CN103179126A - Access control method and device - Google Patents

Access control method and device

Info

Publication number: CN103179126A
Authority: CN (China)
Prior art keywords: authority, target, data, access, credentials
Legal status: Pending
Application number: CN2013100998668A
Other languages: Chinese (zh)
Inventors: 颜宇泽, 王可鑫
Current assignee: CVIC Software Engineering Co Ltd
Original assignee: CVIC Software Engineering Co Ltd
Application filed by CVIC Software Engineering Co Ltd
Priority to CN2013100998668A
Publication of CN103179126A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an access control method and device. The method comprises the following steps: receiving an access request, wherein the access request includes an accessor identification and a data identification; and inquiring, according to the accessor identification and the data identification, whether a target authority value corresponding to the access request is contained in a preset authority list, and if so, generating a first access result which indicates that the user corresponding to the accessor identification can access the target data corresponding to the data identification with the authority corresponding to the target authority value, wherein the authority list includes at least one authority value, and each authority value corresponds to one accessor identification and one data identification. According to the embodiments of the invention, data access control is realized with authority decoupled from service, which avoids the problem in the prior art that the performance and efficiency of access control suffer because authority is tightly coupled with service data and both authority and service change whenever requirements change.

Description

Access control method and device
Technical field
The present application relates to the field of rights management technology, and in particular to an access control method and device.
Background technology
At present, access control schemes for data resources generally adopt the role-based access control (RBAC) model. The basic idea of the RBAC model is that access permissions (authorities) are assigned to roles, and a user obtains the authorities of a role by holding that role; for example, the role each user holds in a department determines the access permissions that user has.
The RBAC model expresses access control through the relational model among users, roles and privileges; its focus is the relations among user, role and authority. One user may have several roles, one role may apply to several users, and likewise one role may have several authorities and one authority may correspond to several roles. Because authorities are defined through the relations among users, roles and authorities, authority and business are tightly coupled: when business requirements change, for example when a user or a role changes, authority and business change with them. In relatively complex business scenarios, such as data queries and operating rights, the coupling between authority and business in the RBAC model is so tight that some authorities cannot even be clearly distinguished from business; when requirements change, both authority and business change, the RBAC model becomes confused, and the efficiency of access control suffers.
Summary of the invention
The technical problem to be solved by the present application is to provide an access control method and device, so as to solve the technical problem that, in existing access control schemes, the tight coupling of authority and business lowers the efficiency of access control.
The present application provides an access control method, the method comprising:
receiving an access request, the access request comprising an accessor identifier and a data identifier;
querying, according to the accessor identifier and the data identifier, whether a preset authority list contains a target authority value corresponding to the access request, and if so, generating a first access result, the first access result indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the authority corresponding to the target authority value;
wherein the authority list comprises at least one authority value, and each authority value corresponds to one accessor identifier and one data identifier.
In the above method, preferably, if the target authority value corresponding to the access request is not found in the authority list, the method further comprises:
generating a second access result, the second access result indicating that the user corresponding to the accessor identifier cannot access the target data corresponding to the data identifier.
In the above method, preferably, after the first access result is generated, the method further comprises:
searching a preset business table for the target data detail corresponding to the target authority value, the business table comprising at least one data detail, each data detail corresponding to one authority value;
generating a third access result, the third access result indicating that the user corresponding to the accessor identifier can access the target data detail with the authority corresponding to the target authority value.
In the above method, preferably, after the first access result is generated, the method further comprises:
searching a preset query table for the target query type corresponding to the target authority value, the query table comprising at least one query type, each query type corresponding to one authority value;
generating a fourth access result, the fourth access result indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the query permission corresponding to the target query type.
In the above method, preferably, presetting the authority list comprises:
defining one authority value for each authority, the authority values forming the authority list according to the principle of least privilege;
wherein each authority value corresponds to one accessor identifier and one data identifier.
In the above method, preferably, the method further comprises:
sorting and filtering the authority values in the authority list by a priority ordering algorithm.
The present application also provides an access control device, the device comprising:
a request receiving unit, configured to receive an access request, the access request comprising an accessor identifier and a data identifier;
an authority query unit, configured to query, according to the accessor identifier and the data identifier, whether a preset authority list contains a target authority value corresponding to the access request;
wherein the authority list comprises at least one authority value, and each authority value corresponds to one accessor identifier and one data identifier;
a first information generating unit, configured to generate a first access result if the target authority value is found in the authority list, the first access result indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the authority corresponding to the target authority value.
In the above device, preferably, the device further comprises:
a second information generating unit, configured to generate a second access result if the target authority value corresponding to the access request is not found in the authority list, the second access result indicating that the user corresponding to the accessor identifier cannot access the target data corresponding to the data identifier.
In the above device, preferably, the device further comprises:
a detail search unit, configured to search, after the first information generating unit generates the first access result, a preset business table for the target data detail corresponding to the target authority value, the business table comprising at least one data detail, each data detail corresponding to one authority value;
a third information generating unit, configured to generate a third access result, the third access result indicating that the user corresponding to the accessor identifier can access the target data detail with the authority corresponding to the target authority value.
In the above device, preferably, the device further comprises:
a type search unit, configured to search, after the first information generating unit generates the first access result, a preset query table for the target query type corresponding to the target authority value, the query table comprising at least one query type, each query type corresponding to one authority value;
a fourth information generating unit, configured to generate a fourth access result, the fourth access result indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the query permission corresponding to the target query type.
From the above scheme it can be seen that the access control method and device provided by the present application preset an authority list comprising at least one authority value, each authority value corresponding to one accessor identifier and one data identifier. When a user performs data access, after the access request is received, the target authority value corresponding to the access request is queried in the authority list according to the accessor identifier and the data identifier in the access request; once the target authority value is found, a first access result is generated, indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the authority corresponding to the target authority value. At this point the user can access the target data with that authority. Access control over data is thereby implemented with authority decoupled from business, which improves the efficiency of access control and avoids the situation in the prior art where authority and business data are tightly coupled, both change whenever requirements change, the RBAC model becomes confused, and the efficiency of access control suffers.
Description of drawings
To describe the technical solutions in the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of embodiment one of an access control method provided by the present application;
Fig. 2 is an application example diagram of embodiment one of the present application;
Fig. 3 is another application example diagram of embodiment one of the present application;
Fig. 4 is a further application example diagram of embodiment one of the present application;
Fig. 5 is a further application example diagram of embodiment one of the present application;
Fig. 6 is a flow chart of embodiment two of an access control method provided by the present application;
Fig. 7 is a flow chart of embodiment three of an access control method provided by the present application;
Fig. 8 is a flow chart of embodiment four of an access control method provided by the present application;
Fig. 9 is a schematic structural diagram of embodiment five of an access control device provided by the present application;
Fig. 10 is a schematic structural diagram of embodiment six of an access control device provided by the present application;
Fig. 11 is a schematic structural diagram of embodiment seven of an access control device provided by the present application;
Fig. 12 is a schematic structural diagram of embodiment eight of an access control device provided by the present application.
Embodiment
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.
At present, traditional access control schemes generally adopt the role-based access control (RBAC) model, which supports three security principles:
the principle of least privilege: a role is configured with the minimum set of authorities it needs to complete its task;
the principle of separation of duties: mutually exclusive roles are invoked to complete a sensitive task jointly;
the principle of data abstraction: authority is abstracted into a specific representation.
The RBAC model scheme expresses access control through the relational model among users, roles and privileges, i.e. it is a role-based access control model scheme. Its focus is the relations among user, role and authority: one user may have several roles, one role may apply to several users, and likewise one role may have several authorities and one authority may correspond to several roles. As a result, when access control is performed, the coupling between authority and business is tight. In relatively complex business scenarios, such as data queries and operating rights, the coupling between authority and business in the RBAC model is so tight that authority and business cannot even be clearly distinguished; when requirements change, both authority and business change, the RBAC model becomes confused, and the performance and efficiency of access control suffer.
The present application provides an access control method and device that decouple authority from business data, make rights management graphical, and centralize and standardize the management of data access control.
Referring to Fig. 1, which shows a flow chart of embodiment one of an access control method provided by the present application, the method may comprise the following steps:
Step 101: receive an access request, the access request comprising an accessor identifier and a data identifier.
Here, the access request is the request a user generates when the user needs to access certain data; it comprises the user's identification information and the data identifier of the data to be accessed.
Step 102: according to the accessor identifier and the data identifier, query whether a preset authority list contains a target authority value corresponding to the access request; if so, execute step 103;
wherein the authority list comprises at least one authority value, and each authority value corresponds to one accessor identifier and one data identifier.
Step 103: generate a first access result, the first access result indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the authority corresponding to the target authority value.
It should be noted that after the first access result is generated in step 103, the user can access the target data corresponding to the data identifier with the authority corresponding to the target authority value.
It should be noted that authority queries and accesses are generally performed by calling a rights interface API. The rights interface here comprises two data-level authority decision APIs, corresponding respectively to the two uses of retrieving data and submitting data, called the query permission API and the decision permission API; it also comprises a function-level authority decision API. These APIs are very simple: apart from the authority value PrivilegeID they carry no other authority information. Authority is thereby decoupled from business: all authority logic resides inside the security policy, such as the authority list, and when a user calls the API, the entitlement engine resolves the security policy, such as the authority list, and returns the result of that resolution.
The authority value identifies the authority category of the current request, for example the employee query authority or the order editing authority. In practical application, the authority values in the authority list can be exported from the configuration console and saved inside a preset business constant class, such as com.your.company.Constants; when the API is called, the constant is referenced directly rather than a number, as shown in the code of the demo class in Fig. 2. To invoke a given authority, its corresponding constant, such as Constants.QUERY_EMPLOYEE, is referenced directly, as in the code in Fig. 2: hasPrivilege(Constants.QUERY_EMPLOYEE, user).
From the above scheme it can be seen that embodiment one of the access control method provided by the present application presets an authority list comprising at least one authority value, each authority value corresponding to one accessor identifier and one data identifier. When a user performs data access, after the access request is received, the target authority value corresponding to the access request is queried in the authority list according to the accessor identifier and the data identifier in the access request; once the target authority value is found, a first access result is generated, indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the authority corresponding to the target authority value. At this point the user can access the target data with that authority. Access control over data is thereby implemented with authority decoupled from business, avoiding the situation in the prior art where authority and business data are tightly coupled, both change whenever requirements change, the RBAC model becomes confused, and the performance and efficiency of access control suffer.
Preferably, the authority list is established in the following manner:
defining one authority value for each authority, the authority values forming the authority list according to the principle of least privilege;
wherein each authority value corresponds to one accessor identifier and one data identifier.
It should be noted that, according to the principle of least privilege, every authority is defined as an authority value PrivilegeID. These PrivilegeIDs have parent/child relations, which implement subordinate relations between authorities, and fall into different types, such as U resource authority (URL), O operating authority, D data authority, Q query authority and B service authority. Fig. 3 is an example diagram of generating the authority list auth_privilege, with authority decoupled from business, from the relations among users auth_user, roles auth_role and authorities auth_roleprivilege. A constant name (ConstantName) is established for each authority value in the authority list, corresponding to a different PrivilegeID, so that the corresponding authority rule is determined by the PrivilegeID alone.
In the embodiments of the present application, after all authority constants are defined, the resulting authority values are saved in a preset constant class, i.e. the authority list; when the authority API is called, the constant value is invoked directly. Fig. 4 is an example code diagram of exporting the authority constants.
For example, as shown in Fig. 5, the authority list built by the present application is used as an authority tree structure. The resource authority and its sub-authorities (operating authority, display authority and data authority) are described below:
the resource authority mainly describes a URL (such as user management). Existing rights management systems stop managing at the resource-authority layer and leave the control of the next level entirely embedded in the business system. In the present application, all operating authorities, display authorities, data authorities and the like that belong to a resource authority are gathered together, which is convenient for management;
the operating authority is the set of authorities over all records the user may operate on;
the display authority is the set of authorities over all column names that may be displayed to the user;
the data authority is the set of authorities describing all data the user may operate on (view).
The simple authority hierarchy described above can of course be subdivided further into finer, smaller authority subsets, satisfying the principle of least privilege in RBAC and achieving precise description and control of authorities.
When authority values are defined according to the relations among users, roles and authorities, the many-to-many relations among users, roles and authorities easily produce redundant authorities, so the redundant authority values in the authority list need to be de-duplicated. At the same time, mutual exclusion exists between authorities; to satisfy the principle of separation of duties in the RBAC model, the present application sorts and filters the authority values in the authority list by a priority ordering algorithm.
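As an added illustration of how the authority list described above can be built (example code written for this page, not the patent's own code or its Fig. 3 and Fig. 4 diagrams), the Python block below defines PrivilegeIDs with the U/O/D/Q/B types and parent/child relations, exports their constant names, derives auth_privilege rows from user-role-authority relations, de-duplicates rows granted by overlapping roles, and drops one of each mutually exclusive pair by a priority ordering. The priority rule, the table layouts and all sample identifiers are assumptions; the patent does not specify its ordering algorithm.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Authority types named in the description: U resource (URL), O operating,
# D data, Q query, B service.
PRIVILEGE_TYPES = {"U", "O", "D", "Q", "B"}


@dataclass(frozen=True)
class Privilege:
    privilege_id: str             # PrivilegeID, the only value business code passes to the API
    ptype: str                    # one letter from PRIVILEGE_TYPES
    constant_name: str            # ConstantName exported into the Constants class
    parent: Optional[str] = None  # parent PrivilegeID (subordinate relation)
    priority: int = 0             # assumed: decides which of two mutually exclusive values survives


class PrivilegeTree:
    """Authority tree: a resource authority with its operating/display/data sub-authorities."""

    def __init__(self) -> None:
        self.by_id: dict[str, Privilege] = {}

    def define(self, privilege_id: str, ptype: str, constant_name: str,
               parent: Optional[str] = None, priority: int = 0) -> Privilege:
        if ptype not in PRIVILEGE_TYPES:
            raise ValueError(f"unknown authority type {ptype!r}")
        if parent is not None and parent not in self.by_id:
            raise ValueError(f"parent {parent!r} must be defined before its children")
        if privilege_id in self.by_id:
            raise ValueError(f"duplicate PrivilegeID {privilege_id!r}")
        priv = Privilege(privilege_id, ptype, constant_name, parent, priority)
        self.by_id[privilege_id] = priv
        return priv

    def path(self, privilege_id: str) -> list[str]:
        """PrivilegeIDs from the root resource authority down to privilege_id."""
        chain: list[str] = []
        cur: Optional[str] = privilege_id
        while cur is not None:
            chain.append(cur)
            cur = self.by_id[cur].parent
        return chain[::-1]

    def export_constants(self) -> dict[str, str]:
        """ConstantName -> PrivilegeID, i.e. what the exported Constants class holds."""
        return {p.constant_name: p.privilege_id for p in self.by_id.values()}


def build_authority_list(tree: PrivilegeTree,
                         user_roles: dict[str, set[str]],
                         role_grants: dict[str, set[tuple[str, str]]],
                         mutex_pairs: set[frozenset[str]]) -> list[tuple[str, str, str]]:
    """Derive auth_privilege rows (PrivilegeID, accessor_id, data_id).

    user_roles maps accessor_id -> roles (auth_user / auth_role); role_grants maps
    role -> {(PrivilegeID, data_id)} (auth_roleprivilege); mutex_pairs lists pairs
    one accessor may not hold together on the same data (separation of duties).
    Rows granted by several roles collapse to one; of a mutually exclusive pair
    the higher-priority value is kept (assumed ordering rule).
    """
    rows: set[tuple[str, str, str]] = set()
    for accessor, roles in user_roles.items():
        for role in roles:
            for privilege_id, data_id in role_grants.get(role, set()):
                if privilege_id not in tree.by_id:
                    raise ValueError(f"undefined PrivilegeID {privilege_id!r}")
                rows.add((privilege_id, accessor, data_id))   # set membership de-duplicates
    # Priority ordering: highest priority first, then a stable order by row.
    ordered = sorted(rows, key=lambda r: (-tree.by_id[r[0]].priority, r))
    kept: list[tuple[str, str, str]] = []
    for privilege_id, accessor, data_id in ordered:
        clashes = any(frozenset({privilege_id, k_priv}) in mutex_pairs
                      for k_priv, k_acc, k_data in kept
                      if k_acc == accessor and k_data == data_id)
        if not clashes:
            kept.append((privilege_id, accessor, data_id))
    return sorted(kept)


def demo() -> tuple[list[tuple[str, str, str]], PrivilegeTree]:
    """Constructed sample: two roles overlap on one query authority and clash on two operations."""
    tree = PrivilegeTree()
    tree.define("U_USER_MGMT", "U", "USER_MANAGEMENT", priority=1)
    tree.define("O_USER_EDIT", "O", "EDIT_USER", parent="U_USER_MGMT", priority=2)
    tree.define("O_USER_APPROVE", "O", "APPROVE_USER", parent="U_USER_MGMT", priority=1)
    tree.define("Q_EMPLOYEE", "Q", "QUERY_EMPLOYEE", parent="U_USER_MGMT", priority=3)
    user_roles = {"alice": {"clerk", "auditor"}, "bob": {"clerk"}}
    role_grants = {
        "clerk": {("Q_EMPLOYEE", "employee"), ("O_USER_EDIT", "employee")},
        "auditor": {("Q_EMPLOYEE", "employee"), ("O_USER_APPROVE", "employee")},
    }
    mutex = {frozenset({"O_USER_EDIT", "O_USER_APPROVE"})}  # an editor may not also approve
    return build_authority_list(tree, user_roles, role_grants, mutex), tree
```

In the sample, alice's duplicate QUERY_EMPLOYEE grant collapses to one row and her lower-priority APPROVE_USER grant is dropped because it is mutually exclusive with EDIT_USER on the same data.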
Referring to Fig. 6, which shows a flow chart of embodiment two of an access control method provided by the present application, if in step 102 the target authority value corresponding to the access request is not found in the authority list, the method further comprises the following step:
Step 104: generate a second access result, the second access result indicating that the user corresponding to the accessor identifier cannot access the target data corresponding to the data identifier.
It should be noted that if the target authority value corresponding to the access request is not found in the authority list, this means the user has no authority to access the target data; therefore the user corresponding to the accessor identifier cannot access the target data corresponding to the data identifier.
From the above scheme it can be seen that embodiment two of the access control method provided by the present application, on the basis of embodiment one, generates a second access result when the target authority value corresponding to the access request is not found in the authority list, the second access result indicating that the user corresponding to the accessor identifier cannot access the target data corresponding to the data identifier. At this point the user cannot access the target data corresponding to the data identifier, so the data is protected against unauthorized access, further implementing access control over data with authority decoupled from business.
Referring to Fig. 7, which shows a flow chart of embodiment three of an access control method provided by the present application, after step 103 the method may further comprise the following steps:
Step 105: search a preset business table for the target data detail corresponding to the target authority value, the business table comprising at least one data detail, each data detail corresponding to one authority value.
It should be noted that in step 103 it has been determined that the user corresponding to the accessor identifier has the authority to access the target data. When this user accesses the target data with the authority corresponding to the target authority value, the data detail of the target data must be accessed, and the correspondence between the target authority value and the data detail of the target data is preset in the business table, such as the business table auth_business shown in Fig. 3; thus in step 105 the target data detail the user needs to access is found.
Step 106: generate a third access result, the third access result indicating that the user corresponding to the accessor identifier can access the target data detail with the authority corresponding to the target authority value.
From the above scheme it can be seen that embodiment three of the access control method provided by the present application places the data detail in the business table and, after the user's authority is determined, searches for the corresponding data detail, thereby further decoupling business data from authority and improving the efficiency of access control.
Referring to Fig. 8, which shows a flow chart of embodiment four of an access control method provided by the present application, after step 103 the method may further comprise the following steps:
Step 107: search a preset query table for the target query type corresponding to the target authority value, the query table comprising at least one query type, each query type corresponding to one authority value.
It should be noted that in step 103 it has been determined that the user corresponding to the accessor identifier has the authority to access the target data. When this user accesses the target data with the authority corresponding to the target authority value, the specific operating authority the user has on the target data must be determined, and the operating authority type between the target authority value and the target data is set in a preset query table, such as the query table auth_query shown in Fig. 4; thus in step 107 the target query type is determined.
Step 108: generate a fourth access result, the fourth access result indicating that the user corresponding to the accessor identifier can access the target data corresponding to the data identifier with the query permission corresponding to the target query type.
It should be noted that the query permission comprises, for example, "select", "insert result", "insert value", "update" and the like.
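The following Python block, added here as an illustration and not taken from the patent or its Java demo class, walks steps 101 to 108 of embodiments one to four over constructed tables: the authority list yields a first or second access result, the business table yields the third result (data detail), the query table yields the fourth (query permission), and a hasPrivilege-style function-level check carries nothing but a PrivilegeID and a user. The Constants values, table contents and result field names are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


class Constants:
    """Business code names a PrivilegeID through a constant, never through a raw number."""
    QUERY_EMPLOYEE = "Q_EMPLOYEE"   # constructed PrivilegeID values
    EDIT_ORDER = "O_ORDER_EDIT"


@dataclass(frozen=True)
class AccessRequest:
    accessor_id: str   # who is asking
    data_id: str       # which data is being asked for


@dataclass(frozen=True)
class AccessResult:
    kind: str                              # "first" to "fourth", as in the description
    allowed: bool
    privilege_id: Optional[str] = None     # target authority value, when one was found
    data_detail: tuple[str, ...] = ()      # third result: detail fields from auth_business
    query_types: tuple[str, ...] = ()      # fourth result: query permissions from auth_query


class PermissionEngine:
    """Resolves requests purely from the authority, business and query tables."""

    def __init__(self, authority_list, business_table, query_table) -> None:
        # auth_privilege: one authority value per (accessor_id, data_id) pair (assumed).
        self._authority: dict[tuple[str, str], str] = {}
        for privilege_id, accessor_id, data_id in authority_list:
            key = (accessor_id, data_id)
            if key in self._authority:
                raise ValueError(f"authority list holds two values for {key}")
            self._authority[key] = privilege_id
        self._business = business_table   # auth_business: PrivilegeID -> data detail
        self._query = query_table         # auth_query: PrivilegeID -> query types

    def decide(self, req: AccessRequest) -> AccessResult:
        """Steps 102 to 104: find the target authority value; no row means deny."""
        privilege_id = self._authority.get((req.accessor_id, req.data_id))
        if privilege_id is None:
            return AccessResult("second", False)
        return AccessResult("first", True, privilege_id)

    def data_detail(self, req: AccessRequest) -> AccessResult:
        """Steps 105 and 106: resolve the data detail, only after a first result."""
        first = self.decide(req)
        if not first.allowed:
            return first
        # A privilege without a business row exposes no detail fields (fail closed).
        detail = tuple(self._business.get(first.privilege_id, ()))
        return AccessResult("third", True, first.privilege_id, data_detail=detail)

    def query_types(self, req: AccessRequest) -> AccessResult:
        """Steps 107 and 108: resolve the query permission for the target authority value."""
        first = self.decide(req)
        if not first.allowed:
            return first
        types = tuple(self._query.get(first.privilege_id, ()))
        return AccessResult("fourth", True, first.privilege_id, query_types=types)

    def has_privilege(self, privilege_id: str, user: str) -> bool:
        """Function-level API in the shape of hasPrivilege(Constants.X, user)."""
        return any(acc == user and held == privilege_id
                   for (acc, _data), held in self._authority.items())


# Constructed sample tables standing in for auth_privilege, auth_business and auth_query.
AUTHORITY_LIST = [
    (Constants.QUERY_EMPLOYEE, "alice", "employee"),
    (Constants.EDIT_ORDER, "bob", "order"),
]
BUSINESS_TABLE = {
    Constants.QUERY_EMPLOYEE: ("emp_no", "name", "department"),   # detail fields alice may see
}
QUERY_TABLE = {   # query permissions named in the description
    Constants.QUERY_EMPLOYEE: ("select",),
    Constants.EDIT_ORDER: ("select", "insert value", "update"),
}


def build_engine() -> PermissionEngine:
    return PermissionEngine(AUTHORITY_LIST, BUSINESS_TABLE, QUERY_TABLE)
```

Every request that has no row in the authority list ends in the second result, so the engine denies by default and the business code never sees any authority information beyond the PrivilegeID.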
With reference to figure 9, it shows the structural representation of a kind of access control apparatus embodiment five that the application provides, and described device comprises:
Request receiving unit 901 receives access request, and described access request comprises that the visitor identifies and Data Identification.
Wherein, described access request refers to, the access request that the user generates in the time need to conducting interviews to a certain data, and this access request comprises user's identification information and needs the Data Identification of visit data.
Authority query unit 902 is used for according to described visitor's sign and described Data Identification, and whether inquiry contains the target authority credentials corresponding with described access request in default authority list;
Wherein, described authority list comprises at least one authority credentials, and each described authority credentials is corresponding with visitor's sign and a data sign respectively.
First information generation unit 903, inquire described target authority credentials if be used at described authority list, generate the first access result, described the first access result shows: described visitor identifies corresponding user, can conduct interviews to target data corresponding to described Data Identification with authority corresponding to described target authority credentials.
Need to prove, after described first information generation unit 903 generated the first access result, the user namely can authority corresponding to described target authority credentials conduct interviews to target data corresponding to described Data Identification.
It should be noted that authority queries and accesses are generally performed by calling a rights interface (API). The rights interface here comprises two data-level authority decision APIs, corresponding respectively to the two uses of fetching data and submitting data, referred to as the search-authority API and the decision-authority API; it also comprises a function-level authority decision API. The API is deliberately simple: apart from the authority value PrivilegeID it carries no other authority information. This decouples authority from business: all authority logic lives inside the security policy (for example the authority list), and when a user calls the API the entitlement engine parses the security policy and returns the result of that analysis.
The authority value identifies the authority category of the current request, such as the authority to query employees or the authority to edit orders. In practice, the authority values in the authority list can be exported by the configuration console and stored in a preset business constant class such as com.your.company.Constants; when the API is called the constant is referenced directly rather than a bare number, as in the demo class shown in Figure 2. To invoke a given authority one simply calls its corresponding constant, e.g. Constants.QUERY_EMPLOYEE, as in the code in Figure 2: hasPrivilege(Constants.QUERY_EMPLOYEE, user).
From the above scheme it can be seen that access control apparatus embodiment five provided by the application presets an authority list containing at least one authority value, each authority value corresponding to one accessor identifier and one data identifier. When a user accesses data, after the access request is received, the target authority value corresponding to the access request is queried in the authority list according to the accessor identifier and the data identifier in the request; once it is found, a first access result is generated indicating that the user corresponding to the accessor identifier may access the target data corresponding to the data identifier with the authority corresponding to the target authority value, at which point the user can do so. This realises access control over data with authority decoupled from business, and avoids the prior-art problem in which authority and business data are tightly coupled, so that when requirements change both authority and business change, the RBAC model becomes confused, and the performance and efficiency of access control suffer.
Preferably, the authority list is established as follows:
each authority is defined as one authority value, and the authority values form the authority list according to the least-privilege principle;
where each authority value corresponds to one accessor identifier and one data identifier.
It should be noted that, following the least-privilege principle, every authority is defined as an authority value PrivilegeID. The PrivilegeIDs stand in parent-child relations, which realises subordination between authorities, and they come in different types, such as U resource authority (URL), O operation authority, D data authority, Q query authority and B service authority. Figure 3 is an example of the authority list formed, with authority decoupled from business, through the relations between users, roles and authorities. A constant name (ConstantName) is established for each authority value in the authority list, each corresponding to a distinct PrivilegeID, so that the applicable authority rule is determined by the PrivilegeID alone.
In the embodiment of the application, after all authority constants have been defined, the resulting authority values are stored in a preset constant class, which is the authority list; when the authority API is called the constant value is used directly. Figure 4 shows example code for exporting the authority constants.
For example, as shown in Figure 4, the authority list of the application is built as an authority tree. The resource authority and its sub-authorities (operation authority, presentation authority and data authority) are described below:
The resource authority mainly describes a URL (such as user management). Existing rights management systems stop at this resource layer and manage no settings below it; control of the next level is embedded in the business system. In this application, all operation authorities, presentation authorities, data authorities and so on that belong to a resource authority are gathered together under it, which makes them easy to manage;
the operation authority is the set of all authorities recording what the user may operate;
the presentation authority is the set of all authorities over the column names that may be shown to the user;
the data authority is the set of all authorities describing the data the user may operate on (view).
The above is a simple description of the hierarchical relations among authorities; they can of course be subdivided further into more detailed, smaller authority subsets, satisfying the least-privilege principle in RBAC and realising precise description and control of authority.
When authority values are defined from the relations between users, roles and authorities, the many-to-many relations among users, roles and authorities easily produce redundant authorities, so the redundant authority values in the authority list must be de-duplicated. Mutual exclusion between authorities also exists; to satisfy the separation-of-duty principle of the RBAC model, the application sorts and filters the authority values in the authority list with a priority ordering algorithm.
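The following is an added worked example (Python) of the tree-shaped authority list described above, with least privilege, de-duplication across overlapping roles and separation-of-duty filtering by priority. It is not the patent's code; the privilege tree, the roles, the priority values, the exclusive pair and the rule that a sub-authority implies its parent resource are all assumptions made for illustration.

```python
"""Authority list built from a privilege tree under least privilege, with
de-duplication and separation-of-duty filtering by priority.

Added example, not the patent's code. The tree, the roles, the priorities
and the mutually exclusive pair below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Privilege:
    privilege_id: int          # PrivilegeID: the only thing business code ever sees
    constant_name: str         # ConstantName used in the business constant class
    kind: str                  # U = URL/resource, O = operation, D = data, Q = query, B = service
    parent: Optional[int]      # parent PrivilegeID (None for a root resource)
    priority: int              # lower value wins when two privileges are mutually exclusive


PRIVILEGES = {p.privilege_id: p for p in [
    Privilege(100, "URL_USER_MGMT",       "U", None, 10),
    Privilege(110, "OP_USER_EDIT",        "O", 100,  20),
    Privilege(111, "OP_USER_DELETE",      "O", 100,  30),
    Privilege(120, "SHOW_USER_SALARY",    "D", 100,  40),
    Privilege(130, "QUERY_USER_OWN_DEPT", "Q", 100,  50),
    Privilege(200, "URL_ORDER_MGMT",      "U", None, 10),
    Privilege(210, "OP_ORDER_SUBMIT",     "O", 200,  20),
    Privilege(211, "OP_ORDER_APPROVE",    "O", 200,  25),
]}

# Separation of duty: the same accessor may not hold both members of a pair.
MUTUALLY_EXCLUSIVE = [frozenset({210, 211})]   # submitting vs. approving an order

ROLE_PRIVILEGES = {
    "clerk":   {110, 130, 210},
    "auditor": {120, 130},
    "manager": {110, 111, 130, 211},
}

USER_ROLES = {
    "bob":   ["clerk", "auditor"],
    "carol": ["clerk", "manager"],
}


def ancestors(privilege_id: int) -> set[int]:
    """Walk the parent chain: holding a sub-authority implies being able to
    reach the resource (URL) it hangs under (assumption made for this example)."""
    out = set()
    parent = PRIVILEGES[privilege_id].parent
    while parent is not None:
        out.add(parent)
        parent = PRIVILEGES[parent].parent
    return out


def resolve_exclusions(privilege_ids: set[int]) -> set[int]:
    """Priority filtering: when both members of an exclusive pair are present,
    keep the one with the lower priority value and drop the other."""
    kept = set(privilege_ids)
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= kept:
            loser = max(pair, key=lambda pid: PRIVILEGES[pid].priority)
            kept.discard(loser)
    return kept


def effective_privileges(user: str) -> list[int]:
    """Union of the user's role grants (a set, so duplicates from overlapping
    roles collapse), closed under ancestors, then filtered for exclusions."""
    granted: set[int] = set()
    for role in USER_ROLES.get(user, []):
        granted |= ROLE_PRIVILEGES.get(role, set())
    for pid in list(granted):
        granted |= ancestors(pid)
    return sorted(resolve_exclusions(granted))


def authority_list(user: str) -> list[tuple[str, int, int]]:
    """Rows of the authority list: (accessor id, data id, PrivilegeID). The
    data id here is the root resource the privilege belongs to."""
    rows = []
    for pid in effective_privileges(user):
        root = pid
        while PRIVILEGES[root].parent is not None:
            root = PRIVILEGES[root].parent
        rows.append((user, root, pid))
    return rows


def resource_privileges(user: str) -> list[str]:
    """What the login step hands back: every resource (U) authority the user can open."""
    return [PRIVILEGES[pid].constant_name for pid in effective_privileges(user)
            if PRIVILEGES[pid].kind == "U"]
```

For carol, who is both clerk and manager, the union would contain both OP_ORDER_SUBMIT and OP_ORDER_APPROVE; the priority filter drops the approval authority, so one person cannot both submit and approve an order. Whether a losing privilege should be silently dropped or flagged to an administrator is a policy choice; dropping is the conservative default.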
Referring to Figure 10, which shows the structure of an access control apparatus embodiment six provided by the application, the apparatus further comprises:
Second information generation unit 904, configured to generate a second access result if no target authority value corresponding to the access request is found in the authority list, the second access result indicating that the user corresponding to the accessor identifier may not access the target data corresponding to the data identifier.
It should be noted that if no target authority value corresponding to the access request is found in the authority list, the user has no authority to access the target data, and therefore the user corresponding to the accessor identifier may not access the target data corresponding to the data identifier.
From the above scheme it can be seen that access control apparatus embodiment six, building on embodiment five, generates a second access result when no target authority value corresponding to the access request is found in the authority list, the second access result indicating that the user corresponding to the accessor identifier may not access the target data corresponding to the data identifier; the user therefore cannot access the target data, which protects the data from illegal intrusion and further realises access control over data with authority decoupled from business.
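The following is an added worked example (Python) of embodiments five and six together: an entitlement engine that owns the authority list keyed by (accessor identifier, data identifier), a business constant class in the spirit of com.your.company.Constants, a hasPrivilege-style call, and a default-deny second result when no target authority value exists. It is not the patent's code; the constant values, user names, data identifiers and the sample authority list are constructed for illustration, and the data identifier is passed explicitly where the patent's hasPrivilege(Constants.X, user) leaves it implicit.

```python
"""Authority-table lookup behind a minimal rights API, with default deny.

Added example, not the patent's code. The authority list, user and data
identifiers and the constant values are constructed for illustration;
has_privilege plays the role of the patent's hasPrivilege(Constants.X, user).
"""
from dataclasses import dataclass
from typing import Optional


class Constants:
    """Business constant class: callers name privileges, never raw numbers."""
    QUERY_EMPLOYEE = 1001     # Q: query the employee list
    EDIT_ORDER = 2001         # O: edit an order
    VIEW_SALARY = 3001        # D: read the salary column


@dataclass(frozen=True)
class AccessResult:
    allowed: bool
    privilege_id: Optional[int]    # the target authority value, or None on denial
    reason: str


class AuthorityEngine:
    """The entitlement engine. It owns the security policy (the authority
    list) and answers with nothing but a decision and a PrivilegeID, so the
    business system carries no authority logic of its own."""

    def __init__(self, authority_list):
        # (accessor id, data id) -> set of PrivilegeIDs granted on that data
        self._table: dict[tuple[str, str], set[int]] = {}
        for accessor, data_id, privilege_id in authority_list:
            self._table.setdefault((accessor, data_id), set()).add(privilege_id)

    def decide(self, accessor_id: str, data_id: str, privilege_id: int) -> AccessResult:
        granted = self._table.get((accessor_id, data_id), set())
        if privilege_id in granted:
            # first access result: the user may access the data with this authority
            return AccessResult(True, privilege_id, "first access result")
        # second access result: no target authority value found, access refused
        return AccessResult(False, None, "second access result")

    def privileges_on(self, accessor_id: str, data_id: str) -> set[int]:
        """All target authority values for this accessor on this data."""
        return set(self._table.get((accessor_id, data_id), set()))


# Constructed authority list: (accessor id, data id, PrivilegeID).
# Function-level rows use the resource name as the data id; data-level rows
# use the record key.
SAMPLE_AUTHORITY_LIST = [
    ("alice", "employee", Constants.QUERY_EMPLOYEE),
    ("alice", "employee", Constants.VIEW_SALARY),
    ("bob",   "employee", Constants.QUERY_EMPLOYEE),
    ("bob",   "order:42", Constants.EDIT_ORDER),
]

ENGINE = AuthorityEngine(SAMPLE_AUTHORITY_LIST)


def has_privilege(privilege_id: int, user: str, data_id: str,
                  engine: AuthorityEngine = ENGINE) -> bool:
    """What business code calls; mirrors hasPrivilege(Constants.X, user) with
    the data identifier made explicit."""
    return engine.decide(user, data_id, privilege_id).allowed


def query_employees(user: str) -> list[str]:
    """Business method: it does no authority reasoning, it only asks the API."""
    if not has_privilege(Constants.QUERY_EMPLOYEE, user, "employee"):
        raise PermissionError(f"{user} may not query employees")
    return ["ann", "ben"]   # constructed stand-in for the real data access
```

Two checks worth keeping in mind when adopting this shape: the engine must answer deny for any (accessor, data) pair it has never heard of rather than falling through to a default grant, and the data identifier must be bound to the specific record (order:42, not order) for data-level rows, otherwise a grant on one order silently covers all of them.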
Referring to Figure 11, which shows the structure of an access control apparatus embodiment seven provided by the application, the apparatus further comprises:
Detail lookup unit 905, configured, after first information generation unit 903 has generated the first access result, to look up in a preset business table the target data detail corresponding to the target authority value, the business table containing at least one data detail, each data detail corresponding to one authority value.
It should be noted that after first information generation unit 903 has determined that the user corresponding to the accessor identifier has authority to access the target data, the user, when accessing the target data with the authority corresponding to the target authority value, needs to access the data detail of the target data. The correspondence between the target authority value and the data detail of the target data is preset in the business table, so detail lookup unit 905 determines and looks up the target data detail the user needs to access.
Third information generation unit 906, configured to generate a third access result, the third access result indicating that the user corresponding to the accessor identifier may access the target data detail with the authority corresponding to the target authority value.
From the above scheme it can be seen that access control apparatus embodiment seven places the data details in the business table and, after the user's authority has been determined, looks up the corresponding data detail, thereby further decoupling business data from authority and improving the efficiency of access control.
Referring to Figure 12, which shows the structure of an access control apparatus embodiment eight provided by the application, the apparatus further comprises:
Type lookup unit 907, configured, after first information generation unit 903 has generated the first access result, to look up in a preset query table the target query type corresponding to the target authority value, the query table containing at least one query type, each query type corresponding to one authority value.
It should be noted that after first information generation unit 903 has determined that the user corresponding to the accessor identifier has authority to access the target data, the specific operation authority the user holds over the target data must be determined when the user accesses the target data with the authority corresponding to the target authority value. The operation authority type between the target authority value and the target data is set in the preset query table, and type lookup unit 907 determines the target query type from it.
Fourth information generation unit 908, configured to generate a fourth access result, the fourth access result indicating that the user corresponding to the accessor identifier may access the target data corresponding to the data identifier with the query authority corresponding to the target query type.
It should be noted that the query authority includes, for example, "select", "insert result", "insert value", "update" and the like.
It should be noted that in practice the application adds an authority table to the business system so that authority control can be applied conveniently across multiple applications; a caller only needs to call the method in the authority API and obtain the required result. Specific application examples are described below:
Login control: when a user logs in with an account, the business system decides whether the user has authority to access and operate. This can be handled together with login authentication; once the user has successfully logged into the system, the authority module must return all resource authorities the user may operate;
Filter control: when a user performs a business operation, every request must be subjected to an authority decision so that all illegal operations are filtered out and the business system stays safe and reliable;
Presentation control: when the business system returns a response to a request, it decides which interface elements the user may operate (view); the user's operation authority and viewing authority are controlled here, with different users restricted to different operations and views;
Query control: determining over which data the user has CRUD authority, used for strict control of operation authority over data. By parsing different pseudo-code, the query conditions to be executed are injected to realise query control. Because business systems use different data access frameworks (such as jdbc, hibernate and ibatis), a different converter has to be customised for condition injection under each framework, so an Adapter is added to meet the needs of the different frameworks.
Here the pseudo-code describes the restrictive operations that filter data: the description of the row authority and the column authority of the data. The row authority is the query condition, and the column authority is the column items of the query output; that is, the row authority controls how many records are found, and the column authority controls which items of each record are displayed. In a row authority expression (such as t0.companyId=t1.id) the values may be context values, user attribute values or fixed values. The pseudo-code may be a SQL-like statement or an XML description, as long as the adapter can convert it when the condition is injected.
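The following is an added worked example (Python with the standard sqlite3 module) of embodiments seven and eight and of the query control just described: the business table yields the data detail (table and columns) for a target authority value, the query table yields its query type, and an adapter turns the row-authority condition and column allow-list into a parameterized SELECT that is actually run. It is not the patent's code; the business table, query table, data-authority descriptions, user context, employee rows and SqliteAdapter are constructed for illustration, the adapter standing in for the patent's per-framework adapters (jdbc, hibernate, ibatis).

```python
"""Query control: data detail from the business table, query type from the
query table, and the row/column authority description turned into a
parameterized SELECT through an adapter.

Added example, not the patent's code. The business table, query table,
data-authority descriptions, context and employee rows are all constructed;
SqliteAdapter stands in for the patent's per-framework adapters.
"""
import re
import sqlite3

# Business table: PrivilegeID -> data detail (which table and columns it concerns).
BUSINESS_TABLE = {
    3001: {"table": "employee", "columns": ["id", "name", "dept", "salary", "company_id"]},
}
# Query table: PrivilegeID -> query type.
QUERY_TABLE = {3001: "select"}

# Data-authority pseudo-code per (accessor, PrivilegeID): the row authority is a
# SQL-like condition whose ${...} values come from context or user attributes
# (fixed values stay literal); the column authority lists the columns that may be shown.
DATA_AUTHORITY = {
    ("alice", 3001): {"row": "t0.company_id = ${user.company_id}",
                      "columns": ["id", "name", "dept"]},
    ("bob",   3001): {"row": "t0.company_id = ${user.company_id} AND t0.dept = ${user.dept}",
                      "columns": ["id", "name", "dept", "salary"]},
}

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}")


def resolve(context: dict, dotted: str):
    """${user.company_id} -> context['user']['company_id']."""
    value = context
    for part in dotted.split("."):
        value = value[part]
    return value


class SqliteAdapter:
    """Converts the pseudo-code into SQL for one framework. Columns are checked
    against the data detail and the column authority, and every ${...} value
    becomes a bind parameter, so request-dependent values are never
    interpolated into the statement text."""

    def build(self, detail, authority, requested_columns, context):
        projected = [c for c in requested_columns
                     if c in authority["columns"] and c in detail["columns"]
                     and IDENTIFIER.match(c)]
        if not projected:
            raise PermissionError("no requested column is permitted")
        params = []

        def bind(match):
            params.append(resolve(context, match.group(1)))
            return "?"

        where = PLACEHOLDER.sub(bind, authority["row"])
        sql = (f"SELECT {', '.join('t0.' + c for c in projected)} "
               f"FROM {detail['table']} t0 WHERE {where} ORDER BY t0.id")
        return sql, params, projected


def open_sample_db() -> sqlite3.Connection:
    """Constructed employee rows: two companies, two departments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER, name TEXT, dept TEXT, "
                 "salary INTEGER, company_id INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", [
        (1, "Ann", "eng", 100, 10),
        (2, "Ben", "eng", 120, 10),
        (3, "Cid", "ops", 90, 10),
        (4, "Dee", "eng", 110, 20),
    ])
    return conn


USER_CONTEXT = {
    "alice": {"user": {"company_id": 10, "dept": "ops"}},
    "bob":   {"user": {"company_id": 10, "dept": "eng"}},
}


def run_query(user: str, privilege_id: int, requested_columns: list[str],
              conn: sqlite3.Connection = None) -> list[dict]:
    """Fourth access result in action: only a 'select' query type reaches the
    database, and it carries the row filter and the column allow-list."""
    if QUERY_TABLE.get(privilege_id) != "select":
        raise PermissionError("query type does not permit reading")
    authority = DATA_AUTHORITY.get((user, privilege_id))
    if authority is None:
        raise PermissionError("no data authority for this user and privilege")
    sql, params, projected = SqliteAdapter().build(
        BUSINESS_TABLE[privilege_id], authority, requested_columns, USER_CONTEXT[user])
    if conn is None:
        conn = open_sample_db()
    rows = conn.execute(sql, params).fetchall()
    return [dict(zip(projected, row)) for row in rows]
```

The row expression text comes from the policy store, never from the request; only the ${...} values vary per call, and they are bound as parameters. A second adapter for another framework would reuse the same resolve and placeholder handling and emit, say, a criteria object instead of SQL text.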
It should be noted that the embodiments in this specification are described progressively; each embodiment emphasises its differences from the others, and for the identical or similar parts the embodiments may be referred to in one another.
Finally, it should also be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between those entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
The access control method and apparatus provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention; the description of the above embodiments is intended only to help understand the method of the present invention and its core idea. At the same time, one of ordinary skill in the art will make changes in the specific embodiments and scope of application in accordance with the idea of the present invention. In summary, this description should not be construed as limiting the application.

Claims (10)

1. An access control method, characterised in that the method comprises:
receiving an access request, the access request comprising an accessor identifier and a data identifier;
querying, according to the accessor identifier and the data identifier, whether a preset authority list contains a target authority value corresponding to the access request, and if so, generating a first access result, the first access result indicating that the user corresponding to the accessor identifier may access the target data corresponding to the data identifier with the authority corresponding to the target authority value;
wherein the authority list contains at least one authority value, and each authority value corresponds to one accessor identifier and one data identifier.
2. The method according to claim 1, characterised in that if no target authority value corresponding to the access request is found in the authority list, the method further comprises:
generating a second access result, the second access result indicating that the user corresponding to the accessor identifier may not access the target data corresponding to the data identifier.
3. The method according to claim 1, characterised in that after generating the first access result, the method further comprises:
looking up in a preset business table the target data detail corresponding to the target authority value, the business table containing at least one data detail, each data detail corresponding to one authority value;
generating a third access result, the third access result indicating that the user corresponding to the accessor identifier may access the target data detail with the authority corresponding to the target authority value.
4. The method according to claim 1, characterised in that after generating the first access result, the method further comprises:
looking up in a preset query table the target query type corresponding to the target authority value, the query table containing at least one query type, each query type corresponding to one authority value;
generating a fourth access result, the fourth access result indicating that the user corresponding to the accessor identifier may access the target data corresponding to the data identifier with the query authority corresponding to the target query type.
5. The method according to claim 1, characterised in that presetting the authority list comprises:
defining each authority as one authority value, the authority values forming the authority list according to the least-privilege principle;
wherein each authority value corresponds to one accessor identifier and one data identifier.
6. The method according to claim 1, characterised in that the method further comprises:
sorting and filtering the authority values in the authority list by a priority ordering algorithm.
7. An access control apparatus, characterised in that the apparatus comprises:
a request receiving unit for receiving an access request, the access request comprising an accessor identifier and a data identifier;
an authority query unit for querying, according to the accessor identifier and the data identifier, whether a preset authority list contains a target authority value corresponding to the access request;
wherein the authority list contains at least one authority value, and each authority value corresponds to one accessor identifier and one data identifier;
a first information generation unit for generating a first access result if the target authority value is found in the authority list, the first access result indicating that the user corresponding to the accessor identifier may access the target data corresponding to the data identifier with the authority corresponding to the target authority value.
8. The apparatus according to claim 7, characterised in that the apparatus further comprises:
a second information generation unit for generating a second access result if no target authority value corresponding to the access request is found in the authority list, the second access result indicating that the user corresponding to the accessor identifier may not access the target data corresponding to the data identifier.
9. The apparatus according to claim 7, characterised in that the apparatus further comprises:
a detail lookup unit for looking up, after the first information generation unit has generated the first access result, the target data detail corresponding to the target authority value in a preset business table, the business table containing at least one data detail, each data detail corresponding to one authority value;
a third information generation unit for generating a third access result, the third access result indicating that the user corresponding to the accessor identifier may access the target data detail with the authority corresponding to the target authority value.
10. The apparatus according to claim 7, characterised in that the apparatus further comprises:
a type lookup unit for looking up, after the first information generation unit has generated the first access result, the target query type corresponding to the target authority value in a preset query table, the query table containing at least one query type, each query type corresponding to one authority value;
a fourth information generation unit for generating a fourth access result, the fourth access result indicating that the user corresponding to the accessor identifier may access the target data corresponding to the data identifier with the query authority corresponding to the target query type.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN2013100998668A | 2013-03-26 | 2013-03-26 | Access control method and device | Pending (published as CN103179126A)

Publications (1)

Publication Number | Publication Date
CN103179126A | 2013-06-26

Family ID: 48638749

Country Status (1): CN, CN103179126A

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103488791A (en) * 2013-09-30 2014-01-01 华为技术有限公司 Data access method and system and data warehouse
CN103701801A (en) * 2013-12-26 2014-04-02 四川九洲电器集团有限责任公司 Resource access control method
CN104994086A (en) * 2015-06-26 2015-10-21 北京京东尚科信息技术有限公司 Database cluster authority control method and device
CN105718461A (en) * 2014-12-02 2016-06-29 阿里巴巴集团控股有限公司 Call center based information query method, apparatus and system
CN105760217A (en) * 2016-03-23 2016-07-13 深圳森格瑞通信有限公司 Method for accessing shared memory
CN105787347A (en) * 2014-12-24 2016-07-20 北京奇虎科技有限公司 Data processing method and system, and electronic device
CN106650414A (en) * 2016-12-28 2017-05-10 广州杰赛科技股份有限公司 User authority management method and system
CN106850743A (en) * 2016-12-21 2017-06-13 腾讯科技(深圳)有限公司 A kind of business authorization method and device
CN106878325A (en) * 2017-03-20 2017-06-20 北京润科通用技术有限公司 A kind of method and device for determining access privilege
CN108268798A (en) * 2017-06-30 2018-07-10 勤智数码科技股份有限公司 A kind of data item authority distributing method and system
CN109218024A (en) * 2017-07-04 2019-01-15 百度在线网络技术(北京)有限公司 Method and apparatus for control authority
CN109829287A (en) * 2018-11-20 2019-05-31 新疆福禄网络科技有限公司 Api interface permission access method, equipment, storage medium and device
CN110083680A (en) * 2019-03-20 2019-08-02 阿里巴巴集团控股有限公司 Context data management method and device in a kind of distributed system
CN110225039A (en) * 2019-06-14 2019-09-10 无锡华云数据技术服务有限公司 Authority models acquisition, method for authenticating, gateway, server and storage medium
CN110909373A (en) * 2018-09-18 2020-03-24 阿里巴巴集团控股有限公司 Access control method, device, system and storage medium
CN111125642A (en) * 2018-10-31 2020-05-08 北京数聚鑫云信息技术有限公司 Method and device for managing API, storage medium and computer equipment
CN111159164A (en) * 2020-01-16 2020-05-15 四川天翼网络服务有限公司 Report data access authority control method based on parametric transfer
CN112163236A (en) * 2020-10-14 2021-01-01 上海妙一生物科技有限公司 File access method, device, system and computer readable storage medium
CN113285933A (en) * 2021-05-13 2021-08-20 京东数字科技控股股份有限公司 User access control method and device, electronic equipment and storage medium
CN113554416A (en) * 2021-07-22 2021-10-26 重庆富民银行股份有限公司 Client management method and system based on service authority classification

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101030175A (en) * 2006-02-28 2007-09-05 国际商业机器公司 Universal serial bus storage device and access control method thereof
CN101056175A (en) * 2007-04-26 2007-10-17 华为技术有限公司 Disk array and its access right control method and device, server and server system
CN101478536A (en) * 2008-12-08 2009-07-08 山东浪潮齐鲁软件产业股份有限公司 Method for solving access control in authority management
CN101616126A (en) * 2008-06-23 2009-12-30 华为技术有限公司 Realize method, the Apparatus and system of data access authority control
CN101655892A (en) * 2009-09-22 2010-02-24 成都市华为赛门铁克科技有限公司 Mobile terminal and access control method
CN101827110A (en) * 2010-05-13 2010-09-08 中国工商银行股份有限公司 Application server access system in intranet
CN101895551A (en) * 2010-07-22 2010-11-24 北京天融信科技有限公司 Resource access control method and system
CN101902402A (en) * 2010-07-21 2010-12-01 中兴通讯股份有限公司 Method for managing user right and device thereof
CN101964901A (en) * 2010-10-11 2011-02-02 杭州海康威视数字技术股份有限公司 Right management method and equipment for video monitoring equipment
CN102129539A (en) * 2011-03-11 2011-07-20 清华大学 Data resource authority management method based on access control list
CN102195956A (en) * 2010-03-19 2011-09-21 富士通株式会社 Cloud service system and user right management method thereof
CN102413198A (en) * 2011-09-30 2012-04-11 山东中创软件工程股份有限公司 Security-marker-based access control method and related system
CN103049684A (en) * 2012-12-21 2013-04-17 大唐软件技术股份有限公司 Data authority control method and data authority control system based on RBAC (role-based access control) model extension


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李良才: "实时数据库安全访问的研究" (Research on secure access to real-time databases), China Master's Theses Full-text Database (Information Science and Technology) *

CN101763260B (en) Dynamic authorizing method of data based on ITSM system
CN101944127B (en) Method and device for controlling data permission
CN107742140B (en) Intelligent identity information identification method based on RFID technology
CN109978448A (en) Vehicle management system
Kikuchi et al. On-site service and safe output checking in Japan

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130626