WO2020248284A1 - Method and apparatus for access control, and storage medium - Google Patents

Publication number
WO2020248284A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
group
user group
access
server
Prior art date
Application number
PCT/CN2019/091410
Inventor
张军
Original Assignee
Oppo广东移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Oppo广东移动通信有限公司
Priority to CN201980079278.3A (CN113169970B)
Priority to CN202311284666.XA (CN117336053A)
Priority to PCT/CN2019/091410 (WO2020248284A1)
Publication of WO2020248284A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

A method for access control, comprising: a server (304) receiving an access request for accessing a target device that is sent from a first access device (301) on the basis of a first user identification; according to at least one user group, the server determining access rights of the first user identification for the target device (S404); and the server processing the access request according to the access rights (S405).

Description

Access control method, apparatus and storage medium
Technical field
The present invention relates to Internet of Things (IoT) technology, and in particular to an access control method, apparatus and storage medium.
Background
The Open Connectivity Foundation (OCF) uses a RESTful architecture in which resources represent physical IoT devices, together with information such as the functional services a device provides and the device's state. The party that provides a resource is the server, and the party that accesses it is the client. The client and server defined by OCF are logical functional entities: each device can be a client, a server, or both. For example, a device that implements only a basic function (such as a light bulb) can act solely as a server, offering itself to clients for query and control while having no need of its own to control or query other devices.
Clients and servers interact by performing RESTful operations on resources, namely the CRUDN operations Create, Retrieve, Update, Delete and Notify. The client initiates a RESTful operation and the server responds to it: the client sends a resource operation request to the server, asking to operate on a resource hosted on the server; the server performs the operation and returns a response to the client, and the response carries the content and description of the resource.
Devices that are not on the same local network can communicate with each other through the cloud. The cloud groups the devices belonging to one user under a single user ID created by the cloud. All devices that are registered to the cloud and belong to the same user ID can communicate according to the permission policy under which the device authorizes the cloud (for example, an ACE2 policy). As a result, a device can be accessed remotely through the cloud platform by only one user, which cannot satisfy multi-user scenarios.
Summary of the invention
To solve the above technical problem, embodiments of the present invention provide an access control method, apparatus and storage medium that allow the remote access rights to a device to be shared with other users, enabling multi-user access.
The technical solutions of the embodiments of the present invention are implemented as follows:
In a first aspect, an embodiment of the present invention provides an access control method, including:
a server receives an access request, sent by a first access device on the basis of a first user identifier, for accessing a target device;
the server determines, according to at least one user group, the access rights of the first user identifier to the target device;
the server processes the access request according to the access rights.
In a second aspect, an embodiment of the present invention provides an access control method, including:
a first access device determines the target device selected by a received selection operation;
the first access device generates an access request based on the device identifier corresponding to the target device and sends the access request to a server, so that the server determines, according to at least one user group, the access rights to the target device of the first user identifier used by the first access device.
In a third aspect, an embodiment of the present invention provides an access control method, including:
a second access device sends an update request to a server on the basis of a second user identifier; the update request causes the server to generate a user group, the generated user group is used to determine the access rights to a target device of a first access device that uses a first user identifier, and the second user identifier has a binding relationship with the target device.
In a fourth aspect, an embodiment of the present invention provides a server, including:
a receiving unit, configured to receive an access request, sent by a first access device on the basis of a first user identifier, for accessing a target device;
a rights unit, configured to determine, according to at least one user group, the access rights of the first user identifier to the target device;
a processing unit, configured to process the access request according to the access rights.
In a fifth aspect, an embodiment of the present invention provides an access device, including:
a selection unit, configured to determine the target device selected by a received selection operation;
a first sending unit, configured to generate an access request based on the device identifier corresponding to the target device and send the access request to a server, so that the server determines, according to at least one user group, the access rights to the target device of the first user identifier used by the access device.
In a sixth aspect, an embodiment of the present invention provides an access device, including: a group establishment unit, configured to send an update request to a server on the basis of a second user identifier; the update request causes the server to generate a user group, the generated user group is used to determine the access rights to a target device of a first access device that uses a first user identifier, and the second user identifier has a binding relationship with the target device.
In a seventh aspect, an embodiment of the present invention provides a server, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, performs the steps of the access control method performed by the server described above.
In an eighth aspect, an embodiment of the present invention provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, performs the steps of the access control method performed by the first access device described above.
In a ninth aspect, an embodiment of the present invention provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, performs the steps of the access control method performed by the second access device described above.
In a tenth aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the server described above.
In an eleventh aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the first access device described above.
In a twelfth aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the second access device described above.
The access control method provided by the embodiments of the present invention includes: a server receives an access request, sent by a first access device on the basis of a first user identifier, for accessing a target device; the server determines, according to at least one user group, the access rights of the first user identifier to the target device; and the server processes the access request according to the access rights. Because user groups are set up in the server, when the first user identifier accesses the target device, the server can decide on the basis of those user groups whether the first user identifier has access rights to the target device. The access rights of different user identifiers are thus controlled through user groups, the target device is no longer restricted to being accessed only by the user identifier that has a binding relationship with it, and multi-user access is achieved.
Description of the drawings
FIG. 1 is an optional schematic structural diagram of an Internet of Things system provided by an embodiment of the present invention;
FIG. 2 is an optional schematic flowchart of an access control method provided by an embodiment of the present invention;
FIG. 3 is an optional schematic structural diagram of an Internet of Things system provided by an embodiment of the present invention;
FIG. 4 is an optional schematic flowchart of an access control method provided by an embodiment of the present invention;
FIG. 5 is an optional schematic flowchart of an access control method provided by an embodiment of the present invention;
FIG. 6 is an optional schematic flowchart of an access control method provided by an embodiment of the present invention;
FIG. 7 is an optional schematic flowchart of an access control method provided by an embodiment of the present invention;
FIG. 8 is an optional schematic flowchart of an access control method provided by an embodiment of the present invention;
FIG. 9 is an optional schematic structural diagram of a server provided by an embodiment of the present invention;
FIG. 10A is an optional schematic structural diagram of an access device provided by an embodiment of the present invention;
FIG. 10B is an optional schematic structural diagram of an access device provided by an embodiment of the present invention;
FIG. 11 is an optional schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. The described embodiments should not be regarded as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.
Before the access control method provided by the embodiments of the present invention is described in detail, access control in an Internet of Things system is briefly described.
The structure of the Internet of Things system is shown in FIG. 1 and includes a client 101, a server 102 and a cloud 103. The client 101 accesses resources of the server 102, and the server 102 provides the resources that the client 101 accesses. The client 101 and the server 102 communicate with each other through the cloud 103.
When the client 101 requests a CRUDN operation on a resource referenced by the resource Links hosted on the cloud 103, the client 101 sends a CRUDN request to the cloud 103, the cloud 103 forwards the CRUDN request of the client 101 to the server 102 that actually hosts the resource, the server 102 responds to the CRUDN request from the cloud 103, and the cloud 103 forwards the response of the server 102 to the client 101. That is, the communication path is client 101 -> cloud 103 -> server 102 -> cloud 103 -> client 101.
By way of example, the cloud 103 may include three functional entities:
Cloud interface 1031: the anchor point on the cloud, responsible for access management of servers and for routing messages in remote communication between clients and servers. The cloud interface exposes a single unified address and port number, such as coaps+tcp://example.com:443.
Authorization server 1032: responsible for server registration and for authenticating clients and servers.
Resource directory 1033: an index of server resources; by searching the resource directory, a client can obtain the resources of a target device.
The authorization server 1032 and the cloud may be the same physical entity or different physical entities.
Each device can be a client, a server, or both a client and a server.
The procedure by which a device registers with the cloud is shown in FIG. 2 and includes:
Step S201: the configurator obtains the user's access token (Access Token) from the authorization server.
The user APP provides a configurator (Mediator) function for configuring a device to connect to the cloud. The cloud access Uniform Resource Locator (URL) is configured in the configurator, and the user has registered a user name and password, so that the authorization server can authorize the user and return an access token to the configurator. The user APP can reside on a device acting as a client.
Step S202: the configurator registers with the cloud.
The configurator presents the access token to the cloud to register the configurator; the cloud verifies the Access Token presented by the configurator and assigns a user identifier (User ID). When the same user uses different configurators, the authorization server issues different Access Tokens, but every configurator used by that user is associated with the same User ID.
Step S203: the configurator connects to the device and configures it.
The configurator connects to the device through the normal device discovery procedure and then requests, from the cloud, an Access Token for the device being configured. Using the Access Token granted by the cloud, the cloud access Uniform Resource Identifier (URI) and the cloud's Universally Unique Identifier (UUID), the configurator updates the cloud configuration resource on the device that holds the cloud information, for example the "oic.r.coapcloudconf" resource. The device uses this cloud-provided Access Token when it performs its initial registration with the cloud.
Step S204: the device establishes a Transport Layer Security (TLS) connection with the cloud.
After the configurator has set the device's configuration resource, the device uses its preset digital certificates to establish a TLS connection with the cloud. The preset digital certificates include the device's manufacturer certificate and a trust anchor certificate.
Step S205: the device registers with the cloud.
To register with the cloud, the device sends an UPDATE operation request to the account resource on the cloud; the resource update request includes the Access Token and User ID configured in the cloud configuration resource. The cloud maintains a unique instance of the account resource for each device. The account resource may be the "/oic/sec/account" resource.
Steps S206 to S207: the cloud verifies the Access Token provided by the device.
The cloud sends the User ID and Access Token provided by the device to the authorization server. Once the authorization server has successfully verified the update operation request, the cloud responds to the update operation; the response gives the device an updated Access Token and that token's validity period. The cloud also records the User ID associated with the device, that is, the User ID with which the device has a binding relationship.
It should be noted that when the authorization server is integrated into the cloud, step S201 is carried out between the cloud and the configurator, and step S207 is not needed.
A device must log in to the cloud before data can be transferred between the device and the cloud; to do so, the device sends an UPDATE operation request to the session resource on the cloud. After the cloud has successfully verified the update operation request, the device and the cloud have established a TLS connection and can begin exchanging data. The session resource may be the "/oic/sec/session" resource.
The device in FIG. 2 can be a client or a server. If the device acts as a server, then after the device and the cloud have established the TLS connection, the device publishes the resources it hosts in the cloud's resource directory so that clients can access those resources remotely.
Devices that are not on the same local network can communicate with each other through the cloud using the Constrained Application Protocol over the Transmission Control Protocol (CoAP over TCP). The cloud groups the devices belonging to one User ID under that User ID. All devices that are registered to the cloud and belong to the same User ID can communicate according to the ACE2 policy under which the device authorizes the cloud. In the embodiments of the present invention, a device under a User ID is referred to as a device that has a binding relationship with that User ID.
In this scheme, however, only devices associated with the same User ID can access one another, so a device can be accessed remotely through the cloud platform by only one User ID. In a household with several members, this means only one User ID can control the household's devices, and the other family members can only log in with that same User ID. If several family members each register their own User ID on the cloud platform, each can control only the devices managed by their own User ID and cannot control, through the cloud platform, the devices associated with other User IDs in the household, so multi-user scenarios cannot be satisfied.
To address this problem, the present invention provides an access control method. The access control method of the embodiments of the present invention can be applied to the Internet of Things system 300 shown in FIG. 3, which includes a first access device 301, a second access device 302, a target device 303 and a server 304. The first access device 301 and the second access device are clients, the target device is the server side, and the server 304 is the cloud. The clients access the resources of the server side through the cloud.
The first access device 301 logs in to the server 304 with a first user identifier, and the second access device 302 logs in to the server 304 with a second user identifier. The first user identifier is not associated with the target device, and the second user identifier is associated with the target device. In other words, the first access device and the target device are not devices under the same user identifier, while the second access device and the target device are devices under the same user identifier.
The clients, server side and cloud in the Internet of Things system 300 can communicate over various communication systems, for example: a Global System of Mobile communication (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD), a Universal Mobile Telecommunication System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a 5G system, and so on.
The first access device 301 and the second access device can be terminal devices. A terminal device can refer to an access terminal, user equipment (UE), a user unit, a user station, a mobile station, a mobile platform, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved PLMN, and so on.
The target device can be an IoT device such as a sensor, a laser scanning system or a smart home appliance.
FIG. 3 shows, by way of example, one server-side device and two clients. Optionally, the Internet of Things system 300 may include multiple server-side devices, together with clients that have a binding relationship with a server-side device or clients that do not; the embodiments of the present invention do not limit this.
An optional processing flow of the access control method provided by the embodiments of the present invention is shown in FIG. 4 and includes the following steps:
Step S401: the first access device determines the target device selected by a received selection operation.
When the user of the first access device wants to control a target device in the Internet of Things system, the first access device receives the user's selection operation, and the object of the selection operation is the device identifier of the target device.
In the embodiments of the present invention, the first access device logs in to the server with the first user identifier and establishes a session with the server. The first access device displays the device identifiers of devices that have a binding relationship with the first user identifier, as well as the device identifiers of devices that do not. A device that has a binding relationship with the first user identifier is associated with the same user ID as the first access device; a device that has no binding relationship with the first user identifier is not associated with the same user ID as the first access device. The first user identifier may be a registered user name, or it may be the User ID that the server assigns to the registered user name, with a one-to-one correspondence between registered user name and User ID. When the first user identifier is a User ID, "the first access device logs in to the server with the first user identifier" can be understood as follows: the first access device logs in to the server using the registered user name as the login account, and the server recognizes that the first access device has logged in with the User ID corresponding to that registered user name.
Step S402: the first access device generates an access request based on the device identifier corresponding to the target device and sends the access request to the server.
The first access device generates the access request from the device identifier of the target device. The access request carries the device identifier of the target device, so that the server can determine the access rights to the target device of the first user identifier used by the first access device.
The access request may or may not carry the first user identifier. When the access request does not carry the first user identifier, the server determines the first user identifier used by the first access device from the session connection established with the first access device.
Where the target device has a binding relationship with the first user identifier, the access request may also include an access token associated with the first user identifier.
Optionally, the access request is sent in the form of an Update request.
Step S403: The server receives the access request for accessing the target device, sent by the first access device based on the first user identifier.
When the access request carries the first user identifier, the server obtains the first user identifier by parsing the access request. When the access request does not carry the first user identifier, the server obtains it from the session established between the first access device and the server.
Step S404: The server determines, according to at least one user group, the access rights of the first user identifier to the target device.
The server is provided with user groups corresponding to different user identifiers, and one user group identifier may correspond to one or more user groups. Among the multiple user groups corresponding to the same user identifier, different user groups are distinguished by different user group names.
The group information of a user group includes the group name, the identifiers of the group members, and the device identifiers of the shared devices. The group name is a string set by the user. The group members are a list containing the user identifier (user ID) of each group member, and a user group includes at least one group member. The shared devices are also a list, containing the device identifiers (device IDs) of the devices shared within the group. A user group includes at least one shared device.
Optionally, the group members include a second user identifier, and the second user identifier has a binding relationship with the target device. For example, the second user identifier is U2 and the group information of a user group is as follows: group name: family; group members: U2, U1; device identifier of the shared device: D1. This indicates that, based on the user group family, device D1, which has a binding relationship with U2, is shared with U1, which has no binding relationship with device D1.
When the group members include the second user identifier, the server may determine the access rights of the first user identifier to the target device according to the user group alone.
Optionally, the group members do not include the second user identifier. As another example, the group information of a user group corresponding to the second user identifier U2 is as follows: group name: family; group members: U1; device identifier of the shared device: D1. This indicates that, based on the user group family, device D1, which has a binding relationship with U2, is shared with U1, which has no binding relationship with device D1.
When the group members do not include the second user identifier, the server determines the access rights of the first user identifier to the target device according to the user group and the second user identifier.
Optionally, the group information of a user group may also include a validity period. The validity period is the lifetime of the user group; it may be counted in seconds, and a value of -1 means permanently valid. When the time since a user group was created reaches the validity period, the server deletes the user group.
In one example, a user group is represented as follows:
Figure PCTCN2019091410-appb-000001
In the above example, the group name gn is family, and the group contains two group members whose user identifiers gmids are U001 and U002. The device identifier dids of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1. The validity period expiresin of the user group is 10000 seconds: the cloud platform starts timing from the moment the user group is created and automatically deletes the user group after 10000 seconds.
In this embodiment of the present invention, the server allocates different user group resources, that is, user spaces, to different user identifiers, and manages the user groups corresponding to each user identifier in the user space allocated to that user identifier. Each user space includes one or more user groups. The server looks up the user space corresponding to a user identifier and obtains the user groups corresponding to that user identifier.
For example, a user space that includes two user groups may look as follows:
Figure PCTCN2019091410-appb-000002
Figure PCTCN2019091410-appb-000003
Here, the user identifier uid of the user is U001, the access token accesstoken is XXXXXXXXXX, and groups is the list of user groups corresponding to the user.
In the above example, user U001 created two user groups: family and guest. The group members of the user group family are U001 and U002, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent. The group members of the user group guest are U001 and U002, the device identifiers of the shared devices are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
The above example indicates that user U001 created a family group on the cloud platform and shared device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002. The family group is permanently valid. In addition, user U001 created a guest group for visitor U003 and temporarily shared devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, with a validity period of 10000 seconds.
Here, U002 may be a family member of the household of user U001, and U004 may be a visitor.
The server checks whether the at least one user group it has set up includes a target user group, in order to determine the access rights of the first user identifier to the target device. A target user group is a user group, among those searched, whose group members include the first user identifier and whose shared devices include the target device.
When the at least one user group includes a target user group, that is, a user group whose group members include the first user identifier and whose shared-device identifiers include the device identifier of the target device, the server determines that the access rights of the first user identifier to the target device are access allowed.
When the group members of every user group in the at least one user group do not include the first user identifier, or the shared-device identifiers of every user group do not include the device identifier of the target device, or the user group whose members include the first user identifier and the user group whose shared-device identifiers include the device identifier of the target device are not the same user group, that is, when the at least one user group does not include a target user group, the server determines that the access rights of the first user identifier to the target device are access forbidden, meaning that the first user identifier cannot access the resources of the target device.
In practice, the server may search the at least one user group for candidate user groups using the second user identifier or the device identifier of the target device as the key, and determine the access rights of the first user identifier to the target device from the candidate user groups. This narrows the search for the target user group and speeds up access control processing.
When the user identifiers of the group members of the user group do not include a user identifier that has a binding relationship with the target device, and the first user identifier has no binding relationship with the device, the access rights of the first user identifier to the target device are determined according to the at least one user group.
Here, when the user identifiers of the group members of the user group do not include the second user identifier, the server judges whether the first user identifier has a binding relationship with the target device. When the first user identifier has a binding relationship with the target device, the access rights are determined to be access allowed. When the first user identifier has no binding relationship with the target device, the access rights of the first user identifier to the target device are determined according to the at least one user group.
In practice, the access rights of the first user identifier may be judged on the binding relationship and the user groups in parallel: when the first user identifier has a binding relationship with the target device, or when the at least one user group includes the target user group, the access rights are determined to be access allowed; when the first user identifier has no binding relationship with the target device and the at least one user group does not include the target user group, the access rights are determined to be access forbidden.
Step S405: The server processes the access request according to the access rights.
When the access rights are access allowed, the server forwards the access request to the target device; when the access rights are access forbidden, the server rejects the access request.
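The decision of steps S404 and S405 can be sketched as follows. This is an added example, not code from the patent: the field names gn, gmids, dids, expiresin, uid and groups follow the description, while the `created` timestamp, the `BINDINGS` map, the function names and checking expiry at decision time (in addition to any timed deletion) are assumptions.

```python
"""Group-based access decision (steps S404/S405) over constructed sample data."""

DEV_A = "0685B960-736F-46F7-BEC0-9E6CBD61ADC1"
DEV_B = "E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9"

# device ID -> user ID the device is bound to (assumed storage layout)
BINDINGS = {DEV_A: "U001", DEV_B: "U001"}

# One user space per user ID. "created" (seconds) is a hypothetical field used to
# compute expiry; the description only says timing starts when the group is created.
USER_SPACES = {
    "U001": {
        "uid": "U001",
        "groups": [
            {"gn": "family", "gmids": ["U001", "U002"], "dids": [DEV_A],
             "expiresin": -1, "created": 0},
            {"gn": "guest", "gmids": ["U001", "U003"], "dids": [DEV_A, DEV_B],
             "expiresin": 1000, "created": 0},
        ],
    },
}


def group_is_live(group, now):
    """expiresin == -1 means permanent; otherwise the group lives expiresin seconds."""
    if group["expiresin"] == -1:
        return True
    return now < group["created"] + group["expiresin"]


def find_target_group(uid, did, now, spaces=USER_SPACES, bindings=BINDINGS):
    """Return the name of a live group that lists BOTH uid and did, else None.

    The user ID bound to the device is the lookup key, so only that user's
    space is searched (the candidate-group narrowing the description mentions).
    """
    owner = bindings.get(did)
    space = spaces.get(owner)
    if space is None:
        return None
    for group in space["groups"]:
        if not group_is_live(group, now):
            continue
        # Membership and device must match inside the SAME group; a user listed
        # in one group and a device listed in another does not grant access.
        if uid in group["gmids"] and did in group["dids"]:
            return group["gn"]
    return None


def decide(uid, did, now, spaces=USER_SPACES, bindings=BINDINGS):
    """Return 'forward' (access allowed) or 'reject' (access forbidden)."""
    if bindings.get(did) == uid:
        return "forward"  # binding relationship is sufficient on its own
    if find_target_group(uid, did, now, spaces, bindings) is not None:
        return "forward"
    return "reject"


if __name__ == "__main__":
    cases = [("U001", DEV_B, 10), ("U002", DEV_A, 10), ("U002", DEV_B, 10),
             ("U003", DEV_B, 500), ("U003", DEV_B, 1000), ("U004", DEV_A, 10)]
    for uid, did, now in cases:
        print(uid, did[:8], now, decide(uid, did, now))
```

U002 is a member of family and DEV_B is shared in guest, yet U002 is rejected for DEV_B because no single group contains both.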
In this embodiment of the present invention, the second access device sends an update request to the server based on the second user identifier. The update request causes the server to generate a user group, and the generated user group is used to judge the access rights to the target device of the first access device using the first user identifier. The second user identifier has a binding relationship with the target device. Taking the creation and update of a new user group as an example, the server receives the update request sent by the second access device based on the second user identifier, and obtains, according to the update request, a new user group corresponding to the second user identifier.
The second access device logs in to the server with the second user identifier, configures the group information of the new user group, generates an update request based on that group information, and sends the generated update request to the server. The group information of the new user group includes at least the user group name, the identifiers of the group members, and the device identifiers of the shared devices.
Optionally, the identifiers of the group members include the first user identifier, and the shared devices include the target device. In this case, the new user group created by the server is the target user group.
Optionally, the identifiers of the group members also include the second user identifier.
The second access device logs in to the server with the second user identifier in the same way as the first access device logs in to the server with the first user identifier, which is not repeated here.
In some embodiments, the second access device may configure the group information of the new user group as follows: the second access device obtains the group information of the new user group and carries it in the update request.
The second access device obtains the identifiers of the group members to be configured into the new user group, and obtains the device identifiers of the shared devices to be configured into the new user group. The identifiers of the group members may include the first user identifier, and the shared devices obtained may include the target device. The second access device may obtain the identifiers of the group members by LAN transmission, QR code scanning or similar means. The second access device may obtain the identifier of a shared device by LAN transmission, or obtain the identifier of the target device from the identifiers, configured in the server, of devices that have a binding relationship with the second user identifier.
Depending on the information carried in the update request, the server obtains the new user group from the update request in one of the following two modes:
Mode 1
The update request carries only the group information of the new user group to be created this time. For example, when the new user group to be created this time is the user group family, the update message carries only the group information of the new user group family.
In Mode 1, after receiving the update request, the server obtains the new user group corresponding to the second user identifier according to the update request as follows:
When no existing user group corresponds to the second user identifier, the server creates the new user group according to the user group name, the identifiers of the group members and the device identifiers of the shared devices carried in the update request. When existing user groups correspond to the second user identifier and their group names do not include the user group name of the new user group carried in the update request, the server creates the new user group according to the user group name, the identifiers of the group members and the device identifiers of the shared devices carried in the update request. When existing user groups correspond to the second user identifier and their group names include the user group name of the new user group carried in the update request, the server takes the user group with that name as the reference user group and updates the group information of the reference user group according to the identifiers of the group members and the device identifiers of the shared devices carried in the update request, obtaining the new user group.
Mode 2
The update request may carry the group information of the user groups groups as they stand after the user group is created. For example: the group information of the created user group family and of the existing user group guest.
In Mode 2, the second access device queries the server for the group information of the existing user groups corresponding to the second user identifier, and carries the obtained group information of the existing user groups in the update request. Here, the information carried in the update request is the group information of the new user group together with the group information of the existing user groups queried from the server.
The second access device may send a query request to the server to obtain the existing user groups corresponding to the second user identifier. After obtaining the existing user groups of the second user identifier, the second access device updates them to obtain the updated user groups. The updated user groups include the new user group and the existing user groups corresponding to the second user identifier.
Optionally, the new user group is a newly added user group, or a user group obtained by updating a reference user group among the existing user groups.
The existing user groups may be updated according to whether they include a user group with the same group name as the new user group. When the existing user groups do not include a user group with the same group name as the new user group, a new user group is created, and the new user group is a newly added user group. When the existing user groups include a user group with the same group name as the new user group, that user group is called the reference user group, and its group information is updated to become the new user group; in this case, the new user group is a user group obtained by updating the reference user group among the existing user groups.
In Mode 2, after receiving the update request, the server obtains the new user group corresponding to the second user identifier according to the update request as follows: the server overwrites the group information of the existing user groups corresponding to the second user identifier with the group information of the updated at least one user group, obtaining the updated at least one user group.
In this embodiment of the present invention, after receiving the update request sent by the second access device, the server checks the relationship between the shared device and the second user identifier according to the second user identifier carried in the update request. When the user identifier that has a binding relationship with the shared device is the second user identifier, the server obtains the new user group corresponding to the second user identifier according to the update request. Here, only when the second user equipment is the user identifier associated with the shared device, which indicates that the second user identifier is the administrator account of the shared device, can the user group corresponding to the second user identifier be updated according to the update request.
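Mode 1 combined with the binding check above, as an added sketch that is not code from the patent. The store layout, the token values, the `DEV_X` placeholder, the function names and the returned status strings are assumptions; the token comparison corresponds to the user ID and access token verification the description performs in step S504.

```python
"""Mode 1 update handling: authenticate, check device binding, then create or update."""
import hmac

DEV_A = "0685B960-736F-46F7-BEC0-9E6CBD61ADC1"
DEV_X = "DEVICE-BOUND-TO-ANOTHER-USER"  # constructed placeholder device ID


def new_store():
    """Constructed server state: access tokens, device bindings, user spaces."""
    return {
        "tokens": {"U001": "token-u001", "U002": "token-u002"},
        "bindings": {DEV_A: "U001", DEV_X: "U009"},  # device ID -> bound user ID
        "spaces": {},                                 # user ID -> user space
    }


def handle_update(store, req):
    """Apply one update request carrying a single group's information (Mode 1)."""
    uid = req["uid"]

    # 1. The requester must present the access token stored for its user ID.
    expected = store["tokens"].get(uid, "")
    presented = req.get("accesstoken", "")
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return "rejected: bad credentials"

    # 2. A group needs at least one member and at least one shared device.
    if not req["gmids"] or not req["dids"]:
        return "rejected: empty members or devices"

    # 3. Every shared device must be bound to the requester; otherwise any
    #    registered user could grant access to devices they do not administer.
    for did in req["dids"]:
        if store["bindings"].get(did) != uid:
            return "rejected: device not bound to requester"

    # 4. Mode 1: create the group, or update the reference group of the same name.
    space = store["spaces"].setdefault(uid, {"uid": uid, "groups": []})
    group = {
        "gn": req["gn"],
        "gmids": list(req["gmids"]),
        "dids": list(req["dids"]),
        "expiresin": req.get("expiresin", -1),
    }
    for index, existing in enumerate(space["groups"]):
        if existing["gn"] == group["gn"]:
            space["groups"][index] = group
            return "updated"
    space["groups"].append(group)
    return "created"


if __name__ == "__main__":
    store = new_store()
    request = {"uid": "U001", "accesstoken": "token-u001", "gn": "family",
               "gmids": ["U001", "U002"], "dids": [DEV_A], "expiresin": -1}
    print(handle_update(store, request))                                 # created
    print(handle_update(store, dict(request, gmids=["U001", "U003"])))   # updated
    print(handle_update(store, dict(request, dids=[DEV_A, DEV_X])))      # rejected
```

Because the checks run before the user space is touched, a rejected request leaves the stored groups unchanged.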
In this embodiment of the present invention, the new user groups created by the server based on the update request may include other user groups in addition to the target user group, and one or more new user groups may be created from a single update request.
In this embodiment of the present invention, a user group is created in the server acting as the cloud, and based on the user group the access rights of the second user identifier to the resources of the target device are shared with the first user identifier, where there is no binding relationship between the first user identifier and the target device, and there is no binding relationship between the second user identifier and the target device. When the first user identifier accesses the resources of the target device and the server determines, based on the user group, that the access rights of the first user identifier to the target device are access allowed, the server lets the first user identifier access the resources of the target device. When the server determines, based on the user group, that the access rights of the first user identifier to the target device are access forbidden, it refuses the first user identifier access to the resources of the target device.
In this embodiment of the present invention, the server may also query the user groups corresponding to the second user identifier based on a query request sent by the second access device. The query may cover all user groups, or only the user group corresponding to the group name carried in the query request.
Taking a query for all user groups as an example: the server receives a query request sent by the second access device based on the second user identifier; the server obtains, based on the query request, the group information of all user groups corresponding to the second user identifier; the server sends the group information of the existing user groups to the second access device.
Taking a query for the user group corresponding to the group name carried in the query request as an example: the server receives a query request sent by the second access device based on the second user identifier, where the query request carries the user group name of the user group to be queried; the server obtains, based on the query request, the group information of the user group to be queried; the server sends the group information of the user group to be queried to the second access device.
In this embodiment of the present invention, the server may also delete the user groups corresponding to the second user identifier based on a deletion request sent by the second access device. The deletion may cover all user groups, or only the user group corresponding to the group name carried in the query request.
Taking deletion of all user groups as an example: the server receives a deletion request sent by the second access device based on the second user identifier; the server deletes all user groups corresponding to the second user group according to the deletion request.
Taking deletion of the user group corresponding to the group name carried in the deletion request as an example: the server receives a deletion request sent by the second access device based on the second user identifier, where the deletion request carries the user group name of the user group to be deleted; the server deletes, according to the deletion request, the group information of the user group to be deleted from the at least one user group corresponding to the second user group.
The present invention is described in detail below with reference to specific embodiments. Here, the cloud platform is the control system in the server acting as the cloud.
Example 1
A resource interface for creating user groups is added to the cloud platform, and registered users of the cloud platform can create user groups for sharing devices through this interface. For example, the cloud platform provides a resource interface (also called a resource link) /group/gen; a registered user of the cloud platform updates the information of the corresponding user group through the resource interface and thereby creates a user group on the cloud platform.
A user group is identified by a group name and contains group members, shared devices and, optionally, a validity period. The group name is a string that can be set by the user. The group members are a list of User IDs containing the User ID of each group member, and a user group includes at least one group member. The shared devices are a list of device identifiers (device IDs) containing the device identifiers of the devices shared within the group. The shared devices of a user group include at least one device. The validity period is the lifetime of the user group, counted in seconds; a value of -1 means permanently valid.
The following example is a representation of a user group:
Figure PCTCN2019091410-appb-000004
In the above example, the group name gn is family, and the group contains two members whose user identifiers gmids are U001 and U002. The two users share one device, whose device identifier dids is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1. The validity period expiresin of the user group is 10000 seconds: the cloud platform starts timing from the moment the user group is created and automatically deletes the user group after 10000 seconds.
A cloud platform user can create multiple user groups. The cloud platform manages all of these user groups in the space allocated to that user, identified by the user's user ID. The space of a user who has created two groups is shown in the following example:
Figure PCTCN2019091410-appb-000005
Figure PCTCN2019091410-appb-000006
其中,该用户的用户标识uid为U001,访问令牌access token为XXXXXXXXXX,groups为该用户对应的用户组的列表。Among them, the user identification uid of the user is U001, the access token is XXXXXXXXXX, and groups is a list of user groups corresponding to the user.
在上例中,用户U001创建了两个用户组:family和guest。用户组family的组成员包括:U001和U002,共享设备的设备标识为0685B960-736F-46F7-BEC0-9E6CBD61ADC1,有效期为永久有效。用户组guest的组成员包括:U001和U003,共享设备的设备标识为0685B960-736F-46F7-BEC0-9E6CBD61ADC1和E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9,有效期为1000秒。In the above example, user U001 created two user groups: family and guest. The group members of the user group family include: U001 and U002, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent. The group members of the user group guest include: U001 and U003. The device identifiers of the shared devices are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
基于上述例子,表征用户U001在云平台创建了一个家庭组,将设备0685B960-736F-46F7-BEC0-9E6CBD61ADC1分享给了U002。该家庭组永久有效。此外,用户U001又为访客U003创建了一个访客组,临时分享了设备0685B960-736F-46F7-BEC0-9E6CBD61ADC1和E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9,有效期为10000秒。Based on the above example, the characterization user U001 created a family group on the cloud platform and shared the device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002. The family group is permanently valid. In addition, user U001 created a visitor group for visitor U003, and temporarily shared the devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, with a valid period of 10,000 seconds.
这里,U002可为用户U001所在的家庭的家庭成员,U004可为访客。Here, U002 may be a family member of the household where the user U001 is located, and U004 may be a visitor.
下面分别对用户组的创建、查询和删除进行说明。The following describes the creation, query, and deletion of user groups.
(1)、创建和更新用户组(1), create and update user groups
假设用户A已经注册了云平台的账号userA_ID,并且将一台设备配置连接云平台,用户A为该设备在云平台上的管理员。此时,有另一在云平台上注册的用户B也想通过云平台控制该设备。用户A创建用户组将该设备分享给用户B。具体操作步骤,如图5所示,包括:Assume that user A has registered the account userA_ID of the cloud platform, and configured a device to connect to the cloud platform, and user A is the administrator of the device on the cloud platform. At this time, another user B who is registered on the cloud platform also wants to control the device through the cloud platform. User A creates a user group to share the device with user B. The specific operation steps, as shown in Figure 5, include:
步骤S501、用户A使用客户端A(ClientA)通过局域网传输、扫二维码等方式获取用户B的终端客户端B(ClientB)中存储的User ID(userB_ID)。Step S501: The user A uses the client A (Client A) to obtain the User ID (userB_ID) stored in the user B's terminal client B (Client B) by means of LAN transmission, scanning a QR code, and the like.
其中,客户端A的User ID为userA_ID)。Among them, the User ID of client A is userA_ID).
Step S502: ClientA obtains, through the local area network or the cloud platform, the device ID of the target device to be configured into the user group. Since user A is the administrator of the target device, ClientA may have kept the device ID of the target device ever since configuring the device; in that case, step S502 can be skipped.
Step S503: ClientA sends an update request to the resource interface of the cloud platform. The parameters carried in the update request include userA_ID, the access token, the group name, the user IDs of the group members (including userA_ID and userB_ID), the device ID of the shared device in the group, and the validity period (expiration). The shared device in the group is the target device. The address of the resource interface may be a fixed address, such as /group/gen.
Step S504: After receiving the update request from ClientA, the cloud platform verifies userA_ID and the access token against the correspondence between User IDs and access tokens stored on the cloud platform. When the verification passes, user A is confirmed to be a legitimate user.
Step S505: The cloud platform checks the binding relationship between the target device in the update request and user A according to the binding relationship between userA_ID and devices, that is, it checks whether the target device is a device managed by user A.
In practical applications, when the user group includes multiple shared devices, the cloud platform checks the binding relationship between each device in the update request and user A according to the binding relationship between userA_ID and devices, that is, it checks whether each device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
Step S506: The cloud platform looks up the user groups corresponding to user A according to userA_ID.
The cloud platform uses userA_ID to find the entry corresponding to user A in the user group list, and within that entry looks up the user group by the group name carried in the update request. The entry corresponding to user A includes all existing user groups corresponding to user A.
Step S507: If no user group with that group name is found in the entry corresponding to user A, the cloud platform creates a new user group under that entry; this is the target user group. The target user group is named with the group name carried in the update request, the member IDs in the group are the userA_ID and userB_ID carried in the update request, and the device ID in the group is the device ID of the target device.
If a user group with that group name already exists under the entry corresponding to user A, that user group is found in the entry and taken as the reference user group. If the group members of the reference user group already include userA_ID, userB_ID is added to the User IDs of the group members, and the device ID of the incoming target device is added to the devices shared in the group.
Step S508: After the user group has been successfully established, the cloud platform returns an OK response to ClientA.
Step S509: ClientB accesses the target device through the cloud platform.
Step S5010: The cloud platform determines whether user B and the accessed target device are in the same user group. If so, the cloud platform allows the access request and forwards it to the target device; if not, it rejects the access request.
Step S5011: If the target device has been shared with user B through the user group, the target device executes the access request, and step S5012 is executed to return a response to ClientB.
(2) Viewing user groups
After the cloud platform creates a user group, the group administrator can view the user group.
User A sends a query request (a RETRIEVE request) to the resource interface of the cloud platform, with uid=userA_ID as the query condition. For example, when the address of the resource interface is /group/gen, the query request may be retrieve/group/gen?uid=U001. Alternatively, the cloud platform may determine the user ID itself from user A's access information, in which case the query request need not carry the query condition uid=userA_ID.
After receiving the query request, the cloud platform first verifies the User ID of user A. After the User ID passes verification, the cloud platform returns to user A, as the response, the content of groups under the entry corresponding to user A's User ID.
If user A wants to query a particular user group, the RETRIEVE request is sent with uid=userA_ID and gn=groupname as the query conditions. For example, when the address of the resource interface is /group/gen, the query request may be retrieve/group/gen?uid=U001&gn=guest.
Here too, the cloud platform may determine the user ID itself from user A's access information, in which case the query request need not carry the query condition uid=userA_ID.
After receiving the query request, the cloud platform verifies the User ID of user A. After the User ID passes verification, the cloud platform returns to user A, as the response, the user group whose group name is guest in groups under the entry corresponding to user A's User ID.
(3) Deleting user groups
A user can also delete the user groups that the user has created.
User A sends a delete request (a DELETE request) to the resource interface of the cloud platform, with uid=userA_ID as the query condition. For example, when the address of the resource interface is /group/gen, the delete request may be delete/group/gen?uid=U001. Alternatively, the cloud platform may determine the user ID itself from user A's access information, in which case the request need not carry the query condition uid=userA_ID.
After receiving the delete request, the cloud platform first verifies the User ID of user A. After the User ID passes verification, the cloud platform clears the content of groups under the entry corresponding to user A's User ID and returns a success response to user A.
If user A wants to delete a particular user group, the DELETE request is sent with uid=userA_ID and gn=groupname as the query conditions. For example, when the address of the resource interface is /group/gen, the delete request may be delete/group/gen?uid=U001&gn=guest. Alternatively, the cloud platform may determine the user ID itself from user A's access information, in which case the request need not carry the query condition uid=userA_ID.
After receiving the delete request, the cloud platform first verifies the User ID of user A. After the User ID passes verification, the cloud platform deletes the user group whose group name is guest in groups under the entry corresponding to user A's User ID and returns a success response to user A.
Example two
A resource interface for creating user groups is added to the cloud platform. Registered users of the cloud platform can create user groups for sharing devices through this resource interface. For example, the cloud platform provides a resource interface /group/gen; a registered user of the cloud platform updates the information of the corresponding user group through the resource interface and thereby creates a user group on the cloud platform.
A user group is identified by a group name and contains group members, shared devices and, optionally, a validity period. The group name is a string that can be set by the user. The group members are a list of User IDs containing the User ID of each group member; a user group includes at least one group member. The shared devices are likewise a list of device identifiers (device IDs) containing the device identifiers of the devices shared within the group; the shared devices of a user group include at least one device. The validity period is the lifetime of the user group, counted in seconds; a value of -1 means permanently valid.
The following example is a representation of a user group:
Figure PCTCN2019091410-appb-000007
In the above example, the group name gn is family, and the user identifier gmids of the group member it contains is U002. This user shares one device with the administrator of the device; the device identifier dids is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1. The validity period expiresin of the user group is 10000 seconds: the cloud platform starts timing from the moment the user group is created and automatically deletes the user group after 10000 seconds.
A cloud platform user can create multiple user groups. The cloud platform manages all of these user groups in the space allocated to that user, which is identified by the user's user ID. The space of a user who has created two groups is shown in the following example:
Figure PCTCN2019091410-appb-000008
Figure PCTCN2019091410-appb-000009
Here, the user identifier uid of the user is U001, the access token is XXXXXXXXXX, and groups is the list of user groups corresponding to the user.
In the above example, user U001 has created two user groups, family and guest. The group members of user group family are U002 and U003, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent. The group member of user group guest is U004, the device identifiers of the shared devices are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
Based on the above example, user U001 has created a family group on the cloud platform and shared the device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002 and U003. The family group is permanently valid. In addition, user U001 has created a visitor group for visitor U004 and temporarily shared the devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, with a validity time of 10,000 seconds.
Here, U002 and U003 may be family members of the household to which user U001 belongs, and U004 may be a visitor.
The creation, query, and deletion of user groups are described below.
(1) Creating and updating user groups
Assume that user A has registered the account userA_ID on the cloud platform and has configured a device to connect to the cloud platform, so that user A is the administrator of the device on the cloud platform. Another user B, who is also registered on the cloud platform, wants to control the device through the cloud platform. User A creates a user group to share the device with user B. The specific steps, as shown in Figure 6, include:
Step S601: User A uses client A (ClientA) to obtain the User ID (userB_ID) stored in user B's terminal client B (ClientB), by means such as local area network transmission or scanning a QR code.
Here, the User ID of client A is userA_ID.
Step S602: ClientA obtains, through the local area network or the cloud platform, the device ID of the target device to be configured into the user group. Since user A is the administrator of the target device, ClientA may have kept the device ID of the device ever since configuring the device, and step S602 can be skipped.
Step S603: ClientA sends an update request to the resource interface of the cloud platform. The parameters carried in the update request include userA_ID, the access token, the group name, the group member ID (userB_ID), the device ID of the shared device in the group, and the validity period (expiration). The shared device in the group is the target device.
Step S604: After receiving the update request from ClientA, the cloud platform verifies userA_ID and the access token against the correspondence between User IDs and access tokens stored on the cloud platform. When the verification passes, user A is confirmed to be a legitimate user.
Step S605: The cloud platform checks the binding relationship between the target device in the update request and user A according to the binding relationship between userA_ID and devices, that is, it checks whether the target device is a device managed by user A.
In practical applications, when the user group includes multiple shared devices, the cloud platform checks the binding relationship between each device in the update request and user A according to the binding relationship between userA_ID and devices, that is, it checks whether each device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
Step S606: The cloud platform looks up the user groups corresponding to user A according to userA_ID.
The cloud platform uses userA_ID to find the entry corresponding to user A in the user group list, and within that entry looks up the user group by the group name carried in the update request. The entry corresponding to user A includes all existing user groups corresponding to user A.
Step S607: If no user group with that group name is found in the entry corresponding to user A, the cloud platform creates a new user group under that entry, namely the target user group. The target user group is named with the group name carried in the update request, the member ID in the group is the userB_ID carried in the update request, and the device ID in the group is the device ID of the target device carried in the update request.
If a user group with that group name already exists under the entry corresponding to user A, that user group is found in the entry and taken as the reference user group; userB_ID is added to the group members of the reference user group, and the incoming device ID is added to the devices shared in the group.
Step S608: After the user group has been successfully established, the cloud platform returns an OK response to ClientA.
Step S609: ClientB accesses the target device through the cloud platform.
Step S6010: The cloud platform checks the binding relationship between ClientB and the target device; if the binding relationship holds, the access request is allowed directly. Since the target device is bound to ClientA, the binding relationship between ClientB and the target device does not hold, and the group permissions must further be checked to determine whether access is allowed.
Step S6011: The cloud platform determines whether user B and the accessed target device are in the same user group. If so, the cloud platform allows the access request and forwards it to the target device; if not, it rejects the access request.
Step S6012: If the target device has been shared with user B through the user group, the target device executes the access request, and step S6013 is executed to return a response to ClientB.
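The server-side checks of steps S503 to S5010 and S603 to S6011 can be modelled in a few lines. The following is an added sketch, not code from the patent: the `GroupServer` class, its method names, the in-memory store layout, the token values, the authentication of the accessing user, and the rule that an existing group's validity period is left unchanged on update are all assumptions; the device IDs are the ones quoted in the text.

```python
import hmac
import time

# Device IDs quoted from the text; everything else below is constructed.
DEV1 = "0685B960-736F-46F7-BEC0-9E6CBD61ADC1"
DEV2 = "E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9"


class GroupServer:
    """Hypothetical in-memory model of the cloud platform's group store."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}    # uid -> access token
        self.bindings = {}  # device ID -> uid of the administrator
        self.spaces = {}    # owner uid -> {group name: group record}

    def _authenticated(self, uid, token):
        expected = self.tokens.get(uid)
        if expected is None or not isinstance(token, str):
            return False
        # Constant-time comparison of the stored and the presented token.
        return hmac.compare_digest(expected.encode(), token.encode())

    def _live(self, group):
        # expiresin == -1 is permanent; otherwise the timer runs from creation.
        exp = group["expiresin"]
        return exp == -1 or self.clock() < group["created"] + exp

    def update_group(self, uid, token, gn, gmids, dids, expiresin=-1):
        # S504/S604: the requester must present the token stored for the uid.
        if not self._authenticated(uid, token):
            return "unauthorized"
        # A group has at least one member and at least one shared device.
        if not gn or not gmids or not dids:
            return "bad request"
        # S505/S605: every device in the request must be bound to the requester.
        if any(self.bindings.get(d) != uid for d in dids):
            return "forbidden"
        # S506/S606: look the group up by name inside the requester's own entry.
        groups = self.spaces.setdefault(uid, {})
        group = groups.get(gn)
        if group is None or not self._live(group):
            # S507/S607: no (live) group of that name, so create it.
            groups[gn] = {"gn": gn, "gmids": list(dict.fromkeys(gmids)),
                          "dids": list(dict.fromkeys(dids)),
                          "expiresin": expiresin, "created": self.clock()}
        else:
            # Existing group: add the new members and devices, without duplicates.
            for key, new in (("gmids", gmids), ("dids", dids)):
                group[key] += [x for x in dict.fromkeys(new) if x not in group[key]]
        return "ok"

    def authorize(self, uid, token, did):
        if not self._authenticated(uid, token):
            return False
        # S6010: the bound administrator is allowed directly.
        if self.bindings.get(did) == uid:
            return True
        # S5010/S6011: otherwise user and device must share a live group.
        for groups in self.spaces.values():
            for group in groups.values():
                if self._live(group) and uid in group["gmids"] and did in group["dids"]:
                    return True
        return False


def demo():
    now = [0.0]  # controllable clock, so the expiry is reproducible
    srv = GroupServer(clock=lambda: now[0])
    srv.tokens = {"U001": "tokA", "U002": "tokB", "U004": "tokG"}
    srv.bindings = {DEV1: "U001", DEV2: "U001"}
    srv.update_group("U001", "tokA", "family", ["U002"], [DEV1])
    srv.update_group("U001", "tokA", "guest", ["U004"], [DEV1, DEV2], 1000)
    before = srv.authorize("U004", "tokG", DEV2)
    now[0] = 1000.0  # the guest group's validity period has elapsed
    after = srv.authorize("U004", "tokG", DEV2)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The binding check in `update_group` is what stops a group member from re-sharing a device they do not administer, and `_live` is evaluated on every access so an expired group stops granting access even if the deletion job has not yet run.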
(2) Viewing user groups
After the cloud platform creates a user group, the group administrator can view the user group.
User A sends a query request (a RETRIEVE request) to the resource interface of the cloud platform, with uid=userA_ID as the query condition. For example, if the address of the resource interface is /group/gen, the query request may be retrieve/group/gen?uid=U001. Alternatively, the cloud platform may determine the user ID itself from user A's access information, in which case the query request need not carry the query condition uid=userA_ID.
After receiving the query request, the cloud platform first verifies the User ID of user A. After the User ID passes verification, the cloud platform returns to user A, as the response, the content of groups under the entry corresponding to user A's User ID.
If user A wants to query a particular user group, the RETRIEVE request is sent with uid=userA_ID and gn=groupname as the query conditions, for example: retrieve/group/gen?uid=U001&gn=guest.
Here too, the cloud platform may determine the user ID itself from user A's access information, in which case the query request need not carry the query condition uid=userA_ID.
After receiving the query request, the cloud platform first verifies the User ID of user A. After the User ID passes verification, the cloud platform returns to user A, as the response, the user group whose group name is guest in groups under the entry corresponding to user A's User ID.
(3) Deleting user groups
A user can also delete the user groups that the user has created.
User A sends a delete request (a DELETE request) to the resource interface of the cloud platform, with uid=userA_ID as the query condition. For example, if the address of the resource interface is /group/gen, the delete request may be delete/group/gen?uid=U001. Alternatively, the cloud platform may determine the user ID itself from user A's access information, in which case the request need not carry the query condition uid=userA_ID.
After receiving the delete request, the cloud platform first verifies the User ID of user A. After the User ID passes verification, the cloud platform clears the content of groups under the entry corresponding to user A's User ID and returns a success response to user A.
If user A wants to delete a particular user group, the DELETE request is sent with uid=userA_ID and gn=groupname as the query conditions. For example, if the address of the resource interface is /group/gen, the delete request may be delete/group/gen?uid=U001&gn=guest. Alternatively, the cloud platform may determine the user ID itself from user A's access information, in which case the request need not carry the query condition uid=userA_ID.
After receiving the delete request, the cloud platform first verifies the User ID of user A. After the User ID passes verification, the cloud platform deletes the user group whose group name is guest in groups under the entry corresponding to user A's User ID and returns a success response to user A.
Example three
A resource interface for creating user groups is added to the cloud platform. Registered users of the cloud platform can create user groups for sharing devices through this resource interface. For example, the cloud platform provides a resource interface /group/gen; a registered user of the cloud platform updates the information of the corresponding user group through the resource interface and thereby creates a user group on the cloud platform.
A user group is identified by a group name and contains group members, shared devices and, optionally, a validity period. The group name is a string that can be set by the user. The group members are a list of User IDs containing the User ID of each group member; a user group includes at least one group member. The shared devices are likewise a list of device identifiers (device IDs) containing the device identifiers of the devices shared within the group; the shared devices of a user group include at least one device. The validity period is the lifetime of the user group, counted in seconds; a value of -1 means permanently valid.
The following example is a representation of a user group:
Figure PCTCN2019091410-appb-000010
In the above example, the group name gn is family, and the group contains two members, whose user identifiers gmids are U001 and U002. The two users share one device; the device identifier dids is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1. The validity period expiresin of the user group is 10000 seconds: the cloud platform starts timing from the moment the user group is created and automatically deletes the user group after 10000 seconds.
A cloud platform user can create multiple user groups. The cloud platform manages all of these user groups in the space allocated to that user, which is identified by the user's user ID. The space of a user who has created two groups is shown in the following example:
Figure PCTCN2019091410-appb-000011
Here, the user identifier uid of the user is U001, the access token accesstoken is XXXXXXXXXX, and groups is the list of user groups corresponding to the user.
In the above example, user U001 has created two user groups, family and guest. The group members of user group family are U001 and U002, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent. The group members of user group guest are U001 and U003, the device identifiers of the shared devices are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
Based on the above example, user U001 has created a family group on the cloud platform and shared the device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002. The family group is permanently valid. In addition, user U001 has created a visitor group for visitor U003 and temporarily shared the devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, with a validity time of 10,000 seconds.
Here, U002 may be a family member of the household to which user U001 belongs, and U004 may be a visitor.
The creation, query, and deletion of user groups are described below.
(1) Creating a user group
Assume that user A has registered the account userA_ID on the cloud platform and has configured a device to connect to the cloud platform, so that user A is the administrator of the device on the cloud platform. Another user B, who is also registered on the cloud platform, wants to control the device through the cloud platform. User A creates a user group to share the device with user B. The specific steps, as shown in Figure 7, include:
Step S701: User A uses ClientA to obtain the user ID (userB_ID) stored in user B's terminal ClientB, by means such as local area network transmission or scanning a QR code.
Here, the User ID of ClientA is userA_ID.
Step S702: ClientA obtains, through the local area network or the cloud platform, the device ID of the device to be configured into the group. Since user A is the administrator of the target device, ClientA may have kept the device ID of the target device ever since configuring the device; in that case, step S702 can be skipped.
Step S703: ClientA sends a query request to the resource interface of the cloud platform.
Here, when the address of the resource interface is /group/gen, the query request may be retrieve/group/gen.
Step S704: After receiving the query request, the cloud platform verifies the User ID of user A. After the User ID passes verification, the cloud platform returns to the user, as the response, the content of groups under the entry corresponding to user A's User ID. The content of groups includes the group name, the group member IDs, the device IDs of the shared devices, and the validity period of each user group.
Step S705: ClientA adds a new user group to the groups obtained by the query, yielding the updated groups. The group information of the newly added user group includes the group name, the group member IDs (userA_ID and userB_ID), the device ID of the target device, and the validity period.
Step S706: ClientA sends an update request to the resource interface of the cloud platform. The parameters carried in the update request include userA_ID, the access token, and the updated groups.
Step S707: After receiving the update request, the cloud platform verifies userA_ID and the access token against the correspondence between user IDs and access tokens stored on the cloud platform. When the verification passes, user A is confirmed to be a legitimate user.
Step S708: The cloud platform checks the binding relationship between the newly added target device and user A according to the binding relationship between userA_ID and devices, that is, it checks whether the newly added target device is a device managed by user A.
In practical applications, when the user group includes multiple shared devices, the cloud platform checks the binding relationship between each newly added device in the update request and user A according to the binding relationship between userA_ID and devices, that is, it checks whether each newly added device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
Step S709: The cloud platform updates the groups corresponding to user A.
Step S7010: After the user group has been successfully established, the cloud platform returns an OK response to ClientA.
Step S7011: ClientB accesses the target device through the cloud platform.
Step S7012: The cloud platform determines whether user B and the accessed device are in the same group. If so, the cloud platform allows the access request and forwards it to the target device; if not, it rejects the access request.
Step S7013: If the target device has been shared with user B through the user group, the target device executes the access request, and step S7014 is executed to return a response to ClientB.
(2) Update user group
User A updates an existing user group to share the target device with user B. The specific operation steps, as shown in FIG. 8, include:
Step S801: User A uses ClientA to obtain the user ID (userB_ID) stored in user B's terminal ClientB, by means such as LAN transmission or scanning a two-dimensional code.
Here, the User ID of ClientA is userA_ID.
Step S802: ClientA obtains, through the local area network or the cloud platform, the device ID of the device to be configured into the group. Since user A is the administrator of the target device, ClientA may also have kept the device ID of the target device ever since the device was configured; in this case, step S702 can be skipped.
Step S803: ClientA sends a query request to the resource interface of the cloud platform.
For example, when the fixed address is /group/gen, the query request can be retrieve/group/gen.
Step S804: After receiving the query request, the cloud platform verifies the User ID of user A. After the User ID verification passes, the content of groups under the entry corresponding to user A's User ID is returned to the user as the response. The content of groups includes the group name of each user group, the group member IDs, the device ID of the shared device, and the validity period.
Step S805: ClientA adds a group member ID (userB_ID) and the target device (device ID) to an existing group in the groups obtained by the query, to obtain the updated groups.
Step S806: ClientA sends an update request to the resource interface of the cloud platform. The parameters carried in the update request include userA_ID, the access token, and the updated groups.
Step S807: After receiving the update request, the cloud platform verifies userA_ID and the access token against the correspondence between user IDs and access tokens stored on the cloud platform. When the verification passes, it confirms that user A is a legitimate user.
Step S808: The cloud platform checks the binding relationship between the newly added target device and user A according to the binding relationship between userA_ID and devices, that is, it checks whether the newly added target device is a device managed by user A.
In practical applications, when the user group includes multiple shared devices, the cloud platform checks, according to the binding relationship between userA_ID and devices, the binding relationship between each newly added device in the update request and user A, that is, it checks whether each newly added device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
Step S809: The cloud platform updates the groups corresponding to user A.
Step S8010: After the cloud platform successfully establishes the user group, it returns the response OK to ClientA.
Step S8011: ClientB accesses the target device through the cloud platform.
Step S8012: The cloud platform determines whether user B and the accessed target device are in the same group. If so, the cloud platform allows the access request and forwards it to the target device; if not, it rejects the access request.
Step S8013: If the device has been shared with user B based on the user group, the device executes the access request, and step S8014 is executed to return a response to ClientB.
(3) Delete user group
The user can also delete the user groups that have been created.
User A sends a DELETE request to the resource interface of the cloud platform, with uid=userA_ID as the query condition. For example, when the resource interface is /group/gen: delete/group/gen?uid=U001. Alternatively, the cloud platform can determine the user ID itself from user A's access information, in which case the query condition uid=userA_ID may be omitted.
After receiving the delete request, the cloud platform first verifies the userID of user A. After the userID verification passes, it clears the content of groups under the entry corresponding to user A's userID and returns a response to user A indicating that the operation succeeded.
If user A wants to delete one particular user group, the DELETE request uses uid=userA_ID and gn=groupname as the query conditions, for example: delete/group/gen?uid=U001&gn=guest. Here too, the cloud platform can determine the user ID itself from user A's access information, in which case the query condition uid=userA_ID may be omitted.
After receiving the delete request, the cloud platform first verifies the userID of user A. After the userID verification passes, it deletes the user group named guest from groups under the entry corresponding to user A's userID and returns a response to user A indicating that the operation succeeded.
To implement the above access control method, an embodiment of the present invention further provides a server. As shown in FIG. 9, the server 304 includes:
a receiving unit 901, configured to receive an access request, sent by a first access device based on a first user identifier, for accessing a target device;
an authority unit 902, configured to determine, according to at least one user group, the access authority of the first user identifier to the target device;
a processing unit 903, configured to process the access request according to the access authority.
In the embodiment of the present invention, the access authority includes: access permitted and access prohibited; the processing unit 903 is configured to:
when the access authority is access permitted, forward the access request to the target device;
when the access authority is access prohibited, reject the access request.
In the embodiment of the present invention, the authority unit 902 is configured as follows:
when the at least one user group includes a target user group, the server determines that the access authority of the first user identifier is access permitted; the group members of the target user group include the first user identifier, and the device identifier of the shared device in the target user group includes the device identifier of the target device.
In the embodiment of the present invention, the authority unit 902 is configured as follows:
when the group members of each user group in the at least one user group do not include the first user identifier, the server determines that the access authority of the first user identifier is access prohibited; or
when the device identifier of the shared device of each user group in the at least one user group does not include the device identifier of the target device, the server determines that the access authority of the first user identifier is access prohibited; or
when, in the at least one user group, the user group whose group members do not include the first user identifier and the user group whose shared-device identifier does not include the device identifier of the target device are not the same user group, the server determines that the access authority of the first user identifier to the target device is access prohibited.
In the embodiment of the present invention, the authority unit 902 is further configured as follows:
when the user identifiers of the group members of the user group do not include a user identifier that has a binding relationship with the target device, and the first user identifier does not have a binding relationship with the device, the access authority of the first user identifier to the target device is determined according to at least one user group.
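The update-request checks (steps S806 to S809) and the same-group access decision (step S8012 and the authority unit 902 rules above) can be exercised together. The following Python is an added example, not code from the patent: the class and field names, the in-memory dictionaries, the sample IDs and tokens, and the treatment of the validity period as an absolute expiry time checked at decision time are all assumptions.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset      # user IDs of the group members
    devices: frozenset      # device IDs of the shared devices
    expires_at: float       # validity period as an absolute time (assumed form)


class CloudPlatform:
    """In-memory stand-in (hypothetical) for the cloud platform's resource interface."""

    def __init__(self, tokens, bindings):
        self.tokens = dict(tokens)      # user ID -> access token
        self.bindings = dict(bindings)  # device ID -> administrator user ID
        self.groups = {}                # owner user ID -> {group name: Group}

    def _token_ok(self, user_id, token):
        expected = self.tokens.get(user_id)
        if expected is None:
            return False
        # Constant-time comparison so the check does not leak token prefixes.
        return hmac.compare_digest(expected.encode(), token.encode())

    def update_groups(self, user_id, token, updated_groups):
        """Update request: token check, binding check, then overwrite."""
        if not self._token_ok(user_id, token):
            return "DENIED: user ID and access token do not match"
        # The client supplies the whole updated groups value, so every device
        # in it is checked; that covers the newly added ones.
        for group in updated_groups:
            for device_id in sorted(group.devices):
                if self.bindings.get(device_id) != user_id:
                    return f"DENIED: {device_id} is not managed by {user_id}"
        self.groups[user_id] = {g.name: g for g in updated_groups}
        return "OK"

    def check_access(self, user_id, device_id, now):
        """Allow only if ONE unexpired group holds both the user and the device."""
        for owned in self.groups.values():
            for group in owned.values():
                if (now < group.expires_at
                        and user_id in group.members
                        and device_id in group.devices):
                    return True   # forward the request to the target device
        return False              # reject the request


def build_demo():
    """Constructed sample data: three users, two devices."""
    platform = CloudPlatform(
        tokens={"U001": "tok-a", "U002": "tok-b", "U003": "tok-c"},
        bindings={"D100": "U001", "D200": "U003"},
    )
    guest = Group("guest", frozenset({"U001", "U002"}), frozenset({"D100"}), 1000.0)
    family = Group("family", frozenset({"U003"}), frozenset({"D200"}), 1000.0)
    results = {
        "bad_token": platform.update_groups("U001", "wrong", [guest]),
        "create": platform.update_groups("U001", "tok-a", [guest]),
        "other_owner": platform.update_groups("U003", "tok-c", [family]),
    }
    # User A tries to share a device that is bound to user C.
    grab = Group("guest", guest.members, frozenset({"D100", "D200"}), 1000.0)
    results["unbound_device"] = platform.update_groups("U001", "tok-a", [grab])
    return platform, results


if __name__ == "__main__":
    platform, results = build_demo()
    print(results)
    print("U002 -> D100:", platform.check_access("U002", "D100", now=500.0))
    print("U002 -> D200:", platform.check_access("U002", "D200", now=500.0))
    print("U002 -> D100 after expiry:", platform.check_access("U002", "D100", now=1000.0))
```

User U002 is a member of one group and device D200 is shared in a different group, so the request is rejected: membership and device must match within the same group.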
In the embodiment of the present invention, the server 304 further includes an update unit, configured to:
receive an update request sent by a second access device based on the second user identifier;
obtain, according to the update request, a new user group corresponding to the second user identifier.
In the embodiment of the present invention, the group information of the new user group carried in the update request includes at least: the user group name, the identifiers of the group members, and the device identifier of the shared device.
In the embodiment of the present invention, the identifiers of the group members include the first user identifier, and the shared device includes the target device.
In the embodiment of the present invention, the identifiers of the group members further include the second user identifier.
In the embodiment of the present invention, the update unit is further configured to:
when there is no existing user group corresponding to the second user identifier, create a new user group according to the user group name of the new user group, the identifiers of the group members, and the device identifier of the shared device carried in the update request;
when there is an existing user group corresponding to the second user identifier, and the group name of the existing user group does not include the user group name of the new user group carried in the update request, create a new user group according to the user group name of the new user group, the identifiers of the group members, and the device identifier of the shared device carried in the update request;
when there is an existing user group corresponding to the second user identifier, and the group name of the existing user group includes the user group name of the new user group carried in the update request, take the user group corresponding to the user group name of the new user group as a reference user group, and update the group information of the reference user group according to the identifiers of the group members and the device identifier of the shared device carried in the update request, to obtain the new user group.
In the embodiment of the present invention, the update request carries the group information of the updated at least one user group; the updated at least one user group includes: the new user group and the existing user group corresponding to the second user identifier; the update unit is further configured to:
overwrite the group information of the existing user group corresponding to the second user identifier with the group information of the updated at least one user group, to obtain the updated at least one user group.
In the embodiment of the present invention, the new user group is a newly added user group or a user group obtained by updating a reference user group among the existing user groups.
In the embodiment of the present invention, the group information of the new user group includes: the user group name, the identifiers of the group members, and the device identifier of the shared device.
In the embodiment of the present invention, the identifiers of the group members include the first user identifier, and the shared device includes the target device.
In the embodiment of the present invention, the identifiers of the group members further include the second user identifier.
In the embodiment of the present invention, the update unit is further configured to:
when the user identifier that has a binding relationship with the shared device is the second user identifier, obtain, according to the update request, a new user group corresponding to the second user identifier.
In the embodiment of the present invention, the group information of the new user group further includes a validity period; the server further includes a first deleting unit, configured such that when the time since creation of the new user group reaches the validity period, the server deletes the new user group.
In the embodiment of the present invention, the server further includes a first query unit, configured to:
receive a query request sent by the second access device based on the second user identifier;
acquire, based on the query request, the group information of all user groups corresponding to the second user identifier;
send the group information of the existing user group to the second access device.
In the embodiment of the present invention, the server further includes a second query unit, configured to:
receive a query request sent by the second access device based on the second user identifier, the query request carrying the user group name of the user group to be queried;
acquire, based on the query request, the group information of the user group to be queried;
send the group information of the user group to be queried to the second access device.
In the embodiment of the present invention, the server further includes a second deleting unit, configured to:
receive a deletion request sent by the second access device based on the second user identifier;
delete, according to the deletion request, all user groups corresponding to the second user group.
In the embodiment of the present invention, the server further includes a third deleting unit, configured to:
receive a deletion request sent by the second access device based on the second user identifier, the deletion request carrying the user group name of the user group to be deleted;
delete, according to the deletion request, the group information of the user group to be deleted from the at least one user group corresponding to the second user group.
An embodiment of the present invention further provides an access device 1000, serving as the first access device 301 in FIG. 3. As shown in the structural diagram in FIG. 10A, the access device includes:
a selection unit 1001, configured to determine the target device selected by a received selection operation;
a first sending unit 1002, configured to generate an access request based on the device identifier corresponding to the target device and send the access request to a server, so that the server determines, according to at least one user group, the access authority of the first user identifier used by the access device to the target device.
In the embodiment of the present invention, the access device 1000 further includes a second sending unit, configured to send the first user identifier to a second access device that uses the second user identifier, so that the second access device generates an update request based on the first user identifier. The update request is used by the server to establish a new user group, and the group members of the new user group include the first access device.
An embodiment of the present invention further provides an access device 1010, serving as the second access device 302 in FIG. 3. As shown in the structural diagram in FIG. 10B, the access device includes:
a group establishing unit 1011, configured to send an update request to the server based on the second user identifier. The update request is used to make the server generate a user group; the generated user group is used to determine the access authority of the first access device, which uses the first user identifier, to the target device; and the second user identifier has a binding relationship with the target device.
In the embodiment of the present invention, the access device 1010 further includes:
a first acquiring unit, configured to acquire the group information of a new user group and carry the group information of the new user group in the update request.
In the embodiment of the present invention, the access device 1010 further includes a second acquiring unit, configured to query the server for the group information of the existing user group corresponding to the second user identifier, and to carry the acquired group information of the existing user group in the update request.
In the embodiment of the present invention, the access device 1010 further includes:
a group update unit, configured to, when the user group name of the existing user group includes the user group name of the new user group, take the existing user group corresponding to the user group name of the new user group as a reference user group, and update the group information of the reference user group with the group information of the new user group.
An embodiment of the present invention further provides a server, including a processor and a memory for storing a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the access control method performed by the above server.
An embodiment of the present invention further provides an access device, including a processor and a memory for storing a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the access control method performed by the above access device 1000.
An embodiment of the present invention further provides an access device, including a processor and a memory for storing a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the access control method performed by the above access device 1010.
FIG. 11 is a schematic diagram of the hardware structure of an electronic device (access device or server) according to an embodiment of the present invention. The electronic device 1100 includes: at least one processor 1101, a memory 1102, and at least one network interface 1104. The components of the electronic device 1100 are coupled together through a bus system 1105. It can be understood that the bus system 1105 is used to implement connection and communication between these components. In addition to a data bus, the bus system 1105 also includes a power bus, a control bus, and a status signal bus. For clarity of description, however, the various buses are all labeled as the bus system 1105 in FIG. 11.
It can be understood that the memory 1102 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memory. The non-volatile memory may be ROM, programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory (Flash Memory), magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be random access memory (RAM, Random Access Memory), which is used as an external cache.
By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), SyncLink dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory 1102 described in the embodiment of the present invention is intended to include, but is not limited to, these and any other suitable types of memory.
The memory 1102 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device 1100. Examples of such data include any computer program that operates on the electronic device 1100, such as an application program 11021. A program implementing the method of the embodiment of the present invention may be included in the application program 11021.
The method disclosed in the foregoing embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101. The processor 1101 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 1101 or by instructions in the form of software. The processor 1101 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like. The processor 1101 may implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the memory 1102. The processor 1101 reads the information in the memory 1102 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the electronic device 1100 may be implemented by one or more application-specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), FPGAs, general-purpose processors, controllers, MCUs, MPUs, or other electronic components, for executing the foregoing method.
An embodiment of the present invention further provides a storage medium for storing a computer program.
Optionally, the storage medium can be applied to the server in the embodiment of the present invention, and the computer program causes a computer to execute the corresponding processes in the methods of the embodiment of the present invention. For brevity, details are not repeated here.
Optionally, the storage medium can be applied to the access device in the embodiment of the present invention, and the computer program causes a computer to execute the corresponding processes in the methods of the embodiment of the present invention. For brevity, details are not repeated here.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device. The instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing. The instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
The above are only embodiments of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and scope of the present invention is included in the protection scope of the present invention.

Claims (60)

  1. An access control method, comprising:
    a server receives an access request for accessing a target device, sent by a first access device based on a first user identifier;
    the server determines, according to at least one user group, the access authority of the first user identifier to the target device;
    the server processes the access request according to the access authority.
  2. The method according to claim 1, wherein the access authority includes: access allowed and access prohibited; and the processing of the access request according to the access authority comprises:
    when the access authority is access allowed, forwarding the access request to the target device;
    when the access authority is access prohibited, rejecting the access request.
  3. The method according to claim 2, wherein the determining, according to at least one user group, of the access authority of the first user identifier to the target device comprises:
    when the at least one user group includes a target user group, the server determines that the access authority of the first user identifier to the target device is access allowed; the group members of the target user group include the first user identifier, and the device identifiers of the shared devices in the target user group include the device identifier of the target device.
  4. The method according to claim 2, wherein the determining, according to at least one user group, of the access authority of the first user identifier to the target device comprises:
    when the group members of each user group in the at least one user group do not include the first user identifier, the server determines that the access authority of the first user identifier to the target device is access prohibited; or
    when the device identifiers of the shared devices of each user group in the at least one user group do not include the device identifier of the target device, the server determines that the access authority of the first user identifier to the target device is access prohibited; or when, in the at least one user group, the user group whose group members do not include the first user identifier and the user group whose shared-device device identifiers do not include the device identifier of the target device are not the same user group, the server determines that the access authority of the first user identifier to the target device is access prohibited.
  5. The method according to claim 1, wherein the determining, according to at least one user group, of the access authority of the first user identifier to the target device comprises:
    when the user identifiers of the group members of the user group do not include a user identifier that has a binding relationship with the target device, and the first user identifier does not have a binding relationship with the device, determining, according to at least one user group, the access authority of the first user identifier to the target device.
  6. The method according to any one of claims 1 to 5, further comprising:
    the server receives an update request sent by a second access device based on a second user identifier; the second user identifier has a binding relationship with the target device;
    the server obtains, according to the update request, a new user group corresponding to the second user identifier.
  7. The method according to claim 6, wherein the update request carries group information of the new user group, and the group information includes at least: a user group name, an identifier of a group member, and a device identifier of a shared device.
  8. The method according to claim 7, wherein the identifier of the group member includes: the first user identifier, and the shared device includes: the target device.
  9. The method according to claim 8, wherein the identifier of the group member further includes: the second user identifier.
  10. The method according to any one of claims 7 to 9, wherein the obtaining, according to the update request, of the new user group corresponding to the second user identifier comprises:
    when there is no existing user group corresponding to the second user identifier, creating a new user group according to the user group name of the new user group, the identifier of the group member, and the device identifier of the shared device carried in the update request;
    when there is an existing user group corresponding to the second user identifier, and the group names of the existing user groups do not include the user group name of the new user group carried in the update request, creating a new user group according to the user group name of the new user group, the identifier of the group member, and the device identifier of the shared device carried in the update request;
    when there is an existing user group corresponding to the second user identifier, and the group names of the existing user groups include the user group name of the new user group carried in the update request, taking the user group corresponding to the user group name of the new user group as a reference user group, and updating the group information of the reference user group according to the identifier of the group member and the device identifier of the shared device carried in the update request, to obtain the new user group.
  11. The method according to claim 6, wherein the update request carries group information of at least one updated user group; the at least one updated user group includes: a new user group and an existing user group corresponding to the second user identifier; and the obtaining, according to the update request, of the new user group corresponding to the second user identifier comprises:
    overwriting the group information of the existing user group corresponding to the second user identifier with the group information of the at least one updated user group, to obtain the at least one updated user group.
  12. The method according to claim 11, wherein the new user group is a newly added user group or a user group obtained by updating a reference user group among the existing user groups.
  13. The method according to claim 11 or 12, wherein the group information of the new user group includes at least: a user group name, an identifier of a group member, and a device identifier of a shared device.
  14. The method according to claim 13, wherein the identifier of the group member includes: the first user identifier, and the shared device includes: the target device.
  15. The method according to claim 14, wherein the identifier of the group member further includes: the second user identifier.
  16. The method according to claim 7 or 13, wherein the obtaining, according to the update request, of the new user group corresponding to the second user identifier comprises:
    when the user identifier that has a binding relationship with the shared device is the second user identifier, obtaining, according to the update request, the new user group corresponding to the second user identifier.
  17. The method according to claim 7 or 16, wherein the group information of the new user group further includes: a validity period; and the method further comprises:
    when the creation time of the new user group reaches the validity period, the server deletes the new user group.
  18. The method according to any one of claims 1 to 17, further comprising:
    the server receives a query request sent by the second access device based on the second user identifier;
    the server obtains, based on the query request, the group information of all user groups corresponding to the second user identifier;
    the server sends the group information of the existing user groups to the second access device.
  19. The method according to any one of claims 1 to 17, further comprising:
    the server receives a query request sent by the second access device based on the second user identifier; the query request carries the user group name of the user group to be queried;
    the server obtains, based on the query request, the group information of the user group to be queried;
    the server sends the group information of the user group to be queried to the second access device.
  20. The method according to any one of claims 1 to 17, further comprising:
    the server receives a deletion request sent by the second access device based on the second user identifier;
    the server deletes, according to the deletion request, all user groups corresponding to the second user group.
  21. The method according to any one of claims 1 to 17, further comprising:
    the server receives a deletion request sent by the second access device based on the second user identifier; the deletion request carries the user group name of the user group to be deleted;
    the server deletes, according to the deletion request, the group information of the user group to be deleted from the at least one user group corresponding to the second user group.
  22. An access control method, comprising:
    a first access device determines the target device selected by a received selection operation;
    the first access device generates an access request based on the device identifier corresponding to the target device, and sends the access request to a server, so that the server determines, according to at least one user group, the access authority to the target device of the first user identifier used by the first access device.
  23. The method according to claim 22, further comprising:
    the first access device sends the first user identifier to a second access device that uses the second user identifier, so that the second access device generates an update request based on the first user identifier, the update request being used by the server to establish a new user group, and the group members of the new user group including the first access device.
  24. An access control method, comprising:
    a second access device sends an update request to a server based on a second user identifier, the update request being used to cause the server to generate a user group, the generated user group being used to determine the access authority to a target device of a first access device that uses a first user identifier, and the second user identifier having a binding relationship with the target device.
  25. The method according to claim 24, further comprising:
    the second access device obtains the group information of a new user group, and carries the group information of the new user group in the update request.
  26. The method according to claim 25, further comprising:
    the second access device queries the server for the group information of the existing user groups corresponding to the second user identifier, and carries the obtained group information of the existing user groups in the update request.
  27. The method according to claim 26, further comprising:
    when the user group names of the existing user groups include the user group name of the new user group, the second access device takes the existing user group corresponding to the user group name of the new user group as a reference user group, and updates the group information of the reference user group with the group information of the new user group.
  28. A server, comprising:
    a receiving unit, configured to receive an access request for accessing a target device, sent by a first access device based on a first user identifier;
    an authority unit, configured to determine, according to at least one user group, the access authority of the first user identifier to the target device;
    a processing unit, configured to process the access request according to the access authority.
  29. The server according to claim 28, wherein the access authority includes: access allowed and access prohibited; and the processing unit is configured to:
    when the access authority is access allowed, forward the access request to the target device;
    when the access authority is access prohibited, reject the access request.
  30. The server according to claim 29, wherein the authority unit is configured such that:
    when the at least one user group includes a target user group, the server determines that the access authority of the first user identifier is access allowed; the group members of the target user group include the first user identifier, and the device identifiers of the shared devices in the target user group include the device identifier of the target device.
  31. The server according to claim 29, wherein the authority unit is configured such that:
    when the group members of each user group in the at least one user group do not include the first user identifier, the server determines that the access authority of the first user identifier to the target device is access prohibited; or
    when the device identifiers of the shared devices of each user group in the at least one user group do not include the device identifier of the target device, the server determines that the access authority of the first user identifier to the target device is access prohibited; or when, in the at least one user group, the user group whose group members do not include the first user identifier and the user group whose shared-device device identifiers do not include the device identifier of the target device are not the same user group, the server determines that the access authority of the first user identifier to the target device is access prohibited.
  32. The server according to claim 28, wherein the authority unit is further configured to:
    when the user identifiers of the group members of the user group do not include a user identifier that has a binding relationship with the target device, and the first user identifier does not have a binding relationship with the device, determine, according to at least one user group, the access authority of the first user identifier to the target device.
  33. The server according to any one of claims 29 to 32, further comprising: an update unit, configured to:
    receive an update request sent by a second access device based on the second user identifier;
    obtain, according to the update request, a new user group corresponding to the second user identifier.
  34. The server according to claim 33, wherein the update request carries group information of the new user group, and the group information includes at least: a user group name, an identifier of a group member, and a device identifier of a shared device.
  35. The server according to claim 34, wherein the identifier of the group member includes: the first user identifier, and the shared device includes: the target device.
  36. The server according to claim 34, wherein the identifier of the group member further includes: the second user identifier.
  37. The server according to any one of claims 34 to 36, wherein the update unit is further configured to:
    when there is no existing user group corresponding to the second user identifier, create a new user group according to the user group name of the new user group, the identifier of the group member, and the device identifier of the shared device carried in the update request;
    when there is an existing user group corresponding to the second user identifier, and the group names of the existing user groups do not include the user group name of the new user group carried in the update request, create a new user group according to the user group name of the new user group, the identifier of the group member, and the device identifier of the shared device carried in the update request;
    when there is an existing user group corresponding to the second user identifier, and the group names of the existing user groups include the user group name of the new user group carried in the update request, take the user group corresponding to the user group name of the new user group as a reference user group, and update the group information of the reference user group according to the identifier of the group member and the device identifier of the shared device carried in the update request, to obtain the new user group.
  38. The server according to claim 33, wherein the update request carries group information of at least one updated user group; the at least one updated user group includes: a new user group and an existing user group corresponding to the second user identifier; and the update unit is further configured to:
    overwrite the group information of the existing user group corresponding to the second user identifier with the group information of the at least one updated user group, to obtain the at least one updated user group.
  39. The server according to claim 38, wherein the new user group is a newly added user group or a user group obtained by updating a reference user group among the existing user groups.
  40. The server according to claim 38 or 39, wherein the group information of the new user group includes: a user group name, an identifier of a group member, and a device identifier of a shared device.
  41. The server according to claim 40, wherein the identifier of the group member includes: the first user identifier, and the shared device includes: the target device.
  42. The server according to claim 40, wherein the identifier of the group member further includes: the second user identifier.
  43. The server according to claim 34 or 40, wherein the update unit is further configured to:
    when the user identifier that has a binding relationship with the shared device is the second user identifier, obtain, according to the update request, the new user group corresponding to the second user identifier.
  44. The server according to claim 34 or 43, wherein the group information of the new user group further includes: a validity period; and the server further comprises: a first deleting unit, configured such that, when the creation time of the new user group reaches the validity period, the server deletes the new user group.
  45. The server according to any one of claims 28 to 44, further comprising: a first query unit, configured to:
    receive a query request sent by the second access device based on the second user identifier;
    obtain, based on the query request, the group information of all user groups corresponding to the second user identifier;
    send the group information of the existing user groups to the second access device.
  46. The server according to any one of claims 28 to 44, further comprising: a second query unit, configured to:
    receive a query request sent by the second access device based on the second user identifier; the query request carries the user group name of the user group to be queried;
    obtain, based on the query request, the group information of the user group to be queried;
    send the group information of the user group to be queried to the second access device.
  47. The server according to any one of claims 28 to 44, further comprising: a second deleting unit, configured to:
    receive a deletion request sent by the second access device based on the second user identifier;
    delete, according to the deletion request, all user groups corresponding to the second user group.
  48. The server according to any one of claims 28 to 44, further comprising: a third deleting unit, configured to:
    receive a deletion request sent by the second access device based on the second user identifier; the deletion request carries the user group name of the user group to be deleted;
    delete, according to the deletion request, the group information of the user group to be deleted from the at least one user group corresponding to the second user group.
  49. An access device, comprising:
    a selection unit, configured to determine the target device selected by a received selection operation;
    a first sending unit, configured to generate an access request based on the device identifier corresponding to the target device, and send the access request to a server, so that the server determines, according to at least one user group, the access authority to the target device of the first user identifier used by the access device.
  50. The access device according to claim 49, further comprising:
    a second sending unit, configured to send the first user identifier to a second access device that uses the second user identifier, so that the second access device generates an update request based on the first user identifier, the update request being used by the server to establish a new user group, and the group members of the new user group including the first access device.
  51. An access device, comprising:
    a group establishing unit, configured to send an update request to a server based on a second user identifier, the update request being used to cause the server to generate a user group, the generated user group being used to determine the access authority to a target device of a first access device that uses a first user identifier, and the second user identifier having a binding relationship with the target device.
  52. The access device according to claim 51, further comprising:
    a first obtaining unit, configured to obtain the group information of a new user group, and carry the group information of the new user group in the update request.
  53. The access device according to claim 52, further comprising: a second obtaining unit, configured to query the server for the group information of the existing user groups corresponding to the second user identifier, and carry the obtained group information of the existing user groups in the update request.
  54. The access device according to claim 53, further comprising:
    a group update unit, configured to, when the user group names of the existing user groups include the user group name of the new user group, take the existing user group corresponding to the user group name of the new user group as a reference user group, and update the group information of the reference user group with the group information of the new user group.
  55. A server, comprising a processor and a memory for storing a computer program that can run on the processor, wherein
    the processor is configured to execute, when running the computer program, the steps of the access control method according to any one of claims 1 to 21.
  56. An access device, comprising a processor and a memory for storing a computer program that can run on the processor, wherein
    the processor is configured to execute, when running the computer program, the steps of the access control method according to any one of claims 22 to 23.
  57. An access device, comprising a processor and a memory for storing a computer program that can run on the processor, wherein
    the processor is configured to execute, when running the computer program, the steps of the access control method according to any one of claims 24 to 27.
  58. A storage medium storing an executable program, wherein, when the executable program is executed by a processor, the access control method according to any one of claims 1 to 21 is implemented.
  59. A storage medium storing an executable program, wherein, when the executable program is executed by a processor, the access control method according to any one of claims 22 to 23 is implemented.
  60. A storage medium storing an executable program, wherein, when the executable program is executed by a processor, the access control method according to any one of claims 24 to 27 is implemented.
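
The permission decision of claims 1 to 5 and the update handling of claims 10, 16 and 17, as an added Python example that is not code from the patent. The class and method names, the use of seconds for the validity period, forwarding the bound user's own requests directly, consulting only the groups created by the device's bound user, and replacing members and devices on update are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class UserGroup:
    name: str
    members: Set[str]          # user identifiers of the group members
    shared_devices: Set[str]   # device identifiers shared with the members
    created_at: float
    validity_s: Optional[float] = None  # validity period; seconds is an assumed unit


class GroupAccessServer:
    """Hypothetical server model: bindings map a device to the user bound to it."""

    def __init__(self, bindings: Dict[str, str]):
        self.bindings = dict(bindings)                     # device id -> bound user id
        self.groups: Dict[str, Dict[str, UserGroup]] = {}  # owner id -> name -> group

    def update(self, owner, name, members, devices, now, validity_s=None):
        """Update request: create or update a group (claims 10, 16, 17)."""
        # Claim 16: only the user bound to every shared device may share it.
        unbound = sorted(d for d in devices if self.bindings.get(d) != owner)
        if unbound:
            raise PermissionError(f"{owner} is not bound to {unbound}")
        owned = self.groups.setdefault(owner, {})
        group = owned.get(name)
        if group is None:
            # No group of that name for this owner: create it.
            owned[name] = UserGroup(name, set(members), set(devices), now, validity_s)
            return "created"
        # A group of that name exists: it is the reference group to update.
        # Replacing (rather than merging) the sets is an assumption.
        group.members, group.shared_devices = set(members), set(devices)
        if validity_s is not None:
            group.validity_s = validity_s
        return "updated"

    def expire(self, now):
        """Claim 17: delete groups whose validity period has elapsed."""
        removed = []
        for owned in self.groups.values():
            stale = [n for n, g in owned.items()
                     if g.validity_s is not None and now - g.created_at >= g.validity_s]
            for name in stale:
                del owned[name]
                removed.append(name)
        return removed

    def handle_access(self, user, device, now):
        """Return 'forward' or 'reject' for an access request (claims 1 to 5)."""
        self.expire(now)
        owner = self.bindings.get(device)
        if owner is None:
            return "reject"            # unknown device: default deny
        if user == owner:
            return "forward"           # assumption: the bound user needs no group
        for group in self.groups.get(owner, {}).values():
            # Claim 3: membership and device sharing must hold in the SAME group.
            if user in group.members and device in group.shared_devices:
                return "forward"
        # Claim 4: no member match, no device match, or matches in different groups.
        return "reject"


if __name__ == "__main__":
    # Constructed sample data: alice is bound to both devices.
    srv = GroupAccessServer({"lamp": "alice", "lock": "alice"})
    srv.update("alice", "guests", {"bob"}, {"lamp"}, now=1000)
    srv.update("alice", "family", {"carol"}, {"lock"}, now=1000)
    for user, device in [("bob", "lamp"), ("bob", "lock"), ("carol", "lock")]:
        print(user, device, srv.handle_access(user, device, now=1001))
```

The `bob`/`lock` case is the one worth checking in any implementation: `bob` is a member of one group and `lock` is shared in another, and evaluating the two conditions over the union of groups instead of per group would wrongly forward the request.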
PCT/CN2019/091410 2019-06-14 2019-06-14 Method and apparatus for access control, and storage medium WO2020248284A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201980079278.3A CN113169970B (en) 2019-06-14 2019-06-14 Access control method, device and storage medium
CN202311284666.XA CN117336053A (en) 2019-06-14 2019-06-14 Access control method, device and storage medium
PCT/CN2019/091410 WO2020248284A1 (en) 2019-06-14 2019-06-14 Method and apparatus for access control, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/091410 WO2020248284A1 (en) 2019-06-14 2019-06-14 Method and apparatus for access control, and storage medium

Publications (1)

Publication Number Publication Date
WO2020248284A1 true WO2020248284A1 (en) 2020-12-17

Family

ID=73781922

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/091410 WO2020248284A1 (en) 2019-06-14 2019-06-14 Method and apparatus for access control, and storage medium

Country Status (2)

Country Link
CN (2) CN117336053A (en)
WO (1) WO2020248284A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113596092A (en) * 2021-06-28 2021-11-02 青岛海尔科技有限公司 Sharing method and system controlled by device cloud, intelligent device and storage medium
CN113630447A (en) * 2021-07-22 2021-11-09 济南浪潮数据技术有限公司 Web-based cloud service providing method, system and storage medium
CN113839949A (en) * 2021-09-26 2021-12-24 锐捷网络股份有限公司 Access right management and control system, method, chip and electronic equipment
CN114172687A (en) * 2021-11-03 2022-03-11 杭州涂鸦信息技术有限公司 Cloud connection method, method for auxiliary equipment to be connected with cloud and electronic equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115309766B (en) * 2022-10-12 2023-03-24 北京奥星贝斯科技有限公司 Method and device for executing database service

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and certification server for realizing device access control
CN103618706A (en) * 2013-11-19 2014-03-05 深圳Tcl新技术有限公司 Control system and method for mutual access of intelligent devices
CN105721420A (en) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 Access authority control method and reverse agent server
CN106385397A (en) * 2015-07-31 2017-02-08 腾讯科技(深圳)有限公司 Network access equipment access control and type configuration method and apparatus thereof

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8855067B2 (en) * 2010-04-02 2014-10-07 Marvell World Trade Ltd. Multi-user communication group management and signaling
CN102238656A (en) * 2010-04-28 2011-11-09 北京三星通信技术研究有限公司 Switching method for mobile communication system
CN101957774B (en) * 2010-09-21 2013-12-25 用友软件股份有限公司 Service operation modeling method and device
CA2881644C (en) * 2014-03-31 2023-01-24 Smart Technologies Ulc Defining a user group during an initial session
CN107786621B (en) * 2016-08-31 2020-10-16 阿里巴巴集团控股有限公司 User information management method, access processing method, device and system
CN107508892A (en) * 2017-08-29 2017-12-22 努比亚技术有限公司 A kind of page access method, server and computer-readable recording medium
CN109788005A (en) * 2017-11-10 2019-05-21 中兴通讯股份有限公司 Equipment control authority sharing method, device, system and computer storage medium
CN107995215B (en) * 2017-12-20 2020-09-01 青岛海信智慧家居系统股份有限公司 Control method and device of intelligent household equipment and cloud platform server

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and certification server for realizing device access control
CN103618706A (en) * 2013-11-19 2014-03-05 深圳Tcl新技术有限公司 Control system and method for mutual access of intelligent devices
US20160072821A1 (en) * 2013-11-19 2016-03-10 Max Wu System and method for controlling mutual access of smart devices
CN106385397A (en) * 2015-07-31 2017-02-08 腾讯科技(深圳)有限公司 Network access equipment access control and type configuration method and apparatus thereof
CN105721420A (en) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 Access authority control method and reverse agent server

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113596092A (en) * 2021-06-28 2021-11-02 青岛海尔科技有限公司 Sharing method and system controlled by device cloud, intelligent device and storage medium
CN113630447A (en) * 2021-07-22 2021-11-09 济南浪潮数据技术有限公司 Web-based cloud service providing method, system and storage medium
CN113630447B (en) * 2021-07-22 2023-04-07 济南浪潮数据技术有限公司 Web-based cloud service providing method, system and storage medium
CN113839949A (en) * 2021-09-26 2021-12-24 锐捷网络股份有限公司 Access right management and control system, method, chip and electronic equipment
CN113839949B (en) * 2021-09-26 2023-10-24 锐捷网络股份有限公司 Access right management and control system, method, chip and electronic equipment
CN114172687A (en) * 2021-11-03 2022-03-11 杭州涂鸦信息技术有限公司 Cloud connection method, method for auxiliary equipment to be connected with cloud and electronic equipment

Also Published As

Publication number Publication date
CN113169970B (en) 2023-10-27
CN113169970A (en) 2021-07-23
CN117336053A (en) 2024-01-02

Similar Documents

Publication Publication Date Title
WO2020248284A1 (en) Method and apparatus for access control, and storage medium
CN108140031B (en) Peer-to-peer synchronizable storage system
EP1942629B1 (en) Method and system for object-based multi-level security in a service oriented architecture
KR101962156B1 (en) Authorization processing method and apparatus
JP6355656B2 (en) Support method and system of multi-tenant function for corporate social business computing.
US8266671B2 (en) Policy-enabled aggregation of IM user communities
US10148637B2 (en) Secure authentication to provide mobile access to shared network resources
KR20160091314A (en) Method for service subscription resource-based authentication in wireless communication system
EP3226506A1 (en) Authorization processing method, device and system
TW201234904A (en) Client and server group SSO with local OpenID
WO2006084036A2 (en) System and method for providing peer-to-peer communication
WO2009133419A1 (en) Method, apparatus, and computer program product for providing a group based decentralized authorization mechanism
US11888851B2 (en) Identity proxy and access gateway
CN114363165A (en) Configuration method of electronic equipment, electronic equipment and server
CN113039745B (en) File system server, method applied to file system server, and computer-readable medium
CN112492592A (en) Authorization method under multiple NRF scenes
WO2017210914A1 (en) Method and apparatus for transmitting information
WO2021035740A1 (en) Access control method, server, access device and storage medium
JP5190922B2 (en) Community communication network and communication control method
WO2015021842A1 (en) Method and apparatus of accessing ott application and method and apparatus of pushing message by server
WO2020191639A1 (en) Communication method for device, device and storage medium
WO2017181775A1 (en) Distributed authorization management method and device
JP6920614B2 (en) Personal authentication device, personal authentication system, personal authentication program, and personal authentication method
WO2023284549A1 (en) User data management method and related device
WO2021226805A1 (en) Switching method and apparatus, and cloud platform and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19932738

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19932738

Country of ref document: EP

Kind code of ref document: A1