WO2020248284A1 - Access control method and apparatus, and storage medium (original French title: Procédé et appareil de commande d'accès et support d'informations) - Google Patents


Info

Publication number
WO2020248284A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
group
user group
access
server
Application number
PCT/CN2019/091410
Other languages
English (en)
Chinese (zh)
Inventor
张军
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司 filed Critical Oppo广东移动通信有限公司
Priority to PCT/CN2019/091410 priority Critical patent/WO2020248284A1/fr
Priority to CN202311284666.XA priority patent/CN117336053A/zh
Priority to CN201980079278.3A priority patent/CN113169970B/zh
Publication of WO2020248284A1 publication Critical patent/WO2020248284A1/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • the invention relates to Internet of Things (IoT) technology, and in particular to an access control method, device and storage medium.
  • the Open Connectivity Foundation (OCF) uses a RESTful architecture in which a physical Internet of Things device, the functional services it provides and its status are represented as resources.
  • the resource is provided by the server, and the resource is accessed by the client.
  • the client and server defined in OCF are logical functional entities, and each device can be a client, a server, or both a client and a server.
  • a device that implements only a basic function, such as a light bulb, can act only as a server: it is exposed to clients for query and control, and it has no need to control or query other devices.
  • the business interaction between client and server is realized by performing RESTful operations on resources, that is, the CRUDN operation methods Create, Retrieve, Update, Delete and Notify.
  • the client is the initiator of the RESTful operation
  • the server is the responder of the RESTful operation.
  • the client sends a resource operation request to the server, requesting an operation on a resource hosted by the server; the server performs the resource operation and returns a response to the client, which carries the content and description of the resource.
  • Devices that are not in the same local network can communicate with each other through the cloud.
  • the cloud groups devices belonging to the same user under the same User ID created in the cloud. All devices registered to the cloud under the same User ID can communicate according to the cloud's device authorization permission policy (for example, an ACE2 policy). A device can therefore be accessed remotely through the cloud platform by only one user, which does not meet multi-user application scenarios.
  • embodiments of the present invention provide an access control method, device, and storage medium, which can share the remote access authority of the device with other users, and realize multi-user access.
  • an embodiment of the present invention provides an access control method, including:
  • the server receives an access request for accessing the target device, sent by the first access device based on the first user identifier;
  • the server determines the access authority of the first user identifier to the target device according to at least one user group;
  • the server processes the access request according to the access authority.
  • an embodiment of the present invention provides an access control method, including:
  • the first access device determines the target device selected by the received selection operation
  • the first access device generates an access request based on the device identifier corresponding to the target device and sends the access request to a server, so that the server determines, according to at least one user group, the access authority to the target device of the first user identifier used by the first access device.
  • an embodiment of the present invention provides an access control method, including:
  • the second access device sends an update request to the server based on the second user identifier; the update request causes the server to generate a user group, and the generated user group is used to determine whether the first access device using the first user identifier has access authority to the target device; the second user identifier has a binding relationship with the target device.
  • an embodiment of the present invention provides a server, including:
  • a receiving unit configured to receive an access request for accessing the target device, sent by the first access device based on the first user identifier;
  • an authority unit configured to determine, according to at least one user group, the access authority of the first user identifier to the target device;
  • the processing unit is configured to process the access request according to the access authority.
  • an embodiment of the present invention provides an access device, including:
  • the selection unit is configured to determine the target device selected by the received selection operation
  • the first sending unit is configured to generate an access request based on the device identifier corresponding to the target device and send the access request to a server, so that the server determines, according to at least one user group, the access authority to the target device of the first user identifier used by the access device.
  • an embodiment of the present invention provides an access device, including: a group establishment unit configured to send an update request to a server based on a second user identifier, the update request being used for causing the server to generate a user group,
  • the user group is used to determine the access authority of the first access device using the first user identifier to the target device, and the second user identifier has a binding relationship with the target device.
  • an embodiment of the present invention provides a server, including: a processor and a memory configured to store a computer program that can run on the processor, wherein the processor is configured, when running the computer program, to execute the steps of the access control method performed by the server.
  • an embodiment of the present invention provides an access device, including: a processor and a memory configured to store a computer program that can run on the processor, wherein the processor is configured, when running the computer program, to execute the steps of the above access control method performed by the first access device.
  • an embodiment of the present invention provides an access device, including: a processor and a memory configured to store a computer program that can run on the processor, wherein the processor is configured, when running the computer program, to execute the steps of the above access control method performed by the second access device.
  • an embodiment of the present invention provides a storage medium storing an executable program, and when the executable program is executed by a processor, the access control method executed by the server is implemented.
  • an embodiment of the present invention provides a storage medium that stores an executable program, and when the executable program is executed by a processor, it implements the access control method executed by the first access device.
  • an embodiment of the present invention provides a storage medium that stores an executable program, and when the executable program is executed by a processor, the above-mentioned access control method executed by the second access device is implemented.
  • the access control method provided in the embodiment of the present invention includes: a server receives an access request for accessing a target device, sent by a first access device based on a first user identifier; the server determines, according to at least one user group, the access authority of the first user identifier to the target device; and the server processes the access request according to the access authority. Because user groups are set in the server, when the first user ID accesses the target device the server can judge from the set user groups whether the first user ID has access authority to the target device. Access authority is thus controlled per user ID on the basis of user groups, which enables multi-user access instead of restricting access to the target device to the single user ID that has a binding relationship with it.
  • FIG. 1 is an optional structural diagram of an Internet of Things system provided by an embodiment of the present invention
  • FIG. 2 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 3 is an optional structural diagram of the Internet of Things system provided by an embodiment of the present invention.
  • FIG. 4 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 5 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 6 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 7 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 8 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 9 is an optional structural diagram of a server provided by an embodiment of the present invention.
  • FIG. 10A is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention.
  • FIG. 10B is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention.
  • FIG. 11 is a schematic diagram of an optional structure of an electronic device provided by an embodiment of the present invention.
  • the structure of the Internet of Things system is shown in Figure 1, including: client 101, server 102 and cloud 103.
  • the client 101 accesses resources of the server 102, and the server 102 provides the resources accessed by the client 101.
  • the client 101 and the server 102 communicate with each other through the cloud 103.
  • when the client 101 requests a CRUDN operation on a resource referenced by the resource links held by the cloud 103, the client 101 sends the CRUDN request to the cloud 103, and the cloud 103 forwards the CRUDN request of the client 101 to the server 102 that actually hosts the resource.
  • the server 102 responds to the CRUDN request from the cloud 103, and the cloud 103 forwards the response of the server 102 to the client 101; that is, the communication path is client 101 -> cloud 103 -> server 102 -> cloud 103 -> client 101.
  • the cloud 103 may include three functional entities:
  • Cloud interface 1031: the anchor on the cloud, responsible for server access management and for routing messages between client and server in remote communication.
  • the cloud interface provides a unified address and port number, such as coaps+tcp://example.com:443.
  • Authorization server 1032: responsible for server registration and for authentication of the client and the server.
  • Resource directory 1033: the index of the servers' resources; a client can obtain the resources of a target device by searching the resource directory.
  • the authorization server 1032 and the cloud may be the same physical entity, or may be different physical entities.
  • each device can be a client, a server, or both a client and a server.
  • the device registration process in the cloud is shown in Figure 2, including:
  • Step S201 The configurator obtains the access token (Access Token) of the user from the authorization server.
  • the Mediator function is provided in the user APP to configure the device to connect to the cloud.
  • the configurator is configured with a uniform resource locator (URL) for cloud access, and the user has registered a user name and password, so that the authorization server can authorize the user and return an access token to the configurator.
  • the user APP can be located on the device as the client.
  • Step S202 The configurator is registered in the cloud.
  • the configurator provides an access token to the cloud for configurator registration, and the cloud verifies the Access Token provided by the configurator and assigns a user ID. If the same user uses different configurators, the authorization server will provide different Access Tokens, but any configurator used by the same user is associated with the same User ID.
  • Step S203 The configurator is connected to the device to configure the device.
  • the configurator connects to the device through the normal device discovery process, and then requests an Access Token from the cloud for the configured device.
  • the configurator uses the Access Token obtained from the cloud, together with the Uniform Resource Identifier (URI) and the Universally Unique Identifier (UUID) of the cloud, to update the cloud configuration resource on the device (for example the oic.r.coapcloudconf resource) with the cloud information.
  • the Access Token provided by the cloud is used when the device performs initial registration with the cloud.
  • Step S204 The device establishes a Transport Layer Security (TLS) connection with the cloud.
  • the device uses a preset digital certificate to establish a TLS connection with the cloud.
  • the preset digital certificates include: the manufacturer's certificate of the device and the trust anchor certificate.
  • Step S205 The device is registered in the cloud.
  • to register in the cloud, a device sends an update (UPDATE) operation request to the account resource on the cloud.
  • the resource update request includes the Access Token and User ID configured in the cloud configuration resource.
  • the cloud maintains a unique instance of account resources for each device. Among them, the account resource can be the "/oic/sec/account" resource.
  • Steps S206 to S207: the cloud verifies the access token provided by the device.
  • the cloud sends the User ID and Access Token provided by the device to the authorization server.
  • if the authorization server verifies the update operation request successfully, the cloud responds to the update operation.
  • the response provides the device with an updated Access Token and the validity period of that Access Token.
  • the cloud also records the User ID associated with this device, that is, the User ID that has a binding relationship with it.
  • when the authorization server and the cloud are the same entity, step S201 is completed between the cloud and the configurator and step S207 is not required.
  • the device needs to log in to the cloud to transfer data between the device and the cloud, and the device sends an update (UPDATE) operation request to the cloud session resource.
  • the cloud session resource can be a "/oic/sec/session" resource.
  • the device in Figure 2 can be a client or a server. If the device is used as a server, after the device establishes a TLS connection with the cloud, the device discloses the resources it carries in the resource directory of the cloud, so as to facilitate remote access to these resources of the client.
  • devices that are not in the same local network can communicate with each other through the cloud using the Constrained Application Protocol over the Transmission Control Protocol (CoAP over TCP).
  • the cloud groups devices belonging to the same User ID under the same User ID. All devices registered to the cloud and belonging to the same User ID can communicate according to the ACE2 policy of the device authorization cloud.
  • a device under a User ID is referred to as a device that has a binding relationship with the User ID.
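The registration and binding flow of steps S201 to S207, worked through as an added example in Python. This is illustrative code written for this page, not the patent's or OCF's implementation: the resource names /oic/sec/account and /oic/sec/session, the User ID to device binding and the updated token with a validity period come from the text above, while the in-memory classes, the token format, the single-use registration token, the 3600-second validity and the idea that the authorization server keeps the table the cloud consults in steps S206 to S207 are assumptions of the example. No CoAP, TLS or certificate handling is modelled, and the user credentials are constructed sample data.

```python
"""Added example: an in-memory model of the cloud registration flow (S201-S207).
Assumptions, not from the patent: token format, single-use registration tokens,
the 3600 s validity period, and that the authorization server holds the
device-token table the cloud consults in steps S206/S207."""
import secrets

TOKEN_VALIDITY_S = 3600  # assumed validity period returned in step S207


class AuthorizationServer:
    """Step S201 and S206/S207: issues user tokens and verifies device tokens for the cloud."""

    def __init__(self, users):
        self.users = dict(users)   # username -> password (constructed sample data)
        self.user_tokens = {}      # user access token -> username
        self.device_tokens = {}    # device registration token -> User ID

    def issue_user_token(self, username, password):
        if self.users.get(username) != password:
            raise PermissionError("unknown user or wrong password")
        token = secrets.token_hex(16)  # each configurator login gets a fresh token
        self.user_tokens[token] = username
        return token

    def verify_device_token(self, uid, token):
        # Consumed on first use: replaying a registration token must fail.
        return self.device_tokens.pop(token, None) == uid


class Cloud:
    """Cloud interface plus account/session resources; records the User ID binding."""

    def __init__(self, auth):
        self.auth = auth
        self.user_ids = {}   # username -> User ID; one user always maps to one User ID
        self.accounts = {}   # device_id -> its /oic/sec/account instance
        self.sessions = set()
        self.bindings = {}   # device_id -> User ID (the binding relationship)

    def register_configurator(self, user_token):
        """Step S202: verify the user's token and return (or assign) its User ID."""
        username = self.auth.user_tokens.get(user_token)
        if username is None:
            raise PermissionError("invalid user access token")
        return self.user_ids.setdefault(username, "U%03d" % (len(self.user_ids) + 1))

    def issue_device_token(self, uid):
        """Step S203: token the configurator writes into oic.r.coapcloudconf on the device."""
        token = secrets.token_hex(16)
        self.auth.device_tokens[token] = uid
        return token

    def update_account(self, device_id, uid, token):
        """Steps S205-S207: UPDATE on /oic/sec/account carrying uid and token."""
        if not self.auth.verify_device_token(uid, token):
            raise PermissionError("registration rejected by authorization server")
        new_token = secrets.token_hex(16)
        self.accounts[device_id] = {"uid": uid, "accesstoken": new_token}
        self.bindings[device_id] = uid   # the cloud records the binding relationship
        return {"accesstoken": new_token, "expiresin": TOKEN_VALIDITY_S}

    def update_session(self, device_id, uid, token):
        """Login: UPDATE on /oic/sec/session before any data transfer."""
        acct = self.accounts.get(device_id)
        if acct is None or acct["uid"] != uid or not secrets.compare_digest(acct["accesstoken"], token):
            raise PermissionError("login rejected")
        self.sessions.add(device_id)
        return True


def register_device(auth, cloud, username, password, device_id):
    """Run S201-S207 plus the session login; return the User ID the device is bound to."""
    user_token = auth.issue_user_token(username, password)     # S201 (configurator)
    uid = cloud.register_configurator(user_token)               # S202
    device_token = cloud.issue_device_token(uid)                # S203 (written to the device)
    # S204 (TLS with the manufacturer certificate) is outside this model.
    resp = cloud.update_account(device_id, uid, device_token)   # S205-S207
    cloud.update_session(device_id, uid, resp["accesstoken"])   # login to the cloud
    return uid


if __name__ == "__main__":
    auth = AuthorizationServer({"alice": "pw-alice"})  # constructed sample user
    cloud = Cloud(auth)
    print(register_device(auth, cloud, "alice", "pw-alice", "D1"), cloud.bindings)
```

Registering a second device for the same user through a different configurator login yields a different user token but the same User ID, which is exactly the property step S202 states; the bindings table this produces is what the access control method below consults.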
  • the access control method of the embodiment of the present invention can be applied to the Internet of Things system 300 shown in FIG. 3, including: a first access device 301, a second access device 302, a target device 303 and a server 304; among them, the first access device 301 and the second access device 302 are clients, the target device 303 is a server, and the server 304 is the cloud.
  • the client accesses the resources of the server based on the cloud.
  • the first access device 301 logs in to the server 304 with the first user ID
  • the second access device 302 logs in to the server 304 with the second user ID.
  • the first user ID is not associated with the target device, whereas the second user ID is associated with it; that is, the first access device and the target device are not devices under the same user ID, while the second access device and the target device are devices under the same user ID.
  • the client, server and cloud in the IoT system 300 can communicate over various communication systems, such as a Global System for Mobile Communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system or a 5G system, among others.
  • the first access device 301 and the second access device 302 can be terminal devices, which may refer to access terminals, user equipment (UE), user units, user stations, mobile stations, remote stations, remote terminals, mobile devices, user terminals, terminals, wireless communication devices, user agents or user devices.
  • the access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved Public Land Mobile Network (PLMN), among others.
  • the target device can be IoT devices such as sensors, laser scanning systems, and smart home appliances.
  • Figure 3 exemplarily shows one server and two clients.
  • the IoT system 300 may include multiple servers, and multiple clients that have or do not have a binding relationship with a server; the number of each is not limited in this embodiment of the present invention.
  • An optional processing flow of the access control method provided by the embodiment of the present invention, as shown in FIG. 4, includes the following steps:
  • Step S401 The first access device determines the target device selected by the received selection operation
  • when the user of the first access device wants to control a target device in the Internet of Things system, the first access device receives the user's selection operation, whose object is the device identifier of the target device.
  • the first access device has logged in to the server with the first user ID and established a session with the server, and it displays both the device IDs of devices that have a binding relationship with the first user ID and the device IDs of devices that do not.
  • a device that has a binding relationship with the first user ID and the first access device are devices associated with the same user ID; a device without such a binding relationship and the first access device are not associated with the same user ID.
  • the first user identifier may be a registered user name, or a User ID assigned by the server to the registered user name; the registered user name and the User ID have a one-to-one correspondence.
  • the first access device logging in to the server with the first user ID can be understood as: the first access device logs in to the server with the registered user name and password, and the server treats the first access device using that registered user name as logged in with the corresponding User ID.
  • Step S402 The first access device generates an access request based on the device identifier corresponding to the target device, and sends the access request to the server.
  • the first access device generates an access request according to the device identification of the target device.
  • the access request carries the device identification of the target device, so that the server determines the access authority of the first user identification used by the first access device to the target device.
  • the access request may or may not carry the first user identification.
  • the server determines the first user identification used by the first access device based on the session connection established with the first access device.
  • the access request may further include an access token associated with the first user identification.
  • the access request is sent in the form of an Update request.
  • Step S403 The server receives an access request for accessing the target device sent by the first access device based on the first user identifier.
  • the server obtains the first user ID either by parsing the access request, or through the session established between the first access device and the server.
  • Step S404 The server determines the access authority of the first user identifier to the target device according to at least one user group.
  • the server holds user groups corresponding to different user IDs; one user ID can correspond to one or more user groups, and different user groups corresponding to the same user ID are distinguished by different user group names.
  • the group information of the user group includes: the group name, the ID of the group member, and the device ID of the shared device.
  • the group name is a string and is set by the user.
  • the group member is a list containing the user identification (user ID) of each group member, wherein a user group includes at least one group member.
  • Shared devices are also a list, including device IDs of shared devices in the group.
  • a user group includes at least one shared device.
  • the group members include a second user identifier, and the second user identifier has a binding relationship with the target device.
  • for example, with U2 as the second user ID, the group information of a user group is: group name: family; group members: U2, U1; device ID of the shared device: D1. This means that the user group family shares the device D1, which has a binding relationship with U2, with U1, which has no binding relationship with D1.
  • in this case, the server can determine the access authority of the first user ID to the target device from the user group alone.
  • alternatively, the group members do not include the second user identifier.
  • for example, the group information of a user group corresponding to U2 as the second user ID is: group name: family; group members: U1; device ID of the shared device: D1. This likewise characterizes that the user group family shares the device D1, which is bound to U2, with U1, which has no binding relationship with D1.
  • in this case, the server determines the access authority of the first user ID to the target device from the user group together with the second user ID to which the user group belongs.
  • the group information of the user group may further include: validity period.
  • the validity period is the survival time of the user group, which can be counted in seconds.
  • a value of -1 means permanent validity.
  • a user group can be represented as follows: the group name gn is family; it contains two group members, whose user identifiers gmids are U001 and U002; the device identifier dids of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1; and the validity period is 10000 seconds.
  • the cloud platform starts counting from the moment the user group is created and automatically deletes the user group after 10000 seconds.
  • the server allocates a separate user group resource, namely a user space, to each user ID, and manages the user groups corresponding to each user ID in the user space allocated to that user ID.
  • Each user space includes one or more user groups.
  • the server searches for the user space corresponding to the user ID according to the user ID, and obtains the user group corresponding to the user ID.
  • a user space containing two user groups may look as follows:
  • the user identification uid of the user is U001;
  • the access token accesstoken is XXXXXXXXX;
  • groups is the list of user groups corresponding to the user.
  • here user U001 has created two user groups, family and guest.
  • the group members of the user group family are U001 and U002, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent.
  • the group members of the user group guest are U001 and U002, the device identifiers of the shared devices are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
  • this characterizes that user U001 created a family group on the cloud platform and shared the device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002; the family group is permanently valid.
  • user U001 also created a visitor group for visitor U003 and temporarily shared the devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9 with it, with a validity period of 10,000 seconds.
  • U002 may be a family member of the household of user U001, and U004 may be a visitor.
  • the server determines the access authority of the first user ID to the target device by checking whether its at least one user group includes a target user group, that is, a user group whose group members include the first user ID and whose shared devices include the target device.
  • if a target user group exists (the group members include the first user ID and the device IDs of the shared devices include the device ID of the target device), the server determines that the first user identifier is permitted to access the target device.
  • if no target user group exists, the server determines that the access permission of the first user ID to the target device is prohibited, that is, the first user ID cannot access the resources of the target device.
  • to narrow the search for the target user group and speed up access control, the server can first select candidate user groups from the at least one user group, using the second user ID or the device ID of the target device as the search key, and then decide the access authority of the first user ID from the candidate user groups only.
  • when the first user ID has no binding relationship with the target device (and the user groups' member lists do not themselves include the user ID bound to the target device), the access authority of the first user identifier to the target device is determined from the at least one user group alone.
  • alternatively, the binding relationship and the user groups can be checked side by side: when the first user ID has a binding relationship with the target device, or when the at least one user group includes the target user group, access is permitted; when the first user ID has no binding relationship with the target device and no target user group exists, access is prohibited.
  • Step S405 The server processes the access request according to the access authority.
  • when the access authority is access permitted, the server forwards the access request to the target device; when it is access prohibited, the server rejects the access request.
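The decision of steps S404 and S405, as an added example in Python (not the patent's code). The field names gn, gmids and dids and the rule that a validity of -1 means permanent are taken from the text; the validity and created field names, the user-space dictionary layout, the request shape and the forward callback are assumptions of the example, and the sample groups are constructed from the family/guest description above. Two points a practitioner would want made explicit: an expired group no longer grants access, and the first user ID is taken from the authenticated session rather than from a uid field in the request body, which a client could set to any value.

```python
"""Added example: the step S404/S405 access decision over user groups.
gn/gmids/dids come from the page; 'validity' (seconds, -1 = permanent) and
'created' (creation time) are assumed field names; the user-space layout,
request shape and forward callback are this example's own."""
import time

PERMANENT = -1

# Constructed sample data: U001 is bound to D1 and D2 and created two groups.
D1 = "0685B960-736F-46F7-BEC0-9E6CBD61ADC1"
D2 = "E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9"
BINDINGS = {D1: "U001", D2: "U001"}  # device ID -> bound User ID
USER_SPACES = {
    "U001": {"uid": "U001", "groups": [
        {"gn": "family", "gmids": ["U001", "U002"], "dids": [D1],
         "validity": PERMANENT, "created": 0},
        {"gn": "guest", "gmids": ["U001", "U003"], "dids": [D1, D2],
         "validity": 10000, "created": 0},
    ]},
}


def group_is_live(group, now):
    """Validity is a time-to-live in seconds counted from creation; -1 never expires."""
    validity = group.get("validity", PERMANENT)
    return validity == PERMANENT or now < group["created"] + validity


def find_target_group(user_spaces, bindings, first_uid, target_did, now):
    """Return the target user group (members include first_uid, shared devices
    include target_did) or None. When the device's bound owner is known, only
    that owner's user space is searched, which narrows the search as described."""
    owner = bindings.get(target_did)
    spaces = [user_spaces[owner]] if owner in user_spaces else list(user_spaces.values())
    for space in spaces:
        for group in space["groups"]:
            if (group_is_live(group, now)
                    and first_uid in group["gmids"]
                    and target_did in group["dids"]):
                return group
    return None


def access_permitted(user_spaces, bindings, first_uid, target_did, now=None):
    """Permitted if first_uid is bound to the device OR a live target group exists."""
    now = time.time() if now is None else now
    if bindings.get(target_did) == first_uid:
        return True
    return find_target_group(user_spaces, bindings, first_uid, target_did, now) is not None


def handle_access_request(user_spaces, bindings, session_uid, request, forward, now=None):
    """Step S405. The User ID comes from the authenticated session, never from the
    request body: a 'uid' field in the body is client-controlled and is ignored."""
    target_did = request["did"]
    if access_permitted(user_spaces, bindings, session_uid, target_did, now):
        return forward(target_did, request)
    return {"status": "rejected", "did": target_did}


def fake_forward(did, request):
    """Stand-in for routing the request on to the target device."""
    return {"status": "forwarded", "did": did, "op": request.get("op")}


if __name__ == "__main__":
    req = {"op": "UPDATE", "did": D1}
    print(handle_access_request(USER_SPACES, BINDINGS, "U002", req, fake_forward, now=5))
    print(handle_access_request(USER_SPACES, BINDINGS, "U003", dict(req, did=D2), fake_forward, now=20000))
```

The second call in the usage block is refused because the guest group's 10000-second validity has elapsed at time 20000, even though U003 is still listed as a member; deleting expired groups eagerly, as the text says the cloud platform does, and checking liveness at decision time are complementary, and the check costs nothing.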
  • the second access device sends an update request to the server based on the second user identifier. The update request causes the server to generate a user group, and the generated user group is used to determine whether the first access device using the first user identifier has access authority to the target device; the second user identifier has a binding relationship with the target device.
  • the server receives an update request sent by the second access device based on the second user ID; the server obtains a new user group corresponding to the second user ID according to the update request .
  • the second access device logs in to the server with the second user ID, configures the group information of the new user group, generates an update request based on the group information of the new user group, and sends the generated update request to the server.
  • the group information of the new user group includes at least: the user group name, the identifier of the group member and the device identifier of the shared device.
  • the identity of the group member includes: the first user identity
  • the shared device includes: the target device.
  • the new user group created by the server is the target user group.
  • the identity of the group member further includes: a second user identity.
  • the second access device uses the second user ID to log in to the server in the same manner as the first access device uses the first user ID to log in to the server, which will not be repeated here.
  • configuring the group information of the new user group by the second access device may be performed as follows: the second access device obtains the group information of the new user group and includes the group information of the new user group in the update request.
  • the second access device obtains the identity of the group member to be configured to the new user group, and obtains the device identity of the shared device to be configured to the new user group.
  • the identifier of the group member may include the first user identifier
  • the acquired shared device may include the target device.
  • the second access device can obtain the group member's identities by means of LAN transmission, QR code scanning, etc.
  • the second access device may obtain the identity of the shared device by way of local area network transmission, or obtain the identity of the target device from the identity of the device configured in the server that has a binding relationship with the second user identity.
  • the server obtains the new user group according to the update request in one of the following two ways:
  • in the first way, the update request carries only the group information of the new user group to be created this time. For example, when the new user group to be created this time is the user group family, only the group information of the new user group family is carried in the update request.
  • after receiving the update request, the server obtains the new user group corresponding to the second user identifier according to the update request.
  • in the second way, the update request carries the group information of all user groups (groups) as they stand after the new user group has been added, for example the group information of the newly created user group family together with that of the existing user group guest.
  • the second access device queries the server for the group information of the existing user groups corresponding to the second user identifier, and carries the obtained group information of the existing user groups in the update request.
  • the information carried in the update request is the group information of the new user group together with the group information of the existing user groups queried from the server.
  • the second access device may send a query request to the server to obtain the existing user group corresponding to the second user identifier. After acquiring the existing user group of the second user identifier, the second access device updates the existing user group to obtain the updated user group.
  • the updated user group includes a new user group and an existing user group corresponding to the second user identifier.
  • the new user group is a newly added user group or a user group obtained by updating a reference user group in the existing user group.
  • the existing user group can be updated to obtain the updated user group.
  • a new user group is created, and the new user group is the newly added user group.
  • the user group with the same group name as the new user group is called the reference user group, and the group information of the reference user group is updated to the group information of the new user group.
  • the new user group is a user group obtained by updating the reference user group in the existing user group.
  • obtaining a new user group corresponding to the second user identifier according to the update request includes: according to the updated group information of the at least one user group, overwriting the group information of the existing user groups corresponding to the second user identifier to obtain at least one updated user group.
  • after receiving the update request sent by the second access device, the server detects the relationship between the shared device and the second user identifier according to the second user identifier carried in the update request; when the user identifier that has a binding relationship with the shared device is the second user identifier, a new user group corresponding to the second user identifier is obtained according to the update request.
  • when the second user identifier is a user identifier associated with the shared device, which characterizes that the second user identifier is an administrator account of the shared device, the user group corresponding to the second user identifier can be updated according to the update request.
  • the new user group created by the server based on the update request may include other user groups in addition to the target user group, and one or more new user groups may be created based on one update request.
  • a user group is created in a server serving as a cloud, and based on the user group, the access authority of the second user identifier to the resources of the target device is shared with the first user identifier, where the first user identifier has no binding relationship with the target device, while the second user identifier has a binding relationship with the target device.
  • the server determines based on the user group that the access permission of the first user identifier to the target device is allowed to access, and controls the first user identifier to access the resources of the target device.
  • the server determines, based on the user group, that the access permission of the first user identifier to the target device is forbidden, it denies the first user identifier to access the resources of the target device.
  • the server may also query the user group corresponding to the second user identifier based on the query request sent by the second access device.
  • the content of the query can be all user groups, or the corresponding user group can be queried based on the group name carried in the query request.
  • the server receives the query request sent by the second access device based on the second user identifier; the server obtains the group information of all user groups corresponding to the second user identifier based on the query request; the server sends the group information of the existing user groups to the second access device.
  • the server receives the query request sent by the second access device based on the second user identifier, where the query request carries the user group name of the user group to be queried; the server obtains the group information of the user group to be queried based on the query request; the server sends the group information of the user group to be queried to the second access device.
  • the server may also delete the user group corresponding to the second user identifier based on the delete request sent by the second access device.
  • the content to be deleted may be all user groups, or the corresponding user group may be deleted based on the group name carried in the delete request.
  • the server receives a delete request sent by the second access device based on the second user identifier; the server deletes all user groups corresponding to the second user identifier according to the delete request.
  • the server receives a delete request sent by the second access device based on the second user identifier, where the delete request carries the user group name of the user group to be deleted; the server deletes the group information of the user group to be deleted from the at least one user group corresponding to the second user identifier according to the delete request.
  • the cloud platform is a control system in a server as a cloud.
  • a resource interface for creating user groups is added to the cloud platform.
  • Registered users of the cloud platform can create user groups for shared devices through the resource interface for creating user groups.
  • the cloud platform provides a resource interface (also referred to as a resource link) /group/gen, and a registered user of the cloud platform updates the information of the corresponding user group through the resource interface to create a user group on the cloud platform.
  • the user group is identified by a group name, and the user group includes: group members, shared devices, and optionally, a validity period.
  • the group name is a string and can be set by the user.
  • Group members are a list of User IDs, including the User ID of each group member.
  • a user group includes at least one group member.
  • the shared device is a list of device IDs, including the device IDs of the shared devices in the group.
  • the shared device of a user group includes at least one device.
  • the validity period is the survival time of the user group, which is counted in seconds.
  • a value of -1 means permanent validity.
  • the following example is a representation of a user group:
  • the group name gn is family, and contains two members: the user identifiers gmids are U001 and U002 respectively.
  • the two users share a device, and the device identifier dids is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1.
  • the validity period of a user group expiresin is 10,000 seconds.
  • the cloud platform starts counting from the moment the user group is created, and automatically deletes the user group after 10,000 seconds.
  • a cloud platform user can create multiple user groups.
  • the cloud platform manages these user groups in the space allocated for the user, and identifies the user with the user ID of the user.
  • the space for a user who created two groups is shown in the following example:
  • the user identification uid of the user is U001
  • the access token is XXXXXXXXX
  • groups is a list of user groups corresponding to the user.
  • user U001 created two user groups family and guest.
  • the group members of the user group family include: U001 and U002, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent.
  • the group members of the user group guest include: U001 and U003.
  • the device identifiers of the shared devices are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
  • this characterizes that user U001 created a family group on the cloud platform and shared the device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002.
  • the family group is permanently valid.
  • user U001 created a visitor group for visitor U003, and temporarily shared the devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, with a valid period of 10,000 seconds.
  • U002 may be a family member of the household where the user U001 is located, and U004 may be a visitor.
  • Step S501 The user A uses the client A (Client A) to obtain the User ID (userB_ID) stored in the user B's terminal client B (Client B) by means of LAN transmission, scanning a QR code, and the like.
  • (the User ID of Client A is userA_ID).
  • Step S502 Client A obtains the device ID of the target device to be configured in the user group through the local area network or the cloud platform. Since user A is the administrator of the target device, it is also possible that Client A has always stored the device ID of the target device after configuring the device. In this case, step S502 can be skipped.
  • Step S503 ClientA sends an update request to the resource interface of the cloud platform.
  • the parameters carried in the update request include userA_ID, the access token, the group name, the user IDs of the group members (userA_ID and userB_ID), the device ID of the shared device and the expiration (validity period).
  • the shared device in the group is the target device.
  • the address of the resource interface can be a fixed address, such as /group/gen.
  • Step S504 After receiving the update request from ClientA, the cloud platform verifies the userA_ID and the access token based on the corresponding relationship between the User ID and the access token stored on the cloud platform, and confirms that User A is a legitimate user after the verification is passed.
  • Step S505 The cloud platform checks the binding relationship between the target device and user A in the update request according to the binding relationship between userA's ID and the device, that is, checks whether the target device is a device managed by user A.
  • the cloud platform checks the binding relationship between each device in the update request and user A according to the binding relationship between userA_ID and the device, that is, it checks whether each device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
  • Step S506 The cloud platform searches for the user group corresponding to user A according to userA_ID.
  • the cloud platform finds the entry corresponding to user A in the user group list according to userA_ID, and finds the user group in the entry according to the group name carried in the update request. Among them, the entry corresponding to user A includes all existing user groups corresponding to user A.
  • Step S507 If the user group corresponding to the group name is not found in the entry corresponding to user A, the cloud platform creates a new user group under the entry corresponding to user A, which is the target user group.
  • the target user group is named after the group name carried in the update request, the member IDs in the group are userA_ID and userB_ID carried in the update request, and the device ID in the group is the device ID of the target device.
  • Step S508 After the cloud platform successfully establishes the user group, it returns a response OK to ClientA.
  • Step S509 Client B accesses the target device through the cloud platform.
  • Step S5010 The cloud platform judges whether user B and the accessed target device are in the same user group. If so, the cloud platform allows the access request and forwards the access request to the target device; if not, it rejects the access request.
  • Step S5011 if the target device has been shared with user B based on the user group, the target device executes an access request, and executes step S5012 to return a response to ClientB.
  • the group administrator can view the user group.
  • the address of the resource interface is /group/gen
  • after the cloud platform receives the query request, it first verifies the User ID of user A. After the User ID verification is passed, the content of groups under the entry corresponding to user A's User ID is returned to user A as a response.
  • after the cloud platform receives the query request, it verifies the User ID of user A. After the User ID verification is passed, the user group whose group name is guest in groups under the entry corresponding to user A's User ID is returned to user A as a response.
  • the user can also delete the created user group.
  • after the cloud platform receives the delete request, it first verifies the User ID of user A. After the User ID verification is passed, the contents of groups under the entry corresponding to user A's User ID are cleared, and a response indicating success is returned to user A.
  • after the cloud platform receives the delete request, it first verifies the User ID of user A. After the User ID verification is passed, the user group whose group name is guest in groups under the entry corresponding to user A's User ID is deleted, and a response indicating success is returned to user A.
  • a resource interface for creating user groups is added to the cloud platform.
  • Registered users of the cloud platform can create user groups for shared devices through the resource interface for creating user groups.
  • the cloud platform provides a resource interface /group/gen.
  • Registered users of the cloud platform update the information of the corresponding user group through the resource interface, and then create a user group on the cloud platform.
  • the user group is identified by a group name, and the user group includes: group members, shared devices, and optionally, a validity period.
  • the group name is a string and can be set by the user.
  • Group members are a list of User IDs, including the User ID of each group member. Among them, a user group includes at least one group member.
  • the shared device is also a device ID (device ID) list, which contains the device IDs of the shared devices in the group. Among them, the shared device of a user group includes at least one device.
  • the validity period is the survival time of the user group, which is counted in seconds. A value of -1 means permanent validity.
  • the following example is a representation of a user group:
  • the group name gn is family, and the user identifier gmids of the group members included is U002.
  • the validity period of a user group expiresin is 10,000 seconds.
  • the cloud platform starts counting from the moment the user group is created, and automatically deletes the user group after 10,000 seconds.
  • a cloud platform user can create multiple user groups.
  • the cloud platform manages these user groups in the space allocated for the user, and identifies the user with the user ID of the user.
  • the space for a user who created two groups is shown in the following example:
  • the user identification uid of the user is U001
  • the access token is XXXXXXXXX
  • groups is a list of user groups corresponding to the user.
  • user U001 created two user groups: family and guest.
  • the group members of the user group family include: U002 and U003, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent.
  • the group members of the user group guest include: U004, the device identifiers of the shared device are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
  • this characterizes that user U001 created a family group on the cloud platform and shared the device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002 and U003.
  • the family group is permanently valid.
  • user U001 created a visitor group for visitor U004 and temporarily shared the devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the effective time is 10,000 seconds.
  • U002 and U003 may be family members of the household where the user U001 is located, and U004 may be a visitor.
  • step S601 the user A uses the client A (ClientA) to obtain the User ID (userB_ID) stored in the user B's terminal client B (ClientB) by means of local area network transmission, scanning the QR code, etc.
  • (the User ID of Client A is userA_ID).
  • Step S602 Client A obtains the device ID of the target device to be configured in the user group through the local area network or the cloud platform. Since user A is the administrator of the target device, it is also possible that Client A has always stored the device ID of the device after configuring the device, and step S602 can be skipped.
  • Step S603 ClientA sends an update request to the resource interface of the cloud platform.
  • the update request carries parameters including userA_ID, access token, group name, group member ID (userB_ID), device ID of the shared device in the group, and expiration of the validity period.
  • the shared device in the group is the target device.
  • Step S604 After receiving the update request from ClientA, the cloud platform verifies the userA_ID and the access token through the corresponding relationship between the UserID and the access token stored in the cloud platform, and confirms that the user A is a legitimate user after the verification is passed.
  • Step S605 The cloud platform checks the binding relationship between the target device and user A in the update request according to the binding relationship between userA's ID and the device, that is, checks whether the target device is a device managed by user A.
  • the cloud platform checks the binding relationship between each device in the update request and user A according to the binding relationship between userA_ID and the device, that is, it checks whether each device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
  • Step S606 The cloud platform searches for the user group corresponding to user A according to userA_ID.
  • the cloud platform finds the entry corresponding to user A in the user group list according to userA_ID, and finds the user group in the entry according to the group name carried in the update request. Among them, the entry corresponding to user A includes all existing user groups corresponding to user A.
  • Step S607 If the user group corresponding to the group name is not found in the entry corresponding to user A, the cloud platform creates a new user group under the entry corresponding to user A, that is, the target user group.
  • the target user group is named after the group name carried in the update request
  • the member ID in the group is the userB_ID carried in the update request
  • the device ID in the group is the device ID of the target device carried in the update request.
  • Step S608 After the cloud platform successfully establishes the user group, it returns a response OK to ClientA.
  • Step S609 Client B accesses the target device through the cloud platform.
  • Step S6010 The cloud platform checks the binding relationship between ClientB and the target device, and if the binding relationship is established, the access request is allowed directly. Since the target device is bound to ClientA, the binding relationship between ClientB and the target device is not established, and it is necessary to further check whether access is permitted based on the group permissions.
  • Step S6011 the cloud platform judges whether the user B and the accessed target device are in the same user group, if yes, the cloud platform allows the access request and forwards the access request to the target device; if not, it rejects the access request.
  • Step S6012 if the target device has been shared with user B based on the user group, the target device executes an access request, and executes step S6013 to return a response to Client B.
  • the group administrator can view the user group.
  • after the cloud platform receives the query request, it first verifies the User ID of user A. After the User ID verification is passed, the content of groups under the entry corresponding to user A's User ID is returned to user A as a response.
  • after the cloud platform receives the query request, it first verifies the User ID of user A. After the User ID verification is passed, the user group whose group name is guest in groups under the entry corresponding to user A's User ID is returned to user A as a response.
  • the user can also delete the created user group.
  • after the cloud platform receives the delete request, it first verifies the User ID of user A. After the User ID verification is passed, the contents of groups under the entry corresponding to user A's User ID are cleared, and a response indicating success is returned to user A.
  • after the cloud platform receives the delete request, it first verifies the User ID of user A. After the User ID verification is passed, the user group whose group name is guest in groups under the entry corresponding to user A's User ID is deleted, and a response indicating success is returned to user A.
  • a resource interface for creating user groups is added to the cloud platform.
  • Registered users of the cloud platform can create user groups for shared devices through the resource interface for creating user groups.
  • the cloud platform provides a resource interface /group/gen.
  • Registered users of the cloud platform update the information of the corresponding user group through the resource interface, and then create a user group on the cloud platform.
  • the user group is identified by a group name, and the user group includes: group members, shared devices, and optionally, a validity period.
  • the group name is a string and can be set by the user.
  • Group members are a list of User IDs, including the User ID of each group member. Among them, a user group includes at least one group member.
  • the shared device is also a device ID (device ID) list, which contains the device IDs of the shared devices in the group. Among them, the shared device of a user group includes at least one device.
  • the validity period is the survival time of the user group, which is counted in seconds. A value of -1 means permanent validity.
  • the following example is a representation of a user group:
  • the group name gn is family, and contains two members: the user identifiers gmids are U001 and U002 respectively.
  • the two users share a device, and the device identifier dids is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1.
  • the validity period of a user group expiresin is 10,000 seconds.
  • the cloud platform starts counting from the moment the user group is created, and automatically deletes the user group after 10,000 seconds.
  • a cloud platform user can create multiple user groups.
  • the cloud platform manages these user groups in the space allocated for the user, and identifies the user with the user ID of the user.
  • the space for a user who created two groups is shown in the following example:
  • the user identification uid of the user is U001
  • the access token accesstoken is XXXXXXXXX
  • groups is a list of user groups corresponding to the user.
  • user U001 created two user groups: family and guest.
  • the group members of the user group family include: U001 and U002, the device identifier of the shared device is 0685B960-736F-46F7-BEC0-9E6CBD61ADC1, and the validity period is permanent.
  • the group members of the user group guest include: U001 and U003.
  • the device identifiers of the shared devices are 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the validity period is 1000 seconds.
  • this characterizes that user U001 created a family group on the cloud platform and shared the device 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 with U002.
  • the family group is permanently valid.
  • user U001 created a visitor group for visitor U003 and temporarily shared the devices 0685B960-736F-46F7-BEC0-9E6CBD61ADC1 and E61C3E6B-9C54-4B81-8CE5-F9039C1D04D9, and the effective time was 10,000 seconds.
  • U002 may be a family member of the household where the user U001 is located, and U004 may be a visitor.
  • Step S701 User A uses ClientA to obtain the user ID (userB_ID) stored in the terminal ClientB of user B through LAN transmission, scanning a two-dimensional code, etc.
  • (the User ID of Client A is userA_ID).
  • Step S702 Client A obtains the device ID of the device to be configured into the group through the local area network or the cloud platform. Since user A is the administrator of the target device, it is also possible that Client A has always stored the device ID of the target device after configuring the device. In this case, step S702 can be skipped.
  • Step S703 ClientA sends a query request to the resource interface of the cloud platform.
  • the query request can be retrieve/group/gen.
  • Step S704 After receiving the inquiry request, the cloud platform verifies the User ID of user A. After the User ID verification is passed, under the entry corresponding to User A's User ID, the content of groups is returned to the user as a response.
  • the content of groups includes the group name of each user group, the group member ID, the device ID of the shared device, and the validity period.
  • Step S705 ClientA adds a new user group to the groups obtained by the query to obtain the updated groups.
  • the group information of the newly added user group includes the group name, the group member IDs (userA_ID and userB_ID), the device ID of the target device, and the validity period.
  • Step S706 ClientA sends an update request to the resource interface of the cloud platform.
  • the parameters included in the update request include userA_ID, access token, and updated groups.
  • Step S707 After receiving the update request, the cloud platform verifies the userA_ID and the access token through the corresponding relationship between the user ID and the access token stored in the cloud platform, and confirms that the user A is a legitimate user after the verification is passed.
  • Step S708 The cloud platform checks the binding relationship between the newly added target device and the user A according to the binding relationship between the userA_ID and the device, that is, checks whether the newly added target device is a device managed by the user A.
  • the cloud platform checks the binding relationship between each newly added device in the update request and user A according to the binding relationship between userA_ID and the device, that is, it checks whether each newly added device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
  • Step S709 The cloud platform updates the groups corresponding to user A.
  • Step S7010 After the cloud platform successfully establishes the user group, it returns a response OK to ClientA.
  • Step S7011 Client B accesses the target device through the cloud platform.
  • step S7012 the cloud platform judges whether the user B and the accessed device are in the same group. If so, the cloud platform allows the access request and forwards the access request to the target device; if not, it rejects the access request.
  • Step S7013 If the target device has been shared with user B based on the user group, the target device executes an access request, and executes step S7014 to return a response to Client B.
  • User A updates the user group based on the existing user group and shares the target device with user B.
  • the specific operation steps, as shown in Figure 8, include:
  • step S801 the user A uses Client A to obtain the user ID (userB_ID) stored in the terminal ClientB of the user B through LAN transmission, scanning a two-dimensional code, or the like.
  • (the User ID of Client A is userA_ID).
  • Step S802 Client A obtains the device ID of the device to be configured into the group through the local area network or the cloud platform. Since user A is the administrator of the target device, it is also possible that Client A has always stored the device ID of the target device after configuring the device. In this case, step S802 can be skipped.
  • Step S803 ClientA sends a query request to the resource interface of the cloud platform.
  • the query request can be retrieve/group/gen.
  • Step S804 After receiving the inquiry request, the cloud platform verifies the User ID of user A. After the User ID verification is passed, under the entry corresponding to User A's User ID, the content of groups is returned to the user as a response.
  • the content of groups includes the group name of each user group, the group member ID, the device ID of the shared device, and the validity period.
  • Step S805 Client A adds a group member ID (userB ID) and a target device (device ID) to an existing group in the groups obtained by the query, to obtain the updated groups.
  • Step S806 ClientA sends an update request to the resource interface of the cloud platform.
  • the update request carries parameters including userA_ID, access token, and updated groups.
  • Step S807 After the cloud platform receives the update request, it verifies the userA_ID and the access token through the corresponding relationship between the user ID and the access token stored in the cloud platform, and confirms that the user A is a legitimate user after the verification is passed.
  • Step S808 The cloud platform checks the binding relationship between the newly added target device and the user A according to the binding relationship between the userA_ID and the device, that is, checks whether the newly added target device is a device managed by the user A.
  • the cloud platform checks the binding relationship between each newly added device in the update request and user A according to the binding relationship between userA_ID and the device, that is, it checks whether each newly added device is a device managed by user A. For each device and its administrator user, the cloud platform stores the binding relationship between the user ID and the device.
  • Step S809 The cloud platform updates the groups corresponding to user A.
  • Step S8010 After the cloud platform successfully establishes the user group, it returns a response OK to ClientA.
  • Step S8011 ClientB accesses the target device through the cloud platform.
  • Step S8012 the cloud platform judges whether the user B and the accessed target device are in the same group, if so, the cloud platform allows the access request and forwards the access request to the target device; if not, it rejects the access request.
  • Step S8013 If the device has been shared with user B based on the user group, the device executes an access request, and executes step S8014 to return a response to Client B.
  • the user can also delete the created user group.
  • after the cloud platform receives the delete request, it first verifies the user ID of user A. After the user ID verification is passed, the content of groups under the entry corresponding to the user ID of user A is cleared, and a response indicating a successful operation is returned to user A.
  • after the cloud platform receives the delete request, it first verifies the user ID of user A. After the user ID verification is passed, the user group whose group name is guest is deleted from groups under the entry corresponding to the user ID of user A, and a successful response is returned to user A.
  • an embodiment of the present invention also provides a server.
  • the composition structure of the server is as shown in FIG. 9, and the server 304 includes:
  • the receiving unit 901 is configured to receive an access request sent by the first access device to access the target device based on the first user identifier;
  • the authority unit 902 is configured to determine the access authority of the first user identifier to the target device according to at least one user group;
  • the processing unit 903 is configured to process the access request according to the access authority.
  • the access authority includes: access permitted and access prohibited; the processing unit 903 is configured to:
  • the authority unit 902 is configured as:
  • the server determines that the access authority of the first user ID is permission to access; the group members of the target user group include the first user ID, and the device identifier of the shared device in the target user group includes the device identifier of the target device.
  • the authority unit 902 is configured as:
  • the server determines that the access authority of the first user ID is forbidden; or
  • the server determines that the access authority of the first user identification is forbidden
  • the server determines that the access authority of the first user identifier to the target device is forbidden.
  • the authority unit 902 is further configured as:
  • when the user IDs of the group members of the user group do not include a user ID that has a binding relationship with the target device, and the first user ID does not have a binding relationship with the device, the access authority of the first user identifier to the target device is determined according to at least one user group.
  • the server 304 further includes: an update unit configured to:
  • a new user group corresponding to the second user identifier is obtained.
  • the group information of the new user group carried in the update request includes at least: the user group name, the identifier of the group member, and the device identifier of the shared device.
  • the identifier of the group member includes: the first user identifier
  • the sharing device includes: the target device.
  • the identity of the group member further includes: the second user identity.
  • the updating unit is further configured as:
  • the group name of the existing user group does not include the user group name of the new user group carried in the update request, according to the new user group carried in the update request.
  • when there is an existing user group corresponding to the second user identifier, and the group name of the existing user group includes the user group name of the new user group carried in the update request, the user group corresponding to the user group name of the new user group is a reference user group, and the group information of the reference user group is updated according to the group member identification and the device identification of the shared device carried in the update request to obtain a new user group.
  • the update request carries the updated group information of at least one user group;
  • the updated at least one user group includes: a new user group and an existing user group corresponding to the second user identifier;
  • the update unit is also configured as:
  • the group information of the existing user group corresponding to the second user identifier is overwritten to obtain the updated at least one user group.
  • the new user group is a newly added user group or a user group obtained by updating a reference user group in the existing user group.
  • the group information of the new user group includes: the user group name, the identifier of the group member, and the device identifier of the shared device;
  • the identifier of the group member includes: the first user identifier
  • the sharing device includes: the target device.
  • the identity of the group member further includes: the second user identity.
  • the updating unit is further configured to:
  • a new user group corresponding to the second user identifier is obtained according to the update request.
  • the group information of the new user group further includes: a validity period; the server further includes: a first deleting unit configured to delete the new user group when the time since the creation of the new user group reaches the validity period.
  • the server further includes: a first query unit configured to:
  • the server further includes: a second query unit configured to:
  • the query request carries the user group name of the user group to be queried;
  • the server further includes: a second deleting unit configured to:
  • the server further includes: a third deleting unit configured to:
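The following Python is an added illustration, not code from the patent, of the cloud platform behaviour described in steps S801 to S8014 and in the receiving, authority, processing, update and deleting units above. Class and method names (CloudPlatform, update_groups, check_access, delete_group) are assumed, as is the rule that a device's own administrator keeps access, since the text only says the group check applies when the requester has no binding relationship with the device.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class UserGroup:
    """Group information: group name, member IDs, shared device IDs, validity period."""
    name: str
    members: Set[str] = field(default_factory=set)   # group member user IDs
    devices: Set[str] = field(default_factory=set)   # device IDs of shared devices
    validity: Optional[float] = None                 # seconds; None = never expires
    created_at: float = 0.0                          # set by the platform on creation

    def expired(self, now: float) -> bool:
        return self.validity is not None and now - self.created_at >= self.validity


class CloudPlatform:
    """Hypothetical model of the server: token store, user/device bindings, user groups."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}              # user ID -> access token
        self.bindings: Dict[str, Set[str]] = {}       # admin user ID -> devices it manages
        self.groups: Dict[str, List[UserGroup]] = {}  # admin user ID -> its user groups

    def register(self, user_id: str, token: str, devices: Set[str] = frozenset()) -> None:
        self.tokens[user_id] = token
        self.bindings[user_id] = set(devices)

    def update_groups(self, user_id: str, token: str,
                      new_groups: List[UserGroup], now: float) -> str:
        # S807: verify the user ID / access token pair stored on the platform.
        if self.tokens.get(user_id) != token:
            return "unauthorized"
        # S808: every device shared by the request must be bound to the requester.
        managed = self.bindings.get(user_id, set())
        if any(not g.devices <= managed for g in new_groups):
            return "rejected"
        existing = self.groups.setdefault(user_id, [])
        for g in new_groups:
            ref = next((e for e in existing if e.name == g.name), None)
            if ref is None:               # unknown group name: add a new user group
                g.created_at = now
                existing.append(g)
            else:                         # known name: update the reference user group
                ref.members |= g.members
                ref.devices |= g.devices
        return "ok"

    def delete_group(self, user_id: str, token: str, name: Optional[str] = None) -> str:
        if self.tokens.get(user_id) != token:
            return "unauthorized"
        if name is None:                  # no group name: clear all of the user's groups
            self.groups[user_id] = []
        else:                             # delete only the group with that name
            self.groups[user_id] = [g for g in self.groups.get(user_id, []) if g.name != name]
        return "ok"

    def purge_expired(self, now: float) -> None:
        """First deleting unit: drop groups whose validity period has elapsed."""
        for uid in self.groups:
            self.groups[uid] = [g for g in self.groups[uid] if not g.expired(now)]

    def check_access(self, user_id: str, device_id: str, now: float) -> bool:
        """S8012 / authority unit: allow only if one group holds both the user and the device."""
        self.purge_expired(now)
        if device_id in self.bindings.get(user_id, set()):
            return True                   # assumed: the administrator keeps its own access
        return any(user_id in g.members and device_id in g.devices
                   for groups in self.groups.values() for g in groups)
```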
  • the embodiment of the present invention also provides an access device 1000, as the first access device 301 in FIG. 3, the structure diagram of the access device, as shown in FIG. 10A, includes:
  • the selection unit 1001 is configured to determine the target device selected by the received selection operation
  • the first sending unit 1002 is configured to generate an access request based on the device identifier corresponding to the target device, and send the access request to a server, so that the server determines, according to at least one user group, the access authority to the target device of the first user identifier used by the access device.
  • the access device 1000 further includes: a second sending unit configured to send the first user identification to a second access device using the second user identification, so that the second access device generates an update request based on the first user identifier; the update request is used by the server to establish a new user group, and the group members of the new user group include the first access device.
  • the embodiment of the present invention also provides an access device 1010, as the second access device 302 in FIG. 3, the structure diagram of the access device, as shown in FIG. 10B, includes:
  • the group establishing unit 1011 is configured to send an update request to the server based on the second user ID; the update request is used to make the server generate a user group, and the generated user group is used to determine the access authority to the target device of the first access device using the first user ID, where the second user identifier has a binding relationship with the target device.
  • the access device 1010 further includes:
  • the first acquiring unit is configured to acquire group information of a new user group, and carry the group information of the new user group in the update request.
  • the access device 1010 further includes: a second obtaining unit configured to query the server for the group information of the existing user group corresponding to the second user identifier, and to carry the obtained group information of the existing user group in the update request.
  • the access device 1010 further includes:
  • the group update unit is configured to, when the user group name of the existing user group includes the user group name of the new user group, use the existing user group corresponding to the user group name of the new user group as the reference user group, and update the group information of the reference user group with the group information of the new user group.
  • An embodiment of the present invention also provides a server, including a processor and a memory for storing a computer program that can run on the processor, wherein the processor is used to execute, when the computer program is running, the steps of the access control method performed by the server.
  • An embodiment of the present invention also provides an access device, including a processor and a memory for storing a computer program that can run on the processor, wherein, when the processor runs the computer program, the access device 1000 executes the steps of the access control method.
  • An embodiment of the present invention also provides an access device, including a processor and a memory for storing a computer program that can run on the processor, wherein, when the processor runs the computer program, the access device 1010 executes the steps of the access control method.
  • the electronic device 1100 includes: at least one processor 1101, a memory 1102, and at least one network interface 1104.
  • the various components in the electronic device 1100 are coupled together through the bus system 1105.
  • the bus system 1105 is used to implement connection and communication between these components.
  • the bus system 1105 also includes a power bus, a control bus, and a status signal bus.
  • various buses are marked as the bus system 1105 in FIG. 11.
  • the memory 1102 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memory.
  • the non-volatile memory may be ROM, Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory, magnetic surface memory, optical disc, or Compact Disc Read-Only Memory (CD-ROM); magnetic surface memory can be disk storage or tape storage.
  • the volatile memory may be random access memory (RAM, Random Access Memory), which is used as an external cache.
  • RAM Random Access Memory
  • SRAM Static Random Access Memory
  • SSRAM Synchronous Static Random Access Memory
  • DRAM Dynamic Random Access Memory
  • SDRAM Synchronous Dynamic Random Access Memory
  • DDRSDRAM Double Data Rate Synchronous Dynamic Random Access Memory
  • ESDRAM Enhanced Synchronous Dynamic Random Access Memory
  • SLDRAM SyncLink Dynamic Random Access Memory
  • DRRAM Direct Rambus Random Access Memory
  • the memory 1102 described in the embodiment of the present invention is intended to include, but is not limited to, these and any other suitable types of memory.
  • the memory 1102 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device 1100. Examples of these data include: any computer program used to operate on the electronic device 1100, such as an application program 11021.
  • the program for implementing the method of the embodiment of the present invention may be included in the application program 11021.
  • the method disclosed in the foregoing embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101.
  • the processor 1101 may be an integrated circuit chip with signal processing capabilities. In the implementation process, the steps of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 1101 or instructions in the form of software.
  • the aforementioned processor 1101 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, and the like.
  • the processor 1101 may implement or execute various methods, steps, and logical block diagrams disclosed in the embodiments of the present invention.
  • the general-purpose processor may be a microprocessor or any conventional processor.
  • the steps of the method disclosed in the embodiments of the present invention can be directly embodied as being executed and completed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium.
  • the storage medium is located in the memory 1102.
  • the processor 1101 reads the information in the memory 1102, and completes the steps of the foregoing method in combination with its hardware.
  • the electronic device 1100 may use one or more application specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSP, programmable logic device (PLD, Programmable Logic Device), complex programmable logic device (CPLD, Complex Programmable Logic Device), FPGA, general-purpose processor, controller, MCU, MPU, or other electronic components to implement the foregoing method.
  • ASIC Application Specific Integrated Circuit
  • DSP Digital Signal Processor
  • PLD Programmable Logic Device
  • CPLD Complex Programmable Logic Device
  • FPGA Field-Programmable Gate Array
  • MCU Microcontroller Unit
  • MPU Microprocessor Unit
  • the embodiment of the present invention also provides a storage medium for storing computer programs.
  • the storage medium can be applied to the server in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention.
  • the storage medium can be applied to the access device in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an access control method, comprising: a server (304) receives an access request for access to a target device, sent from a first access device (301) based on a first user identification; according to at least one user group, the server determines the access rights of the first user identification to the target device (S404); and the server processes the access request according to the access rights (S405).
PCT/CN2019/091410 2019-06-14 2019-06-14 Procédé et appareil de commande d'accès et support d'informations WO2020248284A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/CN2019/091410 WO2020248284A1 (fr) 2019-06-14 2019-06-14 Procédé et appareil de commande d'accès et support d'informations
CN202311284666.XA CN117336053A (zh) 2019-06-14 2019-06-14 一种访问控制方法、装置及存储介质
CN201980079278.3A CN113169970B (zh) 2019-06-14 2019-06-14 一种访问控制方法、装置及存储介质

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/091410 WO2020248284A1 (fr) 2019-06-14 2019-06-14 Procédé et appareil de commande d'accès et support d'informations

Publications (1)

Publication Number Publication Date
WO2020248284A1 true WO2020248284A1 (fr) 2020-12-17

Family

ID=73781922

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/091410 WO2020248284A1 (fr) 2019-06-14 2019-06-14 Procédé et appareil de commande d'accès et support d'informations

Country Status (2)

Country Link
CN (2) CN113169970B (fr)
WO (1) WO2020248284A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113596092A (zh) * 2021-06-28 2021-11-02 青岛海尔科技有限公司 设备云端控制的分享方法、系统、智能设备及存储介质
CN113630447A (zh) * 2021-07-22 2021-11-09 济南浪潮数据技术有限公司 一种基于web的云服务提供方法、系统及存储介质
CN113839949A (zh) * 2021-09-26 2021-12-24 锐捷网络股份有限公司 一种访问权限管控系统、方法、芯片及电子设备
CN114172687A (zh) * 2021-11-03 2022-03-11 杭州涂鸦信息技术有限公司 云端连接方法、辅助设备连接云端的方法及电子设备

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115309766B (zh) * 2022-10-12 2023-03-24 北京奥星贝斯科技有限公司 一种数据库业务执行的方法及装置

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170409A (zh) * 2006-10-24 2008-04-30 华为技术有限公司 实现设备访问控制的方法、系统、业务设备和认证服务器
CN103618706A (zh) * 2013-11-19 2014-03-05 深圳Tcl新技术有限公司 智能设备相互访问的控制系统及方法
CN105721420A (zh) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 访问权限控制方法和反向代理服务器
CN106385397A (zh) * 2015-07-31 2017-02-08 腾讯科技(深圳)有限公司 网络接入设备访问控制及类型配置方法和装置

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8855067B2 (en) * 2010-04-02 2014-10-07 Marvell World Trade Ltd. Multi-user communication group management and signaling
CN102238656A (zh) * 2010-04-28 2011-11-09 北京三星通信技术研究有限公司 一种移动通信系统中的切换方法
CN101957774B (zh) * 2010-09-21 2013-12-25 用友软件股份有限公司 业务操作建模方法和装置
CA2881644C (fr) * 2014-03-31 2023-01-24 Smart Technologies Ulc Definition d'un groupe d'utilisateurs pendant une session initiale
CN107786621B (zh) * 2016-08-31 2020-10-16 阿里巴巴集团控股有限公司 一种用户信息管理方法、访问处理方法及装置和系统
CN107508892A (zh) * 2017-08-29 2017-12-22 努比亚技术有限公司 一种页面访问方法、服务器及计算机可读存储介质
CN109788005A (zh) * 2017-11-10 2019-05-21 中兴通讯股份有限公司 设备控制权限共享方法、装置、系统及计算机存储介质
CN107995215B (zh) * 2017-12-20 2020-09-01 青岛海信智慧家居系统股份有限公司 智能家居设备的控制方法、装置及云平台服务器

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170409A (zh) * 2006-10-24 2008-04-30 华为技术有限公司 实现设备访问控制的方法、系统、业务设备和认证服务器
CN103618706A (zh) * 2013-11-19 2014-03-05 深圳Tcl新技术有限公司 智能设备相互访问的控制系统及方法
US20160072821A1 (en) * 2013-11-19 2016-03-10 Max Wu System and method for controlling mutual access of smart devices
CN106385397A (zh) * 2015-07-31 2017-02-08 腾讯科技(深圳)有限公司 网络接入设备访问控制及类型配置方法和装置
CN105721420A (zh) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 访问权限控制方法和反向代理服务器

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113596092A (zh) * 2021-06-28 2021-11-02 青岛海尔科技有限公司 设备云端控制的分享方法、系统、智能设备及存储介质
CN113630447A (zh) * 2021-07-22 2021-11-09 济南浪潮数据技术有限公司 一种基于web的云服务提供方法、系统及存储介质
CN113630447B (zh) * 2021-07-22 2023-04-07 济南浪潮数据技术有限公司 一种基于web的云服务提供方法、系统及存储介质
CN113839949A (zh) * 2021-09-26 2021-12-24 锐捷网络股份有限公司 一种访问权限管控系统、方法、芯片及电子设备
CN113839949B (zh) * 2021-09-26 2023-10-24 锐捷网络股份有限公司 一种访问权限管控系统、方法、芯片及电子设备
CN114172687A (zh) * 2021-11-03 2022-03-11 杭州涂鸦信息技术有限公司 云端连接方法、辅助设备连接云端的方法及电子设备

Also Published As

Publication number Publication date
CN117336053A (zh) 2024-01-02
CN113169970B (zh) 2023-10-27
CN113169970A (zh) 2021-07-23

Similar Documents

Publication Publication Date Title
WO2020248284A1 (fr) Procédé et appareil de commande d'accès et support d'informations
CN108140031B (zh) 对等可同步存储系统
KR101962156B1 (ko) 권한부여 처리 방법 및 장치
EP1942629B1 (fr) Procédé et système pour une sécurité orientée objet multiniveaux dans une architecture orientée service
JP6355656B2 (ja) 企業のソーシャル・ビジネス・コンピューティングのためのマルチテナント機能のサポート方法、およびシステム。
US8266671B2 (en) Policy-enabled aggregation of IM user communities
US10148637B2 (en) Secure authentication to provide mobile access to shared network resources
KR20160091314A (ko) 무선 통신 시스템에서 서비스 구독 리소스 기반 인증 방법
EP3226506A1 (fr) Procédé, dispositif et système de traitement d'autorisation
TW201234904A (en) Client and server group SSO with local OpenID
WO2006084036A2 (fr) Systeme et procede pour etablir une communication poste-a-poste
WO2009133419A1 (fr) Procédé, appareil et produit programme d'ordinateur fournissant un mécanisme d'autorisation décentralisé à base de groupe
CN113039745B (zh) 文件系统服务器、应用于其中的方法、计算机可读介质
US11888851B2 (en) Identity proxy and access gateway
CN114363165A (zh) 一种电子设备的配置方法、电子设备和服务器
CN112492592A (zh) 一种多个nrf场景下的授权方法
WO2017210914A1 (fr) Procédé et appareil de transmission d'informations
WO2021035740A1 (fr) Procédé de commande d'accès , serveur, dispositif d'accès et support de stockage
JP5190922B2 (ja) コミュニティ通信ネットワークおよび通信制御方法
WO2015021842A1 (fr) Procédé et appareil d'accès à une application ott et procédé et appareil de poussée de message par serveur
CN110365618B (zh) 网络登录方法及装置
CN113678127B (zh) 访问控制方法、服务器、访问设备及存储介质
WO2020191639A1 (fr) Procédé de communication pour dispositif, dispositif et support de stockage
WO2017181775A1 (fr) Procédé et dispositif de gestion d'autorisation distribuée
JP6920614B2 (ja) 本人認証装置、本人認証システム、本人認証プログラム、および、本人認証方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19932738

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19932738

Country of ref document: EP

Kind code of ref document: A1