CN1848022A - Authority control method based on access control list - Google Patents

Authority control method based on access control list

Info

Publication number
CN1848022A
Authority
CN
China
Prior art keywords
authority
node
access control
user
acl
Legal status
Pending
Application number
CN 200510064532
Other languages
Chinese (zh)
Inventor
王会军
刘小刚
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
2005-04-13
Filing date
2005-04-13
Publication date
2006-10-18
Events
Application filed by Huawei Technologies Co Ltd
Priority to CN 200510064532
Publication of CN1848022A
Legal status: pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention is a permission control method based on an access control list. The method comprises: the computer receives the operation instruction entered by the user; the computer judges whether the resource node that the user's operation instruction points to has a permission restriction in the access control list held in memory, executes the corresponding operation instruction if not, and forbids the operation and ends if so; it then judges the permission definition of the node one level above the current node, forbids the user's operation if that higher-level node forbids permission inheritance, and otherwise goes on to judge the permission definition of the next higher-level node; and the computer judges whether the root node of the access control list has been reached, ends if so, and continues the upward judgment if not. The method is general and requires relatively little storage space.

Description

A permission control method based on an Access Control List (ACL)
Technical field
The invention belongs to the field of computer application technology and specifically concerns a permission control method based on an Access Control List (ACL) that uses inheritance to control users' operation permissions on computer resources with less storage space.
Technical background
In the prior art, the usual way to define operating permissions on computer resources is to describe them with an Access Control List (ACL) and Access Control Entries (ACE). An ACL is made up of several ACEs, and each ACE records a certain user's operating permission on a certain resource. An ACL composed of ACEs that each carry a set of flag bits can thus fully describe all the permissions in the system.
Microsoft Windows, for instance, bases its permission definitions on ACLs. This permission system provides fine-grained permission control over file-system objects such as files and folders; the file permissions are Full Control, Modify, Read and Execute, List Folder Contents, Read, and Write. Each of these permissions is made up of a logical group of special permissions; for example, a user's Read and Modify permission on a file constitutes one such logical group. Fig. 1 is a schematic of the prior-art interface for setting permissions on a file-system folder.
A further, more complex permission setting is provided by Windows through an additional interface. There one can set whether the node's permissions, taken as a whole, can be inherited by its child nodes; this is a flag describing the inheritability of the permissions, and if it is set to "yes", i.e. inheritable, the child nodes receive all permissions granted on this node. Likewise one can set whether the node inherits permissions, again as a whole, from its parent node; this is another flag describing permission inheritance, and if it is set to "no", i.e. not inherited, the current node does not inherit its parent node's permissions.
However, the flexibility of the prior-art permission definition is poor: inheriting and forbidding inheritance always apply to the whole set of permission actions, so one cannot, by adding a single description, define a particular permission action on a particular node such that lower-level nodes are forbidden to inherit it while this node still inherits the other actions. Consequently, if the system needs to define a complex permission scheme, many permission descriptions must be stored, and the storage cost increases several-fold.
Summary of the invention
To overcome the deficiencies of the prior art, the object of the present invention is to provide a permission control method based on an Access Control List (ACL) that expresses permission definitions with less permission-description storage space and performs permission control over users' operation behaviour.
To achieve this object, the technical solution adopted by the present invention is a permission control method based on an Access Control List (ACL) comprising the following steps:
Step 1: the computer memory receives the operation instruction entered by the user;
Step 2: the computer judges whether the resource node that the user's operation instruction points to has permission control in the access control list held in memory; if so, it forbids the user's operation instruction according to the permission definition of the current resource node and the priority of the user's operation instruction, and ends; if not, it executes the user's operation instruction on the current resource node;
Step 3: the permission definition of the node one level above the current node is judged; if that higher-level node forbids the current resource node from inheriting its permissions, the user's operation is forbidden and the method ends; otherwise the method continues upward and judges the permission definition of the node above that higher-level node;
Step 4: the computer judges whether the root node of the Access Control List (ACL) has been reached; if so, the permission restriction ends; otherwise step 3 is repeated.
Before step 1, the method further comprises the step of constructing a resource-user permission index in the Access Control List (ACL) in computer memory.
The resource-user permission index is a many-to-one relationship.
The operation instruction entered by the user in step 1 comprises one or more of read, modify, add and delete.
The Access Control List (ACL) in step 2 is a tree-shaped data structure.
The permission control method based on an Access Control List (ACL) uses inheritance flags to describe the relationship between nodes and to decide a node's permissions.
The inheritance flag contents comprise one or a combination of the following:
forbid the node from inheriting any permission from the node one level above it;
forbid the nodes one level below the node from inheriting any permission from it;
the permission constraint is effective only for the nodes one level below the node and not for the node itself;
the permission constraint is effective only for next-level nodes of directory type;
the permission constraint is effective only for next-level nodes of non-directory type;
do not inherit any permission from the node above this node;
do not allow inheritance by its later versions.
The present invention has clear advantages and beneficial effects. With the permission description method of the present invention, the permissions of each node of a tree-structured system resource can be described to arbitrary complexity, satisfying the needs of complex permission control; at the same time, the description of the user behaviour subject to permission control can reach arbitrary complexity while the storage space occupied increases very little. The invention provides a general permission control method that accomplishes permission control with less storage space; because the storage overhead of permission control over a tree-structured node is small, complex permission control over every node of the tree becomes more feasible.
Description of drawings
Fig. 1 is a schematic of the prior-art interface for setting file-system permissions;
Fig. 2 is the main flow chart of the present invention;
Fig. 3 is a schematic of the direction of permission calculation in the present invention.
Embodiment
The specific embodiment of the present invention is described below with reference to the accompanying drawings.
Refer to Fig. 2, the main flow chart of the present invention. First, the present invention establishes an Access Control List (ACL) in computer memory and constructs a resource-user permission index in the Access Control List (ACL).
The access control list (ACL) described by the present invention holds all the access control entries (ACEs) related to the permission definitions of computer system resources. The access control entries are indexed by the user's operation behaviour, and each user has at most one record in an access control entry. The present invention performs permission control in a one-resource-to-many-users manner.
The structure of an access control entry is defined to comprise: the permissions that a user has on a system resource in the Access Control List (ACL); the permission priority; the subject's permission-inheritance flag bits; the resource's permission-inheritance flag bits; the definition of allowed behaviour and of forbidden behaviour; and the different permissions for each attribute of the system resource and for the various different types of child node of the system resource.
Once the definition of the Access Control List (ACL) and of the user permissions is complete, the Access Control List (ACL) becomes a tree-shaped data structure. Then the computer memory receives the operation instruction entered by the user and calls the resource node in memory that the Access Control List (ACL) points to. User behaviour comprises allowed behaviour and forbidden behaviour; these behaviours are read, modify, add and delete, and there may be more.
Next, the computer judges whether the resource node that the user's behaviour points to has permission control in the access control list held in memory; if not, it executes the user's operation instruction on the current resource node and ends; if so, it forbids the user's behaviour according to the permission definition of the current resource node and the priority of the user's behaviour.
Then, the permission definition of the node one level above the current node is judged. The present invention introduces inheritance flags to describe the relationship between the current resource node and the node above it. The inheritance flags comprise: forbidding the system resource node from inheriting any permission from the node one level above it, and, usually used in combination with that flag, forbidding the next-level nodes of the system resource from inheriting any permission from it; these flags may be set to 1 and 2. If the described permission constraint is effective only for the next-level nodes of the system resource and not for the node itself, the flag bit may be set to (1<<2). If the inheritance flag is effective only for next-level nodes of directory type, the flag bit is set to (1<<3); if only for next-level nodes of non-directory type, it is set to (1<<4); not inheriting any permission from its own higher-level node is set to (1<<5). That the permissions of a host resource are not allowed to be inherited by its later versions is set to (1<<6), and so on. In fact, the present invention can add flags of arbitrary complexity to compose permission flags of arbitrary complexity.
Arbitrarily complex behaviour flags can be added to the allowed and forbidden behaviour to satisfy arbitrarily complex permission-behaviour definitions. The defined behaviour flags are as follows: read is 1, modify is 1<<1, add is 1<<7, delete is 1<<8.
Because the present invention introduces inheritance flags, the number of permission descriptions is greatly reduced. Compared with the Windows permission definition method described above, when describing one complex permission definition the number of permission descriptions can be reduced by n × x times, where n is the number of permission actions that child nodes must be forbidden from inheriting and x is the number of child nodes. The required storage space is also greatly reduced: since the size of the storage space depends on the number of permission descriptions, it is likewise reduced n × x times. Although the permission calculation becomes relatively more complex, the number of permission descriptions that must be evaluated is also reduced, so the calculation speed does not decline, and under complex permission definitions the calculation speed can even improve. Alternatively, a user may have no permission description for some tree-shaped resource node but have an access control list (ACL) entry for a higher-level node of that resource node which indicates that the permission description is inheritable; in that case the permission calculation should search for permissions in the direction of the tree's root node. At that point, tree nodes and users form a two-dimensional plane.
Refer to Fig. 3, the schematic of permission calculation in the present invention. If the node one level above the current node forbids the current resource node from inheriting any of its permissions, the user's operation is forbidden; otherwise the method continues upward and judges the permission definition of the node above that higher-level node. The computer judges whether the root node of the Access Control List (ACL) has been reached; if so, the permission restriction ends; otherwise the above judgment step is repeated, judging the permission definition of the node above the node just reached. When considering a user's permission, apart from the node's own permission, the influence on that permission of its higher-level node resources must also be considered. This can be illustrated schematically with a coordinate system: in Fig. 3 the origin is the resource node whose permission is to be calculated, and along the ordinate its upper-layer nodes are arranged, up to the root node. To calculate the concrete permission of the current node, it is necessary to calculate not only the permission definition corresponding to the current node but also, along the direction of permission calculation, the permission definitions of all its upper-layer nodes; according to the inheritance flag definition of each permission, the user's permission at the current node is finally determined.
The above are only preferred embodiments of the present invention and do not limit it; for a person skilled in the art, the present invention may undergo various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of the claims of the present invention.
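The upward permission walk of steps 2 to 4, using the inheritance flag bits (1, 2, 1<<2, 1<<3, 1<<4) and the behaviour bits (read 1, modify 1<<1, add 1<<7, delete 1<<8) given above, as an added Python example; this is not code from the patent. The sample tree, the users alice and bob, the default deny when the root is reached without a decision, and the reading of a "next-level only" flag as applying to every descendant the walk passes through are this example's own assumptions.

```python
"""Permission lookup over a tree-structured ACL with per-entry inheritance flags."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Behaviour bits as given in the patent description
READ, MODIFY, ADD, DELETE = 1, 1 << 1, 1 << 7, 1 << 8

# Inheritance flag bits as given in the patent description
NO_INHERIT_FROM_PARENT = 1        # this node inherits nothing from the node above it
NO_INHERIT_BY_CHILDREN = 2        # nodes below inherit nothing from this node
CHILDREN_ONLY = 1 << 2            # entry constrains nodes below, not this node itself
DIR_CHILDREN_ONLY = 1 << 3        # ... and only directory-type nodes below
FILE_CHILDREN_ONLY = 1 << 4       # ... and only non-directory nodes below
_SELF_EXCLUDED = CHILDREN_ONLY | DIR_CHILDREN_ONLY | FILE_CHILDREN_ONLY

@dataclass
class ACE:                        # one entry per (node, user): allow bits, deny bits, flags
    allow: int = 0
    deny: int = 0
    flags: int = 0

@dataclass
class Node:
    name: str
    is_dir: bool
    parent: Optional["Node"] = None
    aces: dict = field(default_factory=dict)   # user -> ACE, at most one per user

    def path(self) -> str:
        parts, n = [], self
        while n is not None:
            parts.append(n.name)
            n = n.parent
        return "/" + "/".join(p for p in reversed(parts) if p)

def resolve(target: Node, user: str, action: int) -> Tuple[bool, str]:
    """Return (allowed, path of the node whose entry or flag decided it).
    Assumption (not in the patent): reaching the root without a decision denies."""
    # Step 2: the target's own entry, unless it is marked as constraining only nodes below
    ace = target.aces.get(user)
    if ace and not ace.flags & _SELF_EXCLUDED:
        if ace.deny & action:
            return False, target.path()
        if ace.allow & action:
            return True, target.path()
    # Steps 3 and 4: walk toward the root one level at a time
    child, cur = target, target.parent
    while cur is not None:
        below = child.aces.get(user)
        if below and below.flags & NO_INHERIT_FROM_PARENT:
            return False, child.path()          # child refuses everything from above
        ace = cur.aces.get(user)
        if ace:
            if ace.flags & NO_INHERIT_BY_CHILDREN:
                return False, cur.path()        # ancestor passes nothing down
            # Type-restricted entries apply only to the matching kind of target node
            type_ok = not ((ace.flags & DIR_CHILDREN_ONLY and not target.is_dir)
                           or (ace.flags & FILE_CHILDREN_ONLY and target.is_dir))
            if type_ok:
                if ace.deny & action:
                    return False, cur.path()
                if ace.allow & action:
                    return True, cur.path()
        child, cur = cur, cur.parent
    return False, child.path()                  # root reached with no decision

def build_sample() -> dict:
    """Constructed sample tree with three entries for alice and one for bob."""
    root = Node("", True)
    projects = Node("projects", True, root)
    archive = Node("archive", True, projects)
    private = Node("private", True, root)
    leaves = [Node("old.txt", False, archive), Node("notes.txt", False, projects),
              Node("secret.txt", False, private)]
    # One inheritable entry covers every node under /projects for alice
    projects.aces["alice"] = ACE(allow=READ | MODIFY)
    # Files under /projects/archive become read-only; the directory itself stays modifiable
    archive.aces["alice"] = ACE(deny=MODIFY, flags=CHILDREN_ONLY)
    # /private is readable by alice but passes nothing down to its contents
    private.aces["alice"] = ACE(allow=READ, flags=NO_INHERIT_BY_CHILDREN)
    # bob may read files below /projects, but not directories and not /projects itself
    projects.aces["bob"] = ACE(allow=READ, flags=FILE_CHILDREN_ONLY)
    return {n.path(): n for n in [root, projects, archive, private, *leaves]}
```

With the four entries above, every file under /projects is covered without an entry of its own, which is the storage saving the description claims; a Windows-style all-or-nothing inheritance flag would need a separate entry on each file under /projects/archive to take MODIFY away.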

Claims (7)

1. A permission control method based on an Access Control List (ACL), characterised in that the method comprises the following steps:
Step 1: the computer memory receives the operation instruction entered by the user;
Step 2: the computer judges whether the resource node that the user's operation instruction points to has permission control in the access control list held in memory; if so, it forbids the user's operation instruction according to the permission definition of the current resource node and the priority of the user's operation instruction, and ends; if not, it executes the user's operation instruction on the current resource node;
Step 3: the permission definition of the node one level above the current node is judged; if that higher-level node forbids the current resource node from inheriting its permissions, the user's operation is forbidden and the method ends; otherwise the method continues upward and judges the permission definition of the node above that higher-level node;
Step 4: the computer judges whether the root node of the Access Control List (ACL) has been reached; if so, the permission restriction ends; otherwise step 3 is repeated.
2. The permission control method based on an Access Control List (ACL) according to claim 1, characterised in that it further comprises, before step 1, the step of constructing a resource-user permission index in the Access Control List (ACL) in computer memory.
3. The permission control method based on an Access Control List (ACL) according to claim 2, characterised in that the resource-user permission index is a many-to-one relationship.
4. The permission control method based on an Access Control List (ACL) according to claim 1, characterised in that the operation instruction entered by the user in step 1 comprises one or more of read, modify, add and delete.
5. The permission control method based on an Access Control List (ACL) according to claim 1, characterised in that the Access Control List (ACL) in step 2 is a tree-shaped data structure.
6. The permission control method based on an Access Control List (ACL) according to claim 1, characterised in that inheritance flags are used to describe the relationship between nodes and to decide a node's permissions.
7. The permission control method based on an Access Control List (ACL) according to claim 6, characterised in that
the inheritance flag contents comprise one or a combination of the following:
forbid the node from inheriting any permission from the node one level above it;
forbid the nodes one level below the node from inheriting any permission from it;
the permission constraint is effective only for the nodes one level below the node and not for the node itself;
the permission constraint is effective only for next-level nodes of directory type;
the permission constraint is effective only for next-level nodes of non-directory type;
do not inherit any permission from the node above this node;
do not allow inheritance by its later versions.

Application data

Application CN 200510064532, priority date 2005-04-13, filing date 2005-04-13, published as CN1848022A (en) on 2006-10-18; family ID 37077611; country status CN, pending.


Legal Events

Code Title
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication