CN101771698A - Grid visit control method based on extendible markup language security policy - Google Patents
Grid visit control method based on extendible markup language security policy
- Publication number: CN101771698A (application CN201010017914A)
- Authority: CN (China)
- Prior art keywords: role, user, resource, authority, prms
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
- Classification: Storage Device Security (AREA)
Abstract
The invention provides a grid access control method based on an XML security policy, aimed at the problems of dynamism and of crossing different security domains in grid-computing access control. The method restricts roles to security domains; defines role-inheritance relations between different security domains; associates roles of the local domain with roles of other domains through a delegated authorization service, thereby establishing inter-domain role-inheritance relations; and gives resolutions for the role-inheritance conflicts that may arise. The invention extends the standard RBAC model: by introducing two context mechanisms, subject events and object events, it gives a context-based role access control model that realizes a dynamic authorization process. It formally describes the concrete process by which subject events cause role-state changes and object events cause permission-state changes, and a consistency analysis of the state-transition process shows that the model remains consistent during state transitions.
Description
Technical field
The present invention is a security solution for distributed computing. It is mainly used to solve the access control problem in grid environments and belongs to the software-security area of distributed computing.
Background
Grid computing connects hardware, software and information resources scattered in different places through high-speed networks into one huge whole, so that people can use resources distributed across geography to complete large-scale, complex computing and data-processing tasks. Compared with earlier notions such as cooperative work and distributed computing, grid computing has a higher degree of integration, is more convenient to use, and uses resources more fully and effectively. It marks a new, higher level of modern information technology.
Security is one of the key issues of grid computing; as grids become commercialized and widespread, solving the security problem is especially urgent. The purpose of the present invention is to introduce a method that addresses the security-policy aspect of grid computing, and in particular access control. Research on grid computing security is still at an early stage and needs deeper study.
Extensible Markup Language (XML), as a technology for data exchange and interoperability between heterogeneous platforms, is the most common data-exchange representation in grids, so the security of XML is the foundation of grid information exchange. Traditional technologies such as SSL and TLS protect the whole transmitted document; in a grid environment the granularity of secure handling of an XML document is no longer the whole file, since only part of the information in the document may need to be encrypted or signed. It is therefore necessary to use XML-based security policies in grid environments.
Role-based access control (RBAC) is the currently popular access control model, but like other traditional access control models it uses static authorization and does not consider the surrounding context; applying it to grid computing, whose notable feature is dynamism, inevitably leads to certain defects. The present invention extends the RBAC model with the notions of user active roles, system active permissions, user active permissions, subject context and object context, and realizes context-based access control through a state matrix, in order to solve context-sensitive access control in grid environments.
Summary of the invention
Technical problem: the objective of the invention is to solve the problems of dynamism and of crossing different security domains involved in grid-computing access control. Roles are qualified by security domain; role-inheritance relations between different security domains are defined; roles of the local domain are associated with roles of other domains through a delegated authorization service so as to establish inter-domain role-inheritance relations; and corresponding solutions are given for the role-inheritance conflicts that may be encountered.
Technical scheme: the present invention extends the standard RBAC model and, by introducing two context mechanisms, subject events and object events, gives a context-based Role Based Access Control (RBAC) model. The model can realize a dynamic authorization process based on contextual information; it formally describes the concrete process by which subject events cause role-state changes and object events cause permission-state changes; and a consistency analysis of the state-transition process shows that the model maintains consistency during state transitions.
The main notions used in this model are:
Security domain (Security Domain): an individual, organization, department or group that joins the grid environment and has an internally consistent security system.
GSI (Globus Security Infrastructure): the Globus security infrastructure.
PKI (Public Key Infrastructure): public-key infrastructure.
RBAC (Role Based Access Control): role-based access control.
XACML (Extensible Access Control Markup Language): extensible access control markup language.
XML (Extensible Markup Language): extensible markup language.
The grid access control method based on an XML security policy of the present invention comprises the following steps:
1) First configure the user-role assignment policy. Two roles are set in the domain: visitor and administrator. In the policy file, the <AttributeValue> of the <SubjectMatch> inside the <Rule> element is a preset e-mail address; the matching rule uses a name-discrimination function that takes the mailbox suffix as the basis for the decision, and a user whose mailbox suffix matches the preset one is assigned the administrator role.
2) Configure the role-permission policy: define that the administrator role has read, write and execute permission on the resource nodes of the network segment 10.10.138.*, and apply a subnet-matching function to the resource <resource>10.10.138.*</resource>.
3) Configure the resource-based dynamic access control policy: resources in the grid dynamically control user access according to the policy, for example a time-based resource policy and an access control policy based on the resource's dynamic performance.
4) The user submits a request to the service to access a resource.
5) The user information is verified. After authentication by the grid authentication system, the access control request converter converts the user information and the request information into the standard XACML request format: the user's information becomes the <Subject> element, the resource to be accessed becomes the <Resource> element, and the type of action on the resource becomes the <Action> element.
6) According to the converted XACML request, extract the <Resource> element from the request and check the corresponding resource access control policy; if the resource is in the available state, proceed to the next step, otherwise return <Deny>.
7) According to the <Attribute> contained in the <Subject> element of the received XACML request, query the user-role information base to determine which role this user belongs to, and match the corresponding role to the user.
8) Query the role-permission information base according to the assigned role and assign the role its corresponding permissions, such as read and write permissions.
9) Compare the role's permissions with the <Action> in the user's request. If the requested action belongs to the role's permissions, the match succeeds and the next step runs; if the requested action lies outside the user's permissions, the match fails and <Deny> is returned.
10) If all of the above steps pass, the corresponding final access protocol is returned to the user, and the user can perform the specified action on the requested resource through this protocol.
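The ten steps above, worked through as an XACML-style policy evaluation. This is an added example written for this page, not the patent's own code: only the two roles (visitor, administrator), the mail-suffix match and the 10.10.138.* segment come from the text; the element names, the policy layout, the 08:00 to 20:00 window, the suffix `@grid.example` and every request below are constructed assumptions.

```python
"""Added example (not the patent's code): the ten-step flow above as an
XACML-style policy evaluation.  Element names, the policy layout, the
time window, the e-mail suffix and every sample request are assumptions
constructed for this example; only the roles (visitor, administrator),
the mail-suffix match and the 10.10.138.* segment come from the text."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import time

# Steps 1-3: user-role rule, role-permission entries and a time-based resource policy.
POLICY_XML = """
<Policy>
  <Rule RoleId="administrator">
    <SubjectMatch MatchId="mail-suffix"><AttributeValue>@grid.example</AttributeValue></SubjectMatch>
  </Rule>
  <RolePermission RoleId="administrator">
    <Resource MatchId="subnet">10.10.138.*</Resource>
    <Action>read</Action><Action>write</Action><Action>execute</Action>
  </RolePermission>
  <RolePermission RoleId="visitor">
    <Resource MatchId="subnet">10.10.138.*</Resource>
    <Action>read</Action>
  </RolePermission>
  <ResourcePolicy Resource="10.10.138.*" From="08:00" To="20:00"/>
</Policy>
"""


def subnet_match(pattern, host):
    """Step 2's subnet match: '10.10.138.*' covers every host in 10.10.138.0/24."""
    octets = pattern.split(".")
    prefix = [o for o in octets if o != "*"]
    if len(octets) != 4 or octets[:len(prefix)] != prefix:   # '*' only as trailing octets
        raise ValueError("bad subnet pattern: %r" % pattern)
    net = ipaddress.ip_network("%s/%d" % (".".join(prefix + ["0"] * (4 - len(prefix))), 8 * len(prefix)))
    return ipaddress.ip_address(host) in net


def build_request(email, resource, action):
    """Step 5: the access-control request converter.  `email` must be the identity
    asserted by the grid authentication system, never a value typed by the user,
    because step 7 hands out the administrator role on its suffix alone."""
    req = ET.Element("Request")
    attr = ET.SubElement(ET.SubElement(req, "Subject"), "Attribute", AttributeId="email")
    attr.text = email
    ET.SubElement(req, "Resource").text = resource
    ET.SubElement(req, "Action").text = action
    return ET.tostring(req, encoding="unicode")


def decide(policy_xml, request_xml, now):
    """Steps 6-10: returns ('Permit', detail) or ('Deny', reason)."""
    policy = ET.fromstring(policy_xml.strip())
    req = ET.fromstring(request_xml)
    email = req.findtext("Subject/Attribute[@AttributeId='email']") or ""
    resource, action = req.findtext("Resource"), req.findtext("Action")
    # Step 6: is the resource available right now?  Otherwise <Deny> before any role lookup.
    for rp in policy.iter("ResourcePolicy"):
        if subnet_match(rp.get("Resource"), resource):
            start, end = time.fromisoformat(rp.get("From")), time.fromisoformat(rp.get("To"))
            if not start <= now < end:
                return "Deny", "resource %s unavailable at %s" % (resource, now.isoformat("minutes"))
    # Step 7: user-role lookup; the suffix keeps its '@' so 'bob@notgrid.example' cannot match.
    role = "visitor"
    for rule in policy.iter("Rule"):
        suffix = rule.findtext("SubjectMatch[@MatchId='mail-suffix']/AttributeValue")
        if suffix and email.lower().endswith(suffix.lower()):
            role = rule.get("RoleId")
    # Step 8: permissions of that role on the requested resource.
    allowed = set()
    for rp in policy.iter("RolePermission"):
        res = rp.find("Resource")
        if rp.get("RoleId") == role and res.get("MatchId") == "subnet" and subnet_match(res.text, resource):
            allowed.update(a.text for a in rp.iter("Action"))
    # Step 9: the requested <Action> must lie within the role's permissions.
    if action not in allowed:
        return "Deny", "role %s may not %s %s" % (role, action, resource)
    # Step 10: all checks passed; the permit stands in for the final access protocol.
    return "Permit", "%s on %s as %s" % (action, resource, role)
```

The order of the checks matters: the resource-availability test of step 6 runs before the role lookup, so an unavailable resource is denied even to an administrator, and the mail-suffix rule only makes sense if the e-mail attribute in the <Subject> was asserted by the grid authentication system (for example taken from the user's certificate), since a self-declared address would let anyone become administrator by choosing the right suffix.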
Beneficial effects: the main advantages of the present invention are the following:
(1) Simple content. As can be seen from the extended RBAC definitions, only context driving is added to permission assignment and role assignment, and roles are qualified by security domain; the remaining definitions stay standard, which guarantees a degree of compatibility and makes the model easy to implement.
(2) Multi-granularity control. Context control is divided into dynamic role assignment and dynamic permission assignment, so it adapts better to the dynamic characteristics of the grid and thereby realizes cross-domain access control.
(3) Easy extension of context. The definition of context is itself dynamic; only state-transition control needs to be provided at the interface, and various dynamic logics can be added flexibly, for example control by CPU load, by time, by number of accessing users, by location, and by link state.
Description of drawings
Fig. 1 shows the components of core RBAC.
Fig. 2 shows the grid access control model within a security domain.
Fig. 3 is the schematic diagram of the role state machine (RSM).
Fig. 4 is the schematic diagram of the permission state machine (PSM).
Fig. 5 is the basic flow chart of grid access control.
Fig. 6 is the system flow chart of the present invention.
Fig. 7 is the model design flow chart of the present invention.
Embodiment
1. Architecture
Fig. 1 gives core RBAC and defines the five most basic elements of the RBAC model: users, sessions, roles, operations and objects (permissions).
A user (User) typically represents a person, but can also be a machine, an agent or any other intelligent entity.
A role (Role) represents a job function or responsibility within an organization. This responsibility can carry further semantics about authority and accountability.
A permission (Permission) is an approval to perform operations on one or more objects.
An operation (Operation) is an executable image of a program, invoked and executed by a user. The type of operations depends on the implementing system: for a file system the possible operations are read, write and execute; for a database system they are CRUD.
An object (Object) represents a resource; every access control mechanism exists to protect the resources of a system. Objects may include files, directories, database tables, rows and fields; even disk space, printers and CPU cycles are all resources.
Fig. 2 gives the context-based RBAC model, in which: (1) the authentication and authorization service is responsible for authorization within a security domain of the grid; the service can be managed and configured, and is controlled dynamically according to policy. (2) Context agents (Context Agent) are assigned by the authentication and authorization service to specific roles and permissions; they use middleware services to monitor context and generate the events that trigger state-machine transitions. (3) The role state machine (Role State Machine) maintains the transition states of the roles assigned to a user and is driven by the context agent. (4) The permission state machine (Permission State Machine) maintains the transition states of the permissions of the user's current role and is likewise driven by the context agent.
2. Method flow
The present invention takes a wireless mesh network as the background for describing the concrete case. In the wireless mesh environment we likewise divide context into two classes: subject context (for example user location, user time, local resource state, link state) and object context (for example current load, availability state, connectivity). Subject-context and object-context access control are described below by example.
(1) Subject-context access control
Example: in a wireless environment, when the user connects over an internal secure wireless link, the user is assigned the power-user role (permissions P1, P2, P3); when the user connects over an external secure wireless link, the user is assigned the ordinary-user role (P1, P2); when the user connects over an external insecure link, the user is assigned the visitor role (P1).
Table 1 and Table 2 (numbered 4-1 and 4-2 in the original text) give the roles and events of this case. These contents can easily be described with a role state machine (RSM), shown in Fig. 3 (numbered 4-9 in the original text): each node represents a state and each edge represents an event. RS0 represents the illegal state; when another role transitions to RS0, that role is forbidden for the current session.
Table 1 Role-permission table

Role | State number | Permissions
---|---|---
Power user | RS1 | P1, P2, P3
Ordinary user | RS2 | P1, P2
Visitor | RS3 | P1
Forbidden role | RS0 | No permissions

Table 2 Event table

Event | Event number | Event description
---|---|---
Internal secure link | SE1 | Used for internal advanced authorization
External secure link | SE2 | Used for external ordinary authorization
External insecure link | SE3 | Used for external restricted authorization
Link disconnected | SE4 | The link fails and disconnects suddenly
Policies described in XML form are used to control access to the wireless mesh; below is an example policy description of a user role transition (the element names are translated from the Chinese of the original document):

```xml
<RoleTransition>
  <Policy>
    <SubjectId>****</SubjectId>
    <InitialRole>Power user</InitialRole>
    <Event>Insecure link</Event>
    <FinalRole>Ordinary user</FinalRole>
  </Policy>
</RoleTransition>
```
For state changes driven by subject events, the change happens at the user agent and therefore concerns only the role-permission transformation of a single user. The role transformation process is as follows:

```
TransSubRoles(role_1: ROLES, role_2: ROLES, event: SUB_EVENTS)
  while ((role_1, event, role_2) ∈ RER ∧ event.state == activate)
    ∀ session ∈ role_sessions(role_1) · session.state = Execute ⇒
      session.state = Block
      role_1.state = enable
      AddActiveRole(user, session, role_2)
      role_2.state = activate
      TransSubPerms(role_1, role_2, session)
    else session.state = Error
    authorized_role′ = authorized_role \ {role_2} ∪ {role_1}
    activated_role′ = activated_role \ {role_1} ∪ {role_2}
```

Here the subfunction AddActiveRole(user: USERS, session: SESSIONS, role_2) means that if role_2 is not yet in the set of roles authorized for this session, it is added to that set:

```
AddActiveRole(user: USERS, session: SESSIONS, role_2: ROLES)
  session_roles′ = session_roles ∪ {session ↦ (session_roles(session) ∪ {role_2})}
  authorized_prms′(session) = authorized_prms ∪
```

The subfunction TransSubPerms(role_1, role_2, session) performs the corresponding permission adjustment: the permissions authorized to role_1 that are in state activate are set to enable, the permissions authorized to role_2 that are in state enable are set to activate, and finally the authorized_prms and activated_prms sets are adjusted respectively. The function is defined as:

```
TransSubPerms(role_1: ROLES, role_2: ROLES, session: SESSIONS)
  ∀ prms authorized to role_1 with prms.state = activate ·   prms.state = enable
  ∀ prms′ authorized to role_2 with prms′.state = enable ·   prms′.state = activate
```

When an event causes a role's state to change from the activated state to the illegal state, this is equivalent to a role transformation from role_1 to role_0 and can be expressed in the same way:

```
DropActiveRole(role_1: ROLES, event: EVENTS, session: SESSIONS)
  DropSubPerms(role_1, session)
  role_1.state = disable
```

The subfunction DropSubPerms(role_1, session) means that the state of the permissions authorized to and activated by this role also changes to the illegal state:

```
DropSubPerms(role_1: ROLES, session: SESSIONS)
  ∀ prms authorized to role_1 ·   prms.state = disable
  ∀ prms′ activated by role_1 ·   prms′.state = disable
  authorized_prms′(session) = authorized_prms \ {prms′}
```
(2) Object-context access control
Example: users are only allowed to access a certain resource between 8:00 and 20:00; users may access the resource when its CPU load is below 80%, and when the load exceeds 80% only reading is allowed; the resource is readable, writable and executable only when a single session is using it, and when several sessions use the resource it cannot be written.
Table 3 and Table 4 (numbered 4-3 and 4-4 in the original text) give the permission states and events of this example. These situations can likewise be described with a permission state machine (PSM), shown in Fig. 4 (numbered 4-10 in the original text): each node represents a state, each edge represents an event, and PS0 represents the illegal state of the permission.
Table 3 Permission state table

Permission | State number
---|---
Resource readable, writable and executable (P1, P2, P3) | PS1
Resource readable and executable (P1, P2) | PS2
Resource readable (P1) | PS3
Resource inaccessible | PS0

Table 4 Event table

Event | Event number | Event description
---|---|---
8:00-20:00 | OE1 | Resource access allowed
Other times | OE2 | Resource access forbidden
Several sessions using the resource | OE3 | Resource readable and executable
Only one session using the resource | OE4 | Resource readable, writable and executable
Resource CPU load rises above 80% | OE5 | Resource readable
Resource CPU load falls below 80% | OE6 | Original resource access permissions restored
Policies described in XML form are again used to control access to the wireless mesh; below is an example of a permission transition policy:

```xml
<PermissionTransition>
  <Policy>
    <ObjectId>****</ObjectId>
    <InitialPermission>CPU accessible</InitialPermission>
    <Event>CPU load rises above 80%</Event>
    <FinalPermission>CPU inaccessible</FinalPermission>
  </Policy>
</PermissionTransition>
```
If some event or events can switch a permission between forbidden and allowed, we call the transition from forbidden to allowed state-machine-based permission activation, and the transition from allowed to forbidden permission passivation.
For state changes driven by object events, the change concerns the same system and therefore every session that uses the permission. The permission-state transition caused by an object event is:

```
TransObjPerms(prms_1: PERMS, prms_2: PERMS, event: OBJ_EVENTS)
  ∀ session that uses prms_1 ·
    session.state = Block
    if (prms_2 ∈ authorized_prms(session))
      prms_1.state = enable
      prms_2.state = activate
      TransObjRoles(prms_1, prms_2, session)
      authorized_prms′(session) = authorized_prms \ {prms_2} ∪ {prms_1}
      activated_prms′(session) = activated_prms \ {prms_1} ∪ {prms_2}
      session.state = activate
    else session.state = Error
```

The subfunction TransObjRoles(prms_1, prms_2, session) performs the corresponding role-state adjustment: roles that are authorized the permission prms_1 and are in state activate are set to enable, roles that are authorized the permission prms_2 and are in state enable are set to activate, and finally the authorized_roles and activated_roles sets are adjusted respectively. Taking the role-inheritance relation into account, the function is defined as:

```
TransObjRoles(prms_1: PERMS, prms_2: PERMS, session: SESSIONS)
  ∀ role authorized prms_1 with role.state = activate ·   role.state = enable
  ∀ role′ authorized prms_2 with role′.state = enable ·   role′.state = activate
  ∀ role′ reached from such a role through the role-inheritance relation ·   role′.state = activate
```

When a permission is revoked, i.e. it likewise transitions to state PS0, the corresponding transition process is:

```
DropActivePerms(prms_1: PERMS, event: EVENTS, session: SESSIONS)
  DropObjRoles(prms_1, session)
  prms_1.state = disable
```

and the state of the roles that are authorized and have activated this permission correspondingly also changes to the illegal state:

```
DropObjRoles(prms_1: PERMS, session: SESSIONS)
  ∀ role authorized prms_1 ·   role.state = disable
  authorized_role′(session) = authorized_role \ {role}
  activated_role′(session) = activated_role \ {role}
```

Here the change of role state through inheritance is taken into account: when the permissions corresponding to an activated role are all in state enable, the role reached through the inheritance relation under the activated permission must also be activated.
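The role state machine of the subject-context example and the permission state machine of the object-context example, driven by the events of Tables 2 and 4 and combined into a session check (activated permissions are the role's permissions intersected with what the resource currently offers). This is an added example written for this page, not the patent's code; the condition names, the class layout and the event sequences in the usage note are assumptions.

```python
"""Added example (not the patent's code): the role state machine (RSM) of the
subject-context example and the permission state machine (PSM) of the
object-context example, driven by the events of Tables 2 and 4, plus the
session check that combines them.  The condition names, the class layout and
the event sequences used in testing are assumptions made for this example."""

# Table 1 and Table 3: state number -> permission set; RS0 / PS0 are the illegal states.
ROLE_STATES = {"RS1": {"P1", "P2", "P3"}, "RS2": {"P1", "P2"}, "RS3": {"P1"}, "RS0": set()}
PERM_STATES = {"PS1": {"P1", "P2", "P3"}, "PS2": {"P1", "P2"}, "PS3": {"P1"}, "PS0": set()}

# Table 2: a subject event names the role state it activates (SE4 forbids the role).
SUBJECT_EVENTS = {"SE1": "RS1", "SE2": "RS2", "SE3": "RS3", "SE4": "RS0"}

# Table 4: object events set or clear a condition on the resource.  Each active
# condition caps the permissions the resource offers; OE1/OE6 clear what OE2/OE5 set.
OBJECT_EVENTS = {
    "OE1": ("off_hours", False), "OE2": ("off_hours", True),
    "OE3": ("multi_session", True), "OE4": ("multi_session", False),
    "OE5": ("cpu_high", True), "OE6": ("cpu_high", False),
}
CONDITION_CAP = {"off_hours": set(), "cpu_high": {"P1"}, "multi_session": {"P1", "P2"}}


class RoleStateMachine:
    """RSM for one user session: the active role follows the link the user arrived on."""
    def __init__(self):
        self.state = "RS0"                       # no role until a link event arrives

    def fire(self, event):
        if event not in SUBJECT_EVENTS:
            raise KeyError("unknown subject event %r" % event)
        self.state = SUBJECT_EVENTS[event]       # RS0 means the role is forbidden for this session
        return self.state

    @property
    def perms(self):
        return ROLE_STATES[self.state]


class PermissionStateMachine:
    """PSM for one resource, shared by all sessions that use it.  The state is derived
    from the set of conditions currently in force rather than from the last edge taken,
    so clearing one restriction (OE6) does not lift another that is still active (OE2)."""
    def __init__(self):
        self.active = set()

    def fire(self, event):
        if event not in OBJECT_EVENTS:
            raise KeyError("unknown object event %r" % event)
        cond, on = OBJECT_EVENTS[event]
        if on:
            self.active.add(cond)                # passivation: the condition removes permissions
        else:
            self.active.discard(cond)            # activation: the original permissions come back
        return self.state

    @property
    def perms(self):
        offered = set(PERM_STATES["PS1"])
        for cond in self.active:
            offered &= CONDITION_CAP[cond]
        return offered

    @property
    def state(self):
        return next(s for s, p in PERM_STATES.items() if p == self.perms)


def session_may(rsm, psm, perm):
    """A request needs the permission both in the user's activated role and in the
    resource's current permission state (activated_prms = role perms ∩ resource perms)."""
    return perm in (rsm.perms & psm.perms)


def run(subject_events, object_events, perm):
    """Replay the event sequences and report (role state, permission state, allowed?)."""
    rsm, psm = RoleStateMachine(), PermissionStateMachine()
    for e in subject_events:
        rsm.fire(e)
    for e in object_events:
        psm.fire(e)
    return rsm.state, psm.state, session_may(rsm, psm, perm)
```

For example, `run(["SE1"], ["OE1", "OE5"], "P2")` gives a power user on a resource whose CPU load went above 80%: the role is RS1, the resource is in PS3, and P2 is refused until OE6 arrives. The reason for deriving the PSM state from active conditions instead of storing a "previous state" to restore is the sequence OE2, OE5, OE6 (outside working hours, load rises, load falls): a naive restore on OE6 would return the resource to PS1 while the time restriction is still in force, whereas here it stays in PS0.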
The complete execution flow of grid access control implemented with XML is shown in Fig. 7; it follows the ten steps listed in the Summary of the Invention above (policy configuration in steps 1-3, request conversion in step 5, resource availability check in step 6, role and permission lookup in steps 7-8, action matching in step 9 and issue of the final access protocol in step 10), which are restated in Claim 1 below.
Claims (1)
1. A grid access control method based on an XML security policy, characterized in that the method comprises the following steps:
1) First configure the user-role assignment policy. Two roles are set in the domain: visitor and administrator. In the policy file, the <AttributeValue> of the <SubjectMatch> inside the <Rule> element is a preset e-mail address; the matching rule uses a name-discrimination function that takes the mailbox suffix as the basis for the decision, and a user whose mailbox suffix matches the preset one is assigned the administrator role.
2) Configure the role-permission policy: define that the administrator role has read, write and execute permission on the resource nodes of the network segment 10.10.138.*, and apply a subnet-matching function to the resource <resource>10.10.138.*</resource>.
3) Configure the resource-based dynamic access control policy: resources in the grid dynamically control user access according to the policy, for example a time-based resource policy and an access control policy based on the resource's dynamic performance.
4) The user submits a request to the service to access a resource.
5) The user information is verified. After authentication by the grid authentication system, the access control request converter converts the user information and the request information into the standard XACML request format: the user's information becomes the <Subject> element, the resource to be accessed becomes the <Resource> element, and the type of action on the resource becomes the <Action> element.
6) According to the converted XACML request, extract the <Resource> element from the request and check the corresponding resource access control policy; if the resource is in the available state, proceed to the next step, otherwise return <Deny>.
7) According to the <Attribute> contained in the <Subject> element of the received XACML request, query the user-role information base to determine which role this user belongs to, and match the corresponding role to the user.
8) Query the role-permission information base according to the assigned role and assign the role its corresponding permissions, such as read and write permissions.
9) Compare the role's permissions with the <Action> in the user's request. If the requested action belongs to the role's permissions, the match succeeds and the next step runs; if the requested action lies outside the user's permissions, the match fails and <Deny> is returned.
10) If all of the above steps pass, the corresponding final access protocol is returned to the user, and the user can perform the specified action on the requested resource through this protocol.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010017914A CN101771698A (en) | 2010-01-15 | 2010-01-15 | Grid visit control method based on extendible markup language security policy |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101771698A true CN101771698A (en) | 2010-07-07 |
Family
ID=42504289
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101895551A (en) * | 2010-07-22 | 2010-11-24 | 北京天融信科技有限公司 | Resource access control method and system |
CN101951372A (en) * | 2010-09-17 | 2011-01-19 | 公安部第三研究所 | Dual-authorization cross-domain access control method |
CN101951384A (en) * | 2010-09-29 | 2011-01-19 | 南京信息工程大学 | Distributed security domain logic boundary protection method |
CN101951384B (en) * | 2010-09-29 | 2013-08-07 | 南京信息工程大学 | Distributed security domain logic boundary protection method |
CN105893794A (en) * | 2014-11-18 | 2016-08-24 | 苏州慧盾信息安全科技有限公司 | Authority management system and method of Internet of things information system |
CN104392159A (en) * | 2014-12-17 | 2015-03-04 | 中国人民解放军国防科学技术大学 | User on-demand authorization method capable of supporting least privilege |
CN104392159B (en) * | 2014-12-17 | 2018-02-06 | 中国人民解放军国防科学技术大学 | A kind of user for supporting least privilege authorization method on demand |
CN105827564B (en) * | 2015-01-04 | 2019-10-29 | ***通信集团安徽有限公司 | A kind of approaches to IM and system |
CN105827564A (en) * | 2015-01-04 | 2016-08-03 | ***通信集团安徽有限公司 | Information management method and information management system |
CN105787317A (en) * | 2016-03-23 | 2016-07-20 | 中国电力科学研究院 | Permission control method based on multi-layer hierarchy system |
CN106326760A (en) * | 2016-08-31 | 2017-01-11 | 清华大学 | Access control rule description method for data analysis |
CN106326760B (en) * | 2016-08-31 | 2019-03-15 | 清华大学 | It is a kind of for data analysis access control rule method is described |
CN107679099A (en) * | 2017-09-12 | 2018-02-09 | 中国科学院软件研究所 | Access control wants sketch map construction method, policy depiction method, access control decision method and framework |
CN107679099B (en) * | 2017-09-12 | 2021-07-30 | 中国科学院软件研究所 | Access control element graph construction method, policy description method, access control judgment method and framework |
CN108881197A (en) * | 2018-06-07 | 2018-11-23 | 浙江大学 | High score grid system authentication system based on RBAC model |
CN110826088A (en) * | 2019-11-13 | 2020-02-21 | 国网浙江省电力有限公司宁波供电公司 | Method for constructing access control model of T-RBACG |
Legal Events

Code | Title
---|---
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C12 | Rejection of a patent application after its publication
RJ01 | Rejection of invention patent application after publication

Application publication date: 2010-07-07