WO2020156135A1 - Method and device for processing access control policy and computer-readable storage medium - Google Patents


Info

Publication number: WO2020156135A1
Application number: PCT/CN2020/071912
Authority: WO (WIPO, PCT)
Prior art keywords: access control, policy, resource, cse, target
Other languages: French (fr), Chinese (zh)
Inventor: 周巍
Original assignee / applicant: 电信科学技术研究院有限公司 (China Academy of Telecommunications Technology Co., Ltd.)
Priority date: January 28, 2019 (Chinese patent application No. 201910079440.3; see the cross-reference in the description)

Classifications

All entries fall under H (Electricity), H04 (Electric communication technique), with H04L (Transmission of digital information, e.g. telegraphic communication) and H04W (Wireless communication networks):
    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 63/0807 Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos (under H04L 63/08)
    • H04L 63/20 Network architectures or network communication protocols for network security, for managing network security; network security policies in general
    • H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC] (under H04W 4/00 Services specially adapted for wireless communication networks)

Abstract

The present disclosure provides a method and device for processing an access control policy, and a computer-readable storage medium. The method comprises: receiving a resource access request from a resource access originator for a target resource; determining, according to the resource access request, a target access control policy for the target resource, where the target access control policy is an access control policy with scheduling capability; obtaining, according to the target access control policy, a policy evaluation result for the target resource; and executing an access control decision according to the policy evaluation result.

Description

Method, device and computer-readable storage medium for processing an access control policy
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201910079440.3, filed in China on January 28, 2019, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of communication technology, and in particular to a method, a device and a computer-readable storage medium for processing an access control policy.
Background
oneM2M (the international standardization body for the IoT field) uses an access control mechanism based on access control lists (ACLs). An access control list is bound to a resource in the oneM2M resource tree. An access control policy can either be stored locally or be supplied through a token. The current oneM2M rule is: when the local policy is empty, the token policy is used if one is present. oneM2M is also expected to support new kinds of access control policy, such as attribute-based access control policies. However, oneM2M does not yet support evaluating a local policy and a token policy together.
There is therefore a need to solve the problem of how different kinds of access control policy work together during access control.
Summary
Embodiments of the present disclosure provide a method, a device and a computer-readable storage medium for processing an access control policy, so as to solve the problem of how different kinds of access control policy work together during access control.
To solve the above technical problem, the present disclosure is implemented as follows:
In a first aspect, an embodiment of the present disclosure provides a method for processing an access control policy, comprising:
receiving a resource access request from a resource access originator for a target resource;
determining, according to the resource access request, a target access control policy for the target resource, where the target access control policy is an access control policy with scheduling capability;
obtaining, according to the target access control policy, a policy evaluation result for the target resource;
executing an access control decision according to the policy evaluation result;
where the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource comprise one or more access control policies of the same kind, or one or more access control policies of different kinds.
The resource attributes or child resources of the target access control policy comprise at least one of the following:
a resource identifier, which uniquely identifies the target access control policy;
a policy management permission, which describes the access control policy governing access to the target access control policy itself;
a policy applicability scope, which describes the resource access originators and/or the resources to which the target access control policy applies;
a policy combining algorithm, which describes how the evaluation results of multiple access control policies are combined;
a token policy application rule, which describes how token policies are used;
a privacy policy, which describes the information to be filtered out of the result returned to the resource access originator;
an access control policy list, which describes one or more access control policies, the one or more access control policies being of the same kind or of different kinds;
a PDP-CSE (policy decision point CSE; CSE = common services entity) address list, which describes the CSEs that provide access control decisions to the hosting CSE acting as the policy enforcement point (PEP);
a PRP-CSE (policy retrieval point CSE) address list, which describes the CSEs that provide access control policies to the CSE acting as the PDP;
a PIP-CSE (policy information point CSE) address list, which describes the CSEs that provide access control information to the CSE acting as the PDP.
The access control policies associated with the target resource comprise one or more of: a local access control policy, a token policy, and an access control policy stored in a distributed manner;
the local access control policy comprises a first local access control policy and/or a second local access control policy;
where the first local access control policy is stored in the access control policy list of the target access control policy, and the second local access control policy is stored in the resource of another access control policy and is referenced by resource reference.
Obtaining, according to the target access control policy, a policy evaluation result for the target resource comprises:
determining, according to the policy applicability scope, whether the resource access originator and/or the target resource fall within the scope of the target access control policy;
if the resource access originator and/or the target resource fall within the scope of the target access control policy, obtaining the access control policies associated with the target resource;
evaluating the access control policies associated with the target resource to obtain a policy evaluation result.
If the resource access request includes an access control token, and the token policy application rule indicates that the token policy is to be used, evaluating the access control policies associated with the target resource to obtain a policy evaluation result comprises:
evaluating the token policy to obtain a token policy evaluation result.
When there are multiple policy evaluation results, the method further comprises:
combining the multiple policy evaluation results according to the policy combining algorithm.
The method further comprises:
obtaining a privacy policy;
and executing an access control decision according to the policy evaluation result comprises:
when the policy evaluation result indicates that access is permitted, permitting access to the target resource and filtering out of the target resource the resource attributes and/or child resources that correspond to the privacy policy.
When the token policy application rule indicates that the token policy is to be used, and the resource access request does not include an access control token, the method further comprises:
sending the address of the token authorization entity to the resource access originator.
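An added worked example (an editor's illustration, not code from the patent or from any oneM2M implementation) of the single-CSE flow described above: the scope check, collection of the first local policies (the policy list) and the second local policies (by resource reference), application of the token policy application rule, evaluation of the token policy, combination of the results by the policy combining algorithm, privacy filtering of a permitted result, and the redirect to the token authorization entity when a required token is missing. All names (SchedulingAcp, the `ignore`/`optional`/`required` rule values, the resource and originator identifiers, the token authority address) and the token format (claims plus an HMAC-SHA256 tag under a key shared with the token authorization entity) are assumptions; the page does not describe oneM2M's real token encoding and it is not modelled here.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
TOKEN_REQUIRED = "TokenRequired"   # assumed outcome: token mandatory but not supplied
# Assumed encodings of the token policy application rule.
TOKEN_RULE_IGNORE, TOKEN_RULE_OPTIONAL, TOKEN_RULE_REQUIRED = "ignore", "optional", "required"
# Constructed key shared with the token authorization entity (assumption; a plain HMAC tag
# stands in for whatever token encoding a real deployment uses).
TOKEN_KEY = b"constructed-demo-key"

@dataclass
class Request:
    originator: str
    target: str           # resource identifier of the target resource
    operation: str        # e.g. "RETRIEVE", "DELETE"
    token: dict = None    # access control token carried in the request, if any

@dataclass
class LocalPolicy:
    """Minimal ACL entry: which originators may perform which operations."""
    originators: set
    operations: set

    def evaluate(self, req):
        if req.originator not in self.originators:
            return NOT_APPLICABLE
        return PERMIT if req.operation in self.operations else DENY

@dataclass
class SchedulingAcp:
    """The policy with scheduling capability; fields mirror the attributes listed above."""
    resource_id: str
    scope_originators: set      # policy applicability scope: originators
    scope_resources: set        # policy applicability scope: resources
    combining: str              # "deny-overrides" or "permit-overrides"
    token_rule: str             # token policy application rule
    token_authority: str        # address of the token authorization entity
    privacy_filter: set         # attributes removed from a permitted result
    policy_list: list = field(default_factory=list)   # first local policies
    policy_refs: list = field(default_factory=list)   # ids of second local policies

def _canonical(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def mint_token(claims, key=TOKEN_KEY):
    """Constructed token: claims plus an HMAC-SHA256 tag over their canonical JSON."""
    return {**claims, "mac": hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()}

def verify_token(token, key=TOKEN_KEY):
    claims = {k: v for k, v in token.items() if k != "mac"}
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(token.get("mac", "")))

def evaluate_token_policy(req):
    """Token policy: the token must be intact, issued to this originator and cover the target."""
    tok = req.token
    if (not verify_token(tok) or tok.get("holder") != req.originator
            or req.target not in tok.get("resources", [])):
        return DENY
    return PERMIT if req.operation in tok.get("operations", []) else DENY

def combine(results, algorithm):
    """Policy combining algorithm over the individual evaluation results."""
    decisive = [r for r in results if r != NOT_APPLICABLE]
    if not decisive:
        return DENY                                    # no policy applied: fail closed
    if algorithm == "deny-overrides":
        return DENY if DENY in decisive else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in decisive else DENY
    raise ValueError(f"unknown combining algorithm {algorithm!r}")

def process_request(acp, acp_store, req, resource):
    """One hosting CSE. Returns (decision, payload): filtered resource, token authority address, or None."""
    if req.originator not in acp.scope_originators or req.target not in acp.scope_resources:
        return DENY, None                              # outside the policy applicability scope
    policies = list(acp.policy_list) + [acp_store[ref] for ref in acp.policy_refs]
    results = [p.evaluate(req) for p in policies]
    if acp.token_rule != TOKEN_RULE_IGNORE:
        if req.token is not None:
            results.append(evaluate_token_policy(req))
        elif acp.token_rule == TOKEN_RULE_REQUIRED:
            return TOKEN_REQUIRED, acp.token_authority  # tell the originator where to get one
    if combine(results, acp.combining) != PERMIT:
        return DENY, None
    return PERMIT, {k: v for k, v in resource.items() if k not in acp.privacy_filter}

def build_example():
    """Constructed sample data: one scheduling ACP guarding a sensor container."""
    acp_store = {"acp-ref-1": LocalPolicy({"ae-app1"}, {"RETRIEVE"})}   # second local policy
    acp = SchedulingAcp("acp-sched-1", {"ae-app1", "ae-app2"}, {"cnt-sensor"}, "deny-overrides",
                        TOKEN_RULE_REQUIRED, "//csebase/tokenAuthority", {"location"},
                        [LocalPolicy({"ae-app2"}, {"RETRIEVE", "DELETE"})], ["acp-ref-1"])
    resource = {"rn": "cnt-sensor", "temperature": 21.5, "location": "ward-3"}
    return acp, acp_store, resource
```

Two points worth noticing in the example: the evaluator fails closed when no policy is applicable, and the combining algorithm decides the outcome when the referenced local policy and the token policy disagree (with `deny-overrides` a local Deny wins even though the token grants DELETE; with `permit-overrides` the token wins). That combined evaluation of a local policy and a token policy is exactly what the background section says oneM2M lacks.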
Receiving a resource access request from a resource access originator for a target resource comprises:
the hosting CSE acting as the policy enforcement point (PEP-CSE) receiving the resource access request and forwarding it to a policy decision point (PDP-CSE) according to the PDP-CSE address list;
determining, according to the resource access request, the target access control policy of the target resource comprises:
the CSE acting as the PDP-CSE determining the target access control policy according to the resource access request and obtaining, according to the PRP-CSE address list, the access control policies associated with the target resource from a policy retrieval point (PRP-CSE);
obtaining, according to the target access control policy, a policy evaluation result for the target resource comprises:
the CSE acting as the PDP-CSE evaluating the access control policies associated with the target resource, obtaining the policy evaluation result for the target resource, and sending the policy evaluation result to the PEP-CSE;
and executing an access control decision according to the policy evaluation result comprises:
the PEP-CSE executing the access control decision according to the policy evaluation result.
The method further comprises:
the CSE acting as the PDP-CSE obtaining access control information from a policy information point (PIP-CSE) according to the PIP-CSE address list.
The method further comprises:
the CSE acting as the PDP-CSE combining multiple policy evaluation results according to the policy combining algorithm.
The method further comprises:
the CSE acting as the PDP-CSE obtaining the privacy policy, determining according to the privacy policy the resource attributes and/or child resources to be filtered, and sending those resource attributes and/or child resources to the PEP-CSE;
and the PEP-CSE executing the access control decision according to the policy evaluation result comprises:
when the policy evaluation result indicates that access to the target resource is permitted, the PEP-CSE filtering out of the target resource, according to the received resource attributes and/or child resources, the resource attributes and/or child resources that correspond to the privacy policy.
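An added example (an editor's illustration, not the patent's or any oneM2M implementation's code) of the distributed variant just described. The hosting CSE acts as PEP-CSE and forwards the request to the first reachable PDP-CSE from the PDP-CSE address list; the PDP-CSE pulls the policies for the target resource from the PRP-CSEs and the originator's attributes from the PIP-CSEs, evaluates attribute-based rules, combines the results and returns the decision together with the attributes the privacy policy removes; the PEP-CSE enforces the decision and filters the response. The in-memory address registry stands in for the inter-CSE transport, and the CSE addresses, rule shape, attribute names and sample data are constructed for the example.

```python
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"

@dataclass
class PrpCse:
    """Policy Retrieval Point: holds the distributed policies, keyed by target resource."""
    policies: dict

    def retrieve(self, target):
        return self.policies.get(target, [])

@dataclass
class PipCse:
    """Policy Information Point: holds originator attributes consulted by ABAC rules."""
    attributes: dict

    def lookup(self, originator):
        return self.attributes.get(originator, {})

@dataclass
class SchedulingAcp:
    """The scheduling policy as held by the PEP-CSE (only the fields this flow needs)."""
    target: str
    combining: str          # "deny-overrides" or "permit-overrides"
    privacy_filter: set
    pdp_addresses: list
    prp_addresses: list
    pip_addresses: list

def evaluate_rule(rule, operation, attrs):
    """Attribute-based rule: every required attribute must match, then the operation is checked."""
    if any(attrs.get(k) != v for k, v in rule["match"].items()):
        return None                                     # rule not applicable
    return PERMIT if operation in rule["operations"] else DENY

class PdpCse:
    """Policy Decision Point."""
    def __init__(self, registry):
        self.registry = registry                        # address -> CSE (constructed transport)

    def decide(self, acp, originator, operation):
        rules, attrs = [], {}
        for addr in acp.prp_addresses:                  # policies from each reachable PRP-CSE
            if addr in self.registry:
                rules += self.registry[addr].retrieve(acp.target)
        for addr in acp.pip_addresses:                  # attributes from each reachable PIP-CSE
            if addr in self.registry:
                attrs.update(self.registry[addr].lookup(originator))
        results = [r for r in (evaluate_rule(rule, operation, attrs) for rule in rules) if r]
        if not results:
            decision = DENY                             # nothing applicable: fail closed
        elif acp.combining == "deny-overrides":
            decision = DENY if DENY in results else PERMIT
        else:                                           # permit-overrides
            decision = PERMIT if PERMIT in results else DENY
        # The PDP also tells the PEP which attributes the privacy policy strips.
        return {"decision": decision, "filter": sorted(acp.privacy_filter)}

class PepCse:
    """Hosting CSE acting as Policy Enforcement Point."""
    def __init__(self, registry, acps, resources):
        self.registry, self.acps, self.resources = registry, acps, resources

    def handle(self, originator, target, operation):
        acp = self.acps.get(target)
        if acp is None:
            return DENY, None
        for addr in acp.pdp_addresses:                  # first reachable PDP-CSE decides
            if addr in self.registry:
                reply = self.registry[addr].decide(acp, originator, operation)
                break
        else:
            return DENY, None                           # no PDP reachable: never fall back to Permit
        if reply["decision"] != PERMIT:
            return DENY, None
        resource = self.resources[target]
        return PERMIT, {k: v for k, v in resource.items() if k not in reply["filter"]}

def build_network():
    """Constructed topology: one PEP, PDP, PRP and PIP, under assumed CSE addresses."""
    registry = {}
    registry["//cse-prp"] = PrpCse({"cnt-sensor": [
        {"match": {"role": "nurse", "ward": "ward-3"}, "operations": ["RETRIEVE"]},
        {"match": {"role": "admin"}, "operations": ["RETRIEVE", "UPDATE", "DELETE"]},
    ]})
    registry["//cse-pip"] = PipCse({
        "ae-nurse": {"role": "nurse", "ward": "ward-3"},
        "ae-nurse5": {"role": "nurse", "ward": "ward-5"},
        "ae-admin": {"role": "admin"},
    })
    registry["//cse-pdp"] = PdpCse(registry)
    acp = SchedulingAcp("cnt-sensor", "deny-overrides", {"patientId"},
                        ["//cse-pdp"], ["//cse-prp"], ["//cse-pip"])
    pep = PepCse(registry, {"cnt-sensor": acp},
                 {"cnt-sensor": {"temperature": 21.5, "patientId": "P-0042"}})
    return pep, registry
```

The design choice to check in a real deployment is the failure behaviour: when the PDP-CSE, PRP-CSE or PIP-CSE cannot be reached, the PEP must deny rather than degrade to a local-only or permissive decision, and an originator with no attributes at the PIP must match no rule. Both cases return Deny here, and the privacy filter travels with the decision so the PEP never returns the unfiltered resource.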
In a second aspect, an embodiment of the present disclosure provides a device for processing an access control policy, comprising:
a receiving module, configured to receive a resource access request from a resource access originator for a target resource;
a determining module, configured to determine, according to the resource access request, a target access control policy for the target resource, where the target access control policy is an access control policy with scheduling capability;
an obtaining module, configured to obtain, according to the target access control policy, a policy evaluation result for the target resource;
an executing module, configured to execute an access control decision according to the policy evaluation result;
where the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource comprise one or more access control policies of the same kind, or one or more access control policies of different kinds.
The resource attributes or child resources of the target access control policy comprise at least one of the following:
a resource identifier, which uniquely identifies the target access control policy;
a policy management permission, which describes the access control policy governing access to the target access control policy itself;
a policy applicability scope, which describes the resource access originators and/or the resources to which the target access control policy applies;
a policy combining algorithm, which describes how the evaluation results of multiple access control policies are combined;
a token policy application rule, which describes how token policies are used;
a privacy policy, which describes the information to be filtered out of the result returned to the resource access originator;
an access control policy list, which describes one or more access control policies, the one or more access control policies being of the same kind or of different kinds;
a PDP-CSE address list, which describes the CSEs that provide access control decisions to the hosting CSE acting as the policy enforcement point (PEP);
a PRP-CSE address list, which describes the CSEs that provide access control policies to the CSE acting as the PDP;
a PIP-CSE address list, which describes the CSEs that provide access control information to the CSE acting as the PDP.
In a third aspect, an embodiment of the present disclosure provides a communication device, comprising a transceiver, a memory, a processor, and a computer program stored in the memory and executable on the processor;
the transceiver is configured to receive a resource access request from a resource access originator for a target resource;
the processor is configured to read the program in the memory and execute the following process:
determining, according to the resource access request, a target access control policy for the target resource, where the target access control policy is an access control policy with scheduling capability;
obtaining, according to the target access control policy, a policy evaluation result for the target resource;
executing an access control decision according to the policy evaluation result;
where the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource comprise one or more access control policies of the same kind, or one or more access control policies of different kinds.
The resource attributes or child resources of the target access control policy comprise at least one of the following:
a resource identifier, which uniquely identifies the target access control policy;
a policy management permission, which describes the access control policy governing access to the target access control policy itself;
a policy applicability scope, which describes the resource access originators and/or the resources to which the target access control policy applies;
a policy combining algorithm, which describes how the evaluation results of multiple access control policies are combined;
a token policy application rule, which describes how token policies are used;
a privacy policy, which describes the information to be filtered out of the result returned to the resource access originator;
an access control policy list, which describes one or more access control policies, the one or more access control policies being of the same kind or of different kinds;
a PDP-CSE address list, which describes the CSEs that provide access control decisions to the hosting CSE acting as the policy enforcement point (PEP);
a PRP-CSE address list, which describes the CSEs that provide access control policies to the CSE acting as the PDP;
a PIP-CSE address list, which describes the CSEs that provide access control information to the CSE acting as the PDP.
The access control policies associated with the target resource comprise one or more of: a local access control policy, a token policy, and an access control policy stored in a distributed manner;
the local access control policy comprises a first local access control policy and/or a second local access control policy;
where the first local access control policy is stored in the access control policy list of the target access control policy, and the second local access control policy is stored in the resource of another access control policy and is referenced by resource reference.
The processor is further configured to read the program in the memory and execute the following process:
determining, according to the policy applicability scope, whether the resource access originator and/or the target resource fall within the scope of the target access control policy;
if the resource access originator and/or the target resource fall within the scope of the target access control policy, obtaining the access control policies associated with the target resource;
evaluating the access control policies associated with the target resource to obtain a policy evaluation result.
The processor is further configured to read the program in the memory and execute the following process:
if the resource access request includes an access control token, and the token policy application rule indicates that the token policy is to be used, evaluating the token policy to obtain a token policy evaluation result.
The processor is further configured to read the program in the memory and execute the following process:
combining multiple policy evaluation results according to the policy combining algorithm.
The processor is further configured to read the program in the memory and execute the following process:
obtaining a privacy policy;
when the policy evaluation result indicates that access is permitted, permitting access to the target resource and filtering out of the target resource the resource attributes and/or child resources that correspond to the privacy policy.
The processor is further configured to read the program in the memory and execute the following process:
when the token policy application rule indicates that the token policy is to be used, and the resource access request does not include an access control token, sending the address of the token authorization entity to the resource access originator.
The processor is further configured to read the program in the memory and execute the following process:
acting as the hosting CSE that is the policy enforcement point (PEP-CSE), receiving the resource access request and forwarding it to a policy decision point (PDP-CSE) according to the PDP-CSE address list;
acting as the PDP-CSE, determining the target access control policy according to the resource access request and obtaining, according to the PRP-CSE address list, the access control policies associated with the target resource from a policy retrieval point (PRP-CSE);
acting as the PDP-CSE, evaluating the access control policies associated with the target resource, obtaining the policy evaluation result for the target resource, and sending the policy evaluation result to the PEP-CSE;
acting as the PEP-CSE, executing the access control decision according to the policy evaluation result.
The processor is further configured to read the program in the memory and execute the following process:
acting as the PDP-CSE, obtaining access control information from a policy information point (PIP-CSE) according to the PIP-CSE address list.
The processor is further configured to read the program in the memory and execute the following process:
acting as the PDP-CSE, combining multiple policy evaluation results according to the policy combining algorithm.
The processor is further configured to read the program in the memory and execute the following process:
acting as the PDP-CSE, obtaining the privacy policy, determining according to the privacy policy the resource attributes and/or child resources to be filtered, and sending those resource attributes and/or child resources to the PEP-CSE;
when the policy evaluation result indicates that access to the target resource is permitted, acting as the PEP-CSE, filtering out of the target resource, according to the received resource attributes and/or child resources, the resource attributes and/or child resources that correspond to the privacy policy.
In a fourth aspect, an embodiment of the present disclosure provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of the first aspect.
In the embodiments of the present disclosure, because the target access control policy is an access control policy with scheduling capability, it can be used to schedule the access control policies of the same kind or of different kinds that are associated with the target resource; the embodiments therefore solve the problem of how different kinds of access control policy work together during access control.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present disclosure more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below illustrate only some embodiments of the present disclosure; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the method for processing an access control policy provided by an embodiment of the present disclosure;
Fig. 2 is a structural diagram of the device for processing an access control policy provided by an embodiment of the present disclosure;
Fig. 3 is a structural diagram of the communication device provided by an embodiment of the present disclosure.
Detailed description
The technical solutions in the embodiments of the present disclosure are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present disclosure. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure.
Referring to Fig. 1, which is a flowchart of the method for processing an access control policy provided by an embodiment of the present disclosure, the method comprises the following steps:
Step 101: receive a resource access request from a resource access originator for a target resource.
The target resource may be any resource.
Step 102: determine, according to the resource access request, a target access control policy for the target resource, where the target access control policy is an access control policy with scheduling capability.
The target access control policy is used to schedule the access control policies associated with the target resource; those associated policies comprise one or more access control policies of the same kind, or one or more access control policies of different kinds.
In practice, the resource attributes or child resources of the target access control policy may comprise at least one of the following:
a resource identifier, which uniquely identifies the target access control policy;
a policy management permission, which describes the access control policy governing access to the target access control policy itself;
a policy applicability scope, which describes the resource access originators and/or the resources to which the target access control policy applies;
a policy combining algorithm, which describes how the evaluation results of multiple access control policies are combined;
a token policy application rule, which describes how token policies are used;
a privacy policy, which describes the information to be filtered out of the result returned to the resource access originator;
an access control policy list, which describes one or more access control policies, the one or more access control policies being of the same kind or of different kinds;
a PDP-CSE address list, which describes the CSEs that provide access control decisions to the hosting CSE acting as the policy enforcement point (PEP);
a PRP-CSE address list, which describes the CSEs that provide access control policies to the CSE acting as the PDP;
a PIP-CSE address list, which describes the CSEs that provide access control information to the CSE acting as the PDP.
Therefore, in this step, the target access control policy corresponding to the target resource can be determined from the resource identifier of the target resource.
Step 103: obtain, according to the target access control policy, a policy evaluation result for the target resource.
在本公开实施例中,为使得确定的策略评估结果更为全面,所述目标资源关联的访问控制策略可包括以下任意一项或者多项:In the embodiment of the present disclosure, in order to make the determined policy evaluation result more comprehensive, the access control policy associated with the target resource may include any one or more of the following:
本地访问控制策略,令牌策略,分布式存储的访问控制策略中的一项或者多项。其中,所述本地访问控制策略包括第一本地访问控制策略和/或第二本地访问控制策略。所述第一本地访问控制策略存储在所述目标访问控制策略的访问控制策略列表中,所述第二本地访问控制策略通过资源引用的方式存储在其他访问控制策略的资源中。其中,所述其他访问控制策略指的是除目标访问控制策略之外的访问控制策略。One or more of local access control strategy, token strategy, and distributed storage access control strategy. Wherein, the local access control policy includes a first local access control policy and/or a second local access control policy. The first local access control policy is stored in an access control policy list of the target access control policy, and the second local access control policy is stored in resources of other access control policies by way of resource reference. Wherein, the other access control policies refer to access control policies other than the target access control policy.
根据目标访问控制策略所包括的资源属性不同,在本公开实施例中可有不同的处理方式。According to different resource attributes included in the target access control policy, there may be different processing methods in the embodiments of the present disclosure.
具体的,可根据所述策略适用范围,确定所述资源访问发起方和/或所述目标资源是否适用于所述目标访问控制策略。若所述资源访问发起方和/或所述目标资源适用于所述目标访问控制策略,获取所述目标资源关联的访问控制策略。例如,若策略适用范围为空,那么表示资源访问发起方和目标资源都适用于该目标访问控制策略,则获取目标资源关联的访问控制策略,如本地访问控制策略,令牌策略,分布式存储的访问控制策略等。之后,对所述目标资源关联的访问控制策略进行评估,获得策略评估结果。Specifically, it may be determined whether the resource access initiator and/or the target resource are applicable to the target access control policy according to the scope of application of the policy. If the resource access initiator and/or the target resource are applicable to the target access control policy, obtain the access control policy associated with the target resource. For example, if the applicable scope of the policy is empty, it means that both the resource access initiator and the target resource are applicable to the target access control policy, and then the access control policy associated with the target resource is obtained, such as local access control policy, token policy, distributed storage Access control policies, etc. Afterwards, the access control strategy associated with the target resource is evaluated, and the strategy evaluation result is obtained.
若所述资源访问请求中包括访问控制令牌,在所述令牌策略应用规则表示需使用令牌策略的情况下,需要对所述令牌策略进行评估,获得令牌策略评估结果。若所述资源访问请求中未包括访问控制令牌,需向所述资源访问发起方发送令牌授权实体的地址。If the resource access request includes an access control token, if the token policy application rule indicates that a token policy needs to be used, the token policy needs to be evaluated to obtain the token policy evaluation result. If the resource access request does not include an access control token, the address of the token authorization entity needs to be sent to the resource access initiator.
当所述策略评估结果为多个时,还可根据策略合并算法对多个策略评估结果进行合并。When there are multiple strategy evaluation results, multiple strategy evaluation results can also be combined according to the strategy combination algorithm.
步骤104、根据所述策略评估结果,执行访问控制决策。Step 104: Perform an access control decision based on the result of the policy evaluation.
若资源属性包括隐私策略,那么,还可获取隐私策略。在策略评估结果表示允许访问的情况下,允许对所述目标资源的访问,并滤除所述目标资源中所述隐私策略对应的资源属性和/或子资源。从而,利用这种方式可更好的保护隐私。If the resource attribute includes a privacy policy, then the privacy policy can also be obtained. In the case that the result of the policy evaluation indicates that access is permitted, the access to the target resource is permitted, and the resource attribute and/or sub-resource corresponding to the privacy policy in the target resource are filtered out. Therefore, privacy can be better protected in this way.
在本公开实施例中,由于目标访问控制策略为具有调度能力的访问控制策略,因此,可通过该策略对目标资源关联的相同种类或者不同种类的访问控制策略进行调度,从而,利用本公开实施例可解决不同种类的访问控制策略在访问控制过程中的协同工作问题。In the embodiments of the present disclosure, since the target access control policy is an access control policy with scheduling capability, the same type or different types of access control policies associated with the target resource can be scheduled through the policy, so that the present disclosure can be used to implement Examples can solve the problem of collaborative work of different types of access control policies in the access control process.
对于分布式授权架构,那么,在以上的过程中,步骤101具体为:作为策略执行点的宿主CSE PEP-CSE接收所述资源访问请求,并根据所述PDP-CSE地址列表将所述资源访问请求发送给策略决策点PDP-CSE;For the distributed authorization architecture, then, in the above process, step 101 is specifically: the host CSE PEP-CSE as the policy enforcement point receives the resource access request, and accesses the resource according to the PDP-CSE address list The request is sent to the policy decision point PDP-CSE;
步骤102具体为:作为PDP-CSE的宿主CSE根据所述资源访问请求确定所述目标访问控制策略,并根据所述PRP-CSE地址列表,从策略获取点PRP-CSE获取所述目标资源关联的访问控制策略;Step 102 is specifically: the CSE as the host of the PDP-CSE determines the target access control policy according to the resource access request, and obtains the target resource-related information from the policy acquisition point PRP-CSE according to the PRP-CSE address list. Access control strategy;
步骤103具体为:作为PDP-CSE的宿主CSE对所述目标资源关联的访问控制策略进行评估,获取对所述目标资源的策略评估结果,并向所述PEP-CSE发送所述策略评估结果;Step 103 is specifically: the CSE as the host of the PDP-CSE evaluates the access control policy associated with the target resource, obtains the policy evaluation result of the target resource, and sends the policy evaluation result to the PEP-CSE;
步骤104具体为:所述PEP-CSE根据所述策略评估结果,执行访问控制决策。Step 104 is specifically: the PEP-CSE executes an access control decision according to the result of the policy evaluation.
若在评估的过程中需要获取访问控制信息,那么,作为PDP-CSE的宿主CSE根据所述PIP-CSE地址列表从策略信息点PIP-CSE获取访问控制信息。若需要合并多个策略评估结果,则作为PDP-CSE的宿主CSE根据策略合并算法对多个策略评估结果进行合并。若资源属性还包括隐私策略,那么,作为PDP-CSE的宿主CSE获取隐私策略,根据所述隐私策略确定需过滤的资源属性和/或子资源,并向所述PEP-CSE发送所述资源属性和/或子资源;在所述策略评估结果表示允许访问所述目标资源的情况下,所述PEP-CSE根据所述资源属性和/或子资源,滤除所述目标资源中所述隐私策略对应的资源属性和/或子资源。If access control information needs to be acquired during the evaluation process, the CSE as the host of the PDP-CSE obtains the access control information from the policy information point PIP-CSE according to the PIP-CSE address list. If multiple policy evaluation results need to be merged, the CSE as the host of the PDP-CSE merges the multiple policy evaluation results according to the policy merging algorithm. If the resource attribute also includes a privacy policy, the CSE as the host of the PDP-CSE obtains the privacy policy, determines the resource attribute and/or subresource to be filtered according to the privacy policy, and sends the resource attribute to the PEP-CSE And/or sub-resources; in the case where the policy evaluation result indicates that access to the target resource is allowed, the PEP-CSE filters out the privacy policy in the target resource according to the resource attribute and/or sub-resource Corresponding resource attributes and/or sub-resources.
Analysis of the oneM2M architecture in the related art shows the following problems:
(1) New kinds of access control policy are not supported. For example, oneM2M is expected to support attribute-based access control policies, so new and old policies will coexist, and the current oneM2M access control system has no solution for this.
(2) There is no defined handling for the case where a locally stored access policy and a token policy exist at the same time, for example when the originator presents a token policy but a local policy also applies.
(3) Privacy policies are not supported. A privacy policy typically forbids disclosing certain person-related information to the resource accessor rather than forbidding access to all of the data.
(4) Complex ways of applying policies are not supported, for example invoking one access control policy from within another, or a variety of policy combining algorithms.
To solve these problems, the embodiments of the present disclosure propose an access control system for the oneM2M system that can integrate access control policies of different kinds and from different sources together with privacy policies. Its core is the "access control policy with scheduling capability", or "scheduling policy" for short. In oneM2M, access control policies are stored in oneM2M resources; in this embodiment the scheduling policy is stored in a oneM2M resource named <accessControlSchedulingPolicy>.
An access control policy with scheduling capability has two parts:
the access control policies that describe resource access privileges, and the access control configuration information that describes how those policies are used. Both are stored in the resource attributes or child resources of the <accessControlSchedulingPolicy> resource; the embodiments do not prescribe whether attributes or child resources are used for either.
The <accessControlSchedulingPolicy> resource may contain the following main resource attributes or child resources:
Resource identifier: the universal oneM2M attribute resourceID, which uniquely identifies the resource in the CSE resource tree. A target resource is associated with its scheduling policy through this identifier: the target resource stores it in its accessControlPolicyIDs attribute.
Policy management privileges: the access control policy that governs this scheduling policy, for example who may modify, read or delete it. The privileges may be stored directly in the <accessControlSchedulingPolicy> resource, or in a separately defined <policy management privileges> resource that is then pointed to by a resource reference.
Policy applicability scope: the originators and/or target resources to which this scheduling policy applies. If this field is empty the check is skipped and the policy applies by default to the associated target resource.
Policy combining algorithm: how the evaluation results of the several policies contained in the scheduling policy are combined into one final result, for example "permit overrides" or "deny overrides".
Token policy application rule: whether token policies may be used, how a token policy relates to the local policy, and how a token policy is obtained. Examples: token policy only; local policy only; token policy takes precedence (if a token policy exists, the local policy is not used); local policy takes precedence (if a local policy exists, the token policy is not used); token policy and local policy treated alike.
Privacy policy: for the originator's resource access request, the privacy policy describes which information (resource attributes and/or child resources) must be filtered out of the result returned to the originator, so as to protect the user's private information.
Access control policy list: one or more access control policies, of the same kind or of different kinds. A policy may also be given as a resource reference pointing at another resource that actually stores it; such a resource may be defined specifically for storing a certain kind of access control policy.
PDP-CSE address list: the CSEs to which the hosting CSE may send access control decision requests in order to obtain access control decisions. The hosting CSE uses the policy combining algorithm to merge the decisions obtained from the PDP-CSEs with the decision obtained locally; a separate combining algorithm may be specified for the PDP-CSEs in the list.
PRP-CSE address list: the CSEs to which the hosting CSE may send access control policy requests in order to obtain the applicable access control policies; a separate combining algorithm may be specified for the PRP-CSEs in the list.
PIP-CSE address list: the CSEs to which the hosting CSE may send requests for access control information needed during policy evaluation, such as role information.
Based on the above, the general procedure for executing an access control policy with scheduling capability is:
(1) The originator sends a resource access request to the target resource in the hosting CSE.
(2) The hosting CSE obtains the associated access control policy from the target resource's accessControlPolicyIDs attribute.
accessControlPolicyIDs may hold the resource ID of the original oneM2M access control policy resource <accessControlPolicy>, the resource ID of the <accessControlSchedulingPolicy> resource newly defined in this embodiment, or the ID of some other kind of access control policy resource. The description here uses the resource ID of the newly defined scheduling policy <accessControlSchedulingPolicy> as the example.
(3) The hosting CSE checks the policy applicability scope of the <accessControlSchedulingPolicy> resource to determine whether the policy applies to the originator and target resource of this access. If the scope is empty, the policy applies to the current request by default; otherwise the current request is checked against the scope.
(4) Obtain the policy combining algorithm used to combine multiple access control policies.
(5) Obtain the token policy application rule, which determines how token policies are handled.
If the originator is required to provide a token policy but the request carries no token, the request is rejected and the originator is asked to provide the required access control token. If the token policy application rule also describes how the token policy is obtained, the response additionally carries that information, for example the address of the token authority.
(6) Obtain and evaluate the applicable access control policies, which may include:
the access control policies stored in the access control policy resource, and/or
the access control policies designated by policy references, and/or
the access control policies carried in the access control token.
(7) When several access control policies apply, combine their evaluation results with the policy combining algorithm.
(8) If the combined result permits access and the privacy policy is not empty, obtain the privacy policy.
(9) Return the policy evaluation result to the decision requester; if access is permitted and the privacy policy is not empty, the privacy policy is included.
(10) The hosting CSE executes the access control decision: for example it rejects this access, or permits it and applies the privacy policy.
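Step (2) of the procedure above, together with the resource-reference attributes of the policy management privileges and the access control policy list, leaves one practical question open: what the hosting CSE does when a reference chain does not resolve. The following Python is an added example, not code from the patent or from oneM2M. The in-memory resource tree, the resourceType strings (including "abacPolicy" for the referenced resource), the resource IDs and the rule shapes are all constructed for this example; the attribute names accessControlPolicyIDs, privileges, newPrivileges and newPrivilegesReference are those the text defines.

```python
# Added example, not code from the patent or from oneM2M: resolving the policy
# resources behind a target resource's accessControlPolicyIDs. The resource
# tree, resourceType strings and IDs are constructed for this example.

REFERENCE_ATTRIBUTE = "newPrivilegesReference"   # reference attribute defined in the text

def resolve_policy_chain(tree, start_id, max_hops=8):
    """Follow newPrivilegesReference from start_id. Returns (visited_ids, problems);
    a cycle, a dangling reference or an over-long chain stops the walk and is
    recorded so the caller can fail closed instead of evaluating a partial policy."""
    visited, seen, problems = [], set(), []
    current = start_id
    while current is not None:
        if current in seen:
            problems.append(f"reference cycle at {current}")
            break
        if len(visited) >= max_hops:
            problems.append(f"reference chain longer than {max_hops} hops")
            break
        resource = tree.get(current)
        if resource is None:
            problems.append(f"dangling reference to {current}")
            break
        seen.add(current)
        visited.append(current)
        current = resource.get(REFERENCE_ATTRIBUTE)
    return visited, problems


def collect_privileges(tree, target_id):
    """Step (2) of the general procedure: gather every rule set that applies to the
    target resource. Returns ([(policy_resource_id, kind, rules)], problems)."""
    target = tree[target_id]
    collected, problems = [], []
    for acp_id in target.get("accessControlPolicyIDs", []):
        policy = tree.get(acp_id)
        if policy is None:
            problems.append(f"accessControlPolicyIDs points at missing {acp_id}")
            continue
        rtype = policy.get("resourceType")
        if rtype == "accessControlPolicy":          # classic oneM2M policy resource
            collected.append((acp_id, "oneM2M", policy.get("privileges") or []))
        elif rtype == "accessControlSchedulingPolicy":
            if policy.get("privileges"):
                collected.append((acp_id, "oneM2M", policy["privileges"]))
            if policy.get("newPrivileges"):
                collected.append((acp_id, "new", policy["newPrivileges"]))
            chain, chain_problems = resolve_policy_chain(tree, policy.get(REFERENCE_ATTRIBUTE))
            problems.extend(chain_problems)
            for ref_id in chain:
                collected.append((ref_id, "new", tree[ref_id].get("newPrivileges") or []))
        else:
            problems.append(f"{acp_id} has unsupported resourceType {rtype!r}")
    return collected, problems


def policies_usable(problems):
    """Fail closed: any unresolved reference means the policy set is incomplete
    and the request should be denied rather than evaluated against what was found."""
    return not problems


# Constructed sample tree: a container governed by one classic policy and one
# scheduling policy whose ABAC rules live in a referenced resource, which in
# turn points at a resource that does not exist.
RESOURCE_TREE = {
    "cnt001": {"resourceType": "container",
               "accessControlPolicyIDs": ["acp001", "acsp001"]},
    "acp001": {"resourceType": "accessControlPolicy",
               "privileges": [{"originators": ["AE-A"], "operations": ["RETRIEVE"]}]},
    "acsp001": {"resourceType": "accessControlSchedulingPolicy",
                "policyCombiningAlgorithm": "permit-overrides",
                "newPrivilegesReference": "abac001"},
    "abac001": {"resourceType": "abacPolicy",
                "newPrivileges": [{"attribute": "role", "value": "nurse",
                                   "operations": ["RETRIEVE"]}],
                "newPrivilegesReference": "abac002"},   # abac002 is deliberately absent
}
```

The point of policies_usable is the one a reviewer would insist on: a scheduling policy whose reference chain is broken must not degrade into "evaluate whatever was found". With permit-overrides in force, silently dropping the unreachable part of the policy can only widen access, never narrow it, so an unresolved reference has to surface as a deny plus an operator-visible error.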
The following is one possible definition of the scheduling policy <accessControlSchedulingPolicy> described in this embodiment:
- resourceID: the oneM2M universal attribute; other resources refer to this newly defined resource through their accessControlPolicyIDs attribute.
- adminPrivileges: the access privileges for this policy resource itself, for example modifying, deleting or reading it. The embodiments do not prescribe the format in which this policy is described.
- adminPrivilegesReferences: a reference to another policy resource that stores the access privileges for this policy resource.
- applicableSubjects: the originators to which this access control policy applies.
- applicableResources: the target resources to which this access control policy applies.
- policyCombiningAlgorithm: identifier of the algorithm used to combine multiple access control policies:
  - permit-overrides: permit takes precedence, or
  - deny-overrides: deny takes precedence.
- privileges: equivalent to the privileges attribute of the oneM2M <accessControlPolicy> resource; stores access control policies in the format oneM2M has already defined.
- newPrivileges: stores newly defined oneM2M access control policies, for example attribute-based access control policies. The embodiments do not prescribe the format in which these policies are described.
- newPrivilegesReference: a reference to another policy resource that stores newly defined oneM2M access control policies.
- tokenPolicyPriority: how the token policy is to be used; its value may be:
  - not-permit: token policies are not allowed, or
  - override-local-policy: the evaluation result of the token policy takes precedence, or
  - override-token-policy: the evaluation result of the local policy takes precedence, or
  - combining-with-local-policy: the evaluation results of the token policy and the local policy are combined with the algorithm given by policyCombiningAlgorithm.
- tokenAuthorityURI: the address of an authority that can issue policy tokens. The hosting CSE may give this address to the originator so that the originator can request an access control token there.
- privacyPolicy: the privacy policy, listing the resource attributes or child resources to be filtered out of the result returned to the originator:
  - filtered-attributes: the names of the attributes to be filtered out
  - filtered-resources: the names of the child resources to be filtered out
- PDPs: the applicable PDP-CSE list, with values:
  - policyCombiningAlgorithm: the policy combining algorithm;
  - PDP-CSEs: the list of CSE addresses.
- PRPs: the applicable PRP-CSE list, with values:
  - policyCombiningAlgorithm: the policy combining algorithm;
  - PRP-CSEs: the list of CSE addresses.
- PIPs: the applicable PIP-CSE list; its value is a list of CSE addresses.
Based on these definitions, the processing in several scenarios is described below.
1. Scenario one: a token policy is combined with the local policy.
The relevant contents of the <accessControlSchedulingPolicy> policy resource are:
- resourceID: the target resource references the ID of this access control policy resource through its accessControlPolicyIDs attribute, which associates the two.
- policyCombiningAlgorithm: permit-overrides, meaning that when several access control policies exist and any one of them evaluates to permit, the combined policy evaluation result is permit.
- abacPrivileges: stores the newly defined attribute-based access control (ABAC) policy for oneM2M. This disclosure does not prescribe the format of the ABAC policy.
- tokenPolicyPriority: combining-with-local-policy, meaning the token policy and the local policy are used together.
The access control process in this case is:
(1) The originator sends a resource access request to the hosting CSE; the request carries an access control token. The token stores an access control policy, for example resource access privileges described in the existing oneM2M access control policy format.
(2) The hosting CSE uses the value of the target resource's accessControlPolicyIDs attribute to locate the applicable scheduling policy resource <accessControlSchedulingPolicy>.
(3) Obtain the policy combining algorithm.
Because tokenPolicyPriority in the <accessControlSchedulingPolicy> resource is combining-with-local-policy, the locally stored access control policy and the access control policy carried in the token are used together.
(4) The hosting CSE:
obtains the local ABAC policy from abacPrivileges and evaluates whether it permits this access by the originator;
verifies the validity of the token, obtains the access control policy stored in it, and evaluates whether that policy permits this access by the originator.
(5) The hosting CSE combines the two evaluation results of step (4) with the permit-overrides algorithm given by policyCombiningAlgorithm to obtain the final policy evaluation result.
2. Scenario two: dynamic authorization.
The relevant contents of the <accessControlSchedulingPolicy> policy resource are:
- resourceID: the target resource references the ID of this access control policy resource through its accessControlPolicyIDs attribute, which associates the two.
- policyCombiningAlgorithm: permit-overrides, meaning that when several access control policies exist and any one of them evaluates to permit, the final policy evaluation result is permit.
- privileges: null, meaning there is no local access control policy in the existing oneM2M format.
- newPrivileges: null, meaning there is no local access control policy in the oneM2M ABAC format.
- tokenPolicyPriority: override-local-policy, meaning the token policy is used in preference.
- tokenAuthorityURI: https://oneM2M.authorization.com, the address of an authority that can issue policy tokens.
The access control process in this case is:
(1) The originator sends a resource access request to the hosting CSE; the request carries no access control token.
(2) The hosting CSE uses the value of the target resource's accessControlPolicyIDs attribute to locate the applicable scheduling policy resource <accessControlSchedulingPolicy>.
(3) Because tokenPolicyPriority in the policy is override-local-policy, either the token policy or the local policy may be used to evaluate the originator's resource access request, but the token policy is used in preference.
(4) The hosting CSE finds that the request carries no policy token and that the local access control policy resource stores no access control policy either, so it rejects the request. Because tokenAuthorityURI is not empty, the response sent to the originator carries the address of the token authority.
(5) The originator uses the URI (Uniform Resource Identifier) supplied by the hosting CSE to request a policy token from the token authority.
(6) The token authority decides according to its own authorization policy whether to issue a token to the originator and, if so, sends the issued token to the originator.
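As an added example, not code from the patent or from oneM2M, the following Python puts steps (3) to (10) of the general procedure into one evaluator and exercises it with the settings of scenario one (combining-with-local-policy under permit-overrides) and scenario two (override-local-policy, no local policy, tokenAuthorityURI), plus the attribute filtering of the privacyPolicy attribute. The attribute names are the ones defined above; the shape of the rules inside privileges and abacPrivileges and inside the token, the token validity check (holder and expiry only, no signature), and the fail-closed choices (an inapplicable scope or an empty result set denies) are assumptions made for this example, and the sample policies, request and target resource are constructed.

```python
# Added example, not code from the patent or from oneM2M: evaluating an
# <accessControlSchedulingPolicy>. Attribute names follow the text; the rule
# formats, token fields and fail-closed defaults are assumptions.
from dataclasses import dataclass, field
from typing import Optional

PERMIT, DENY = "permit", "deny"

@dataclass
class Decision:
    result: str
    reason: str
    token_authority_uri: Optional[str] = None   # returned on DENY when a token may help
    filtered_attributes: list = field(default_factory=list)
    filtered_resources: list = field(default_factory=list)

def combine(results, algorithm):
    """policyCombiningAlgorithm over individual results; no results means DENY."""
    if not results:
        return DENY
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in results else DENY
    if algorithm == "deny-overrides":
        return DENY if DENY in results else PERMIT
    raise ValueError(f"unknown policyCombiningAlgorithm {algorithm!r}")

def eval_onem2m_rules(rules, request):
    """Assumed rule shape: {"originators": [...], "operations": [...]}."""
    return PERMIT if any(request["originator"] in r["originators"] and
                         request["operation"] in r["operations"] for r in rules) else DENY

def eval_abac_rules(rules, request):
    """Assumed ABAC rule: {"attribute": ..., "value": ..., "operations": [...]},
    matched against the originator attributes in request["subjectAttributes"]."""
    attrs = request.get("subjectAttributes", {})
    return PERMIT if any(attrs.get(r["attribute"]) == r["value"] and
                         request["operation"] in r["operations"] for r in rules) else DENY

def token_is_valid(token, request, now):
    """Assumed token fields: holder, exp, privileges. A real hosting CSE must
    also verify the token authority's signature before trusting its policy."""
    return token["holder"] == request["originator"] and token["exp"] > now

def evaluate(policy, request, now=0):
    """Steps (3) to (9) of the general procedure for one scheduling policy."""
    subjects = policy.get("applicableSubjects") or []
    resources = policy.get("applicableResources") or []
    if (subjects and request["originator"] not in subjects) or (
            resources and request["targetResource"]["resourceID"] not in resources):
        return Decision(DENY, "scheduling policy not applicable to this request")
    local = []   # results of the locally stored policies
    if policy.get("privileges"):
        local.append(eval_onem2m_rules(policy["privileges"], request))
    abac = policy.get("abacPrivileges") or policy.get("newPrivileges")  # text uses both names
    if abac:
        local.append(eval_abac_rules(abac, request))
    token, token_results = request.get("token"), []
    if token is not None and token_is_valid(token, request, now):
        token_results = [eval_onem2m_rules(token["privileges"], request)]
    rule = policy.get("tokenPolicyPriority", "not-permit")
    if rule == "not-permit":
        results = local
    elif rule == "override-local-policy":
        results = token_results or local
    elif rule == "override-token-policy":
        results = local or token_results
    elif rule == "combining-with-local-policy":
        results = local + token_results
    else:
        raise ValueError(f"unknown tokenPolicyPriority {rule!r}")
    if not results:   # step (5): reject and point the originator at the token authority
        uri = policy.get("tokenAuthorityURI") if rule != "not-permit" else None
        return Decision(DENY, "no applicable policy; access control token required", uri)
    if combine(results, policy.get("policyCombiningAlgorithm", "deny-overrides")) == DENY:
        return Decision(DENY, "policy evaluation denied access")
    privacy = policy.get("privacyPolicy") or {}
    return Decision(PERMIT, "policy evaluation permitted access",
                    filtered_attributes=list(privacy.get("filtered-attributes") or []),
                    filtered_resources=list(privacy.get("filtered-resources") or []))

def enforce(policy, request, now=0):
    """Step (10), PEP side: apply the decision and strip what the privacy policy names."""
    decision = evaluate(policy, request, now)
    if decision.result == DENY:
        return decision, None
    resource = request["targetResource"]
    view = {k: v for k, v in resource.items()
            if k != "children" and k not in decision.filtered_attributes}
    view["children"] = [c for c in resource.get("children", [])
                        if c not in decision.filtered_resources]
    return decision, view

# Constructed sample data mirroring scenarios one and two above (the privacy
# policy values are those of scenario three).
SCENARIO_ONE_POLICY = {
    "resourceID": "acsp-1", "policyCombiningAlgorithm": "permit-overrides",
    "abacPrivileges": [{"attribute": "role", "value": "nurse", "operations": ["RETRIEVE"]}],
    "tokenPolicyPriority": "combining-with-local-policy",
    "privacyPolicy": {"filtered-attributes": ["resourceID", "resourceName", "parentID", "labels"]},
}
SCENARIO_TWO_POLICY = {
    "resourceID": "acsp-2", "policyCombiningAlgorithm": "permit-overrides",
    "tokenPolicyPriority": "override-local-policy",
    "tokenAuthorityURI": "https://oneM2M.authorization.com",
}
TARGET = {"resourceID": "cnt-42", "resourceName": "vitals", "parentID": "ae-7",
          "labels": ["ward:3"], "content": "hr=72", "children": ["sub-1"]}
```

Two design points are worth noting. The deny response carries tokenAuthorityURI only when tokenPolicyPriority allows tokens at all; handing out the authority's address under not-permit would invite a token the hosting CSE will never accept. And in combining-with-local-policy mode, permit-overrides lets a valid token outvote a local deny, which is exactly what scenario one asks for but should be confirmed against the policy author's intent before deploying that pairing.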
3. Based on the above definitions, this section describes how a privacy policy is applied in a distributed authorization scenario.
The relevant values in the <accessControlSchedulingPolicy> policy resource are:
- resourceID: the ID of this access control policy resource; the target resource references it through its accessControlPolicyIDs attribute and is thereby associated with this policy resource.
- policyCombiningAlgorithm: permit-overrides, meaning that when several access control policies apply and any one of them evaluates to permit, the final policy evaluation result is permit.
- privileges: access control policies described in the existing oneM2M format.
- abacPrivileges: access control policies described in the oneM2M ABAC format.
- privacyPolicy: the stored privacy policy lists the resource attributes and/or child resources that must be filtered out of the result returned to the resource access initiator:
  - filtered-attributes: resourceID, resourceName, parentID, labels, meaning these resource attributes are removed from the response returned to the initiator.
  - filtered-resources: null, meaning no child resources need to be filtered.
- PDPs: the list of PDP-CSEs, whose value is:
  - policyCombiningAlgorithm: permit-overrides
  - PDP-CSEs: a list of CSE addresses.
In this case the access control procedure is:
(1) The resource access initiator sends a resource access request to the host CSE; the request carries no access control token.
(2) The host CSE, acting as PEP (PEP-CSE), forwards the resource access request to another CSE acting as PDP (PDP-CSE), according to the information in PDPs.
(3) The PDP-CSE obtains the applicable <accessControlSchedulingPolicy> policy resource.
(4) The PDP-CSE evaluates the initiator's resource access request against the access control policies stored in privileges and abacPrivileges, and merges the evaluation results with the policy combining algorithm given by policyCombiningAlgorithm. Here the merged result is assumed to be permit, i.e. the initiator's resource access request is allowed.
(5) The PDP-CSE finds that the privacy policy in <accessControlSchedulingPolicy> is not empty, so it reads the privacy policy and obtains the list of resource attributes to be filtered.
(6) The PDP-CSE returns the permit decision and the privacy policy to the PEP-CSE.
(7) The PEP-CSE retrieves the target resource the initiator wants to access and removes the resource attributes specified by the privacy policy from the retrieved result.
(8) The host CSE returns the resource access result to the initiator.
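The token-priority scenario and the distributed privacy-policy scenario above, as an added Python example that is not part of the patent. It models the scheduling policy attributes the scenarios use (policyCombiningAlgorithm, tokenPolicyPriority, tokenAuthorityURI, privileges, abacPrivileges, privacyPolicy, PDPs) and shows a host CSE acting as PEP either deciding locally or forwarding to the listed PDP-CSEs, then stripping the filtered attributes from the returned representation. The class and function names, the toy token format, the rule `reader_may_retrieve`, the policy IDs, the PDP address and the sample resource are all constructed for illustration; the combining algorithm for an empty result list (deny) is likewise an assumption of the example.

```python
"""Toy model of an <accessControlSchedulingPolicy> resource and of the way a host CSE
uses it, locally and in the PEP-CSE / PDP-CSE split. Added example: all names,
rules, addresses and sample data are constructed, not the patent's."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY = "permit", "deny"
Rule = Callable[[dict], str]  # an access control rule: request -> PERMIT | DENY


def combine(results: List[str], algorithm: str) -> str:
    """Merge evaluation results with the named policyCombiningAlgorithm. An empty
    list (no applicable policy at all) is treated as deny; that default is an assumption."""
    if not results:
        return DENY
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in results else DENY
    raise ValueError("unknown policyCombiningAlgorithm: " + algorithm)


@dataclass
class SchedulingPolicy:
    """The scheduling policy attributes used in the two scenarios."""
    resource_id: str
    policy_combining_algorithm: str = "permit-overrides"
    token_policy_priority: str = "override-local-policy"
    token_authority_uri: Optional[str] = None
    privileges: List[Rule] = field(default_factory=list)          # oneM2M-format rules
    abac_privileges: List[Rule] = field(default_factory=list)     # ABAC-format rules
    filtered_attributes: List[str] = field(default_factory=list)  # privacyPolicy
    pdp_cses: List[str] = field(default_factory=list)             # PDPs -> PDP-CSEs


@dataclass
class Decision:
    result: str
    filtered_attributes: List[str] = field(default_factory=list)
    token_authority_uri: Optional[str] = None  # set on deny when a token could be obtained


def evaluate_token(token: dict, request: dict) -> str:
    """Toy token policy: the token names the originator, the resource and the granted
    operations. Real tokens are signed by the token authority; verifying that signature
    precedes this check and is not modelled here."""
    ok = (token.get("originator") == request["originator"]
          and token.get("resource") == request["resource"]
          and request["operation"] in token.get("operations", []))
    return PERMIT if ok else DENY


def pdp_evaluate(policy: SchedulingPolicy, request: dict) -> Decision:
    """Policy decision point. With override-local-policy a presented token is evaluated
    in preference to the local rules; without one, privileges and abacPrivileges are
    evaluated and merged. Other tokenPolicyPriority values fall back to the local rules."""
    token = request.get("token")
    if policy.token_policy_priority == "override-local-policy" and token is not None:
        results = [evaluate_token(token, request)]
    else:
        results = [rule(request) for rule in policy.privileges + policy.abac_privileges]
    result = combine(results, policy.policy_combining_algorithm)
    # Denied without a token: tell the initiator where a token can be requested.
    uri = policy.token_authority_uri if result == DENY and token is None else None
    return Decision(result, list(policy.filtered_attributes), uri)


def pep_handle(policies: Dict[str, SchedulingPolicy], pdps: Dict[str, SchedulingPolicy],
               request: dict, resource: dict) -> Tuple[Decision, Optional[dict]]:
    """Policy enforcement point (host CSE): follow accessControlPolicyIDs to the
    scheduling policy, decide locally or through the listed PDP-CSEs, then apply the
    privacy policy to the representation returned to the initiator."""
    policy = policies[resource["accessControlPolicyIDs"]]
    if policy.pdp_cses:  # distributed authorization: each address stands for one PDP-CSE
        decisions = [pdp_evaluate(pdps[cse], request) for cse in policy.pdp_cses]
        result = combine([d.result for d in decisions], policy.policy_combining_algorithm)
        attrs = sorted({a for d in decisions if d.result == PERMIT for a in d.filtered_attributes})
        uri = next((d.token_authority_uri for d in decisions if d.token_authority_uri), None)
        decision = Decision(result, attrs, uri if result == DENY else None)
    else:
        decision = pdp_evaluate(policy, request)
    if decision.result != PERMIT:
        return decision, None
    return decision, {k: v for k, v in resource.items() if k not in decision.filtered_attributes}


# Constructed sample data (hypothetical identifiers) ----------------------------------
def reader_may_retrieve(req: dict) -> str:  # a local rule stored in privileges
    return PERMIT if (req["originator"], req["operation"]) == ("Cae-reader", "RETRIEVE") else DENY

HIDDEN = ["resourceID", "resourceName", "parentID", "labels"]  # the page's filtered-attributes
POLICIES = {
    "acp-empty": SchedulingPolicy("acp-empty", token_authority_uri="http://ta.example/token"),
    "acp-local": SchedulingPolicy("acp-local", privileges=[reader_may_retrieve], filtered_attributes=HIDDEN),
    "acp-pep": SchedulingPolicy("acp-pep", pdp_cses=["//pdp1.example"]),
}
PDPS = {"//pdp1.example": SchedulingPolicy("acp-pdp1", abac_privileges=[reader_may_retrieve],
                                           filtered_attributes=HIDDEN)}


def sample_resource(acp_id: str) -> dict:
    return {"resourceID": "cnt001", "resourceName": "temperature", "parentID": "ae001",
            "labels": ["room1"], "accessControlPolicyIDs": acp_id, "currentNrOfInstances": 3}


def retrieve(acp_id: str, token: Optional[dict] = None) -> Tuple[Decision, Optional[dict]]:
    """Initiator Cae-reader issues RETRIEVE on cnt001, optionally presenting a token."""
    req = {"originator": "Cae-reader", "resource": "cnt001", "operation": "RETRIEVE"}
    if token is not None:
        req["token"] = token
    return pep_handle(POLICIES, PDPS, req, sample_resource(acp_id))
```

`retrieve("acp-empty")` reproduces step (4) of the token scenario: no token, no local policy, so the decision is deny and the response carries the token authority URI. `retrieve("acp-pep")` reproduces steps (2) to (8) of the distributed scenario: the PEP forwards to the PDP-CSE, receives permit plus the privacy policy, and returns the container with resourceID, resourceName, parentID and labels removed. The privacy filtering is applied at the PEP, after the decision, exactly because the PDP never sees the resource representation.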
Referring to FIG. 2, which is a structural diagram of the access control policy processing apparatus provided by an embodiment of the present disclosure, the apparatus includes:
a receiving module 201, configured to receive a resource access request from a resource access initiator for a target resource;
a determining module 202, configured to determine, according to the resource access request, a target access control policy for the target resource, where the target access control policy is an access control policy with scheduling capability;
an obtaining module 203, configured to obtain, according to the target access control policy, a policy evaluation result for the target resource;
an execution module 204, configured to execute an access control decision according to the policy evaluation result;
where the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource include one or more access control policies of the same kind, or one or more access control policies of different kinds.
The resource attributes or child resources of the target access control policy include at least one of the following:
a resource identifier, which uniquely identifies the target access control policy;
policy management privileges, which describe the access control policy governing the target access control policy itself;
a policy scope, which describes the resource access initiators and/or the resources to which the target access control policy applies;
a policy combining algorithm, which describes how the evaluation results of multiple access control policies are merged;
a token policy application rule, which describes how token policies are used;
a privacy policy, which describes the information to be filtered out of the result returned to the resource access initiator;
an access control policy list, which describes one or more access control policies, the one or more access control policies being of the same kind or of different kinds;
a PDP-CSE address list, which describes the CSEs that provide access control decisions to the host CSE acting as policy enforcement point (PEP);
a PRP-CSE address list, which describes the CSEs that provide access control policies to the host CSE acting as PDP;
a PIP-CSE address list, which describes the CSEs that provide access control information to the host CSE acting as PDP.
The access control policies associated with the target resource include one or more of: a local access control policy, a token policy, and a distributively stored access control policy;
the local access control policy includes a first local access control policy and/or a second local access control policy;
where the first local access control policy is stored in the access control policy list of the target access control policy, and the second local access control policy is stored in other access control policy resources and reached by resource reference.
Optionally, the obtaining module 203 includes:
a determining submodule, configured to determine, according to the policy scope, whether the resource access initiator and/or the target resource fall within the target access control policy;
a first obtaining submodule, configured to obtain the access control policies associated with the target resource if the resource access initiator and/or the target resource fall within the target access control policy;
a second obtaining submodule, configured to evaluate the access control policies associated with the target resource and obtain the policy evaluation result.
Optionally, if the resource access request includes an access control token and the token policy application rule indicates that the token policy is to be used, the obtaining module 203 is specifically configured to evaluate the token policy and obtain a token policy evaluation result.
Optionally, the apparatus may further include a first merging module 205, configured to merge multiple policy evaluation results according to the policy combining algorithm.
Optionally, the apparatus may further include a second obtaining module 206, configured to obtain the privacy policy; the execution module 204 is then specifically configured to, when the policy evaluation result indicates that access is permitted, allow access to the target resource and filter out the resource attributes and/or child resources of the target resource that the privacy policy designates.
Optionally, the apparatus may further include a sending module 207, configured to send the address of the token authority to the resource access initiator when the token policy application rule indicates that the token policy is to be used and the resource access request does not include an access control token.
Under the distributed authorization architecture, the receiving module 201 is specifically configured such that the host CSE acting as policy enforcement point (PEP-CSE) receives the resource access request and forwards it, according to the PDP-CSE address list, to the policy decision point (PDP-CSE);
the determining module 202 is specifically configured such that the host CSE acting as PDP-CSE determines the target access control policy according to the resource access request and, according to the PRP-CSE address list, obtains the access control policies associated with the target resource from the policy retrieval point (PRP-CSE);
the obtaining module 203 is specifically configured such that the host CSE acting as PDP-CSE evaluates the access control policies associated with the target resource, obtains the policy evaluation result for the target resource, and sends the policy evaluation result to the PEP-CSE;
the execution module 204 is specifically configured such that the PEP-CSE executes the access control decision according to the policy evaluation result.
Under this architecture, the apparatus may further include: an information obtaining module 207, configured such that the host CSE acting as PDP-CSE obtains access control information from the policy information point (PIP-CSE) according to the PIP-CSE address list; a merging module 208, configured such that the host CSE acting as PDP-CSE merges multiple policy evaluation results according to the policy combining algorithm; and a privacy policy obtaining module 209, configured such that the host CSE acting as PDP-CSE obtains the privacy policy, determines from it the resource attributes and/or child resources to be filtered, and sends those resource attributes and/or child resources to the PEP-CSE. In this case the execution module 204 is specifically configured such that, when the policy evaluation result indicates that access to the target resource is permitted, the PEP-CSE filters out, according to the received resource attributes and/or child resources, those of the target resource that the privacy policy designates.
In the embodiments of the present disclosure, because the target access control policy is an access control policy with scheduling capability, access control policies of the same kind or of different kinds associated with the target resource can be scheduled through that policy; the embodiments thus solve the problem of making different kinds of access control policies work together during access control.
As shown in FIG. 3, the communication device of an embodiment of the present disclosure includes:
a transceiver 310, configured to receive a resource access request from a resource access initiator for a target resource;
a processor 300, configured to read the program in the memory 320 and perform the following process:
determining, according to the resource access request, a target access control policy for the target resource, where the target access control policy is an access control policy with scheduling capability;
obtaining, according to the target access control policy, a policy evaluation result for the target resource;
executing an access control decision according to the policy evaluation result;
where the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource include one or more access control policies of the same kind, or one or more access control policies of different kinds.
In FIG. 3, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits, in particular one or more processors represented by the processor 300 and memory represented by the memory 320. The bus architecture may also link various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 310 may be a number of elements, namely a transmitter and a receiver, providing the means for communicating with various other devices over a transmission medium. The processor 300 is responsible for managing the bus architecture and general processing, and the memory 320 may store data used by the processor 300 when performing operations.
The resource attributes or child resources of the target access control policy include at least one of the following:
a resource identifier, which uniquely identifies the target access control policy;
policy management privileges, which describe the access control policy governing the target access control policy itself;
a policy scope, which describes the resource access initiators and/or the resources to which the target access control policy applies;
a policy combining algorithm, which describes how the evaluation results of multiple access control policies are merged;
a token policy application rule, which describes how token policies are used;
a privacy policy, which describes the information to be filtered out of the result returned to the resource access initiator;
an access control policy list, which describes one or more access control policies, the one or more access control policies being of the same kind or of different kinds;
a PDP-CSE address list, which describes the CSEs that provide access control decisions to the host CSE acting as policy enforcement point (PEP);
a PRP-CSE address list, which describes the CSEs that provide access control policies to the host CSE acting as PDP;
a PIP-CSE address list, which describes the CSEs that provide access control information to the host CSE acting as PDP.
The access control policies associated with the target resource include one or more of: a local access control policy, a token policy, and a distributively stored access control policy;
the local access control policy includes a first local access control policy and/or a second local access control policy;
where the first local access control policy is stored in the access control policy list of the target access control policy, and the second local access control policy is stored in other access control policy resources and reached by resource reference.
The processor 300 is further configured to read the computer program and perform the following steps:
determining, according to the policy scope, whether the resource access initiator and/or the target resource fall within the target access control policy;
if the resource access initiator and/or the target resource fall within the target access control policy, obtaining the access control policies associated with the target resource;
evaluating the access control policies associated with the target resource and obtaining the policy evaluation result.
The processor 300 is further configured to read the computer program and perform the following step:
if the resource access request includes an access control token and the token policy application rule indicates that the token policy is to be used, evaluating the token policy and obtaining a token policy evaluation result.
The processor 300 is further configured to read the computer program and perform the following steps:
obtaining the privacy policy;
when the policy evaluation result indicates that access is permitted, allowing access to the target resource and filtering out the resource attributes and/or child resources of the target resource that the privacy policy designates.
The processor 300 is further configured to read the computer program and perform the following step:
when the token policy application rule indicates that the token policy is to be used and the resource access request does not include an access control token, sending the address of the token authority to the resource access initiator.
The processor 300 is further configured to read the computer program and perform the following steps:
as the host CSE acting as policy enforcement point (PEP-CSE), receiving the resource access request and forwarding it, according to the PDP-CSE address list, to the policy decision point (PDP-CSE);
as the host CSE acting as PDP-CSE, determining the target access control policy according to the resource access request and, according to the PRP-CSE address list, obtaining the access control policies associated with the target resource from the policy retrieval point (PRP-CSE);
as the host CSE acting as PDP-CSE, evaluating the access control policies associated with the target resource, obtaining the policy evaluation result for the target resource, and sending the policy evaluation result to the PEP-CSE;
as the PEP-CSE, executing the access control decision according to the policy evaluation result.
The processor 300 is further configured to read the computer program and perform the following step:
as the host CSE acting as PDP-CSE, obtaining access control information from the policy information point (PIP-CSE) according to the PIP-CSE address list.
The processor 300 is further configured to read the computer program and perform the following step:
as the host CSE acting as PDP-CSE, merging multiple policy evaluation results according to the policy combining algorithm.
The processor 300 is further configured to read the computer program and perform the following steps:
as the host CSE acting as PDP-CSE, obtaining the privacy policy, determining from it the resource attributes and/or child resources to be filtered, and sending those resource attributes and/or child resources to the PEP-CSE;
when the policy evaluation result indicates that access to the target resource is permitted, as the PEP-CSE, filtering out, according to the received resource attributes and/or child resources, those of the target resource that the privacy policy designates.
此外,本公开实施例的计算机可读存储介质,用于存储计算机程序,所述计算机程序可被处理器执行实现以下步骤:In addition, the computer-readable storage medium of the embodiment of the present disclosure is used to store a computer program, and the computer program can be executed by a processor to implement the following steps:
接收资源访问发起方对目标资源的资源访问请求;Receive the resource access request of the resource access initiator for the target resource;
根据所述资源访问请求,确定所述目标资源的目标访问控制策略,其中,所述目标访问控制策略为具有调度能力的访问控制策略;Determining a target access control strategy for the target resource according to the resource access request, wherein the target access control strategy is an access control strategy with scheduling capability;
根据所述目标访问控制策略,获取对所述目标资源的策略评估结果;Obtaining a policy evaluation result of the target resource according to the target access control strategy;
根据所述策略评估结果,执行访问控制决策;Perform access control decisions based on the results of the policy evaluation;
其中,所述目标访问控制策略用于对所述目标资源关联的访问控制策略进行调度,所述目标资源关联的访问控制策略包括同一种类的一个或者多个访问控制策略,或者包括不同种类的一个或者多个访问控制策略。Wherein, the target access control policy is used for scheduling the access control policy associated with the target resource, and the access control policy associated with the target resource includes one or more access control policies of the same type, or includes one of different types. Or multiple access control policies.
其中,所述目标访问控制策略的资源属性或子资源包括以下至少一项:Wherein, the resource attribute or subresource of the target access control policy includes at least one of the following:
资源标识,用于唯一标识所述目标访问控制策略;The resource identifier is used to uniquely identify the target access control policy;
策略管理权限,用于描述针对所述目标访问控制策略的访问控制策略;Policy management authority, used to describe the access control strategy for the target access control strategy;
策略适用范围,用于描述适用于所述目标访问控制策略的资源访问发起方和/或适用于所述目标访问控制策略的资源;The policy application scope is used to describe the resource access initiator applicable to the target access control policy and/or the resources applicable to the target access control policy;
策略合并算法,用于描述对多个访问控制策略的评估结果的合并方式;Strategy merging algorithm, used to describe the method of merging the evaluation results of multiple access control policies;
令牌策略应用规则,用于描述令牌策略的使用方式;Token policy application rules are used to describe the use of token policies;
隐私策略,用于描述需从返回给资源访问发起方的结果中滤除的信息;Privacy policy, used to describe the information that needs to be filtered out from the results returned to the resource access initiator;
访问控制策略列表,用于描述一个或多个访问控制策略,所述一个或者多个访问控制策略为同一种类的访问控制策略或者为不同种类的访问控制策略;The access control policy list is used to describe one or more access control policies, where the one or more access control policies are the same type of access control policies or different types of access control policies;
策略决策点-公共服务实体PDP-CSE地址列表,用于描述为作为策略执行点PEP的宿主CSE提供访问控制决策的CSE;Policy decision point-public service entity PDP-CSE address list, used to describe the CSE that provides access control decisions for the host CSE as the policy enforcement point PEP;
策略获取点PRP-CSE地址列表,用于描述为作为PDP的宿主CSE提供访问控制策略的CSE;The policy acquisition point PRP-CSE address list is used to describe the CSE that provides access control policies for the PDP host CSE;
策略信息点PIP-CSE地址列表,用于描述为作为PDP的宿主CSE提供访问控制信息的CSE。The policy information point PIP-CSE address list is used to describe the CSE that provides access control information for the PDP host CSE.
其中,所述目标资源关联的访问控制策略包括:本地访问控制策略,令牌策略,分布式存储的访问控制策略中的一项或者多项;Wherein, the access control strategy associated with the target resource includes one or more of a local access control strategy, a token strategy, and an access control strategy for distributed storage;
所述本地访问控制策略包括第一本地访问控制策略和/或第二本地访问控制策略;The local access control policy includes a first local access control policy and/or a second local access control policy;
其中,所述第一本地访问控制策略存储在所述目标访问控制策略的访问控制策略列表中,所述第二本地访问控制策略通过资源引用的方式存储在其他访问控制策略的资源中。Wherein, the first local access control policy is stored in an access control policy list of the target access control policy, and the second local access control policy is stored in resources of other access control policies by way of resource reference.
其中,所述根据所述目标访问控制策略,获取对所述目标资源的策略评估结果,包括:Wherein, the obtaining a policy evaluation result of the target resource according to the target access control policy includes:
根据所述策略适用范围,确定所述资源访问发起方和/或所述目标资源是否适用于所述目标访问控制策略;Determine whether the resource access initiator and/or the target resource are applicable to the target access control policy according to the policy application scope;
若所述资源访问发起方和/或所述目标资源适用于所述目标访问控制策略,获取所述目标资源关联的访问控制策略;If the resource access initiator and/or the target resource are applicable to the target access control policy, obtain the access control policy associated with the target resource;
对所述目标资源关联的访问控制策略进行评估,获得策略评估结果。Evaluate the access control policy associated with the target resource, and obtain a policy evaluation result.
其中,若所述资源访问请求中包括访问控制令牌,在所述令牌策略应用 规则表示需使用令牌策略的情况下,所述对所述目标资源关联的访问控制策略进行评估,获得策略评估结果,包括:Wherein, if the resource access request includes an access control token, if the token policy application rule indicates that a token policy needs to be used, the access control policy associated with the target resource is evaluated to obtain the policy Evaluation results, including:
对所述令牌策略进行评估,获得令牌策略评估结果。The token strategy is evaluated, and the token strategy evaluation result is obtained.
其中,当所述策略评估结果为多个时,所述方法还包括:Wherein, when the strategy evaluation results are multiple, the method further includes:
根据策略合并算法对多个策略评估结果进行合并。Combine the evaluation results of multiple strategies according to the strategy merging algorithm.
其中,所述方法还包括:Wherein, the method further includes:
获取隐私策略;Get privacy policy;
所述根据所述策略评估结果,执行访问控制决策,包括:The executing the access control decision according to the result of the policy evaluation includes:
在策略评估结果表示允许访问的情况下,允许对所述目标资源的访问,并滤除所述目标资源中所述隐私策略对应的资源属性和/或子资源。In the case that the result of the policy evaluation indicates that access is permitted, the access to the target resource is permitted, and the resource attribute and/or sub-resource corresponding to the privacy policy in the target resource are filtered out.
其中,在所述令牌策略应用规则表示需使用令牌策略时,若所述资源访问请求中未包括访问控制令牌,所述方法还包括:Wherein, when the token policy application rule indicates that a token policy needs to be used, if the resource access request does not include an access control token, the method further includes:
sending the address of the token authorization entity to the resource access initiator.
Wherein, receiving the resource access request from the resource access initiator for the target resource includes:
the host CSE acting as the policy enforcement point (PEP-CSE) receives the resource access request and forwards it to the policy decision point (PDP-CSE) according to the PDP-CSE address list;
determining the target access control policy for the target resource according to the resource access request includes:
the host CSE acting as the PDP-CSE determines the target access control policy according to the resource access request, and obtains the access control policies associated with the target resource from the policy retrieval point (PRP-CSE) according to the PRP-CSE address list;
obtaining the policy evaluation result for the target resource according to the target access control policy includes:
the host CSE acting as the PDP-CSE evaluates the access control policies associated with the target resource, obtains the policy evaluation result for the target resource, and sends the policy evaluation result to the PEP-CSE;
executing the access control decision according to the policy evaluation result includes:
the PEP-CSE executes the access control decision according to the policy evaluation result.
Wherein, the method further includes:
the host CSE acting as the PDP-CSE obtains access control information from the policy information point (PIP-CSE) according to the PIP-CSE address list.
Wherein, the method further includes:
the host CSE acting as the PDP-CSE combines multiple policy evaluation results according to the policy combination algorithm.
Wherein, the method further includes:
the host CSE acting as the PDP-CSE obtains the privacy policy, determines according to the privacy policy the resource attributes and/or child resources to be filtered, and sends those resource attributes and/or child resources to the PEP-CSE;
the PEP-CSE executing the access control decision according to the policy evaluation result includes:
when the policy evaluation result indicates that access to the target resource is permitted, the PEP-CSE filters out of the target resource, according to the received resource attributes and/or child resources, the resource attributes and/or child resources that correspond to the privacy policy.
In the several embodiments provided in this application, it should be understood that the disclosed method and device can be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
In addition, the functional units in the various embodiments of the present disclosure may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
An integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute part of the steps of the transceiving method described in the embodiments of the present disclosure. The storage medium includes media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are some embodiments of the present disclosure. It should be noted that a person of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present disclosure, and such improvements and refinements should also be regarded as falling within the protection scope of the present disclosure.

Claims (27)

  1. An access control policy processing method, comprising:
    receiving a resource access request from a resource access initiator for a target resource;
    determining, according to the resource access request, a target access control policy for the target resource, wherein the target access control policy is an access control policy with scheduling capability;
    obtaining, according to the target access control policy, a policy evaluation result for the target resource;
    executing an access control decision according to the policy evaluation result;
    wherein the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource comprise one or more access control policies of the same kind, or one or more access control policies of different kinds.
  2. The method according to claim 1, wherein the resource attributes or child resources of the target access control policy comprise at least one of the following:
    a resource identifier, used to uniquely identify the target access control policy;
    a policy management permission, used to describe the access control policy that governs the target access control policy itself;
    a policy applicability scope, used to describe the resource access initiators and/or the resources to which the target access control policy applies;
    a policy combination algorithm, used to describe how the evaluation results of multiple access control policies are combined;
    a token policy application rule, used to describe how token policies are used;
    a privacy policy, used to describe the information to be filtered out of the result returned to the resource access initiator;
    an access control policy list, used to describe one or more access control policies, which are access control policies of the same kind or of different kinds;
    a policy decision point common services entity (PDP-CSE) address list, used to describe the CSEs that provide access control decisions for the host CSE acting as policy enforcement point (PEP);
    a policy retrieval point (PRP-CSE) address list, used to describe the CSEs that provide access control policies for the host CSE acting as PDP;
    a policy information point (PIP-CSE) address list, used to describe the CSEs that provide access control information for the host CSE acting as PDP.
  3. The method according to claim 2, wherein the access control policies associated with the target resource comprise one or more of: a local access control policy, a token policy, and a distributed-stored access control policy;
    the local access control policy comprises a first local access control policy and/or a second local access control policy;
    wherein the first local access control policy is stored in the access control policy list of the target access control policy, and the second local access control policy is stored in another access control policy resource and referenced by resource reference.
  4. The method according to claim 3, wherein obtaining the policy evaluation result for the target resource according to the target access control policy comprises:
    determining, according to the policy applicability scope, whether the resource access initiator and/or the target resource fall within the target access control policy;
    if the resource access initiator and/or the target resource fall within the target access control policy, obtaining the access control policies associated with the target resource;
    evaluating the access control policies associated with the target resource to obtain the policy evaluation result.
  5. The method according to claim 4, wherein, if the resource access request includes an access control token and the token policy application rule indicates that the token policy is to be used, evaluating the access control policies associated with the target resource to obtain the policy evaluation result comprises:
    evaluating the token policy to obtain a token policy evaluation result.
  6. The method according to claim 4, wherein, when there are multiple policy evaluation results, the method further comprises:
    combining the multiple policy evaluation results according to the policy combination algorithm.
  7. The method according to any one of claims 4 to 6, further comprising:
    obtaining a privacy policy;
    wherein executing the access control decision according to the policy evaluation result comprises:
    when the policy evaluation result indicates that access is permitted, permitting access to the target resource and filtering out of the target resource the resource attributes and/or child resources corresponding to the privacy policy.
  8. The method according to claim 2, wherein, when the token policy application rule indicates that the token policy is to be used and the resource access request does not include an access control token, the method further comprises:
    sending the address of the token authorization entity to the resource access initiator.
  9. The method according to claim 2, wherein:
    receiving the resource access request from the resource access initiator for the target resource comprises:
    the host CSE acting as the policy enforcement point (PEP-CSE) receiving the resource access request and forwarding it to the policy decision point (PDP-CSE) according to the PDP-CSE address list;
    determining the target access control policy for the target resource according to the resource access request comprises:
    the host CSE acting as the PDP-CSE determining the target access control policy according to the resource access request, and obtaining the access control policies associated with the target resource from the policy retrieval point (PRP-CSE) according to the PRP-CSE address list;
    obtaining the policy evaluation result for the target resource according to the target access control policy comprises:
    the host CSE acting as the PDP-CSE evaluating the access control policies associated with the target resource, obtaining the policy evaluation result for the target resource, and sending the policy evaluation result to the PEP-CSE;
    executing the access control decision according to the policy evaluation result comprises:
    the PEP-CSE executing the access control decision according to the policy evaluation result.
  10. The method according to claim 9, further comprising:
    the host CSE acting as the PDP-CSE obtaining access control information from the policy information point (PIP-CSE) according to the PIP-CSE address list.
  11. The method according to claim 9, further comprising:
    the host CSE acting as the PDP-CSE combining multiple policy evaluation results according to the policy combination algorithm.
  12. The method according to claim 9, further comprising:
    the host CSE acting as the PDP-CSE obtaining a privacy policy, determining according to the privacy policy the resource attributes and/or child resources to be filtered, and sending those resource attributes and/or child resources to the PEP-CSE;
    wherein the PEP-CSE executing the access control decision according to the policy evaluation result comprises:
    when the policy evaluation result indicates that access to the target resource is permitted, the PEP-CSE filtering out of the target resource, according to the received resource attributes and/or child resources, the resource attributes and/or child resources corresponding to the privacy policy.
  13. An access control policy processing device, comprising:
    a receiving module, configured to receive a resource access request from a resource access initiator for a target resource;
    a determining module, configured to determine, according to the resource access request, a target access control policy for the target resource, wherein the target access control policy is an access control policy with scheduling capability;
    an obtaining module, configured to obtain, according to the target access control policy, a policy evaluation result for the target resource;
    an executing module, configured to execute an access control decision according to the policy evaluation result;
    wherein the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource comprise one or more access control policies of the same kind, or one or more access control policies of different kinds.
  14. The device according to claim 13, wherein the resource attributes or child resources of the target access control policy comprise at least one of the following:
    a resource identifier, used to uniquely identify the target access control policy;
    a policy management permission, used to describe the access control policy that governs the target access control policy itself;
    a policy applicability scope, used to describe the resource access initiators and/or the resources to which the target access control policy applies;
    a policy combination algorithm, used to describe how the evaluation results of multiple access control policies are combined;
    a token policy application rule, used to describe how token policies are used;
    a privacy policy, used to describe the information to be filtered out of the result returned to the resource access initiator;
    an access control policy list, used to describe one or more access control policies, which are access control policies of the same kind or of different kinds;
    a PDP-CSE address list, used to describe the CSEs that provide access control decisions for the host CSE acting as policy enforcement point (PEP);
    a PRP-CSE address list, used to describe the CSEs that provide access control policies for the host CSE acting as PDP;
    a PIP-CSE address list, used to describe the CSEs that provide access control information for the host CSE acting as PDP.
  15. A communication device, comprising a transceiver, a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein:
    the transceiver is configured to receive a resource access request from a resource access initiator for a target resource;
    the processor is configured to read the program in the memory and perform the following:
    determining, according to the resource access request, a target access control policy for the target resource, wherein the target access control policy is an access control policy with scheduling capability;
    obtaining, according to the target access control policy, a policy evaluation result for the target resource;
    executing an access control decision according to the policy evaluation result;
    wherein the target access control policy is used to schedule the access control policies associated with the target resource, and the access control policies associated with the target resource comprise one or more access control policies of the same kind, or one or more access control policies of different kinds.
  16. The device according to claim 15, wherein the resource attributes or child resources of the target access control policy comprise at least one of the following:
    a resource identifier, used to uniquely identify the target access control policy;
    a policy management permission, used to describe the access control policy that governs the target access control policy itself;
    a policy applicability scope, used to describe the resource access initiators and/or the resources to which the target access control policy applies;
    a policy combination algorithm, used to describe how the evaluation results of multiple access control policies are combined;
    a token policy application rule, used to describe how token policies are used;
    a privacy policy, used to describe the information to be filtered out of the result returned to the resource access initiator;
    an access control policy list, used to describe one or more access control policies, which are access control policies of the same kind or of different kinds;
    a PDP-CSE address list, used to describe the CSEs that provide access control decisions for the host CSE acting as policy enforcement point (PEP);
    a PRP-CSE address list, used to describe the CSEs that provide access control policies for the host CSE acting as PDP;
    a PIP-CSE address list, used to describe the CSEs that provide access control information for the host CSE acting as PDP.
  17. The device according to claim 16, wherein the access control policies associated with the target resource comprise one or more of: a local access control policy, a token policy, and a distributed-stored access control policy;
    the local access control policy comprises a first local access control policy and/or a second local access control policy;
    wherein the first local access control policy is stored in the access control policy list of the target access control policy, and the second local access control policy is stored in another access control policy resource and referenced by resource reference.
  18. The device according to claim 17, wherein the processor is further configured to read the program in the memory and perform the following:
    determining, according to the policy applicability scope, whether the resource access initiator and/or the target resource fall within the target access control policy;
    if the resource access initiator and/or the target resource fall within the target access control policy, obtaining the access control policies associated with the target resource;
    evaluating the access control policies associated with the target resource to obtain the policy evaluation result.
  19. The device according to claim 18, wherein the processor is further configured to read the program in the memory and perform the following:
    if the resource access request includes an access control token and the token policy application rule indicates that the token policy is to be used, evaluating the token policy to obtain a token policy evaluation result.
  20. The device according to claim 18, wherein the processor is further configured to read the program in the memory and perform the following:
    combining multiple policy evaluation results according to the policy combination algorithm.
  21. The device according to any one of claims 18 to 20, wherein the processor is further configured to read the program in the memory and perform the following:
    obtaining a privacy policy;
    when the policy evaluation result indicates that access is permitted, permitting access to the target resource and filtering out of the target resource the resource attributes and/or child resources corresponding to the privacy policy.
  22. The device according to claim 16, wherein the processor is further configured to read the program in the memory and perform the following:
    when the token policy application rule indicates that the token policy is to be used and the resource access request does not include an access control token, sending the address of the token authorization entity to the resource access initiator.
  23. The device according to claim 16, wherein the processor is further configured to read the program in the memory and perform the following:
    for the host CSE acting as the policy enforcement point (PEP-CSE), receiving the resource access request and forwarding it to the policy decision point (PDP-CSE) according to the PDP-CSE address list;
    for the host CSE acting as the PDP-CSE, determining the target access control policy according to the resource access request, and obtaining the access control policies associated with the target resource from the policy retrieval point (PRP-CSE) according to the PRP-CSE address list;
    for the host CSE acting as the PDP-CSE, evaluating the access control policies associated with the target resource, obtaining the policy evaluation result for the target resource, and sending the policy evaluation result to the PEP-CSE;
    for the PEP-CSE, executing the access control decision according to the policy evaluation result.
  24. The device according to claim 23, wherein the processor is further configured to read the program in the memory and perform the following:
    for the host CSE acting as the PDP-CSE, obtaining access control information from the policy information point (PIP-CSE) according to the PIP-CSE address list.
  25. The device according to claim 23, wherein the processor is further configured to read the program in the memory and perform the following:
    for the host CSE acting as the PDP-CSE, combining multiple policy evaluation results according to the policy combination algorithm.
  26. The device according to claim 23, wherein the processor is further configured to read the program in the memory and perform the following:
    for the host CSE acting as the PDP-CSE, obtaining a privacy policy, determining according to the privacy policy the resource attributes and/or child resources to be filtered, and sending those resource attributes and/or child resources to the PEP-CSE;
    when the policy evaluation result indicates that access to the target resource is permitted, for the PEP-CSE, filtering out of the target resource, according to the received resource attributes and/or child resources, the resource attributes and/or child resources corresponding to the privacy policy.
  27. A computer-readable storage medium storing a computer program, wherein, when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 12 are implemented.
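The flow claimed above (scope check, gathering of the associated policies, evaluation, combination of multiple results, privacy filtering at the PEP, and the token-authority hint when a required token is absent) and the PDP/PEP split of the embodiment description can be made concrete in a few dozen lines. The following is an added illustration, not code from the patent or its applicant; every name in it (TargetPolicy, evaluate_at_pdp, enforce_at_pep, the sample resource, policies and token) is an assumption made for this example, and the two combination algorithms are the common XACML-style deny-overrides and permit-overrides, which the claims do not name.

```python
"""Added example, not from the patent: a minimal model of the 'scheduling' target
access control policy of claim 2 and of the PDP-CSE / PEP-CSE split of claim 9.
All class and function names and all sample data below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Request:
    originator: str                 # resource access initiator
    resource_id: str                # target resource
    operation: str                  # requested operation, e.g. "RETRIEVE"
    token: Optional[dict] = None    # access control token carried in the request, if any

@dataclass
class LocalPolicy:
    """A local access control policy: which originators may perform which operations."""
    originators: Set[str]
    operations: Set[str]
    def evaluate(self, req: Request, info: Dict) -> str:
        ok = req.originator in self.originators and req.operation in self.operations
        return PERMIT if ok else DENY

@dataclass
class TokenPolicy:
    """A token policy: permits when the request carries a token from the expected issuer
    that names the target resource. Cryptographic token verification is out of scope here."""
    issuer: str
    def evaluate(self, req: Request, info: Dict) -> str:
        t = req.token or {}
        ok = t.get("issuer") == self.issuer and req.resource_id in t.get("resources", [])
        return PERMIT if ok else DENY

# Policy combination algorithms (the claims' "policy combination algorithm" attribute).
def deny_overrides(results: List[str]) -> str:
    applicable = [r for r in results if r != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    return DENY if DENY in applicable else PERMIT

def permit_overrides(results: List[str]) -> str:
    applicable = [r for r in results if r != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    return PERMIT if PERMIT in applicable else DENY

COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides}

@dataclass
class TargetPolicy:
    """The scheduling policy of claim 2, reduced to the attributes the evaluation needs."""
    scope_originators: Set[str]     # policy applicability scope: initiators
    scope_resources: Set[str]       # policy applicability scope: resources
    combination: str                # policy combination algorithm
    token_rule: str                 # token policy application rule: "required" or "not-used"
    privacy_filter: Set[str]        # privacy policy: attributes stripped from the result
    policies: list                  # access control policy list (local and token policies)
    token_authority: str            # address of the token authorization entity (claim 8)

def evaluate_at_pdp(tp: TargetPolicy, req: Request, pip_info: Dict) -> Dict:
    """PDP-CSE side: scope check, policy gathering, evaluation and combination. Returns the
    decision plus what the PEP needs: attributes to filter, or the token authority address."""
    in_scope = req.originator in tp.scope_originators and req.resource_id in tp.scope_resources
    if not in_scope:
        return {"decision": NOT_APPLICABLE, "filter": set(), "token_authority": None}
    if tp.token_rule == "required" and req.token is None:
        # Claim 8: the token policy applies but no token was presented.
        return {"decision": DENY, "filter": set(), "token_authority": tp.token_authority}
    results = []
    for p in tp.policies:
        if isinstance(p, TokenPolicy) and tp.token_rule != "required":
            continue                # token policies are evaluated only when the rule says so
        results.append(p.evaluate(req, pip_info))
    decision = COMBINERS[tp.combination](results)
    return {"decision": decision, "filter": tp.privacy_filter, "token_authority": None}

def enforce_at_pep(tp: TargetPolicy, req: Request, resource: Dict, pip_info: Dict) -> Dict:
    """PEP-CSE side: act on the PDP result; on Permit, apply the privacy filter (claim 12)."""
    verdict = evaluate_at_pdp(tp, req, pip_info)
    if verdict["decision"] != PERMIT:
        return {"status": "denied", "token_authority": verdict["token_authority"]}
    visible = {k: v for k, v in resource.items() if k not in verdict["filter"]}
    return {"status": "ok", "resource": visible}

# Constructed sample data (not from the patent).
SAMPLE_RESOURCE = {"resourceID": "cnt-001", "temperature": 21.5, "ownerContact": "alice@example.invalid"}
SAMPLE_POLICY = TargetPolicy(
    scope_originators={"app-A", "app-B"}, scope_resources={"cnt-001"},
    combination="deny-overrides", token_rule="required", privacy_filter={"ownerContact"},
    policies=[LocalPolicy({"app-A", "app-B"}, {"RETRIEVE"}), TokenPolicy("tokenauth.example.invalid")],
    token_authority="//tokenauth.example.invalid/issue",
)
SAMPLE_TOKEN = {"issuer": "tokenauth.example.invalid", "resources": ["cnt-001"]}

def run_demo() -> Dict[str, Dict]:
    """Exercise the main paths; results are returned so they can be inspected or asserted."""
    cases = {
        "retrieve_with_token": Request("app-A", "cnt-001", "RETRIEVE", SAMPLE_TOKEN),
        "retrieve_without_token": Request("app-A", "cnt-001", "RETRIEVE"),
        "update_with_token": Request("app-B", "cnt-001", "UPDATE", SAMPLE_TOKEN),
        "out_of_scope": Request("app-C", "cnt-001", "RETRIEVE", SAMPLE_TOKEN),
    }
    return {name: enforce_at_pep(SAMPLE_POLICY, req, SAMPLE_RESOURCE, {}) for name, req in cases.items()}
```

Running `run_demo()` shows the four outcomes the claims distinguish: a permitted retrieval whose `ownerContact` attribute has been stripped by the privacy filter, a denial carrying the token authority address because the token rule requires a token that was not presented, a denial produced by deny-overrides because the local policy rejects the operation even though the token policy permits it, and a not-applicable result for an initiator outside the policy's scope. A real deployment would verify the token cryptographically, would fetch the associated policies from the PRP-CSE and attributes from the PIP-CSE instead of holding them inline, and would carry the decision between separate PEP and PDP hosts as the embodiment describes.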
PCT/CN2020/071912 2019-01-28 2020-01-14 Method and device for processing access control policy and computer-readable storage medium WO2020156135A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910079440.3 2019-01-28
CN201910079440.3A CN111490966A (en) 2019-01-28 2019-01-28 Processing method and device of access control policy and computer readable storage medium

Publications (1)

Publication Number Publication Date
WO2020156135A1 true WO2020156135A1 (en) 2020-08-06

Family

ID=71812141

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/071912 WO2020156135A1 (en) 2019-01-28 2020-01-14 Method and device for processing access control policy and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN111490966A (en)
WO (1) WO2020156135A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472775A (en) * 2021-06-29 2021-10-01 深信服科技股份有限公司 Exposed surface determining method and system and storage medium
CN116112264A (en) * 2023-01-31 2023-05-12 深圳市艾莉诗科技有限公司 Method and device for controlling access to strategy hidden big data based on blockchain

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112243003B (en) * 2020-10-13 2023-04-11 中移(杭州)信息技术有限公司 Access control method, electronic device, and storage medium
CN114826629A (en) * 2021-01-22 2022-07-29 北京京东方技术开发有限公司 Data sharing method, device, system, server and computer storage medium
CN116266793A (en) * 2021-12-17 2023-06-20 华为技术有限公司 Access control method and related device thereof

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102388387A (en) * 2009-04-10 2012-03-21 日本电气株式会社 Access-control-policy template generating device, and system, method and program thereof
CN104811465A (en) * 2014-01-27 2015-07-29 电信科学技术研究院 Decision method for access control and equipment
CN107306247A (en) * 2016-04-18 2017-10-31 电信科学技术研究院 Resource access control method and device
CN107660332A (en) * 2015-06-09 2018-02-02 英特尔公司 Systems, devices and methods for the stateful application of control data in a device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656936B (en) * 2015-11-03 2019-09-17 电信科学技术研究院 A kind of access control method, PRP entity, PDP entity and PEP entity
CN106656937A (en) * 2015-11-03 2017-05-10 电信科学技术研究院 Access control method, access control token issuing method and device
CN107306398A (en) * 2016-04-18 2017-10-31 电信科学技术研究院 Distributed authorization management method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102388387A (en) * 2009-04-10 2012-03-21 日本电气株式会社 Access-control-policy template generating device, and system, method and program thereof
CN104811465A (en) * 2014-01-27 2015-07-29 电信科学技术研究院 Decision method for access control and equipment
CN107660332A (en) * 2015-06-09 2018-02-02 英特尔公司 Systems, devices and methods for the stateful application of control data in a device
CN107306247A (en) * 2016-04-18 2017-10-31 电信科学技术研究院 Resource access control method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472775A (en) * 2021-06-29 2021-10-01 深信服科技股份有限公司 Exposed surface determining method and system and storage medium
CN113472775B (en) * 2021-06-29 2023-07-14 深信服科技股份有限公司 Method, system and storage medium for determining exposed surface
CN116112264A (en) * 2023-01-31 2023-05-12 深圳市艾莉诗科技有限公司 Method and device for controlling access to strategy hidden big data based on blockchain
CN116112264B (en) * 2023-01-31 2024-04-02 深圳市艾莉诗科技有限公司 Method and device for controlling access to strategy hidden big data based on blockchain

Also Published As

Publication number Publication date
CN111490966A (en) 2020-08-04

Similar Documents

Publication Publication Date Title
WO2020156135A1 (en) Method and device for processing access control policy and computer-readable storage medium
US8276184B2 (en) User-centric resource architecture
RU2598324C2 (en) Means of controlling access to online service using conventional catalogue features
US8122484B2 (en) Access control policy conversion
US7774827B2 (en) Techniques for providing role-based security with instance-level granularity
US9769137B2 (en) Extensible mechanism for securing objects using claims
US20120167167A1 (en) Enabling granular discretionary access control for data stored in a cloud computing environment
US8266714B2 (en) Access control in a multi-principal browser
CN111698228A (en) System access authority granting method, device, server and storage medium
CN109889517B (en) Data processing method, permission data set creating device and electronic equipment
CN110858833B (en) Access control policy configuration method, device and system and storage medium
US20130125217A1 (en) Authorization Control
US10432642B2 (en) Secure data corridors for data feeds
CN109766708B (en) Data resource access method, system, computer system and storage medium
US20060080438A1 (en) Brokering network resources
CN110138767B (en) Transaction request processing method, device, equipment and storage medium
CN112948842A (en) Authentication method and related equipment
US10673905B1 (en) Service-level authorization policy management
US10616281B1 (en) Service-level authorization policy management
CN112187800A (en) Attribute-based access control method with anonymous access capability
Chai et al. BHE-AC: A blockchain-based high-efficiency access control framework for Internet of Things
EP2725511A1 (en) Managing application execution and data access on a device
US9231955B1 (en) Multiparty authorization for controlling resource access
KR20070076342A (en) User Group Role / Permission Management System and Access Control Methods in a Grid Environment
US10432641B2 (en) Secure data corridors

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20748449; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20748449; Country of ref document: EP; Kind code of ref document: A1)