WO2017040570A1 - System and method for authentication - Google Patents

System and method for authentication Download PDF

Info

Publication number
WO2017040570A1
WO2017040570A1 PCT/US2016/049562 US2016049562W WO2017040570A1 WO 2017040570 A1 WO2017040570 A1 WO 2017040570A1 US 2016049562 W US2016049562 W US 2016049562W WO 2017040570 A1 WO2017040570 A1 WO 2017040570A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
permission
upper layer
piece
permission point
Prior art date
Application number
PCT/US2016/049562
Other languages
French (fr)
Inventor
Dong Guo
Panfeng YUAN
Xin Liu
Tingliang CHEN
Original Assignee
Alibaba Group Holding Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Limited filed Critical Alibaba Group Holding Limited
Priority to EP16842848.0A priority Critical patent/EP3345371A4/en
Publication of WO2017040570A1 publication Critical patent/WO2017040570A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104Grouping of entities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present disclosure generally relates to authorization management in computer systems, and in particular, relates to systems and methods for facilitating the authentication of users.
  • Authorization management refers to how users may access authorized resources, and only authorized resources, in accordance with the security rules or policies defined by a system.
  • Authorization management technology manages the permissions of subjects to access objects in application systems, and may be applied to any application system after a user logs into the system (e.g., using a user account and a password).
  • subjects may be a variety of users, and the access objects may be resources controlled or used by the system, including, without limitation, resources utilized by each module of the system such as server resources, data services, database resources, or the like.
  • Application systems generally map permission information to individual users in advance and store these mappings using, for example, an ID of the user. In this manner, during the process of system authentication, the permission information of a user is identified according to the logged in user's ID. The identified permissions may then be used to control access to resources for the logged in user, thereby implementing a basic authorization management system.
  • subjects may comprise other entities, such as tenants, projects, and the like, depending on the needs of the application system.
  • users are often assigned to one or more projects or tenants in order to implement authorization management.
  • an authentication method and an authentication apparatus that solve the prior art shortcomings of authorization management in an application system comprising a plurality of subjects.
  • an authentication method and an authentication apparatus according to the embodiments of the present disclosure are implemented as follows.
  • One aspect of the present disclosure is drawn to a method for authentication of user information in an application system.
  • the method includes receiving an authentication request, the authentication request including user information and candidate permission point information, confirming at least one piece of upper layer subject information associated with the user information, and acquiring a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information.
  • the method also includes acquiring a second set of permission point information corresponding to the at least one upper layer subject information and including at least one piece of permission point information according to the at least one piece of upper layer subject information, and determining an intersection of the first set and the second set as an authentication set.
  • the method further includes determining that the authentication is successful if the candidate permission point information is in the authentication set.
  • One aspect of the present disclosure is drawn to a method for authentication of user information in an application system.
  • the method includes receiving an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information, and confirming at least one piece of upper layer subject information associated with the user information.
  • the method also includes acquiring a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information, and acquiring a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information.
  • the method further includes determining an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, and determining a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set.
  • the apparatus includes a processor and a non- transitory memory storing computer-executable instructions. When executed by the processor, the instructions cause the apparatus to receive an authentication request, the authentication request including user information and candidate permission point information, and confirm at least one piece of upper layer subject information associated with the user information.
  • the instructions also cause the apparatus to acquire a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information, and acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information.
  • the instructions further cause the apparatus to determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information and to determine that the authentication is successful if the candidate permission point information is in the authentication set.
  • the apparatus includes a processor and a non- transitory memory storing computer-executable instructions. When executed by the processor, the instructions cause the apparatus to receive an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information, and confirm at least one piece of upper layer subject information associated with the user information.
  • the instructions also cause the apparatus to acquire a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information, and acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information.
  • the instructions further cause the apparatus to determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, and determine a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set.
  • Figure 1 is a diagram illustrating an architecture of an application system including a plurality of subjects according to some embodiments of the present disclosure.
  • Figure 2 is a flowchart of an authentication method according to some embodiments of the present disclosure.
  • FIG. 3 is a flowchart of an authentication method according to some embodiments of the present disclosure.
  • Figure 4 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure.
  • Figure 5 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure.
  • Figure 1 is a diagram illustrating an architecture of an application system including a plurality of subjects according to some embodiments of the present disclosure.
  • the subjects of the architecture may include one or more users and an upper layer subject corresponding to each user.
  • the upper layer subject may be a tenant or a project.
  • a platform management In the application system illustrated in Figure 1 , a platform management
  • administration-class subject may also be included.
  • management administration-class subject may include a platform administrator.
  • the application system includes one or more tenants with each tenant being associated with one or more projects and each project being associated with one or more users.
  • a tenant may comprise a client group (e.g., a company) that uses or accesses resources of the application system or third-party systems.
  • a project may comprise a subgroup of the tenant (e.g., an organizational unit of a company or a product or task under development by the company).
  • Each proj ect may have a corresponding project space, the project space corresponding to a location in the application system where the users process data. Users may define different project spaces for different product lines.
  • the application system may assign a role for each subject in the system.
  • the roles may include roles of the users, projects, tenants, and administration-class members.
  • the roles of the users may also be categorized into roles of the users at the project level, tenant level, or both the project and tenant level.
  • the roles of each tenant include owner of the tenant, administrator, and members.
  • the business roles of the members may include tenant-class director, tenant-class section chief, tenant-class engineer, and the like.
  • the roles of the members may be administered by the administrator and the owner of the tenant may add or delete an administrator.
  • Each tenant may additionally create, update, delete, or otherwise administer projects.
  • the roles in a project may include the roles of owner, administrator, and members of the project.
  • the business roles of members may include project-class director, project-class section chief, project-class engineer, and the like.
  • the roles of the members may be administered by an administrator and the owner of the tenant may add or delete an
  • the roles of the platform administration-class members may include platform administrator, and the like. Roles assigned to the administrator may allow the platform administrator to administer platform-class roles and permission point information. As described more fully herein, permission point information includes a subject (e.g., a resource) and operations. Examples of operations include, a create operation of the administrator, view operation of an administrator list, create operation of a project, execution of an SQL operation, execution of a user-defined function, use operation of a data service, and the like.
  • a subject e.g., a resource
  • operations include, a create operation of the administrator, view operation of an administrator list, create operation of a project, execution of an SQL operation, execution of a user-defined function, use operation of a data service, and the like.
  • a tenant and project may be used as a group, and the group itself may have one or more corresponding roles.
  • an application system may comprise 1000 tenants and roles of the tenants may be categorized according to the classes of the tenants. That is, the roles of the tenants may include a set of n roles (e.g., ⁇ TenantRolei, TenantRole 2 , ... TenantRole tension ⁇ ) and the 1000 tenants may be mapped to these n roles, according to the classes of the tenants.
  • the tenants may also define permissions for the projects administered by the tenants according to the needs of the tenants or projects.
  • a tenant may be associated with 100 projects and the roles of the projects may include a set of m roles (e.g., ⁇ ProjectRolei, ProjectRole 2 , ... ProjectRole m ⁇ ) and the 100 projects may be mapped to these m roles.
  • the projects of other tenants on the application system may also be mapped to the set of m project roles.
  • the application system may additionally map role information to one or more pieces of permission point information (also referred to as a set comprising at least one piece of permission point information).
  • the application system may store a mapping between the tenants and tenant role information associated with each tenant.
  • the application system may further store a mapping between the tenants and the one or more pieces of permission point information.
  • the application system may map relationships between the projects and tenant role information and map relationships between the projects and the one or more pieces of permission point information.
  • the application system may map relationships between the user information and the user role information (including project-class role information of the users, and tenant-class role information of the users) and map relationships between the user role information and the one or more pieces of permission point information.
  • an upper layer subject may be a tenant or a project.
  • upper layer subjects may also include other subjects, such as a group, a subsidiary of a group, a department of a subsidiary, or the like.
  • the preceding examples illustrate a single layer of upper level subjects, the number of subjects is not subject to a particular limitation.
  • the application system may utilize three layers of subjects, or more than three layers of subjects. The embodiments described herein are described using two layers of upper layer subjects (e.g., projects and tenants) solely as an example.
  • FIG. 2 is a flowchart of an authentication method according to some embodiments of the present disclosure.
  • the authentication method may be executed, for example, by a server of the application system.
  • step SI 01 the method receives an authentication request that includes user information and candidate permission point information.
  • the method may receive the authentication request from a user terminal.
  • the terminal may be a computer, a smart wireless terminal, a server, or the like accessing the server of the application system.
  • a user may log into the application system using user information (e.g., a user name or identifier) and/or a password. After successfully logging in, the user may transmit an authentication request including the user information and candidate permission point information to the server.
  • the user information of the authentication request is based on, or includes, the user information used previously for logging in to the application system.
  • the candidate permission point information may include one or more pieces of candidate permission point information and may additionally be confirmed by the server based on the user information.
  • the candidate permission point information may be confirmed in response to specific operations performed by the user. For example, when the authenticated user attempts to perform an operation, the method may confirm that the user has permission to perform such an operation in response to the attempt to perform the operation.
  • step S I 02 the method confirms at least one piece of upper layer subject information associated with the user information. For example, if there are two pieces of upper layer subject information, that is, tenant information and project information, then the method, in step S I 02, confirms the tenant information associated with the user information and confirms the project information associated with both the tenant information and the user information.
  • each user may be categorized in advance in a corresponding upper layer subject (e.g., a tenant or project).
  • the user information may include the name "Zhang San,” and the upper layer subject information associated with this user information may be: "X tenant,” "Y project under X tenant.”
  • the user information and upper layer subject information may be stored in any suitable format for retrieval by the application system.
  • step SI 03 the method acquires a first set of permission point information associated with the user information that includes at least one piece of permission point information associated with the user information.
  • the permission point information included in the first set of permission point information, A may correspond to the permissions of the users, that is, the permission subject is the user.
  • the method may also query first role information mapped to the received user information.
  • the first role information may be used for identifying a role of a user identified by the user information in an upper layer subject corresponding to the upper layer subject information.
  • the method may then acquire a first set of permission point information, A, comprising at least one piece of permission point information mapped to the first role information.
  • the first role information mapped to the user information may include the tenant-class role of the user and the project-class role of the user.
  • the user associated with the user information "Zhang San” has a tenant-class role of "tenant-class director," and a project-class role of "project supervisor.”
  • two sets Al and A2 including at least one piece of permission point information corresponding to the respective user roles may be acquired by means of the aforementioned querying of first role information.
  • a first set of permission point information, A may be an intersection of the sets Al and A2. Specifically, if Al includes a set of permission points ⁇ Ql, Q2, Q3, Q4 ⁇ and A2 includes a set of permission points ⁇ Ql, Q3, Q5, Q4 ⁇ the first set of permission points comprises the intersection of Al and A2 (i.e., ⁇ 1 ⁇ 2), that is, the set ⁇ Ql, Q3, Q4 ⁇ .
  • the upper layer subject in the application system may only include a tenant if there are no projects under the tenant.
  • the role information and the corresponding permission set of the user in the tenant class only need to be acquired.
  • a permission set may be configured to ensure that the finally acquired permission intersection is not empty for a given upper layer subject.
  • the permission set corresponding to an empty one or more upper layer subjects may comprise all possible permission points.
  • step S I 04 the method acquires a second set of permission point information associated with the upper layer subject information that includes at least one piece of permission point information.
  • each of the upper layer subjects in the application system possess corresponding permissions.
  • the method, in step SI 04 may acquire a permission set corresponding to each of the two pieces of upper layer subject information, and determine the intersection of the permission sets
  • the method may also query second role information mapped to the upper layer subject information, the second role information used to identify a role of an upper layer subject corresponding to the upper layer subject information in an application system. After querying the second role information, the method may then acquire a second set of permission point information, B, that includes at least one piece of permission point information mapped to the second role information.
  • the upper layer subject information may include tenant information and project information.
  • the corresponding second role information may include the role information of the tenant in the application system and the role information of the project in the application system.
  • the specific process of acquiring the second set B may include acquiring a permission set, Bl, corresponding to the tenant information and including at least one piece of permission point information.
  • the method may then acquire a permission set, B2, corresponding to the project information and including at least one piece of permission point information.
  • the method may determine the intersection of the permission set Bl and the permission set B2 as a second set of permission point information, B.
  • the method may query a mapping table between users and upper subjects and determine that the project information corresponding to the user information may be, for example, "Y project under X tenant.” Additionally, the method may determine that the corresponding tenant information may be, for example, "X tenant.” By using a mapping table between upper layer subject and subject roles, the method may determine that the role information corresponding to the identified project information ("Y project under X tenant”) is "ProjectRolen”, and the role information corresponding to the identified tenant information (“X tenant”) is "TenantRolei2.”
  • the method may determine that the permission set corresponding to the identified role information (“ProjectRolen”) is the set Bl including the set of permission points ⁇ Ql, Q2, Q3, Q4, Q5, Q6, Q8, Q10 ⁇ , and that the permission set corresponding to the identified role information (“TenantRole ⁇ ”) is the set B2 including the set of permission points ⁇ Q2, Q3, Q4, Q5, Q6, Q9, QIO ⁇ .
  • the method may determine a second set of permission points by determining the intersection of sets Bl and B2 (i.e., ⁇ 1 ⁇ 2), that is, the set ⁇ Q2, Q3, Q4, Q5, Q6, Q10 ⁇ .
  • step SI 05 the method determines the intersection of the first set of permission point information, A, and the second set of permission point information, B.
  • the first set of permission point information, A is a set of permission point information associated with the user in various upper layer subjects.
  • the second set of permission point information, B is a set of permission point information possessed by various upper layer subjects to which the user belongs.
  • a set of permission point information corresponding to lower layer subjects e.g., users
  • the user may be a lower layer subject of the project and tenant, and the project and tenant are the upper layer subjects of the user.
  • the set of permission point information corresponding to the user is a subset of the set of permission point information corresponding to various tenants and projects. Therefore, an intersection of the first set of permission point information A and the second set of permission point information B (i.e., ⁇ ) needs to be confirmed as the authentication set C to confirm the permissions that the user actually possesses.
  • step SI 06 the method determines whether the candidate permission point information is in the authentication set C and, in step SI 07, determines that the authentication is successful if the candidate permission point information is in the authentication set. Alternatively, if the candidate permission point information is not in the authentication set, the method determines that authentication is unsuccessful in step SI 08.
  • a first set of permission point information contains permission points ⁇ Ql, Q3, Q4 ⁇ and a second set of permission point information, B, contains permission points ⁇ Q2, Q3, Q4, Q5, Q6, QIO ⁇ .
  • the method may determine that the authentication set, C, is equal to the intersection of sets A and B (i.e., ⁇ ), that is, the set including permission points ⁇ Q3, Q4 ⁇ .
  • the method can confirm that the authentication is successful and that the user of the terminal possesses the corresponding permission to access the resources of the application system since these permission points (Q3 and Q4) are present in the authentication set C. Conversely, if the authentication request sent by the terminal carries candidate permission point information which is not in the authentication set C, for example, Q5, the method can confirm that the authentication is unsuccessful, and the user of the terminal does not possess the
  • FIG. 3 is a flowchart of an authentication method according to some embodiments of the present disclosure.
  • the authentication method may be executed, for example, by a server of an application system.
  • step S201 the method receives an authentication request that includes user information and a candidate information set from a terminal, wherein the candidate information set includes at least one piece of candidate permission point.
  • step S202 the method acquires a first set of permission point information, A, based on the user information and including at least one piece of permission point information based on the user information.
  • step S203 the method confirms at least one piece of upper layer subject information associated with the user information.
  • step S204 the method acquires a second set of permission point information, B corresponding to the upper layer subject information and including at least one piece of permission point information according to the at least one piece of upper layer subject information.
  • step S205 the method determines the intersection of the first set of permission point information A and the second set of permission point information B as an authentication set C.
  • the candidate information set, D, utilized in steps S201 to S205 may be received in a similar manner as described with respect to steps SI 01 to SI 05, and is not repeated herein for the sake of clarity.
  • step S206 the method determines whether the candidate information set D intersects with the authentication set C.
  • step S207 if the candidate information set, D, intersects with the
  • the method determines the intersection of the candidate information set D and the authentication set C as a set of permission point information, E (i.e.,
  • step S208 determines that authentication is unsuccessful in step S208.
  • FIG. 4 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure.
  • the authentication apparatus includes the elements 301 to 306.
  • a receiving unit 301 is configured to receive an authentication request that includes user information and candidate permission point information.
  • the receiving unit 301 may receive the authentication request from a user terminal.
  • a first confirming unit 302 is configured to confirm at least one piece of upper layer subj ect information associated with the user information.
  • a first acquiring unit 303 is configured to acquire a first set of permission point information associated with the user information that includes at least one piece of permission point information according associated with the user information.
  • a second acquiring unit 304 is configured to acquire a second set of permission point information associated with the upper layer subject information that includes at least one piece of permission point information.
  • a second confirming unit 305 is configured to determine the intersection of the first set of permission point information and the second set of permission point information. The resulting intersection represents an authentication set.
  • An authentication determining unit 306 is configured to determine whether the candidate permission point information is in the authentication set, and determine that the authentication is successful if the candidate permission point information is in the authentication set.
  • the second acquiring unit 304 is configured to, if there are at least two pieces of upper layer subject information, acquire a permission set including the at least one piece of permission point information
  • the first confirming unit 302 is further configured to confirm tenant information associated with the user information and confirm project information pertaining to the tenant information and associated with the user information.
  • the second acquiring unit 304 is then further configured to acquire a permission set corresponding to the tenant information and including at least one piece of permission point information, acquire a permission set corresponding to the project information and including at least one piece of permission point information, and determine the intersection of the permission set corresponding to the tenant information and the permission set
  • the first acquiring unit 302 may further be configured to query first role information mapped to the received user information, wherein the first role information may be used for identifying a role of a user identified by the user information in an upper layer subject corresponding to the upper layer subject information.
  • the first acquiring unit 302 may additionally acquire a first set of permission point information including at least one piece of permission point information and the first set being mapped to the first role information.
  • the second acquiring unit 304 may further be configured to query at least one second role information mapped to the at least one piece of upper layer subject information, wherein the second role information is used for identifying a role of an upper layer subj ect corresponding to each of the at least one upper layer subject information in an application system.
  • the second acquiring unit 304 may additionally acquire a second set including at least one piece of permission point information and the second set being mapped to the second role information.
  • FIG. 5 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure.
  • the authentication apparatus 400 includes the elements 401 to 406.
  • a receiving unit 401 is configured to receive an authentication request that includes user information and a candidate information set from a terminal, wherein the candidate information set includes at least one piece of candidate permission point information.
  • a first confirming unit 402 is configured to confirm at least one piece of upper layer subj ect information associated with the user information.
  • a first acquiring unit 403 is configured to acquire a first set of permission point information associated with the user information that includes at least one piece of permission point information associated with the user information.
  • a second acquiring unit 404 is configured to acquire a second set of permission point information associated with the upper layer subj ect information that includes at least one piece of permission point information according to the at least one piece of upper layer subj ect information.
  • a second confirming unit 405 is configured to determine the intersection of the first set of permission point information and the second set of permission point information. The resulting intersection represents an authentication set.
  • An authentication determining unit 406 is configured to determine whether the candidate information set intersects with the authentication set, and if the candidate information set intersects with the authentication set, confirm the intersection of the candidate information set and the authentication set as a set of permission point information which passes the
  • the second acquiring unit 404 is configured to, if there are at least two pieces of upper layer subject information, acquire a permission set including the at least one piece of permission point information
  • the first confirming unit 402 is further configured to confirm tenant information associated with the user information, and confirm project information pertaining to the tenant information and associated with the user information.
  • the second acquiring unit 404 is may further be configured to acquire a permission set corresponding to the tenant information and comprising at least one piece of permission point information, acquire a permission set corresponding to the project information and including at least one piece of permission point information, and determine an intersection of the permission set corresponding to the tenant information and the permission set corresponding to the project information as the second set of permission point information.
  • the first acquiring unit 402 is further configured to query a first role information mapped to the user information, wherein the first role information is used for identifying a role of a user corresponding to the received user information in an upper layer subject corresponding to the upper layer subject information, and query a first set including at least one piece of permission point information and the first set being mapped to the first role information.
  • the second acquiring unit 404 is then further configured to query at least one second role information mapped to the at least one piece of upper layer subject information, wherein the second role information is used for identifying a role of an upper layer subj ect corresponding to each of the at least one upper layer subject information in an application system, and query a second set including at least one piece of permission point information and the second set being mapped to the second role information.
  • each unit may be implemented as the described unit or as a plurality of software and/or hardware components in other embodiments.
  • the embodiments may be described as illustrating methods, systems, or computer program products. Therefore, hardware embodiments, software embodiments, or hardware-plus-software embodiments may be used to illustrate the present invention.
  • the present invention may further employ a computer program product which may be implemented by at least one non-transitory computer-readable storage medium with an executable program code stored thereon.
  • the non-transitory computer-readable storage medium comprises but not limited to a disk memory, a CD-ROM, and an optical memory.
  • These computer program instructions may also be stored a non-transitory computer-readable memory capable of causing a computer or other programmable data processing devices to work in a specific mode, such that the instructions stored on the non- transitory computer-readable memory implement a product comprising an instruction apparatus, wherein the instruction apparatus implements specific functions in at least one process in the flowcharts and/or at least one block in the block diagrams.
  • These computer program instructions may also be stored on a computer or other programmable data processing devices, such that the computer or the other programmable data processing devices execute a series of operations or steps to implement processing of the computer.
  • the instructions when executed on the computer or the other programmable data processing devices, implement the specific functions in at least one process in the flowcharts and/or at least one block in the block diagrams.
  • the present disclosure may be described in the general context of the computer executable instructions executed by the computer, for example, a program module.
  • the program module comprises a routine, program, object, component or data structure for executing specific tasks or implementing specific abstract data types.
  • the present disclosure may also be practiced in distributed computer environments. In such distributed computer environments, the tasks are executed by a remote device connected via a communication network. In the distributed computer environments, the program module may be located in the local and remote computer storage medium including the storage device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

An apparatus and a method allow for authentication of user information in an application system. The method includes receiving an authentication request, the authentication request including user information and candidate permission point information, and confirming at least one piece of upper layer subject information associated with the user information. The method also includes acquiring a first set of permission point information associated with the user information, and acquiring a second set of permission point information associated with the at least one upper layer subject information. The method continues with determining an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, and determining that the authentication is successful if the candidate permission point information is in the authentication set.

Description

SYSTEM AND METHOD FOR AUTHENTICATION
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the benefit of priority from Chinese Patent Application No. 201510551943.8, filed on September 1, 2015, entitled "Method and Apparatus for Authentication," and U.S. Patent Application No. 15/251,336, filed on August 30, 2016, entitled "System and Method for Authentication," both of which are incorporated herein by reference in their entirety.
BACKGROUND
Field of the Disclosure
[0002] The present disclosure generally relates to authorization management in computer systems, and in particular, relates to systems and methods for facilitating the authentication of users.
Description of Related Art
[0003] In general, "authorization management" refers to how users may access authorized resources, and only authorized resources, in accordance with the security rules or policies defined by a system. Authorization management technology manages the permissions of subjects to access objects in application systems, and may be applied to any application system after a user logs into the system (e.g., using a user account and a password).
[0004] In the related art, subjects may be a variety of users, and the access objects may be resources controlled or used by the system, including, without limitation, resources utilized by each module of the system such as server resources, data services, database resources, or the like. Application systems generally map permission information to individual users in advance and store these mappings using, for example, an ID of the user. In this manner, during the process of system authentication, the permission information of a user is identified according to the logged in user's ID. The identified permissions may then be used to control access to resources for the logged in user, thereby implementing a basic authorization management system.
[0005] In some specialized application systems (e.g., big data platforms), subjects may comprise other entities, such as tenants, projects, and the like, depending on the needs of the application system. In systems that include a variety of subjects, users are often assigned to one or more projects or tenants in order to implement authorization management.
Additionally, permissions to access system resources are also different with respect to the different projects or tenants. Thus the current technology of authorization management in application systems including a variety of subjects is still deficient.
BRIEF SUMMARY
[0006] Among the solutions realized with the embodiments of the present disclosure is the provision of an authentication method and an authentication apparatus that solve the prior art shortcomings of authorization management in an application system comprising a plurality of subjects. To solve the above technical problem, an authentication method and an authentication apparatus according to the embodiments of the present disclosure are implemented as follows.
[0007] One aspect of the present disclosure is drawn to a method for authentication of user information in an application system. The method includes receiving an authentication request, the authentication request including user information and candidate permission point information, confirming at least one piece of upper layer subject information associated with the user information, and acquiring a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information. The method also includes acquiring a second set of permission point information corresponding to the at least one upper layer subject information and including at least one piece of permission point information according to the at least one piece of upper layer subject information, and determining an intersection of the first set and the second set as an authentication set. The method further includes determining that the authentication is successful if the candidate permission point information is in the authentication set.
[0008] One aspect of the present disclosure is drawn to a method for authentication of user information in an application system. The method includes receiving an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information, and confirming at least one piece of upper layer subject information associated with the user information.
[0009] The method also includes acquiring a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information, and acquiring a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information. The method further includes determining an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, and determining a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set.
[0010] One aspect of the present disclosure is drawn to an apparatus for authentication of user information in an application system. The apparatus includes a processor and a non- transitory memory storing computer-executable instructions. When executed by the processor, the instructions cause the apparatus to receive an authentication request, the authentication request including user information and candidate permission point information, and confirm at least one piece of upper layer subject information associated with the user information.
[0011] The instructions also cause the apparatus to acquire a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information, and acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information. The instructions further cause the apparatus to determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information and to determine that the authentication is successful if the candidate permission point information is in the authentication set.
[0012] One aspect of the present disclosure is drawn to an apparatus for authentication of user information in an application system. The apparatus includes a processor and a non- transitory memory storing computer-executable instructions. When executed by the processor, the instructions cause the apparatus to receive an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information, and confirm at least one piece of upper layer subject information associated with the user information.
[0013] The instructions also cause the apparatus to acquire a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information, and acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information. The instructions further cause the apparatus to determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, and determine a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set. BRIEF DESCRIPTION OF THE DRAWINGS
[0014] The accompanying drawings described herein are intended, when taken together with the following detailed description, to provide further understanding of the present disclosure. The embodiments of the present disclosure and the description thereof are intended for further explaining and clarifying the present disclosure; the scope of the present disclosure is not defined by the description or the accompanying drawings of any specific embodiments, but rather by the claims. The present disclosure includes the following accompanying drawings.
[0015] Figure 1 is a diagram illustrating an architecture of an application system including a plurality of subjects according to some embodiments of the present disclosure.
[0016] Figure 2 is a flowchart of an authentication method according to some embodiments of the present disclosure.
[0017] Figure 3 is a flowchart of an authentication method according to some embodiments of the present disclosure.
[0018] Figure 4 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure.
[0019] Figure 5 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure.
DETAILED DESCRIPTION
[0020] In order to make the objectives, technical solutions, and advantages of the present disclosure more clear, the present disclosure will be described below in detail with reference to the accompanying drawings and the particular embodiments.
[0021] Figure 1 is a diagram illustrating an architecture of an application system including a plurality of subjects according to some embodiments of the present disclosure. The subjects of the architecture may include one or more users and an upper layer subject corresponding to each user. In one embodiment, the upper layer subject may be a tenant or a project. In the application system illustrated in Figure 1 , a platform management
administration-class subject may also be included. In one embodiment, a platform
management administration-class subject may include a platform administrator.
[0022] Generally, the application system includes one or more tenants with each tenant being associated with one or more projects and each project being associated with one or more users. A tenant may comprise a client group (e.g., a company) that uses or accesses resources of the application system or third-party systems. Likewise, a project may comprise a subgroup of the tenant (e.g., an organizational unit of a company or a product or task under development by the company). Each proj ect may have a corresponding project space, the project space corresponding to a location in the application system where the users process data. Users may define different project spaces for different product lines.
[0023] The application system may assign a role for each subject in the system. The roles may include roles of the users, projects, tenants, and administration-class members. In the context of the projects and tenants, the roles of the users may also be categorized into roles of the users at the project level, tenant level, or both the project and tenant level. For example, as illustrated in Figure 1 , the roles of each tenant include owner of the tenant, administrator, and members. The business roles of the members may include tenant-class director, tenant-class section chief, tenant-class engineer, and the like. The roles of the members may be administered by the administrator and the owner of the tenant may add or delete an administrator.
[0024] Each tenant may additionally create, update, delete, or otherwise administer projects. The roles in a project may include the roles of owner, administrator, and members of the project. The business roles of members may include project-class director, project-class section chief, project-class engineer, and the like. The roles of the members may be administered by an administrator and the owner of the tenant may add or delete an
administrator.
[0025] The roles of the platform administration-class members may include platform administrator, and the like. Roles assigned to the administrator may allow the platform administrator to administer platform-class roles and permission point information. As described more fully herein, permission point information includes a subject (e.g., a resource) and operations. Examples of operations include, a create operation of the administrator, view operation of an administrator list, create operation of a project, execution of an SQL operation, execution of a user-defined function, use operation of a data service, and the like.
[0026] In one embodiment, a tenant and project may be used as a group, and the group itself may have one or more corresponding roles. For example, an application system may comprise 1000 tenants and roles of the tenants may be categorized according to the classes of the tenants. That is, the roles of the tenants may include a set of n roles (e.g., {TenantRolei, TenantRole2, ... TenantRole„}) and the 1000 tenants may be mapped to these n roles, according to the classes of the tenants. Likewise, the tenants may also define permissions for the projects administered by the tenants according to the needs of the tenants or projects. For example, a tenant may be associated with 100 projects and the roles of the projects may include a set of m roles (e.g., {ProjectRolei, ProjectRole2, ... ProjectRolem}) and the 100 projects may be mapped to these m roles. The projects of other tenants on the application system may also be mapped to the set of m project roles.
[0027] The application system may additionally map role information to one or more pieces of permission point information (also referred to as a set comprising at least one piece of permission point information). For tenants, the application system may store a mapping between the tenants and tenant role information associated with each tenant. The application system may further store a mapping between the tenants and the one or more pieces of permission point information. For projects, the application system may map relationships between the projects and tenant role information and map relationships between the projects and the one or more pieces of permission point information. For the users, the application system may map relationships between the user information and the user role information (including project-class role information of the users, and tenant-class role information of the users) and map relationships between the user role information and the one or more pieces of permission point information. [0028] As discussed above, an upper layer subject may be a tenant or a project. However, in alternative embodiments, upper layer subjects may also include other subjects, such as a group, a subsidiary of a group, a department of a subsidiary, or the like. In addition, while the preceding examples illustrate a single layer of upper level subjects, the number of subjects is not subject to a particular limitation. For example, the application system may utilize three layers of subjects, or more than three layers of subjects. The embodiments described herein are described using two layers of upper layer subjects (e.g., projects and tenants) solely as an example.
[0029] Figure 2 is a flowchart of an authentication method according to some embodiments of the present disclosure. The authentication method may be executed, for example, by a server of the application system.
[0030] In step SI 01 the method receives an authentication request that includes user information and candidate permission point information. In one embodiment, the method may receive the authentication request from a user terminal. The terminal may be a computer, a smart wireless terminal, a server, or the like accessing the server of the application system.
[0031] A user may log into the application system using user information (e.g., a user name or identifier) and/or a password. After successfully logging in, the user may transmit an authentication request including the user information and candidate permission point information to the server. In one embodiment, the user information of the authentication request is based on, or includes, the user information used previously for logging in to the application system.
[0032] In some embodiments, the candidate permission point information may include one or more pieces of candidate permission point information and may additionally be confirmed by the server based on the user information. In alternative embodiments, the candidate permission point information may be confirmed in response to specific operations performed by the user. For example, when the authenticated user attempts to perform an operation, the method may confirm that the user has permission to perform such an operation in response to the attempt to perform the operation.
[0033] In step S I 02, the method confirms at least one piece of upper layer subject information associated with the user information. For example, if there are two pieces of upper layer subject information, that is, tenant information and project information, then the method, in step S I 02, confirms the tenant information associated with the user information and confirms the project information associated with both the tenant information and the user information.
[0034] In one embodiment, each user may be categorized in advance in a corresponding upper layer subject (e.g., a tenant or project). For example, the user information may include the name "Zhang San," and the upper layer subject information associated with this user information may be: "X tenant," "Y project under X tenant." Although illustrated as textual values, the user information and upper layer subject information may be stored in any suitable format for retrieval by the application system.
[0035] In step SI 03, the method acquires a first set of permission point information associated with the user information that includes at least one piece of permission point information associated with the user information. In this embodiment, the permission point information included in the first set of permission point information, A, may correspond to the permissions of the users, that is, the permission subject is the user.
[0036] In some embodiments, as part of acquiring a first set of permission point information in step SI 03, the method may also query first role information mapped to the received user information. As discussed previously, the first role information may be used for identifying a role of a user identified by the user information in an upper layer subject corresponding to the upper layer subject information. After querying the first role information, the method may then acquire a first set of permission point information, A, comprising at least one piece of permission point information mapped to the first role information.
[0037] For example, in an application system having tenants and projects, the first role information mapped to the user information may include the tenant-class role of the user and the project-class role of the user. Continuing the previous example, it may be confirmed that the user associated with the user information "Zhang San" has a tenant-class role of "tenant-class director," and a project-class role of "project supervisor." According to the different user roles of the user in different upper layer subjects (e.g., "tenant-class director" and "project-class supervisor"), two sets Al and A2 including at least one piece of permission point information corresponding to the respective user roles may be acquired by means of the aforementioned querying of first role information. That is, the two sets Al and A2 respectively indicate the permissions possessed by the user in the tenant class and the project class. A first set of permission point information, A, may be an intersection of the sets Al and A2. Specifically, if Al includes a set of permission points {Ql, Q2, Q3, Q4} and A2 includes a set of permission points {Ql, Q3, Q5, Q4} the first set of permission points comprises the intersection of Al and A2 (i.e., Α1 ΓΊΑ2), that is, the set {Ql, Q3, Q4} .
[0038] According to some embodiments of the present disclosure, the upper layer subject in the application system may only include a tenant if there are no projects under the tenant. In these embodiments, the role information and the corresponding permission set of the user in the tenant class only need to be acquired. In addition, if the application system includes a large number of upper layer subjects, and one or more upper layer subjects are empty, a permission set may be configured to ensure that the finally acquired permission intersection is not empty for a given upper layer subject. For example, the permission set corresponding to an empty one or more upper layer subjects may comprise all possible permission points.
[0039] In step S I 04, the method acquires a second set of permission point information associated with the upper layer subject information that includes at least one piece of permission point information.
[0040] As described above, each of the upper layer subjects in the application system possess corresponding permissions. According to some embodiments of the present disclosure, if there are at least two pieces of upper layer subject information, the method, in step SI 04 may acquire a permission set corresponding to each of the two pieces of upper layer subject information, and determine the intersection of the permission sets
corresponding to each of the at least two pieces of upper layer subject information as the second set of permission point information.
[0041] In some embodiments, as part of acquiring a second set of permission point information in the method in step SI 04, the method may also query second role information mapped to the upper layer subject information, the second role information used to identify a role of an upper layer subject corresponding to the upper layer subject information in an application system. After querying the second role information, the method may then acquire a second set of permission point information, B, that includes at least one piece of permission point information mapped to the second role information.
[0042] As discussed previously, in an application system having tenants and projects, the upper layer subject information may include tenant information and project information. In this embodiment, the corresponding second role information may include the role information of the tenant in the application system and the role information of the project in the application system. In some embodiments, the specific process of acquiring the second set B may include acquiring a permission set, Bl, corresponding to the tenant information and including at least one piece of permission point information. The method may then acquire a permission set, B2, corresponding to the project information and including at least one piece of permission point information. Finally, the method may determine the intersection of the permission set Bl and the permission set B2 as a second set of permission point information, B.
[0043] Continuing the previous example with respect to the user identified by the user information "Zhang San," the method may query a mapping table between users and upper subjects and determine that the project information corresponding to the user information may be, for example, "Y project under X tenant." Additionally, the method may determine that the corresponding tenant information may be, for example, "X tenant." By using a mapping table between upper layer subject and subject roles, the method may determine that the role information corresponding to the identified project information ("Y project under X tenant") is "ProjectRolen", and the role information corresponding to the identified tenant information ("X tenant") is "TenantRolei2."
[0044] By querying a mapping table between subject role information and permission point information, the method may determine that the permission set corresponding to the identified role information ("ProjectRolen") is the set Bl including the set of permission points{Ql, Q2, Q3, Q4, Q5, Q6, Q8, Q10}, and that the permission set corresponding to the identified role information ("TenantRole^") is the set B2 including the set of permission points {Q2, Q3, Q4, Q5, Q6, Q9, QIO} . In this example, the method may determine a second set of permission points by determining the intersection of sets Bl and B2 (i.e., Β1 ΓΊΒ2), that is, the set {Q2, Q3, Q4, Q5, Q6, Q10}.
[0045] In step SI 05, the method determines the intersection of the first set of permission point information, A, and the second set of permission point information, B. The resulting intersection represents an authentication set C (i.e., C=AnB).
[0046] In the some embodiments, the first set of permission point information, A, is a set of permission point information associated with the user in various upper layer subjects. The second set of permission point information, B, is a set of permission point information possessed by various upper layer subjects to which the user belongs. In the authorization management mechanism of the above application system, a set of permission point information corresponding to lower layer subjects (e.g., users) may be a subset of the set of permission point information corresponding to the upper layer subjects (e.g., tenants or projects).
[0047] For example, the user may be a lower layer subject of the project and tenant, and the project and tenant are the upper layer subjects of the user. In this case, the set of permission point information corresponding to the user is a subset of the set of permission point information corresponding to various tenants and projects. Therefore, an intersection of the first set of permission point information A and the second set of permission point information B (i.e., ΑΓΊΒ) needs to be confirmed as the authentication set C to confirm the permissions that the user actually possesses.
[0048] In step SI 06, the method determines whether the candidate permission point information is in the authentication set C and, in step SI 07, determines that the authentication is successful if the candidate permission point information is in the authentication set. Alternatively, if the candidate permission point information is not in the authentication set, the method determines that authentication is unsuccessful in step SI 08.
[0049] Continuing the previous example, if a first set of permission point information, A, contains permission points {Ql, Q3, Q4} and a second set of permission point information, B, contains permission points {Q2, Q3, Q4, Q5, Q6, QIO}. Then the method may determine that the authentication set, C, is equal to the intersection of sets A and B (i.e., ΑΓΊΒ), that is, the set including permission points {Q3, Q4}.
[0050] If the authentication request sent by the terminal carries the candidate permission point information Q3 and Q4, that is, the set {Q3, Q4}, the method can confirm that the authentication is successful and that the user of the terminal possesses the corresponding permission to access the resources of the application system since these permission points (Q3 and Q4) are present in the authentication set C. Conversely, if the authentication request sent by the terminal carries candidate permission point information which is not in the authentication set C, for example, Q5, the method can confirm that the authentication is unsuccessful, and the user of the terminal does not possess the
corresponding permission to access the resources of the application system.
[0051] Figure 3 is a flowchart of an authentication method according to some embodiments of the present disclosure. The authentication method may be executed, for example, by a server of an application system.
[0052] In step S201, the method receives an authentication request that includes user information and a candidate information set from a terminal, wherein the candidate information set includes at least one piece of candidate permission point.
[0053] In step S202, the method acquires a first set of permission point information, A, based on the user information and including at least one piece of permission point information based on the user information.
[0054] In step S203, the method confirms at least one piece of upper layer subject information associated with the user information.
[0055] In step S204, the method acquires a second set of permission point information, B corresponding to the upper layer subject information and including at least one piece of permission point information according to the at least one piece of upper layer subject information.
[0056] In step S205, the method determines the intersection of the first set of permission point information A and the second set of permission point information B as an authentication set C.
[0057] The candidate information set, D, utilized in steps S201 to S205 may be received in a similar manner as described with respect to steps SI 01 to SI 05, and is not repeated herein for the sake of clarity.
[0058] In step S206, the method determines whether the candidate information set D intersects with the authentication set C.
[0059] In step S207, if the candidate information set, D, intersects with the
authentication set, C, the method determines the intersection of the candidate information set D and the authentication set C as a set of permission point information, E (i.e.,
E=DnC), corresponding to the current authentication request and determines that the authentication request passes authentication. Alternatively, if the candidate information set D does not intersect with the authentication set C, the method determines that authentication is unsuccessful in step S208.
[0060] In the embodiments of the present disclosure, if the set E is equal to both set D and the intersection of sets D and C (i.e., E=DnC=D), this indicates that the candidate information set D is a subset of the authentication set C. That is, all the candidate permission point information included in the candidate information set D falls within the authentication set C. In this case, it may be determined that the authentication is successful. If the set E and the intersection of sets D and C, are empty sets (i.e., E=DnC= 0), this indicates that none of the candidate permission point information included in the candidate information set D falls in the authentication set C. In this case, it may be confirmed that the authentication is unsuccessful. If the set E and the intersection of sets D and C are a non-empty set (i.e., E=DnC=a non-empty set), but set E is a subset of set D, this indicates that some of the candidate permission point information included in the candidate information set D falls in the authentication set C. In this case, it may be determined that the authentication is partially successful.
[0061] Through the above process, the successfully authenticated permissions of the user using the terminal may be confirmed according to the permission point information included in the set E, wherein E is the intersection of sets D and C (i. e. , E=DnC).
[0062] Figure 4 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure. The authentication apparatus includes the elements 301 to 306.
[0063] A receiving unit 301 is configured to receive an authentication request that includes user information and candidate permission point information. In one embodiment, the receiving unit 301 may receive the authentication request from a user terminal.
[0064] A first confirming unit 302 is configured to confirm at least one piece of upper layer subj ect information associated with the user information.
[0065] A first acquiring unit 303 is configured to acquire a first set of permission point information associated with the user information that includes at least one piece of permission point information according associated with the user information.
[0066] A second acquiring unit 304 is configured to acquire a second set of permission point information associated with the upper layer subject information that includes at least one piece of permission point information.
[0067] A second confirming unit 305 is configured to determine the intersection of the first set of permission point information and the second set of permission point information. The resulting intersection represents an authentication set.
[0068] An authentication determining unit 306 is configured to determine whether the candidate permission point information is in the authentication set, and determine that the authentication is successful if the candidate permission point information is in the authentication set.
[0069] In some embodiments of the present disclosure, the second acquiring unit 304 is configured to, if there are at least two pieces of upper layer subject information, acquire a permission set including the at least one piece of permission point information
corresponding to each of the two pieces of upper layer subject information, and determine the intersection of the permission sets corresponding to each of the at least two pieces of upper layer subject information as the second set.
[0070] In some embodiments of the present disclosure, if the upper layer subject information includes tenant information and project information, then the first confirming unit 302 is further configured to confirm tenant information associated with the user information and confirm project information pertaining to the tenant information and associated with the user information.
[0071] The second acquiring unit 304 is then further configured to acquire a permission set corresponding to the tenant information and including at least one piece of permission point information, acquire a permission set corresponding to the project information and including at least one piece of permission point information, and determine the intersection of the permission set corresponding to the tenant information and the permission set
corresponding to the project information as the second set of permission point information.
[0072] In some embodiments of the present disclosure, the first acquiring unit 302 may further be configured to query first role information mapped to the received user information, wherein the first role information may be used for identifying a role of a user identified by the user information in an upper layer subject corresponding to the upper layer subject information. The first acquiring unit 302 may additionally acquire a first set of permission point information including at least one piece of permission point information and the first set being mapped to the first role information.
[0073] The second acquiring unit 304 may further be configured to query at least one second role information mapped to the at least one piece of upper layer subject information, wherein the second role information is used for identifying a role of an upper layer subj ect corresponding to each of the at least one upper layer subject information in an application system. The second acquiring unit 304 may additionally acquire a second set including at least one piece of permission point information and the second set being mapped to the second role information.
[0074] Figure 5 is a diagram illustrating an authentication apparatus according to some embodiments of the present disclosure. The authentication apparatus 400 includes the elements 401 to 406.
[0075] A receiving unit 401 is configured to receive an authentication request that includes user information and a candidate information set from a terminal, wherein the candidate information set includes at least one piece of candidate permission point information.
[0076] A first confirming unit 402 is configured to confirm at least one piece of upper layer subj ect information associated with the user information.
[0077] A first acquiring unit 403 is configured to acquire a first set of permission point information associated with the user information that includes at least one piece of permission point information associated with the user information.
[0078] A second acquiring unit 404 is configured to acquire a second set of permission point information associated with the upper layer subj ect information that includes at least one piece of permission point information according to the at least one piece of upper layer subj ect information.
[0079] A second confirming unit 405 is configured to determine the intersection of the first set of permission point information and the second set of permission point information. The resulting intersection represents an authentication set.
[0080] An authentication determining unit 406 is configured to determine whether the candidate information set intersects with the authentication set, and if the candidate information set intersects with the authentication set, confirm the intersection of the candidate information set and the authentication set as a set of permission point information which passes the
authentication.
[0081] In some embodiments of the present disclosure, the second acquiring unit 404 is configured to, if there are at least two pieces of upper layer subject information, acquire a permission set including the at least one piece of permission point information
corresponding to each of the two pieces of upper layer subject information and determine an intersection of the permission sets corresponding to each of the two pieces of upper layer subj ect information as the second set of permission point information.
[0082] In some embodiments of the present disclosure, if the upper layer subject information includes tenant information and project information, then the first confirming unit 402 is further configured to confirm tenant information associated with the user information, and confirm project information pertaining to the tenant information and associated with the user information.
[0083] The second acquiring unit 404 is may further be configured to acquire a permission set corresponding to the tenant information and comprising at least one piece of permission point information, acquire a permission set corresponding to the project information and including at least one piece of permission point information, and determine an intersection of the permission set corresponding to the tenant information and the permission set corresponding to the project information as the second set of permission point information.
[0084] In some embodiments of the present disclosure, the first acquiring unit 402 is further configured to query a first role information mapped to the user information, wherein the first role information is used for identifying a role of a user corresponding to the received user information in an upper layer subject corresponding to the upper layer subject information, and query a first set including at least one piece of permission point information and the first set being mapped to the first role information.
[0085] The second acquiring unit 404 is then further configured to query at least one second role information mapped to the at least one piece of upper layer subject information, wherein the second role information is used for identifying a role of an upper layer subj ect corresponding to each of the at least one upper layer subject information in an application system, and query a second set including at least one piece of permission point information and the second set being mapped to the second role information.
[0086] For ease of description, in the descriptions above the apparatuses are divided into various units according to function for separate description. Nevertheless, the function of each unit may be implemented as the described unit or as a plurality of software and/or hardware components in other embodiments.
[0087] Those skilled in the art will understand that the embodiments may be described as illustrating methods, systems, or computer program products. Therefore, hardware embodiments, software embodiments, or hardware-plus-software embodiments may be used to illustrate the present invention. In addition, the present invention may further employ a computer program product which may be implemented by at least one non-transitory computer-readable storage medium with an executable program code stored thereon. The non-transitory computer-readable storage medium comprises but not limited to a disk memory, a CD-ROM, and an optical memory.
[0088] The present invention is described based on the flowcharts and/or block diagrams of the method, device (system), and computer program product. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and any combination of the processes and/or blocks in the flowcharts and/or block diagrams may be implemented using computer program instructions. These computer program instructions may be issued to a computer, a dedicated computer, an embedded processor, or processors of other programmable data processing device to generate a machine, which enables the computer or the processors of other programmable data processing devices to execute the instructions to implement an apparatus for implementing specific functions in at least one process in the flowcharts and/or at least one block in the block diagrams.
[0089] These computer program instructions may also be stored a non-transitory computer-readable memory capable of causing a computer or other programmable data processing devices to work in a specific mode, such that the instructions stored on the non- transitory computer-readable memory implement a product comprising an instruction apparatus, wherein the instruction apparatus implements specific functions in at least one process in the flowcharts and/or at least one block in the block diagrams.
[0090] These computer program instructions may also be stored on a computer or other programmable data processing devices, such that the computer or the other programmable data processing devices execute a series of operations or steps to implement processing of the computer. In this way, the instructions, when executed on the computer or the other programmable data processing devices, implement the specific functions in at least one process in the flowcharts and/or at least one block in the block diagrams.
[0091] It should be noted that, in this specification, terms "comprises", "comprising", "has", "having", "includes", "including", "contains", "containing" or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or device, that comprises, has, includes, contains a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or device. An element proceeded by "comprises... a", "has... a", "includes... a", "contains... a" does not, without more constraints, preclude the existence of additional identical elements in the process, method, article, or device.
[0092] The present disclosure may be described in the general context of the computer executable instructions executed by the computer, for example, a program module.
Generally, the program module comprises a routine, program, object, component or data structure for executing specific tasks or implementing specific abstract data types. The present disclosure may also be practiced in distributed computer environments. In such distributed computer environments, the tasks are executed by a remote device connected via a communication network. In the distributed computer environments, the program module may be located in the local and remote computer storage medium including the storage device.
[0093] Various embodiments in the specification are described in a progressive manner. The same or similar parts between the embodiments may be referenced to each other. In each embodiment, the portion that is different from other embodiments is concentrated and described. In particular, with respect to a system, since it is substantially similar to the method embodiment, brief description is given. The related portions may be referenced to the description of the portions in the method embodiments.
[0094] Detailed above are embodiments of the present disclosure, and are not intended to limit the present disclosure. For those skilled in the art, the present disclosure may be subjected to various modifications and variations. Any modification, equivalent replacement, or improvement made without departing from the spirit and principle of the present disclosure should fall within the protection scope of the present disclosure.

Claims

CLAIMS What is claimed is:
1. A method for authenticating a user in an application system, the method comprising:
receiving, at a server, an authentication request, the authentication request including user information and candidate permission point information;
confirming, by the server, at least one piece of upper layer subject information associated with the user information;
acquiring, by the server, a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information;
acquiring, by the server, a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information;
determining, by the server, an authentication set based on an intersection of the first set of permission point information and the second set of permission point information; and determining, by the server, that the authentication is successful if the candidate permission point information is in the authentication set.
2. The method according to claim 1, wherein the user information includes at least two pieces of upper layer subject information and wherein the acquiring the second set of permission point information comprises:
acquiring, by the server, permission sets associated with the at least two pieces of the upper layer subject information; and
determining, by the server, an intersection of the permission sets as the second set of permission point information.
3. The method according to claim 1 , wherein the at least one piece of upper layer subject information includes tenant information and project information, wherein the confirming at least one piece of upper layer subject information comprises:
confirming, by the server, tenant information associated with the user information; and
confirming, by the server, project information associated with the tenant information and associated with the user information, and
wherein acquiring the second set of permission point information comprises:
acquiring, by the server, a permission set associated with the tenant information and including at least one piece of permission point information;
acquiring, by the server, a permission set associated with the project information and including at least one piece of permission point information; and determining, by the server, an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
4. The method according to claim 1, wherein acquiring the first set of permission point information includes querying first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by the at least one piece of upper layer subject information, and wherein the first set of permission point information is mapped to the first role information.
5. The method according to claim 1, wherein acquiring the second set of permission point information includes querying at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subject for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.
6. A method for authenticating a user in an application system, the method comprising:
receiving, by a server, an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information;
confirming, by the server, at least one piece of upper layer subject information associated with the user information;
acquiring, by the server, a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information;
acquiring, by the server, a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information;
determining, by the server, an authentication set based on an intersection of the first set of permission point information and the second set of permission point information; and determining, by the server, a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set.
7. The method according to claim 6, wherein the user information includes at least two pieces of upper layer subject information and wherein the acquiring the second set of permission point information comprises:
acquiring, by the server, permission sets associated with the at least two pieces of the upper layer subject information; and
determining, by the server, an intersection of the permission sets as the second set of permission point information.
8. The method according to claim 6, wherein confirming at least one piece of upper layer subj ect information comprises:
confirming, by the server, tenant information associated with the user information; and
confirming, by the server, project information associated with the tenant information and associated with the user information, and
wherein acquiring the second set, when the upper layer subject information includes tenant information and project information, comprises:
acquiring, by the server, a permission set associated with the tenant information and including at least one piece of permission point information;
acquiring, by the server, a permission set associated with the project information and including at least one piece of permission point information; and determining, by the server, an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
9. The method according to claim 6, wherein the acquiring the first set of permission point information comprises querying first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by at least one piece of upper layer subject information, and wherein the first set of permission point information is mapped to the first role information.
10. The method according to claim 6, wherein acquiring the second set of permission point information comprises querying at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subject for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.
11. An apparatus for authenticating a user in an application system, the apparatus comprising:
a processor; and
a non-transitory memory storing computer-executable instructions therein that, when executed by the processor, cause the apparatus to:
receive an authentication request, the authentication request including user information and candidate permission point information;
confirm at least one piece of upper layer subject information associated with the user information;
acquire a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information;
acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subj ect information;
determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information; and
determine that the authentication is successful if the candidate permission point information is in the authentication set.
12. The apparatus according to claim 11 , wherein the user information includes at least two pieces of upper layer subject information and wherein the instruction to acquire a second set of permission point information further causes the apparatus to: acquire permission sets associated with the at least two pieces of the upper layer subject information; and
determine an intersection of the permission sets as the second set of permission point information.
13. The apparatus according to claim 11, wherein the at least one piece of upper layer subject information includes tenant information and project information, wherein the instruction to confirm at least one piece of upper layer subject information further causes the apparatus to:
confirm tenant information associated with the user information; and
confirm project information associated with the tenant information and associated with the user information, and
wherein the instruction to acquire the second set of permission point information further causes the apparatus to:
acquire a permission set associated with the tenant information and including at least one piece of permission point information;
acquire a permission set associated with the project information and including at least one piece of permission point information; and
determine an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
14. The apparatus according to claim 11 , wherein the instruction to acquire the first set of permission point information further causes the apparatus to query first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by the at least one piece of upper layer subject information, and wherein the first set of permission point information is mapped to the first role information.
15. The apparatus according to claim 11, wherein the instruction to acquire the second set of permission point information further causes the apparatus to query at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subject for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.
16. An apparatus for authenticating a user in an application system, the apparatus comprising:
a processor; and
a non-transitory memory storing computer-executable instructions therein that, when executed by the processor, cause the apparatus to:
receive an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information;
confirm at least one piece of upper layer subject information associated with the user information;
acquire a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information;
acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information;
determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information; and determine a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set .
17. The apparatus according to claim 16, wherein the user information includes at least two pieces of upper layer subject information wherein the instruction to acquire a second set of permission point information further causes the apparatus to:
acquire permission sets associated with the at least two pieces of the upper layer subject information; and
determine an intersection of the permission sets as the second set of permission point information .
18. The apparatus according to claim 16, wherein the upper layer subject information includes tenant information and project information, wherein the instruction to confirm at least one piece of upper layer subject information further causes the apparatus to:
confirm tenant information associated with the user information; and
confirm project information associated with the tenant information and associated with the user information, and
wherein the instruction to acquire the second set of permission point information further causes the apparatus to:
acquire a permission set associated with the tenant information and including at least one piece of permission point information;
acquire a permission set associated with the project information and including at least one piece of permission point information; and
determine an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
19. The apparatus according to claim 16, wherein the instruction to acquire the first set of permission point information further causes the apparatus to query first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by at least one piece of upper layer subj ect information, and wherein the first set of permission point information is mapped to the first role information.
20. The apparatus according to claim 16, wherein the instruction to acquire the second set of permission point information further causes the apparatus to query at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subj ect for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.
PCT/US2016/049562 2015-09-01 2016-08-31 System and method for authentication WO2017040570A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP16842848.0A EP3345371A4 (en) 2015-09-01 2016-08-31 System and method for authentication

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201510551943.8A CN106487770B (en) 2015-09-01 2015-09-01 Method for authenticating and authentication device
CN201510551943.8 2015-09-01
US15/251,336 2016-08-30
US15/251,336 US10333939B2 (en) 2015-09-01 2016-08-30 System and method for authentication

Publications (1)

Publication Number Publication Date
WO2017040570A1 true WO2017040570A1 (en) 2017-03-09

Family

ID=58097051

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/049562 WO2017040570A1 (en) 2015-09-01 2016-08-31 System and method for authentication

Country Status (5)

Country Link
US (1) US10333939B2 (en)
EP (1) EP3345371A4 (en)
CN (1) CN106487770B (en)
TW (1) TWI716385B (en)
WO (1) WO2017040570A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10311248B1 (en) * 2017-01-27 2019-06-04 Intuit Inc. Managing delegated access permissions
CN110968858B (en) * 2018-09-30 2022-04-01 北京国双科技有限公司 User authority control method and system
CN109039792A (en) * 2018-10-30 2018-12-18 深信服科技股份有限公司 Management method, device, equipment and the storage medium of network management device
CN113704285A (en) * 2021-08-30 2021-11-26 北京达佳互联信息技术有限公司 Permission-based retrieval method, device and equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030154406A1 (en) * 2002-02-14 2003-08-14 American Management Systems, Inc. User authentication system and methods thereof
US20070214364A1 (en) * 2006-03-07 2007-09-13 Roberts Nicole A Dual layer authentication system for securing user access to remote systems and associated methods
US20090249477A1 (en) * 2008-03-28 2009-10-01 Yahoo! Inc. Method and system for determining whether a computer user is human
US20110191838A1 (en) * 2010-02-02 2011-08-04 Kazu Yanagihara Authentication Using Transient Event Data
US20120233668A1 (en) 2011-03-08 2012-09-13 Rackspace Us, Inc. Pluggable Allocation in a Cloud Computing System
US20140282889A1 (en) 2013-03-14 2014-09-18 Rackspace Us, Inc. Method and System for Identity-Based Authentication of Virtual Machines
US8856954B1 (en) 2010-12-29 2014-10-07 Emc Corporation Authenticating using organization based information
WO2015013745A1 (en) 2013-07-29 2015-02-05 Berkeley Information Technology Pty Ltd Systems and methodologies for managing document access permissions

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8447630B2 (en) 2004-02-26 2013-05-21 Payment Pathways, Inc. Systems and methods for managing permissions for information ownership in the cloud
US7664751B2 (en) * 2004-09-30 2010-02-16 Google Inc. Variable user interface based on document access privileges
US7644086B2 (en) * 2005-03-29 2010-01-05 Sas Institute Inc. Computer-implemented authorization systems and methods using associations
US20070083915A1 (en) * 2005-10-06 2007-04-12 Janani Janakiraman Method and system for dynamic adjustment of computer security based on personal proximity
CN100542140C (en) * 2006-12-15 2009-09-16 华为技术有限公司 A kind of method of calling party data and management server for user archive
US8332922B2 (en) * 2007-08-31 2012-12-11 Microsoft Corporation Transferable restricted security tokens
US8196175B2 (en) 2008-03-05 2012-06-05 Microsoft Corporation Self-describing authorization policy for accessing cloud-based resources
US8418222B2 (en) 2008-03-05 2013-04-09 Microsoft Corporation Flexible scalable application authorization for cloud computing environments
CN102236750B (en) 2010-04-29 2016-03-30 国际商业机器公司 The method and apparatus of control of authority is carried out in cloud storage system
US8381285B2 (en) * 2010-06-25 2013-02-19 Sap Ag Systems and methods for generating constraints for use in access control
US8689298B2 (en) * 2011-05-31 2014-04-01 Red Hat, Inc. Resource-centric authorization schemes
US8769622B2 (en) 2011-06-30 2014-07-01 International Business Machines Corporation Authentication and authorization methods for cloud computing security
US20130074158A1 (en) * 2011-09-20 2013-03-21 Nokia Corporation Method and apparatus for domain-based data security
US8682958B2 (en) 2011-11-17 2014-03-25 Microsoft Corporation Decoupling cluster data from cloud deployment
US9483491B2 (en) 2011-11-29 2016-11-01 Egnyte, Inc. Flexible permission management framework for cloud attached file systems
US9460303B2 (en) 2012-03-06 2016-10-04 Microsoft Technology Licensing, Llc Operating large scale systems and cloud services with zero-standing elevated permissions
US9319286B2 (en) 2012-03-30 2016-04-19 Cognizant Business Services Limited Apparatus and methods for managing applications in multi-cloud environments
US8595799B2 (en) * 2012-04-18 2013-11-26 Hewlett-Packard Development Company, L.P. Access authorization
US9210178B1 (en) 2012-06-15 2015-12-08 Amazon Technologies, Inc. Mixed-mode authorization metadata manager for cloud computing environments
US9209973B2 (en) 2012-11-20 2015-12-08 Google Inc. Delegate authorization in cloud-based storage system
US10235383B2 (en) 2012-12-19 2019-03-19 Box, Inc. Method and apparatus for synchronization of items with read-only permissions in a cloud-based environment
US8769644B1 (en) 2013-03-15 2014-07-01 Rightscale, Inc. Systems and methods for establishing cloud-based instances with independent permissions
TWI537850B (en) 2013-03-27 2016-06-11 Cloud Control System and Method for Controlled Equipment
CN103312721B (en) * 2013-07-04 2016-12-28 北京迈普华兴信息技术有限公司 A kind of cloud platform accesses and controls framework and implementation method thereof
CN103324487B (en) * 2013-07-10 2014-09-10 浙江中新力合控股有限公司 Method for achieving SaaS for workflow engine
US9805106B2 (en) 2013-10-04 2017-10-31 Alfresco Software, Inc. Hybrid synchronization between cloud and on-premise systems in a content management system
CN104573430B (en) * 2013-10-21 2018-05-18 华为技术有限公司 A kind of data access authority control method and device
KR101583356B1 (en) 2013-11-01 2016-01-07 주식회사 케이티 Method of using cloud storages through home gateway and home gateway used therein
US9397990B1 (en) 2013-11-08 2016-07-19 Google Inc. Methods and systems of generating and using authentication credentials for decentralized authorization in the cloud
US9386007B2 (en) 2013-12-27 2016-07-05 Sap Se Multi-domain applications with authorization and authentication in cloud environment
TWI590172B (en) * 2014-01-09 2017-07-01 全宏科技股份有限公司 Authorizing server,authorizing method and computer program product
US9300660B1 (en) 2015-05-29 2016-03-29 Pure Storage, Inc. Providing authorization and authentication in a cloud for a user of a storage array

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030154406A1 (en) * 2002-02-14 2003-08-14 American Management Systems, Inc. User authentication system and methods thereof
US20070214364A1 (en) * 2006-03-07 2007-09-13 Roberts Nicole A Dual layer authentication system for securing user access to remote systems and associated methods
US20090249477A1 (en) * 2008-03-28 2009-10-01 Yahoo! Inc. Method and system for determining whether a computer user is human
US20110191838A1 (en) * 2010-02-02 2011-08-04 Kazu Yanagihara Authentication Using Transient Event Data
US8856954B1 (en) 2010-12-29 2014-10-07 Emc Corporation Authenticating using organization based information
US20120233668A1 (en) 2011-03-08 2012-09-13 Rackspace Us, Inc. Pluggable Allocation in a Cloud Computing System
US20140282889A1 (en) 2013-03-14 2014-09-18 Rackspace Us, Inc. Method and System for Identity-Based Authentication of Virtual Machines
WO2015013745A1 (en) 2013-07-29 2015-02-05 Berkeley Information Technology Pty Ltd Systems and methodologies for managing document access permissions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3345371A4 *

Also Published As

Publication number Publication date
EP3345371A4 (en) 2019-05-01
EP3345371A1 (en) 2018-07-11
TW201710944A (en) 2017-03-16
CN106487770A (en) 2017-03-08
TWI716385B (en) 2021-01-21
CN106487770B (en) 2019-07-30
US10333939B2 (en) 2019-06-25
US20170063862A1 (en) 2017-03-02

Similar Documents

Publication Publication Date Title
WO2022126968A1 (en) Micro-service access method, apparatus and device, and storage medium
AU2018374912B2 (en) Model training system and method, and storage medium
CN102497635B (en) Server, terminal and account password acquisition method
US20170237729A1 (en) Securing user-accessed applications in a distributed computing environment
CN108259422B (en) Multi-tenant access control method and device
CN110912938A (en) Access verification method and device for network access terminal, storage medium and electronic equipment
CN107645532B (en) User management method and device of hybrid cloud
US10333939B2 (en) System and method for authentication
CN103095720B (en) A kind of method for managing security of cloud storage system of dialogue-based management server
CN107196951A (en) The implementation method and firewall system of a kind of HDFS systems fire wall
CN110602216A (en) Method and device for using single account by multiple terminals, cloud server and storage medium
CN107872440B (en) Identity authentication method, device and system
CN111400355B (en) Data query method and device
CN110290150A (en) A kind of login validation method and login authentication device of Virtual Private Network VPN
CN105933374A (en) Mobile terminal data backup method, system and mobile terminal
CN102685122B (en) The method of the software protection based on cloud server
CN114422197A (en) Permission access control method and system based on policy management
CN112910904A (en) Login method and device of multi-service system
CN106330836B (en) Access control method of server to client
CN104796432A (en) Data protection method and safety bastion host
CN106534102A (en) Device access method and device and electronic device
CN105069366A (en) Account registration and management method and device
JP6186013B2 (en) System, method and computer program product for providing universal sustainability cloud service
CN108494749B (en) Method, device and equipment for disabling IP address and computer readable storage medium
WO2017112484A1 (en) Data breach detection system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16842848

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE