 to implement the method provided by any one of the embodiments of the present application. The related descriptions and effects corresponding to the steps in the drawings can be correspondingly understood, and redundant description is not repeated here.
In the embodiment of the present application, the memory 601 and the processor 602 are connected by a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 5, but this does not mean that there is only one bus or one type of bus.
The embodiment of the present application further provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the computer-executable instructions are used to implement the method provided in any one of the embodiments of the present application.
The embodiment of the present application further provides a computer program product, which includes computer executable instructions, and when the computer executable instructions are executed by a processor, the method provided in any embodiment of the present application is implemented.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a mode of hardware and a software functional module.
Program code for implementing the methods of the present application may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable full path trajectory fusion device such that the program code, when executed by the processor or controller, causes the functions/acts specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this application, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the application. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. An authority control method, comprising:
acquiring an agent authority setting request sent by an entity user terminal; the agent authority setting request comprises: a personal user identifier and an identifier corresponding to at least one authority set; the authority set comprises at least one authority;
generating an agent identity for the personal user identifier according to the agent authority setting request and storing the agent identity and the personal user identifier in a database in an associated manner;
and determining, according to the agent authority setting request, the authority in the authority set corresponding to the at least one identifier as the authority corresponding to the agent identity identifier, and determining the authority corresponding to the agent identity identifier as the authority corresponding to the individual user according to the association relationship between the agent identity identifier and the personal user identifier.
2. The method according to claim 1, wherein presetting the rights included in the set of rights comprises:
acquiring a permission set generation request sent through a permission set setting interface in an entity user terminal, and determining at least one permission selected in the permission set setting interface; the selected at least one permission is among the permissions corresponding to the entity user identifier;
and generating a corresponding identifier of the authority set and determining at least one selected authority as the authority included in the authority set.
3. The method according to claim 1, wherein after determining the right in the identifier corresponding to at least one right set as the right corresponding to the proxy identity identifier according to the proxy right setting request, the method further comprises:
acquiring an agent authority change request sent through an authority management interface in an entity user terminal; the proxy permission change request comprises a proxy identity identifier and corresponding permission change information;
and changing the authority corresponding to the agent identity identification by adopting an access control list according to the corresponding authority change information.
4. The method of claim 2, further comprising:
acquiring an entity user permission change request sent through a permission management interface in an entity user terminal; the entity user permission change request comprises an entity user identifier and corresponding permission change information;
and changing the authority corresponding to the entity user identification by adopting the access control list according to the corresponding authority change information.
5. The method according to any one of claims 1 to 4, wherein after determining the right in the identifier corresponding to at least one right set as the right corresponding to the proxy identity identifier according to the proxy right setting request, the method further comprises:
acquiring an access request sent by a personal user terminal;
if the access request does not include the agent identity, performing user-level authentication on the access request according to the personal general basic authority;
and if the user-level authentication is determined to pass, determining to execute the access operation according to the access request.
6. The method of claim 5, wherein after obtaining the access request sent by the personal user terminal, further comprising:
if the access request comprises the agent identity identification, determining the corresponding authority of the agent identity identification according to the access control list, and performing agent-level authentication on the access request according to the corresponding authority of the agent identity identification;
and if the agent-level authentication is determined to pass, determining to execute the access operation according to the access request.
7. The method of claim 6, wherein the proxy permission setting request further comprises: an entity user identifier; storing the agent identity and the individual user identity in a database in an associated manner, including:
storing the entity user identification and the proxy identity identification in the proxy permission setting request in a database in an associated manner;
the access request comprises authentication mode information; before performing proxy-level authentication on the access request according to the authority corresponding to the proxy identity identifier, the method further comprises the following steps:
if the access request is determined to be subjected to secondary authentication according to the authentication mode information, determining an entity user identifier having an association relation with the agent identity identifier;
determining the corresponding authority of the entity user according to the access control list and the entity user identification, and performing root-level authentication on the access request according to the corresponding authority of the entity user;
and if the root-level authentication is determined to pass, performing proxy-level authentication on the access request according to the authority corresponding to the proxy identity identification.
8. An authority control device, comprising:
the interface module is used for acquiring an agent authority setting request sent by an entity user terminal; the agent authority setting request comprises: a personal user identifier and an identifier corresponding to at least one authority set; the authority set comprises at least one authority;
the storage module is used for generating an agent identity for the personal user identifier according to the agent authority setting request and storing the agent identity and the personal user identifier in a database in an associated manner;
and the authority control module is used for determining, according to the agent authority setting request, the authority in the authority set corresponding to the at least one identifier as the authority corresponding to the agent identity identifier, and determining the authority corresponding to the agent identity identifier as the authority corresponding to the individual user according to the association relationship between the agent identity identifier and the personal user identifier.
9. An electronic device, comprising: a processor, and a memory and transceiver communicatively coupled to the processor;
the memory stores computer-executable instructions; the transceiver is used for transceiving data;
the processor executes computer-executable instructions stored by the memory to implement the method of any of claims 1-7.
10. A computer-readable storage medium having computer-executable instructions stored therein, which when executed by a processor, are configured to implement the method of any one of claims 1-7.
CN202211663588.XA 2022-12-23 2022-12-23 Authority control method, device, equipment and storage medium Pending CN115758303A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211663588.XA CN115758303A (en) 2022-12-23 2022-12-23 Authority control method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115758303A true CN115758303A (en) 2023-03-07

Family

ID=85347359

Country Status (1)

Country Link
CN (1) CN115758303A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination