CN117792753A - Access control method, device, computer equipment and storage medium - Google Patents


Info

Publication number
CN117792753A
Authority
CN
China
Prior art keywords
equipment
access
gateway
authentication
sdp
Prior art date
Legal status
Pending
Application number
CN202311838841.5A
Other languages
Chinese (zh)
Inventor
谭洪华
萧展辉
罗欢
喻厅
米钦文
徐律冠
李慧娟
母天石
陈梁
杨岚
高洁玲
许露珉
张丽娟
连晨
Current Assignee
China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Original Assignee
China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Priority date
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to an access control method, an access control device and computer equipment, and relates to the technical field of vehicle control. Since the authentication policy can be selected to perform identity verification on the access request sent by the device, the risk caused by unsafe devices sending the service request can be reduced. Furthermore, the two-way communication channel between the SDP controller and the device can be encrypted through the encryption policy, so that the security of the service request communication process can be improved. In addition, because the SDP gateway can carry out gateway authentication on the device sending the service request, illegal access can be filtered by utilizing the zero trust security capability of the SDP gateway, improving the overall security. Finally, when the authentication policy and the encryption policy are selected, the selection can be made according to the transmitted access request, so that the encryption policy and the authentication policy change dynamically, the difficulty of cracking the encryption policy increases, and the security of information transmission and device access is ensured.

Description

Access control method, device, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of internet of things, and in particular, to an access control method, an access control device, a computer device, and a storage medium.
Background
With the development of internet of things technology, the network environment of the power service server has changed. Advanced threat attacks against the power service server occur frequently; the security impact on its system data is multiplied by the growing exposed surface and the lack of a trust policy, and the static security defenses traditionally deployed at the boundary cannot meet the security requirements of the monitoring scenarios of the internet of things cloud platform data. In the related art, to secure communication between the power service server and external devices and reduce the server's exposure risk, the power service server is usually accessed over a VPN; however, this approach cannot perform trusted authentication of the external access device, and cannot dynamically manage the external device's access rights when the security environment information of that device changes.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an access control method, apparatus, computer device, storage medium, and computer program product that improve the security of a business system.
In a first aspect, the present application provides an access control method, including:
acquiring an access request sent by a device and a selected authentication policy sent by a policy server, and verifying the identity of the device based on the access request and the authentication policy;
when the identity verification succeeds, acquiring the selected encryption policy sent by the policy server, establishing a bidirectional encrypted communication channel with the device based on the encryption policy, and receiving a service request sent by the device over the bidirectional encrypted communication channel;
after the device passes the gateway authentication of the SDP gateway, establishing a gateway communication channel between the device and the SDP gateway and forwarding the service request to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server and the power service server responds to the service request.
In one embodiment, the authentication process of the SDP gateway includes:
performing a risk assessment audit on the access request using multi-source data to obtain an audit result indicating whether the gateway authentication passes.
In one embodiment, the response process to the access request includes:
determining the access rights of the device to the power service server, and responding to the service request according to the access rights.
In one embodiment, the access rights are updated periodically; the update process of the access rights includes:
acquiring the security environment information of the device, and determining the access rights of the logged-in account on the device to the power service based on the security environment information and the locally stored device basic information;
generating a rights identification code for the logged-in account according to the access rights and the device basic information, and sending the rights identification code to the device and the SDP gateway, where the rights identification code is used to restrict the logged-in user to accessing the power service within the access rights.
In one embodiment, the device basic information includes an IP address, a MAC address, a security level, and user basic information; the user basic information comprises an account name, an account password, an account type, a user login state and a user security state.
In one embodiment, the user login state is at least divided into a logged-in state and an offline state; the user safety state is classified into at least a dangerous state, a warning state, and a normal state.
In a second aspect, the present application further provides an access control apparatus, including:
an identity verification module, used to acquire an access request sent by the device and a selected authentication policy sent by the policy server, and to verify the identity of the device based on the access request and the authentication policy;
an establishing module, used to acquire the selected encryption policy sent by the policy server when the identity verification succeeds, to establish a bidirectional encrypted communication channel with the device based on the encryption policy, and to receive a service request sent by the device over the bidirectional encrypted communication channel;
a service processing module, used to establish a gateway communication channel between the device and the SDP gateway after the device passes the gateway authentication of the software defined perimeter (SDP) gateway, and to forward the service request to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server and the power service server responds to the service request.
In a third aspect, the present application also provides a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
acquiring an access request sent by a device and a selected authentication policy sent by a policy server, and verifying the identity of the device based on the access request and the authentication policy;
when the identity verification succeeds, acquiring the selected encryption policy sent by the policy server, establishing a bidirectional encrypted communication channel with the device based on the encryption policy, and receiving a service request sent by the device over the bidirectional encrypted communication channel;
after the device passes the gateway authentication of the SDP gateway, establishing a gateway communication channel between the device and the SDP gateway and forwarding the service request to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server and the power service server responds to the service request.
In a fourth aspect, the present application also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
acquiring an access request sent by a device and a selected authentication policy sent by a policy server, and verifying the identity of the device based on the access request and the authentication policy;
when the identity verification succeeds, acquiring the selected encryption policy sent by the policy server, establishing a bidirectional encrypted communication channel with the device based on the encryption policy, and receiving a service request sent by the device over the bidirectional encrypted communication channel;
after the device passes the gateway authentication of the SDP gateway, establishing a gateway communication channel between the device and the SDP gateway and forwarding the service request to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server and the power service server responds to the service request.
In a fifth aspect, the present application also provides a computer program product comprising a computer program which, when executed by a processor, realizes the steps of:
acquiring an access request sent by a device and a selected authentication policy sent by a policy server, and verifying the identity of the device based on the access request and the authentication policy;
when the identity verification succeeds, acquiring the selected encryption policy sent by the policy server, establishing a bidirectional encrypted communication channel with the device based on the encryption policy, and receiving a service request sent by the device over the bidirectional encrypted communication channel;
after the device passes the gateway authentication of the SDP gateway, establishing a gateway communication channel between the device and the SDP gateway and forwarding the service request to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server and the power service server responds to the service request.
According to the access control method, the access control apparatus, the computer device, the storage medium and the computer program product, the authentication policy can be selected to verify the identity of the access request sent by the device, so that the risk caused by unsafe devices sending the service request can be reduced. Furthermore, the two-way communication channel between the SDP controller and the device can be encrypted through the encryption policy, so that the security of the service request communication process can be improved. In addition, because the SDP gateway can carry out gateway authentication on the device sending the service request, illegal access can be filtered by utilizing the zero trust security capability of the SDP gateway, improving the overall security. Finally, when the authentication policy and the encryption policy are selected, the selection can be made according to the transmitted access request, so that the encryption policy and the authentication policy change dynamically, the difficulty of cracking the encryption policy increases, and the security of information transmission and device access is ensured.
Drawings
FIG. 1 is a schematic diagram of an implementation scenario of an access control method in one embodiment;
FIG. 2 is a flow diagram of an access control method in one embodiment;
FIG. 3 is a flow chart of an access control method according to another embodiment;
FIG. 4 is a block diagram of an access control apparatus in one embodiment;
FIG. 5 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various terms, but are not limited by these terms unless otherwise specified. These terms are only used to distinguish one term from another. For example, the third and fourth preset thresholds may be the same or different without departing from the scope of the present application.
With the development of internet of things technology, the network environment of the power service server has changed. Advanced threat attacks against the power service server occur frequently; the security impact on its system data is multiplied by the growing exposed surface and the lack of a trust policy, and the static security defenses traditionally deployed at the boundary cannot meet the security requirements of the monitoring scenarios of the internet of things cloud platform data. In the related art, to secure communication between the power service server and external devices and reduce the server's exposure risk, the power service server is usually accessed over a VPN; however, this approach cannot perform trusted authentication of the external access device, and cannot dynamically manage the external device's access rights when the security environment information of that device changes.
In view of the above problems, the embodiments of the present application provide an access control method, which may be applied between an SDP (Software Defined Perimeter) controller and a device, and in particular in an application environment as shown in fig. 1. The SDP controller 104 obtains an access request sent by the device 102 and a selected authentication policy sent by the policy server 106, and performs identity verification on the device 102 based on the access request and the authentication policy. If the identity verification succeeds, the selected encryption policy sent by the policy server 106 is obtained and a bidirectional encrypted communication channel with the device 102 is established based on the encryption policy. After the device passes the gateway authentication of the SDP gateway 108, a gateway communication channel is established with the SDP gateway 108 and the access request is forwarded to the SDP gateway 108, so that the SDP gateway 108 forwards the access request to the power service server 110 and the power service server 110 responds to the access request.
In some embodiments, referring to fig. 2, an access control method is provided. The method is described by taking its application to the SDP controller 104 in fig. 1 as an example. The method includes the following steps:
202. Acquire an access request sent by the device and a selected authentication policy sent by the policy server, and verify the identity of the device based on the access request and the authentication policy.
The SDP controller may be responsible for controlling the connection with an external power service server, where SDP refers to creating a policy-based security perimeter that isolates the power service server from an unsafe network. The device may refer to a host, i.e. an external device, that accesses the power service server from the outside. The policy server may refer to a server that stores authentication policies, where an authentication policy is a policy for determining whether the external device has access rights.
Specifically, the device establishes an authentication connection with the SDP controller and sends an access request to the SDP controller. The SDP controller obtains the access request sent by the device and selects an authentication policy from the policy server based on that access request. The SDP controller then performs identity verification on the first device based on the selected authentication policy, so that trusted authentication of the external access device is achieved, access by illegal external devices is avoided, and the exposure risk of the power service server is reduced. Because the authentication policy is selected according to the access request, the authentication policy applied to the device changes dynamically, which increases the difficulty of cracking it and ensures the access security of the device.
204. If the identity verification succeeds, acquire the selected encryption policy sent by the policy server, establish a bidirectional encrypted communication channel with the device based on the encryption policy, and receive the service request sent by the device over the bidirectional encrypted communication channel.
The encryption policy may be a method for ensuring the confidentiality of information in transit, so that information is not read illegally during network transmission. Specifically, after the device passes verification under the corresponding authentication policy, the SDP controller may select an encryption policy from the policy server for the successfully authenticated device, establish a bidirectional communication channel between the SDP controller (possibly a specific client terminal in the SDP controller) and the device, and encrypt that channel with the encryption policy to obtain a bidirectional encrypted communication channel. Over this channel the SDP controller and the device communicate in encrypted form, so the SDP controller can receive the service request sent by the device. The encryption policy can also be selected according to the access request, so that it changes dynamically, which increases the difficulty of cracking it and ensures the security of information transmission.
206. After the device passes the gateway authentication of the SDP gateway, establish a gateway communication channel between the device and the SDP gateway, and forward the service request to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server and the power service server responds to the service request.
Under the control of the SDP controller, the SDP gateway can set up a gateway communication channel with the client in the SDP controller, and the SDP gateway is connected to the power service server. The SDP gateway analyzes the access request received through the gateway communication channel and performs gateway authentication on the access request according to the analysis result.
For example, S150 may include: the SDP gateway receives the access request sent by the second device over the gateway communication channel, performs continuous analysis and a risk assessment audit on that access request using multi-source data, performs gateway authentication on the access request according to the analysis result and the audit result, and further determines the access rights of the account logged in on the device to the SDP gateway, thereby filtering illegal access and guaranteeing the security of the service request.
The power service server may refer to a computer system for managing and transmitting power service information. After the gateway authentication passes, the power service server receives the service request forwarded by the SDP controller and determines the access right requirements corresponding to the various power service applications installed on it. Based on those requirements, the service request sent by the device can access a given power service application only if it carries the corresponding right, which reduces the risk of exposing service data in the power industrial control system that is unrelated to the service request.
According to the access control method, the authentication policy can be selected to perform identity verification on the access request sent by the device, so that the risk caused by unsafe devices sending the service request can be reduced. Furthermore, the two-way communication channel between the SDP controller and the device can be encrypted through the encryption policy, so that the security of the service request communication process can be improved. In addition, because the SDP gateway can carry out gateway authentication on the device sending the service request, illegal access can be filtered by utilizing the zero trust security capability of the SDP gateway, improving the overall security. Finally, when the authentication policy and the encryption policy are selected, the selection can be made according to the transmitted access request, so that the encryption policy and the authentication policy change dynamically, the difficulty of cracking the encryption policy increases, and the security of information transmission and device access is ensured.
In some embodiments, the authentication process of the SDP gateway includes: performing a risk assessment audit on the access request using multi-source data to obtain an audit result indicating whether the gateway authentication passes.
Multi-source data may refer to data sets with different sources, such as the data sets describing the device that are sent by the device and by the SDP controller. Specifically, the SDP gateway receives the access request forwarded by the SDP controller over the gateway communication channel, compares it with the access request sent directly by the device, and performs the risk assessment audit according to the degree of consistency found by the comparison. For example, the lower the degree of consistency, the higher the risk in the audit result, and vice versa. When the risk in the audit result exceeds a preset degree, the device fails the gateway authentication of the SDP gateway.
In the above embodiment, since the gateway authentication can be performed on the device based on the access request, illegal access can be filtered, and security of the access request is ensured.
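As an added example (not code from the patent), the gateway-side consistency audit described above: the two copies of the access request are compared field by field, the weighted share of matching fields gives the consistency degree, and the risk is checked against a preset threshold. The field names, weights, threshold and sample requests are constructed for illustration.

```python
"""Gateway-side risk assessment audit over multi-source data (added example).

Assumption: the SDP gateway holds two descriptions of the same access request,
one forwarded by the SDP controller and one sent directly by the device, and
scores their consistency field by field. Field names, weights and the risk
threshold below are constructed for this example, not taken from the patent.
"""
from dataclasses import dataclass, field

# Fields compared and their weights (constructed): identity-bearing fields
# weigh more, so a mismatch there contributes more risk.
FIELD_WEIGHTS = {
    "device_id": 3.0,
    "mac": 3.0,
    "ip": 2.0,
    "account": 2.0,
    "requested_service": 1.0,
}

# Preset degree above which the device fails gateway authentication (constructed).
RISK_THRESHOLD = 0.3


def _normalize(name: str, value):
    """Canonicalise values so cosmetic differences are not counted as risk."""
    if value is None:
        return None
    text = str(value).strip().lower()
    if name == "mac":
        text = text.replace("-", ":")
    return text


@dataclass
class AuditResult:
    consistency: float                 # 0.0 .. 1.0, weighted share of matching fields
    risk: float                        # 1.0 - consistency
    passed: bool                       # gateway authentication outcome
    mismatches: list = field(default_factory=list)


def risk_assessment_audit(from_controller: dict, from_device: dict,
                          threshold: float = RISK_THRESHOLD) -> AuditResult:
    """Compare the controller-forwarded request with the device's direct one."""
    total = sum(FIELD_WEIGHTS.values())
    matched = 0.0
    mismatches = []
    for name, weight in FIELD_WEIGHTS.items():
        a = _normalize(name, from_controller.get(name))
        b = _normalize(name, from_device.get(name))
        # A field missing from either source counts as a mismatch: the gateway
        # cannot confirm consistency it cannot observe.
        if a is not None and a == b:
            matched += weight
        else:
            mismatches.append(name)
    consistency = matched / total
    risk = 1.0 - consistency
    return AuditResult(consistency, risk, risk <= threshold, mismatches)


if __name__ == "__main__":
    # Constructed sample: the device's direct request carries a different MAC
    # and IP than the copy the controller forwarded.
    ctrl = {"device_id": "dev-0042", "mac": "AA:BB:CC:DD:EE:01",
            "ip": "10.0.0.5", "account": "operator1",
            "requested_service": "meter-readings"}
    dev = dict(ctrl, mac="AA:BB:CC:DD:EE:99", ip="10.0.0.77")
    print(risk_assessment_audit(ctrl, ctrl))   # passed=True, risk 0.0
    print(risk_assessment_audit(ctrl, dev))    # passed=False, mismatches mac, ip
```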
In some embodiments, the response process to the access request includes:
determining the access rights of the device to the power service server, and responding to the service request according to the access rights.
Specifically, after the device passes the gateway authentication of the SDP gateway, the SDP controller acquires the user basic information of the account logged in on the device, determines the access rights of that account to the power service server based on the user basic information, and responds to the device's service request according to those access rights.
In the above embodiment, the access right requirements corresponding to the various power service applications are determined based on the power service applications installed on the power service server, and the service request sent by the device is answered according to those requirements. A power service application can be accessed only with the corresponding access right, which reduces the risk of exposing service data in the power industrial control system that is unrelated to the service request.
In some embodiments, the access rights are updated periodically; the update process of the access rights includes:
acquiring the security environment information of the device, and determining the access rights of the logged-in account on the device to the power service based on the security environment information and the locally stored device basic information; generating a rights identification code for the logged-in account according to the access rights and the device basic information, and sending the rights identification code to the device and the SDP gateway, where the rights identification code is used to restrict the logged-in user to accessing the power service within the access rights.
The periodic update with a preset period duration may refer to a preset time interval at which the SDP controller executes the rights update operation. During each rights update period while the device is accessing the power service server, the SDP controller re-determines the access rights of the account logged in on the device, so that when the security of the device is compromised, its access rights can be limited in time and the exposure risk of the power service server is reduced. The security environment information may be information about the device such as theft prevention, destruction prevention, electromagnetic leakage prevention, line interception prevention, resistance to electromagnetic interference, power supply protection, and device aging. The device basic information may include device information and user-related information. The rights identification code may be unique to the device; within its validity period the device uses it to interact with the SDP gateway and to access the power service server within the granted rights. The validity period of the rights identification code may be 1-2 times, for example 1.5 times, the duration of the rights update period.
In the above embodiment, since the access right of the user can be dynamically adjusted continuously according to the security environment information of the connection initiation device during the login access of the user, when the security environment information of the device changes, the access right of the logged account is correspondingly adjusted, thereby ensuring the security when the power service server communicates with the device, and reducing the exposure risk of the power service server.
In some embodiments, the device base information includes an IP address, a MAC address, a security level, and user base information; the user basic information comprises an account name, an account password, an account type, a user login state and a user security state.
The account name, account number, account password and account type in the user basic information are stored locally in advance based on the registration information of the user, and can be added, modified or deleted later in the management process.
In the above embodiment, the access rights of the user can be dynamically and continuously adjusted according to the security environment information of the connection-initiating device while the user is logged in, and the rights identification code of the logged-in account is generated from the access rights and the device basic information to limit what the logged-in user can access on the device. As a result, when the security environment information of the device changes, the access rights of the logged-in account are adjusted accordingly, which ensures security when the power service server communicates with the device and reduces the exposure risk of the power service server.
In some embodiments, the user login state is divided into at least a logged-in state and an offline state; the user safety state is classified into at least a dangerous state, a warning state, and a normal state.
The user security state can be determined as follows: within a continuous time period, if the number of login failures of the user account is 0-1, the account is judged to be in the normal state; if the number of login failures is 2-5, the account is judged to be in the warning state; if the number of login failures is greater than 5, the account is judged to be in the dangerous state.
In the above embodiment, the access rights of the user can be dynamically and continuously adjusted according to the security environment information of the connection-initiating device while the user is logged in, and the rights identification code of the logged-in account is generated from the access rights and the device basic information updated in real time, to limit what the logged-in user can access on the device. As a result, when the security environment information of the device changes, the access rights of the logged-in account are adjusted accordingly, which ensures security when the power service server communicates with the device and reduces the exposure risk of the power service server.
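As an added example (not the patent's own code) covering the periodic rights update, the login-failure thresholds for the user security state and the rights identification code described above: the controller re-derives rights from the security environment and device basic information, issues a code bound to the device with a validity of 1.5 times the update period, and the gateway verifies it before allowing an action. The HMAC secret, update period, field layout and rights policy are constructed assumptions.

```python
"""Periodic access-right update with a rights identification code (added example).

Constructed assumptions, not the patent's own code or formats: the SDP
controller keys the code with an HMAC secret shared with the SDP gateway, the
rights granted per user security state and per security-environment check are
an illustrative policy, and the code is valid for 1.5x the update period.
"""
import hashlib
import hmac
import json

SHARED_SECRET = b"placeholder-controller-gateway-key"  # constructed placeholder
UPDATE_PERIOD_S = 300          # preset rights update period (constructed value)
VALIDITY_FACTOR = 1.5          # validity may be 1-2x the period; 1.5x is used here
FULL_RIGHTS = {"read", "write", "control"}


def classify_security_state(login_failures: int) -> str:
    """User security state from login failures in the observation window."""
    if login_failures <= 1:
        return "normal"
    if login_failures <= 5:
        return "warning"
    return "dangerous"


def sample_device_info(login_failures: int = 0, login_state: str = "logged_in") -> dict:
    """Constructed device basic information: IP, MAC, security level, user info."""
    return {
        "ip": "10.0.0.5",
        "mac": "aa:bb:cc:dd:ee:01",
        "security_level": 2,
        "user": {
            "account": "operator1",
            "password_hash": "<stored-hash>",   # kept out of the rights code
            "account_type": "operator",
            "login_state": login_state,
            "login_failures": login_failures,
        },
    }


def determine_access_rights(security_env: dict, device_info: dict) -> set:
    """Re-derive rights for the logged-in account at each update period.

    Illustrative policy: offline or dangerous accounts get nothing, a warning
    account is read-only, and any failed environment check removes 'control'.
    """
    user = device_info["user"]
    state = classify_security_state(user["login_failures"])
    if user["login_state"] != "logged_in" or state == "dangerous":
        return set()
    rights = {"read"} if state == "warning" else set(FULL_RIGHTS)
    if not all(security_env.values()):
        rights.discard("control")
    return rights


def issue_rights_code(device_info: dict, rights: set, now: float) -> str:
    """Controller side: build the code sent to both the device and the SDP gateway."""
    payload = {
        "account": device_info["user"]["account"],
        "ip": device_info["ip"],
        "mac": device_info["mac"],
        "rights": sorted(rights),
        "issued": int(now),
        "expires": int(now + UPDATE_PERIOD_S * VALIDITY_FACTOR),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag   # the hex tag has no '.', so rpartition splits cleanly


def gateway_authorize(code: str, ip: str, mac: str, action: str, now: float) -> bool:
    """Gateway side: accept only an untampered, unexpired code bound to this
    device whose rights cover the requested action."""
    body, _, tag = code.rpartition(".")
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    payload = json.loads(body)
    if now > payload["expires"]:
        return False
    if payload["ip"] != ip or payload["mac"] != mac:
        return False
    return action in payload["rights"]


if __name__ == "__main__":
    env = {"theft_prevention": True, "line_interception_prevention": True,
           "power_supply_protection": True}
    dev = sample_device_info(login_failures=3)        # warning state -> read only
    code = issue_rights_code(dev, determine_access_rights(env, dev), now=1000)
    print(gateway_authorize(code, "10.0.0.5", "aa:bb:cc:dd:ee:01", "read", now=1200))   # True
    print(gateway_authorize(code, "10.0.0.5", "aa:bb:cc:dd:ee:01", "write", now=1200))  # False
```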
For ease of understanding, the method flow provided in the embodiments of the present application is described below. Referring to fig. 3, the implementation may be as follows:
302. The SDP controller acquires an access request sent by the device and a selected authentication policy sent by the policy server, and performs identity verification on the device based on the access request and the authentication policy;
304. if the identity verification succeeds, the SDP controller acquires the selected encryption policy sent by the policy server, establishes a bidirectional encrypted communication channel with the device based on the encryption policy, and receives a service request sent by the device over the bidirectional encrypted communication channel;
306. after the device passes the gateway authentication of the SDP gateway, a gateway communication channel between the SDP controller and the SDP gateway is established, and the SDP controller forwards the service request to the SDP gateway through the gateway communication channel;
308. the SDP gateway forwards the service request to the power service server, which responds to the service request.
It should be understood that, although the steps in the flowcharts related to the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be executed alternately or in turn with at least some of the other steps or stages.
Based on the same inventive concept, an embodiment of the application also provides an access control device for implementing the access control method described above. The implementation of the solution provided by the device is similar to that described for the method above, so the specific limitations in one or more embodiments of the access control device provided below may refer to the limitations of the access control method described above and are not repeated here.
In one embodiment, as shown in fig. 4, there is provided an access control apparatus including: an identity verification module 402, an establishing module 404, and a service processing module 406, wherein:
an identity verification module 402, configured to obtain an access request sent by the device and a selected authentication policy sent by the policy server, and perform identity verification on the device based on the access request and the authentication policy;
the establishing module 404 is configured to, when the identity verification succeeds, obtain the selected encryption policy sent by the policy server, establish a bidirectional encrypted communication channel with the device based on the encryption policy, and receive the service request sent by the device over the bidirectional encrypted communication channel;
the service processing module 406 is configured to establish a gateway communication channel with the SDP gateway after the device passes the gateway authentication of the SDP gateway, and to forward the service request to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server and the power service server responds to the service request.
In some embodiments, the service processing module 406 is further configured to perform risk assessment audit on the access request through the multi-source data, and obtain an audit result for characterizing whether the gateway authentication passes.
In some embodiments, the service processing module 406 is further configured to determine an access right of the device to the power service server, and respond to the service request according to the access right.
In some embodiments, the access rights are updated periodically; the service processing module 406 is further configured to obtain security environment information of the device, and determine access rights of the logged account on the device to the power service based on the security environment information and the locally stored device basic information; generating a corresponding authority identification code of the logged-in account according to the access authority and the basic information of the equipment, and sending the authority identification code to the equipment and the SDP gateway, wherein the authority identification code is used for limiting the logged-in user to access the power service in the access authority.
In some embodiments, the device base information includes an IP address, a MAC address, a security level, and user base information; the user basic information comprises an account name, an account password, an account type, a user login state and a user security state.
In some embodiments, the user login state is divided into at least a logged-in state and an offline state; the user safety state is classified into at least a dangerous state, a warning state, and a normal state.
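As an added illustration that is not part of the patent, the following Python models the policy-selection and access-right update parts of the embodiments above: the policy server picks an authentication and an encryption policy from the access request, the user security state follows the login-failure bands (0 to 1 normal, 2 to 5 warning, more than 5 dangerous), a rights identification code is bound to the device basic information (IP, MAC, security level, account), and the SDP gateway checks that code on each service request. The policy names, the state-to-rights mapping and the HMAC construction are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed example; the policy names, rights mapping and HMAC construction
# are assumptions, only the login-failure bands come from the description.


@dataclass
class DeviceInfo:
    ip: str
    mac: str
    security_level: int       # assumed scale: 1 (low) .. 3 (high)
    account: str
    account_type: str         # assumed: "operator" or "admin"
    login_state: str          # "logged_in" or "offline"
    login_failures: int       # failures within the observation window


def select_policies(dev: DeviceInfo) -> tuple[str, str]:
    """Policy server: derive the authentication and encryption policy from the
    access request so the pair changes with the request (assumed rules)."""
    strong_auth = dev.account_type == "admin" or dev.security_level < 3
    auth = "cert+otp" if strong_auth else "cert"
    enc = "mtls-aes256" if dev.security_level < 3 else "mtls-aes128"
    return auth, enc


def user_security_state(login_failures: int) -> str:
    """Bands from the description: 0-1 normal, 2-5 warning, >5 dangerous."""
    if login_failures <= 1:
        return "normal"
    if login_failures <= 5:
        return "warning"
    return "dangerous"


# Assumed mapping from security state to access rights on the power service.
RIGHTS_BY_STATE = {"normal": {"read", "write", "control"},
                   "warning": {"read"}, "dangerous": set()}


def rights_code(key: bytes, dev: DeviceInfo, rights: set) -> str:
    """HMAC over the access rights plus IP, MAC, security level and account,
    so the code is tied to the device and rights it was issued for."""
    payload = json.dumps({"ip": dev.ip, "mac": dev.mac,
                          "level": dev.security_level, "account": dev.account,
                          "rights": sorted(rights)}, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class SdpGateway:
    """Holds the codes pushed by the controller and checks service requests."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued = {}      # account -> rights granted at last update

    def install(self, account: str, rights: set) -> None:
        self.issued[account] = rights

    def authorize(self, dev: DeviceInfo, presented: str, op: str) -> bool:
        rights = self.issued.get(dev.account)
        if rights is None:
            return False
        # Recompute from the device info in the request: a code presented from
        # a different IP/MAC, or one issued before the last update, mismatches.
        expected = rights_code(self.key, dev, rights)
        if not hmac.compare_digest(expected, presented):
            return False
        return op in rights


def update_rights(key: bytes, gw: SdpGateway, dev: DeviceInfo):
    """Controller: periodic update that sends the new code to the gateway
    (and, in the described scheme, to the device)."""
    state = user_security_state(dev.login_failures)
    rights = RIGHTS_BY_STATE[state] if dev.login_state == "logged_in" else set()
    gw.install(dev.account, rights)
    return state, rights, rights_code(key, dev, rights)
```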
According to the access control device, an authentication policy can be selected to perform identity verification on the access request sent by the device, so the risk caused by unsafe devices sending service requests can be reduced. Furthermore, the two-way communication channel between the SDP controller and the device can be encrypted according to the encryption policy, so the security of the service request communication process can be improved. In addition, because the SDP gateway performs gateway authentication on the device sending the service request, illegal access can be filtered using the zero trust security capability of the SDP gateway, and the overall security is improved. Finally, when the authentication policy and the encryption policy are selected, the selection can be made according to the transmitted access request, so that the encryption policy and the authentication policy can be changed dynamically, which makes the encryption policy harder to crack and ensures the security of information transmission and device access.
For specific limitations of the access control device, reference may be made to the above limitation of the access control method, and no further description is given here. The respective modules in the above-described access control apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used to store access requests and service requests. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an access control method.
It will be appreciated by those skilled in the art that the structure shown in fig. 5 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
acquiring an access request sent by equipment and a selected authentication policy sent by a policy server, and verifying the identity of the equipment based on the access request and the authentication policy;
under the condition that the authentication is successful, acquiring the selected encryption strategy sent by the strategy server, establishing a bidirectional encryption communication channel with equipment based on the encryption strategy, and receiving a service request sent by the equipment based on the bidirectional encryption communication channel;
after the equipment passes through the gateway authentication of the SDP gateway, a gateway communication channel between the equipment and the SDP gateway is established, and the service request is forwarded to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server, and the power service server responds to the service request.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring an access request sent by equipment and a selected authentication policy sent by a policy server, and verifying the identity of the equipment based on the access request and the authentication policy;
under the condition that the authentication is successful, acquiring the selected encryption strategy sent by the strategy server, establishing a bidirectional encryption communication channel with equipment based on the encryption strategy, and receiving a service request sent by the equipment based on the bidirectional encryption communication channel;
after the equipment passes through the gateway authentication of the SDP gateway, a gateway communication channel between the equipment and the SDP gateway is established, and the service request is forwarded to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server, and the power service server responds to the service request.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
acquiring an access request sent by equipment and a selected authentication policy sent by a policy server, and verifying the identity of the equipment based on the access request and the authentication policy;
under the condition that the authentication is successful, acquiring the selected encryption strategy sent by the strategy server, establishing a bidirectional encryption communication channel with equipment based on the encryption strategy, and receiving a service request sent by the equipment based on the bidirectional encryption communication channel;
after the equipment passes through the gateway authentication of the SDP gateway, a gateway communication channel between the equipment and the SDP gateway is established, and the service request is forwarded to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to the power service server, and the power service server responds to the service request.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be combined arbitrarily; for brevity, not all possible combinations of the technical features in the above embodiments are described, but as long as there is no contradiction in a combination of these technical features, it should be considered to be within the scope of this description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. An access control method, characterized in that it is applied to a software defined perimeter (SDP) controller; the method comprises the following steps:
acquiring an access request sent by equipment and a selected authentication policy sent by a policy server, and verifying the identity of the equipment based on the access request and the authentication policy;
under the condition that the authentication is successful, acquiring a selected encryption strategy sent by a strategy server, establishing a bidirectional encryption communication channel with the equipment based on the encryption strategy, and receiving a service request sent by the equipment based on the bidirectional encryption communication channel;
after the equipment passes through the gateway authentication of the SDP gateway, a gateway communication channel between the equipment and the SDP gateway is established, and the service request is forwarded to the SDP gateway through the gateway communication channel, so that the SDP gateway forwards the service request to an electric service server, and the electric service server responds to the service request.
2. The method of claim 1, wherein the authentication procedure of the SDP gateway comprises:
performing risk assessment audit on the access request through multi-source data to obtain an audit result representing whether the gateway authentication passes.
3. The method of claim 1, wherein the response to the access request comprises:
determining the access authority of the equipment to the power service server, and responding to the service request according to the access authority.
4. A method according to claim 3, wherein the access rights are updated periodically; the updating process of the access right comprises the following steps:
acquiring the safety environment information of the equipment, and determining the access right of the logged-in account on the equipment to the power service based on the safety environment information and the locally stored equipment basic information of the equipment;
generating a right identification code corresponding to the logged-in account according to the access right and the basic information of the equipment, and sending the right identification code to the equipment and the SDP gateway, wherein the right identification code is used for limiting the logged-in user to access the power service in the access right.
5. The method of claim 4, wherein the device basic information includes an IP address, a MAC address, a security level, and user basic information; the user basic information comprises an account name, an account password, an account type, a user login state and a user security state.
6. The method of claim 5, wherein the user login status is divided into at least a logged-in status and an offline status; the user safety state is classified into at least a dangerous state, a warning state, and a normal state.
7. An access control apparatus, the apparatus comprising:
the authentication module is used for acquiring an access request sent by equipment and a selected authentication policy sent by the policy server, and carrying out authentication on the equipment based on the access request and the authentication policy;
the establishing module is used for acquiring the selected encryption strategy sent by the strategy server under the condition that the identity authentication is successful, establishing a bidirectional encryption communication channel with the equipment based on the encryption strategy, and receiving a service request sent by the equipment based on the bidirectional encryption communication channel;
the service processing module is used for establishing a gateway communication channel between the equipment and the software defined perimeter (SDP) gateway after the equipment passes the gateway authentication of the SDP gateway, and forwarding the service request to the SDP gateway through the gateway communication channel so that the SDP gateway forwards the service request to an electric service server, and the electric service server responds to the service request.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311838841.5A CN117792753A (en) 2023-12-28 2023-12-28 Access control method, device, computer equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117792753A true CN117792753A (en) 2024-03-29



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination