KR102587106B1 - IoT portal server, IoT platform server, Method for managing authority using AN ACP data field and token obtained from authentication server and Computer program for executing the method - Google Patents

Abstract

According to the present invention, data in the ACP field can be minimized, and the token obtained through the IoT portal server, IoT platform server, and authentication server that provides IoT platform data for each group using an authentication server and the ACP data field can be used to minimize data in the ACP field. A method for managing authority and a computer program for executing the method may be provided.

Description

IoT portal server, IoT platform server, method for managing authority using tokens and ACP data fields obtained through an authentication server, and a computer program for executing the method {IoT portal server, IoT platform server, Method for managing authority using AN ACP data field and token obtained from authentication server and Computer program for executing the method}

According to embodiments of the present disclosure, a method for managing authority using tokens and ACP data fields obtained through an IoT portal server, an IoT platform server, and an authentication server, and a computer program for executing the method may be disclosed. there is.

As IoT develops, various IoT platforms are being developed. The IoT platform is software that provides common functions required by IoT devices, and is one of the important elements in the future IoT environment.

The IoT platform standard transmits data with certain rules when transmitting data. This is to adopt a method of communicating in a fixed data format because the data of various IoT devices are in different forms and cannot be interconnected. At this time, a field called ACP (Access Control Policy) exists to determine the data structure or set data permissions. Since users who do not exist in the ACP cannot even access it, the more users there are and the more complex the permissions are, the more the data in the ACP field becomes. There was a problem in that the ACP data grew larger than the actual amount of data, increasing the overhead of internal communication.

The present invention can minimize data in the ACP field and provide IoT platform data for each group using an authentication server.

A method according to embodiments of the present disclosure includes receiving, by an IoT portal server, a task request signal from a first terminal to a first device to perform a first requested task; The IoT portal server transmitting a verification request of the first terminal for the task request signal to an authentication server in response to the task request signal; In the authentication server, the token of the first terminal included in the verification request is used to check the account of the first terminal and whether permission for the first request operation for the first device is authorized for the first terminal. Receiving a success signal for a verification request for verifying the generated token of the first terminal from the authentication server;

transmitting, from the IoT portal server to the authentication server, a request to authorize the first terminal to perform the first requested task; Receiving, by the IoT portal server, a success response signal for a request to authorize authority for the first requested task generated by checking from an authority authorization list managed by the authentication server; And when it is determined that the first terminal has authority for the first requested task based on the success response signal, the IoT portal server sends a command signal to the IoT platform to allow the first device to perform the first requested task. Authorization can be managed using the token obtained through the authentication server and the ACP data field, including the step of transmitting to the server.

According to embodiments of the present disclosure, after transmitting the verification request of the first terminal, if a success signal for the verification request for verifying the token of the first terminal is not received, the first request task is performed. Authorization can be managed using the token obtained through the authentication server and the ACP data field, which further includes the step of transmitting a rejection signal to the first terminal.

According to embodiments of the present disclosure, after the step of transmitting a verification request of the first terminal, the authentication server uses the token of the first terminal to determine the account of the first terminal, and the first terminal For the terminal account, a step of generating authentication information accessible to the IoT platform server may be further included.

According to embodiments of the present disclosure, the authentication server transmits authentication information accessible to the IoT platform server to the IoT platform server, and may further include processing the information to be stored in the ACP field of the IoT platform server. .

According to embodiments of the present disclosure, account information of the first terminal may be stored in the ACP field of the IoT platform server.

According to embodiments of the present disclosure, the IoT platform server receives a command signal from the IoT portal server to perform a second requested task from the second terminal to the requested second device; The IoT platform server transmitting a verification request signal for the token included in the command signal to an authentication server; Receiving, from the authentication server, a success response signal as to whether the token confirmed using the token included in the verification request signal has been verified; The IoT platform server responds to the success response signal, extracts resource path information to be processed by analyzing the command signal, and requests from an authentication server whether it has authority for the resource path information using the token; Receiving a success response from the authentication server as to whether or not authority is available for the resource path information using the token, and determining whether the command signal includes an authority allowance range using the success response and the ACP field; And when the IoT platform server is authorized for the authority permission range of the command signal, generating and processing a second command signal for the second requested task may further include.

According to embodiments of the present disclosure, the account ID of the second terminal is requested from the authentication server to check whether the account of the second terminal is verified, and authority for the second requested task requested by the second terminal is confirmed. The presence or absence can be confirmed from the authentication server.

According to embodiments of the present disclosure, processing the IoT platform server to perform the second request task in a second device according to a second command signal for the second request task may further include. .

According to embodiments of the present disclosure, it includes a processor and a communication unit, wherein the processor receives a task request signal from a first terminal to a first device to perform a first requested task, and responds to the task request signal. , transmitting a verification request of the first terminal for the job request signal to an authentication server, and in the authentication server, using the token of the first terminal included in the verification request to establish an account of the first terminal and the first terminal For the terminal, receive a success signal from the authentication server for a verification request for verifying the token of the first terminal generated by checking whether authorization for the first request operation for the first device is authorized, and the authentication server A request for authorizing the first requested task is sent to the first terminal, and a request for authorizing the first requested task generated by checking the authorization list managed by the authentication server is sent to the first terminal. receives a success signal for the IoT platform, and when it is determined that the first terminal has authority for the first requested task based on the success signal, a command signal is sent to the IoT platform to perform the first requested task to the first device. It can be sent to the server.

According to embodiments of the present disclosure, it includes a processor and a communication unit, wherein the processor receives a command signal from an IoT portal server to perform a second requested task from a second terminal to a second device requested, and the command Transmit a verification request signal for the token included in the signal to the authentication server, and receive a success response signal from the authentication server as to whether the token confirmed using the token included in the verification request signal has been verified. In response to the success response signal, extract resource path information to be processed by analyzing the command signal, request from the authentication server whether there is authority for the resource path information with the token, and receive from the authentication server Receive a success response of whether authority is present for the resource path information with the token, determine whether the authority allowance range of the command signal is included using the success response and the ACP field, and determine whether the permission allowance range of the command signal is included. If the authority for is approved, a second command signal for the second requested task can be generated and processed.

The processor requests the authentication server for the account ID of the second terminal, checks whether the account of the second terminal is verified, and determines whether the authentication server has authority for the second request task requested by the second terminal. You can check from .

The processor may process the second requested task to be performed in the second device according to a second command signal for the second requested task.

A computer program according to an embodiment of the present invention may be stored in a medium to execute any one of the methods according to an embodiment of the present invention using a computer.

In addition to this, another method for implementing the present invention, another system, and a computer-readable recording medium for recording a computer program for executing the method are further provided.

Other aspects, features and advantages in addition to those described above will become apparent from the following drawings, claims and detailed description of the invention.

According to the present invention, data in the ACP field can be minimized, and the token obtained through the IoT portal server, IoT platform server, and authentication server that provides IoT platform data for each group using an authentication server and the ACP data field can be used to minimize data in the ACP field. A method for managing authority and a computer program for executing the method may be provided.

1 is a diagram of the network environment of the rights management system 1 according to an embodiment of the present disclosure.
Figure 2 is a diagram of the network environment of the rights management system 1' according to other embodiments of the present disclosure.
Figure 3 is a block diagram of the IoT portal server 100 according to embodiments of the present disclosure.
Figure 4 is a block diagram of the IoT platform server 200 according to embodiments of the present disclosure.
Figure 5 is a flowchart of a rights management method according to embodiments of the present disclosure.
Figure 6 is a flowchart of a method for receiving authorization through an authentication server in an IoT portal server, according to embodiments of the present disclosure.
Figure 7 is a flowchart of a method of performing a request for a resource using ACP in an IoT platform server according to embodiments of the present disclosure.
Figure 8 is a flowchart of a method for determining whether a token is verified in an authentication server according to an embodiment of the present disclosure.
Figure 9 is a flowchart of a method for determining whether authorization is granted for a token verified in an authentication server according to embodiments of the present disclosure.
Figure 10 is a flowchart explaining the process of adding authority to an account ID in an authentication server in an embodiment of the present disclosure.

Hereinafter, the configuration and operation of the present invention will be described in detail with reference to embodiments of the present invention shown in the attached drawings.

Since the present invention can be modified in various ways and can have various embodiments, specific embodiments will be illustrated in the drawings and described in detail in the detailed description. The effects and features of the present invention and methods for achieving them will become clear by referring to the embodiments described in detail below along with the drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various forms.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. When describing with reference to the drawings, identical or corresponding components will be assigned the same reference numerals and redundant description thereof will be omitted. .

In this specification, terms such as “learning” and “learning” are not intended to refer to mental operations such as human educational activities, but are terms that refer to performing machine learning through procedural computing. interpret.

In the following embodiments, terms such as first and second are used not in a limiting sense but for the purpose of distinguishing one component from another component.

In the following examples, singular terms include plural terms unless the context clearly dictates otherwise.

In the following embodiments, terms such as include or have mean that the features or components described in the specification exist, and do not exclude in advance the possibility of adding one or more other features or components.

In the drawings, the sizes of components may be exaggerated or reduced for convenience of explanation. For example, the size and thickness of each component shown in the drawings are shown arbitrarily for convenience of explanation, so the present invention is not necessarily limited to what is shown.

In cases where an embodiment can be implemented differently, a specific process sequence may be performed differently from the described sequence. For example, two processes described in succession may be performed substantially at the same time, or may be performed in an order opposite to that in which they are described.

Here, token refers to data generated in response to authority. According to an embodiment of the present disclosure, a token is required to access an IoT platform or resource, and the authentication server performs a process related to issuing the token.

Here, an app is a type of program implemented as software and is short for application.

Here, IoT stands for Internet of Things and refers to connecting and controlling multiple devices.

Here, an account is created to manage users connected to the system, and can be used in correspondence with users in the system. Accounts can be distinguished by ID. According to embodiments of the present disclosure, accounts may be grouped into groups and managed. Through the permission approval list for the group, a permission approval list of accounts belonging to the group can be created. The account's permissions include all group permissions, but it may have permissions that are not included in the group's permissions.

Here, resources refer to devices controlled by the system, including sensors that detect temperature, humidity, and movement, devices that check operation, electronic devices such as microwave ovens, washing machines, TVs, air purifiers, air conditioners, dehumidifiers, and ventilators, etc. It may include devices such as stands, lights, blinds, etc., but is not limited to this and may include various devices.

1 is a diagram of the network environment of the rights management system 1 according to an embodiment of the present disclosure.

The rights management system 1 may include an IoT portal server 10, an IoT platform server 20, and an authentication server 30.

The IoT portal server 10 can store and manage device authorization information. The IoT portal server 10 can store device information, IoT platform information, and authentication server information. The IoT portal server 10 may store identification codes of a plurality of devices electrically connected and controlled, rules for control signals transmitted to the devices, information controlled by the devices, etc. IoT portal server 10 may include information about one or more platforms. Each platform can be implemented to control designated devices. Information on the authentication server may include information necessary to access the authentication server.

The IoT portal server 10 sets the relationship information with the device as a data field of a predetermined data set, for example, ACP, and provides a token used to authorize authority. Here, ACP refers to the Access Control Policy and refers to a data field stored on the platform server. According to an embodiment of the present disclosure, the ID when accessing the ACP data field is managed by the authentication server, and the ACP ID can be obtained after transmitting information about the verified token. At this time, one or more account IDs can be converted into one ACP ID if they have the same authority. Since it is converted to ACP ID according to authority, ACP ID does not need to be assigned to all accounts, so less ACP data capacity may be required.

The IoT portal server 10 may provide data and tokens related to authorization to the connected device. The token may be issued and registered by the authentication server 30.

The IoT portal server 10 performs a function of managing one or more IoT platforms and may be implemented to perform all operations of the IoT platform server 20.

The IoT platform server 20 can identify and provide desired device and authorization data from the IoT portal server 10. The IoT platform server 20 may be implemented to process a request signal that a user terminal accesses to control other resources. The IoT platform server 20 performs a process of obtaining a verified token before determining whether the account ID is authorized.

The IoT portal server 10 or the IoT platform server 20 may generate and transmit a signal requesting authorization to the authentication server 30. The IoT portal server 10 or the IoT platform server 20 may generate and transmit a signal requesting verification of the user account to the authentication server 30. Verification of the user account can be confirmed by the presence or absence of a token corresponding to the account ID. The IoT portal server 10 or the IoT platform server 20 may generate and transmit a signal requesting whether to authorize the user account to the authentication server 30. The authentication server 30 creates an authority authorization list for the account ID, determines whether the account ID has authority based on this, and if it is determined that the authority is not present, the authority may be newly approved. At this time, permissions can be set on a platform-by-platform, device-by-device, or app-by-app basis. A platform is a superordinate concept of a device or an app, and an account ID with permission for the platform can be set to have permission for lower-level devices and lower-level apps belonging to the platform.

The IoT portal server 10 or the IoT platform server 20 may perform an authentication process to access resources through the authentication server 30.

The IoT portal server 10 or the IoT platform server 20 can check the authorization information of the user or terminal requesting authentication through the ACP data field. At this time, the method of checking permission is to record the requested account ID in the ACP field and compare them to check the presence or absence of permission.

The authentication server 30 may generate a token corresponding to the account ID in response to a token creation request from the IoT portal server 10. The authentication server 30 can check the presence or absence of authority to access the device and use the IoT portal server 10 or the IoT portal server 10 to check whether there is authority to access the device. If there is no requested authority, the authentication server 30 may add the requested authority information to the authority authorization list.

Figure 2 is a diagram of the network environment of the rights management system 1' according to other embodiments of the present disclosure.

The rights management system 1' includes a first IoT device 51, a second IoT device 52,... , may further include an nth IoT device (5n), an administrator terminal 61, and a user terminal 62.

The manager terminal 61 connects to the IoT platform server 20 and connects the first IoT device 51, the second IoT device 52, . , a work request for the nth IoT device (5n) can be transmitted. The IoT platform server 20 can access the authentication server 30 through the IoT portal server 10 to check whether the administrator terminal 61 has access rights. If there is access authority and the scope of access authority is appropriate, the work request of the manager terminal 61 can be processed.

The user terminal 62 connects to the IoT platform server 20 and uses the first IoT device 51, the second IoT device 52, . , a work request for the nth IoT device (5n) can be transmitted. The IoT platform server 20 can access the authentication server 30 through the IoT portal server 10 to check whether the user terminal 62 has access rights. If there is access authority and the scope of access authority is appropriate, the work request of the manager terminal 61 can be processed.

Figure 3 is a block diagram of the IoT portal server 100 according to embodiments of the present disclosure.

The communication unit 110 can communicate with various types of external devices or servers according to various types of communication methods. The communication unit 110 of one device 100 is connected to the communication unit of other devices 20, 30, 51, 52, 53, 61, and 62 through a network and can exchange data with each other.

The processor 120 may use various programs stored in the memory 130 to generally control each device 100 having each memory. The processor 220 includes a microprocessor, a central processing unit (CPU), a processor core, a multiprocessor, an application-specific integrated circuit (ASIC), and a field programmable gate array (FPGA). ), etc., but the present invention is not limited thereto.

The memory 130 may temporarily or permanently store data processed by each device 100 or servers 200 and 30 having each memory. The memory 130 may include a non-permanent mass storage device such as Random Access Memory (RAM), Read Only Memory (ROM), and a disk drive, but the present invention is not limited thereto.

The device 100 as shown in FIG. 3 may further include a storage medium (not shown) storing various data for overall operation, such as a program for processing or controlling the processor 120. The storage medium may store a number of application programs (application programs or applications) running on the device 100, data for operating the servers 200 and 30, and commands. At least some of these applications may be downloaded from an external server via wireless communication. Additionally, at least some of these application programs may exist on the device 100 from the time of shipment for the basic functions of the device 100. The application program may be stored in a storage medium and driven by the processor 120 to perform the operation (or function) of the device 100.

The rights management system and each module or unit included therein may be entirely hardware, or may have aspects that are partly hardware and partly software. For example, the rights management system and each module or unit included therein may collectively refer to hardware and related software for processing data of a specific format and content or exchanging it through electronic communication. In this specification, terms such as “unit,” “module,” “device,” “terminal,” “server,” or “system” may be interpreted as referring to a combination of hardware and software driven by the hardware. For example, hardware may be a data processing device including a CPU or other processor. Additionally, software driven by hardware may refer to a running process, object, executable file, thread of execution, program, etc.

Additionally, each element constituting the rights management system is not necessarily limited to referring to a separate device that is physically distinct from each other. That is, the communication unit 110, processor 120, and memory 130 in FIG. 3 are functionally divided according to the operations performed by the IoT portal server 10, and are not necessarily divided independently from each other. . Of course, depending on the embodiment, these may be implemented as separate devices that are physically distinct from each other.

Hereinafter, the transmission and reception of information between each component of the rights management system that can have the above-described configuration will be described along with the rights management method.

Figure 4 is a block diagram of the IoT platform server 200 according to embodiments of the present disclosure.

The communication unit 210 can communicate with various types of external devices or servers according to various types of communication methods. The communication unit 210 of one device 200 is connected to the communication unit 210 of another device 200 through a network and can exchange data with each other.

The processor 220 may use various programs stored in the memory 230 to generally control each device 200 or servers 100 and 30 having each memory. The processor 220 includes a microprocessor, a central processing unit (CPU), a processor core, a multiprocessor, an application-specific integrated circuit (ASIC), and a field programmable gate array (FPGA). ), etc., but the present invention is not limited thereto.

The memory 230 may temporarily or permanently store data processed by each device 200 or servers 100 and 30 having each memory. The memory 230 may include a non-permanent mass storage device such as random access memory (RAM), read only memory (ROM), and a disk drive, but the present invention is not limited thereto.

The device 200 as shown in FIG. 4 may further include a storage medium (not shown) storing various data for overall operation, such as a program for processing or controlling the processor 220. The storage medium may store a number of application programs (application programs or applications) running on the device 200, data for operating the servers 40, 50, 60, and 80, and commands. At least some of these applications may be downloaded from an external server via wireless communication. Additionally, at least some of these application programs may exist on the device 200 from the time of shipment for the basic functions of the device 200. The application program may be stored in a storage medium and driven by the processor 220 to perform the operation (or function) of the device 200.

The rights management system and each module or unit included therein may be entirely hardware, or may have aspects that are partly hardware and partly software. For example, the rights management system and each module or unit included therein may collectively refer to hardware and related software for processing data of a specific format and content or exchanging it through electronic communication. In this specification, terms such as “unit,” “module,” “device,” “terminal,” “server,” or “system” may be interpreted as referring to a combination of hardware and software driven by the hardware. For example, hardware may be a data processing device including a CPU or other processor. Additionally, software driven by hardware may refer to a running process, object, executable file, thread of execution, program, etc.

Additionally, each element constituting the rights management system is not necessarily limited to referring to a separate device that is physically distinct from each other. That is, the communication unit 210, processor 220, and memory 230 in FIG. 4 are functionally divided according to the operations performed by the IoT platform server 20, and are not necessarily divided independently from each other. . Of course, depending on the embodiment, these may be implemented as separate devices that are physically distinct from each other.

Hereinafter, the transmission and reception of information between each component of the rights management system that can have the above-described configuration will be described along with the rights management method.

Figure 5 is a flowchart of a rights management method according to embodiments of the present disclosure.

In S10, when the rights management system receives a request for work on a device from a terminal, it can perform verification on the terminal.

In S20, the rights management system can verify the token corresponding to the terminal's account ID. In S25, the rights management system may register an account ID/token if the token corresponding to the account ID is not verified.

In S30, if it is determined that the token corresponding to the terminal's account ID has been verified, the authority management system can determine whether there is authority for the task request.

In S40, the rights management system may determine whether there is an ACP for the token. In S45, the rights management system can register an ACP/Group for a token if there is no ACP for the token.

In S50, the rights management system can map and store account IDs in ACP.

Figure 6 is a flowchart of a method for receiving authorization through an authentication server in an IoT portal server, according to embodiments of the present disclosure.

In S110, the IoT portal server 100 may receive a first task request signal from the first terminal to the first device to perform the first requested task.

In S120, the IoT portal server 100 may transmit a verification request for the first terminal to the authentication server in response to the first task request. The IoT portal server 100 is connected to the authentication server through a network and can transmit a verification request through the network.

In S130, the IoT portal server 100 verifies the account ID of the first terminal using the token of the first terminal included in the verification request from the authentication server, and includes verification information for the token of the first terminal, A success signal for the verification request of the first terminal may be received from the authentication server.

The authentication server may determine whether there is a token for the account ID of the first terminal, and if there is a token of the first terminal, it may determine that the token has been verified.

In S140, the IoT portal server 100 may transmit a signal requesting authorization for the first requested task to the authentication server.

In S150, the IoT portal server 100 may receive a completion signal for authorization from the authentication server.

In S160, the IoT portal server 100 may generate a command signal for the first requested task and transmit it to the first device through the IoT platform server.

Figure 7 is a flowchart of a method of performing a request for a resource using ACP in an IoT platform server according to embodiments of the present disclosure.

In S210, the IoT platform server 200 may receive a command signal that causes the second requested task to be performed by the second device requested by the second terminal.

In S220, the IoT platform server 200 may transmit a verification request signal for the token included in the command signal to the authentication server.

In S230, the IoT platform server 200 may receive a success response signal from the authentication server regarding whether the token confirmed using the token included in the verification request signal has been verified.

In S240, when the IoT platform server 200 receives a success response signal indicating that the token has been verified, it can extract resource path information to be processed by analyzing the command signal.

In S250, the IoT platform server 200 may request from the authentication server whether the account ID of the second terminal has authority for resource path information.

In S260, the IoT platform server 200 may receive a success response signal from the authentication server indicating that the account ID of the second terminal has authority for resource path information. The success response signal may include the ACP-ID associated with the second terminal.

In S270, when a success response signal is received, the IoT platform server 200 may determine whether the second requested task falls within the operation range allowed for the ACP. The IoT platform server 200 may use the ACP-ID to determine whether the second requested task falls within the operation range allowed for the ACP.

In S280, the IoT platform server 200 may generate a command signal for the second request task if it falls within the operation range allowed by the ACP data field. The IoT platform server 200 can access the ACP data field of the second terminal using the ACP-ID and read data.

Figure 8 is a flowchart of a method for determining whether a token is verified in an authentication server according to an embodiment of the present disclosure.

In S310, the authentication server may receive a signal requesting verification of the received requester's token. The authentication server may receive a signal requesting verification of the token from the IoT portal server 100 or the IoT platform server 200.

In S320, the authentication server performs verification on the token.

In S330, the authentication server may determine whether the requester's token is a verified token.

In S340, the authentication server may transmit a response signal including whether the token has been verified for the verified token. In S335, if the token is not verified, the authentication server may transmit a verification failure response signal.

The authentication server may transmit a response signal regarding whether or not to verify verification to the IoT portal server 100 or the IoT platform server 200 that transmitted the verification request signal.

At this time, whether or not the token is verified may be determined in accordance with the domain of the IoT platform. The same token may be verified for the domain of the first IoT platform and may not be verified for the domain of the second IoT platform, but is not limited to this.

Figure 9 is a flowchart of a method for determining whether authorization is granted for a token verified in an authentication server according to embodiments of the present disclosure.

In S410, the authentication server may receive an authorization request. The authentication server may receive a signal requesting authorization from the IoT portal server or IoT platform server. The authority authorization request may include a token for the object to which authority is to be granted and information on the object to be accessed (resource, resource path information, etc.).

In S420, the authentication server can verify the account ID using the token included in the request.

In S430, the authentication server can create and initialize an authorization list of account IDs.

In S440, the authentication server may check the authority that the account ID may have and add the authority information that the account ID may have to the authority authorization list for the account ID.

In S450, the authentication server can determine whether there are permissions that have not been added.

In S460, the authentication server checks permissions that have not been added to the corresponding account ID and transmits a response signal to the permission request. At this time, for the IoT platform, the authentication server allows the account ID requested in the authorization request signal to access resource path information and can transmit the ACP-ID as a response signal. The authentication server can obtain group information to which the account ID belongs and search for the ACP-ID corresponding to the group information.

Figure 10 is a flowchart explaining the process of adding authority to an account ID in an authentication server in an embodiment of the present disclosure.

In S510, the authentication server can check whether IoT platform permissions have been added to the account ID obtained with the token.

In S540, if IoT platform permissions have been added to an account ID, the authentication server allows the account ID to access resource path information without the process of adding additional permissions, and can transmit ACP-ID as a response signal. The authentication server can obtain group information to which the account ID belongs and search for the ACP-ID corresponding to the group information.

In S520, the authentication server can check whether device or app permissions have been added to the account ID.

If device or app permissions have been added to the account ID, the requested IoT resource path information can be checked (S530). The authentication server allows the account ID to access resource path information without adding additional authority and can transmit the ACP-ID as a response signal (S540).

The authentication server may transmit an access denial response to the requested resource if device or app permissions have not been added for the account ID.

The device described above may be implemented with hardware components, software components, and/or a combination of hardware components and software components. For example, devices and components described in embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), etc. , may be implemented using one or more general-purpose or special-purpose computers, such as a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. Additionally, a processing device may access, store, manipulate, process, and generate data in response to the execution of software. For ease of understanding, a single processing device may be described as being used; however, those skilled in the art will understand that a processing device includes multiple processing elements and/or multiple types of processing elements. It can be seen that it may include. For example, a processing device may include a plurality of processors or one processor and one controller. Additionally, other processing configurations, such as parallel processors, are possible.

Software may include a computer program, code, instructions, or a combination of one or more of these, which may configure a processing unit to operate as desired, or may be processed independently or collectively. You can command the device. Software and/or data may be used on any type of machine, component, physical device, virtual equipment, computer storage medium or device to be interpreted by or to provide instructions or data to a processing device. , or may be permanently or temporarily embodied in a transmitted signal wave. Software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc., singly or in combination. Program instructions recorded on the medium may be specially designed and configured for the embodiment or may be known and available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. -Includes optical media (magneto-optical media) and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, etc. Examples of program instructions include machine language code, such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

As described above, although the embodiments have been described with limited examples and drawings, various modifications and variations can be made by those skilled in the art from the above description. For example, the described techniques are performed in a different order than the described method, and/or components of the described system, structure, device, circuit, etc. are combined or combined in a different form than the described method, or other components are used. Alternatively, appropriate results may be achieved even if substituted or substituted by an equivalent.

Therefore, other implementations, other embodiments, and equivalents of the claims also fall within the scope of the claims described below.

1, 1': Rights management system
10, 100: IoT portal server
20, 200: IoT platform server
30: Authentication server

Claims (17)

Receiving, by the IoT portal server, a job request signal from a first terminal owned by an administrator to perform a first requested job with a first device;
The IoT portal server transmitting a verification request of the first terminal for the task request signal to an authentication server in response to the task request signal;
If the IoT portal server does not receive a success signal for a verification request for verifying the token of the first terminal, transmitting a signal rejecting the first request task to the first terminal;
The authentication server uses the token of the first terminal to determine the account ID of the first terminal, and generates authentication information accessible from the IoT platform server for the account ID of the first terminal;
Processing the authentication server to transmit authentication information accessible to the IoT platform server to the IoT platform server and store it in the ACP data field of the IoT platform server;
In the authentication server, the token of the first terminal included in the verification request is used to check whether the account ID of the first terminal is authorized for the first request operation for the first device. Receiving a success signal for a verification request for verifying the token of the first terminal from the authentication server;
transmitting, from the IoT portal server to the authentication server, a request to authorize the first terminal to perform the first requested task;
Receiving, by the IoT portal server, a success response signal or an access denial response to a request for authorizing authority for the first requested task generated by checking from an authority authorization list managed by the authentication server; and
In response to receiving the success response signal, when it is determined that the first terminal has authority for the first requested task, the IoT portal server provides authentication information that can access a command signal to perform the first requested task. A method of managing authority using a token obtained through an authentication server and an ACP data field, comprising: transmitting to the first device through the stored IoT platform server. delete delete delete According to paragraph 1,
A method of managing authority using a token obtained through an authentication server and an ACP data field, in which account information of the first terminal is stored in the ACP data field of the IoT platform server. The IoT platform server receiving a command signal from the IoT portal server to cause a second requested task to be performed from the second terminal to the requested second device;
The IoT platform server transmitting a verification request signal for the token included in the command signal to an authentication server;
The IoT platform server receiving a success response signal from the authentication server as to whether the token confirmed using the token included in the verification request signal has been verified;
The IoT platform server responds to the success response signal, analyzes the command signal, extracts resource path information to be processed, and determines whether the account ID of the second terminal has authority for the resource path information with the token. requesting the authentication server whether to do so;
The IoT platform server receives a success response from the authentication server regarding the presence or absence of authority for the resource path information with the token for the account ID of the second terminal, and ACP-related to the second terminal included in the success response. Using the ID, accessing the ACP data field of the second terminal and reading data, thereby determining whether the second requested task falls within an operation range allowed in the ACP data field; and
The IoT platform server generating and processing a second command signal for the second requested task when the second requested task falls within an operation range allowed by the ACP data field; further comprising: authentication server A method of managing permissions using tokens obtained through and ACP data fields. According to clause 6,
Request the account ID of the second terminal to the authentication server to check whether the account of the second terminal is verified,
A method of managing authority using a token obtained through an authentication server and an ACP data field to check from the authentication server whether the authority for the second request task requested by the second terminal is present. According to clause 6,
Processing the IoT platform server to perform the second request task in a second device according to a second command signal for the second request task; further comprising the token and ACP data obtained through the authentication server. How to manage permissions using fields. Includes a processor and a communication unit,
The processor,
Receiving a task request signal from the first terminal to cause the first device to perform the first requested task,
In response to the job request signal, transmitting a verification request from the first terminal for the job request signal to the authentication server,
If a success signal for a verification request for verifying the token of the first terminal is not received, a signal rejecting the first request operation is transmitted to the first terminal,
In the authentication server, the token of the first terminal is used to obtain an account ID of the first terminal, and authentication information accessible to the IoT platform server is generated for the account ID of the first terminal to access the IoT platform server. Send accessible authentication information to the IoT platform server and store it in the ACP data field of the IoT platform server,
In the authentication server, the token of the first terminal included in the verification request is used to check whether the account ID of the first terminal is authorized for the first request operation for the first device. Receiving a success signal for a verification request for verifying the token of the first terminal from the authentication server,
Transmitting, to the authentication server, a request to authorize the first terminal to perform the first requested task,
Receiving a success response signal or an access denial response to a request for authorizing the first requested task created by checking from an authorization list managed by the authentication server,
If it is determined that the first terminal has authority for the first requested task in response to receiving the success response signal, the IoT platform server stores authentication information that can access a command signal to perform the first requested task. An IoT portal server that transmits to the first device through. delete delete delete According to clause 9,
An IoT portal server in which account information of the first terminal is stored in the ACP field of the IoT platform server. Includes a processor and a communication unit,
The processor,
Receiving a command signal from the IoT portal server to cause a second requested task to be performed from the second terminal to the requested second device,
Transmitting a verification request signal for the token included in the command signal to the authentication server,
Receive a success response signal from the authentication server as to whether the token confirmed using the token included in the verification request signal has been verified,
In response to the success response signal, the authentication server extracts resource path information to be processed by analyzing the command signal, and determines whether the account ID of the second terminal is authorized to the resource path information using the token. Request with,
Receiving a success response from the authentication server regarding the presence or absence of authority for the resource path information with the token for the account ID of the second terminal, using the ACP-ID related to the second terminal included in the success response, By accessing the ACP data field of the second terminal and reading data, determining whether the second requested task falls within an operation range allowed in the ACP data field,
When the second requested task falls within an operation range allowed by the ACP data field, an IoT platform server generates and processes a second command signal for the second requested task. According to clause 14,
The processor,
Request the account ID of the second terminal to the authentication server to check whether the account of the second terminal is verified,
An IoT platform server that checks from the authentication server whether there is authority for the second request task requested by the second terminal. According to clause 14,
The IoT platform server wherein the processor processes the second requested task to be performed in a second device according to a second command signal for the second requested task. A computer program stored in a computer-readable storage medium to execute the method of any one of claims 1 and 6 using a computer.

Images