CN104504343A - Authority control method base on resource granularity - Google Patents

Info

Publication number
CN104504343A
Authority
CN
China
Prior art keywords
resource
user
authority
authority control
control method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410738336.8A
Other languages
Chinese (zh)
Inventor
张雪梅
杨松
莫展鹏
季统凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
G Cloud Technology Co Ltd
Original Assignee
G Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2014-12-05
Filing date
2014-12-05
Publication date
2015-04-08
Application filed by G Cloud Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention relates to the technical field of resource operation authority control, in particular to an authority control method based on resource granularity. The method comprises the following steps: an administrator pre-authorizes a specific role according to the resource type; then, when an authorized user performs an operation on a resource, the authority control system confirms whether the user has the operation authority. If the user has the operation authority, the authority control system goes on to check whether the user is the creator of the resource; otherwise it checks whether the user has acquired the operation authority for the resource through authorization. If the operating user is confirmed to be the creator of the resource, the user performs the operation on the resource; otherwise the authority control system checks whether the user has acquired the operation authority for the resource through authorization. If that check shows that the user has acquired the operation authority through authorization, the user is permitted to perform the operation on the resource; otherwise the operation is refused. The method solves the problem that controlling operation authority over resources in a cloud computing environment is tedious, and can be applied to authority control at virtual machine resource granularity in cloud computing.

Description

Authority control method based on resource granularity
Technical field
The present invention relates to the technical field of resource operation authority control, and in particular to an authority control method based on resource granularity.
Background technology
Resource management systems usually adopt a role-based authority control system, which can only restrict a user's operation on a certain function. The granularity of this restriction is too coarse: it is suitable only for simple information systems and fails when different users of the same role must have different control authority over the same resource. For example, in a cloud computing environment all ordinary users can control cloud hosts, but each user may only control the cloud hosts that they themselves purchased. The role-based method cannot express this, so a hard-coded user-name check is generally added on top of the role-based authority control system. The implementation steps are as follows:
1. As in a traditional role-based authority control system, the execution authority for an operation is first granted to a specific role, and the role is then granted to the user;
2. Control authority over existing resources is granted to the specific user;
3. When the user performs an operation, the authority control system first judges whether the role held by the user has the execution authority for the operation; if not, the operation is refused directly; if so, the check continues;
4. The authority control system looks up the user's control authority over the existing resource; if the user has control authority, the operation is allowed, otherwise it is refused.
The above method has the following drawbacks:
First, the administrator must authorize every user again, which is a large configuration effort, and conventional rules such as "the creator of a resource can control that resource" cannot be used to remove the configuration step;
Second, the control method is inflexible: it treats all resources uniformly, so control is possible only after every resource has been authorized, which is unnecessary for resources that need no authority control. There is also no pre-authorization mechanism, so authority control can only be applied to existing resources, and after each new resource is created the administrator must authorize it first.
Third, a user's operation authority over a resource depends on the authority of the user's role: if the user's role does not have a certain operation authority, that operation authority cannot be configured for the user. This does not satisfy the complex and flexible application scenarios of a cloud computing environment, for example obtaining an advanced function (one the user's role does not have) through authorization.
To improve the effectiveness of resource authority control, reduce management workload, improve configuration flexibility and adapt to flexible usage scenarios, a method is needed that controls resource authority at resource granularity, granting resource operation authority directly to users during resource use and performing authority control in that way.
Summary of the invention
The technical problem solved by the present invention is to provide a rights management method based on resource granularity that reduces the large amount of authority configuration work, configures authority flexibly according to actual business requirements, and adapts to flexible usage scenarios.
The technical solution of the present invention for the above technical problem is as follows:
The method comprises the following steps:
Step 1: Pre-authorize specific roles according to the type of resource;
Step 2: After resource A is created, record information such as its creator B; creator B can grant operation authority over resource A to user C, user E and others;
Step 3: After user C performs operation D on resource A, the authority control system first judges whether user C has execution authority for operation D; if so, perform step 4; if not, perform step 5;
Step 4: The authority system judges whether the creator of resource A is user C; if so, perform step 7; if not, perform step 5;
Step 5: The authority system judges whether creator B of resource A has granted the authority for operation D on resource A to user C; if so, perform step 7; if not, perform step 6;
Step 6: Refuse the operation D that user C performs on resource A, then perform step 8;
Step 7: Perform operation D on resource A;
Step 8: End the authority control flow.
When the authority control judges whether the user possesses the operation authority for function D, the check does not involve the concrete resource object on which D operates.
The resource creator is the administrator of the system; by agreed rule, this user possesses all operation authority over resource A.
The resource user holding operation authority is a user who is neither the creator nor an administrator of the resource; this user obtains usage rights to the resource by being authorized by the system resource administrator or by the resource creator. Without such authorization the user does not possess operation authority over the resource, even if the user's role possesses that operation authority.
By the fixed rule that the resource creator holds all operation authority over the resource, the present invention needs no extra configuration and greatly reduces the administrator's configuration work. By distributing authority at resource granularity, it lets resource-based operation authority work on top of the operating assumptions of user roles, which is a control method with a high level of security. The method combines coarse-grained and fine-grained authorization of resources, which both removes the administrator's heavy configuration workload and meets the need for refined configuration of resources. The present invention also provides great flexibility: in role-based authority control a user's operation authority depends on the role, that is, a user cannot possess operation authority that the role lacks, whereas the present invention allows operation authority that the user's role lacks to be granted separately, so that the user obtains operation authority over a specific resource, improving flexibility while preserving unified management. The authority control of the present method is comparatively flexible, and resources can be excluded from the authority control system by simple configuration, making it a less invasive authority control method.
Description of the drawings
The present invention is further described below with reference to the accompanying drawings:
Fig. 1 is a flowchart of the method of the present invention;
Detailed description
As shown in the figure, the resource creator first authorizes a non-administrator, non-creator user for the resource; after authorization, that user can perform operations on the resource. The main code is as follows:
After a user logs in to the system and performs an operation on a resource, the authority detection system first detects whether the user possesses the operation authority for the function; the main code is as follows:
The function-authority code used to judge whether the user possesses the authority is as follows:
Finally, the authority control system judges whether the user has operation authority over the resource; the main code is as follows:
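The code listings that this section refers to are not included here, so the following Python model is an added example written for this page; it is not the patent's code. It implements the decision flow of steps 1 to 8 from the summary (role pre-authorization per resource type, creator shortcut, creator-delegated grant, otherwise refuse) and, for contrast, the background section's baseline in which the role must carry the function and the administrator must also list the user on the resource. The class AuthoritySystem, its methods, legacy_authorize, and the users, roles and resources used in demo() are all assumed names constructed for illustration.

```python
"""Resource-granularity authority check modelled on steps 1-8 of the patent
description (added example; names and sample data are constructed)."""
from dataclasses import dataclass, field

ALLOW_CREATOR = "allow:creator"  # step 4 -> step 7
ALLOW_GRANT = "allow:grant"      # step 5 -> step 7
DENY = "deny"                    # step 6


@dataclass(frozen=True)
class Resource:
    rid: str
    rtype: str    # resource type used for role pre-authorization (step 1)
    creator: str  # recorded when the resource is created (step 2)


@dataclass
class AuthoritySystem:
    # step 1: (role, resource type) -> operations the administrator pre-authorized
    role_ops: dict = field(default_factory=dict)
    user_roles: dict = field(default_factory=dict)   # user -> set of roles
    resources: dict = field(default_factory=dict)    # resource id -> Resource
    # step 2: (resource id, grantee) -> operations delegated by the creator
    grants: dict = field(default_factory=dict)
    admins: set = field(default_factory=set)         # may delegate like a creator

    def preauthorize(self, role, rtype, ops):
        self.role_ops.setdefault((role, rtype), set()).update(ops)

    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def create_resource(self, rid, rtype, creator):
        self.resources[rid] = Resource(rid, rtype, creator)

    def grant(self, grantor, rid, grantee, ops):
        # Only the creator or a system administrator may delegate (step 2).
        res = self.resources[rid]
        if grantor != res.creator and grantor not in self.admins:
            raise PermissionError(f"{grantor} may not delegate rights on {rid}")
        self.grants.setdefault((rid, grantee), set()).update(ops)

    def role_allows(self, user, rtype, op):
        # Step 3: function-level check that does not look at the concrete resource.
        return any(op in self.role_ops.get((role, rtype), ())
                   for role in self.user_roles.get(user, ()))

    def authorize(self, user, rid, op):
        res = self.resources[rid]
        if self.role_allows(user, res.rtype, op):
            # Step 4: the creator operates with no further configuration.
            if res.creator == user:
                return ALLOW_CREATOR
        # Step 5 is reached both when the role check passed but the user is not
        # the creator, and when the role lacks the operation entirely, so a
        # creator's grant can confer an operation the role does not have.
        if op in self.grants.get((rid, user), ()):
            return ALLOW_GRANT
        return DENY  # step 6


def legacy_authorize(role_ops, user_roles, admin_acl, user, rid, rtype, op):
    """Background-section baseline: the role must carry the function AND the
    administrator must have listed the user on that resource explicitly."""
    role_ok = any(op in role_ops.get((role, rtype), ()) for role in user_roles.get(user, ()))
    return role_ok and op in admin_acl.get((rid, user), ())


def demo():
    """Scenario from the description: ordinary users control only the cloud hosts they created."""
    acs = AuthoritySystem()
    acs.preauthorize("user", "vm", {"start", "stop", "delete"})
    acs.preauthorize("guest", "vm", {"start"})
    for u, r in (("alice", "user"), ("bob", "user"), ("carol", "guest")):
        acs.assign_role(u, r)
    acs.create_resource("vm1", "vm", creator="alice")

    results = {
        "creator": acs.authorize("alice", "vm1", "stop"),
        "same_role_other_user": acs.authorize("bob", "vm1", "stop"),
    }
    acs.grant("alice", "vm1", "bob", {"start"})
    acs.grant("alice", "vm1", "carol", {"delete"})  # role "guest" lacks delete
    results["granted"] = acs.authorize("bob", "vm1", "start")
    results["ungranted_op"] = acs.authorize("bob", "vm1", "stop")
    results["beyond_role"] = acs.authorize("carol", "vm1", "delete")
    try:
        acs.grant("bob", "vm1", "carol", {"stop"})
        results["non_creator_grant"] = "allowed"
    except PermissionError:
        results["non_creator_grant"] = "rejected"
    return results
```

The "beyond_role" case is the flexibility the summary claims: a creator's grant confers an operation the grantee's role was never pre-authorized for. From a defender's view that same path is a privilege expansion outside the role model, so a deployment should record every grant with grantor, grantee, resource and operations, and review grants that exceed the grantee's role.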

Claims (5)

1. An authority control method based on resource granularity, characterized in that the method comprises the following steps:
Step 1: Pre-authorize specific roles according to the type of resource;
Step 2: After resource A is created, record information such as its creator B; creator B can grant operation authority over resource A to user C, user E and others;
Step 3: After user C performs operation D on resource A, the authority control system first judges whether user C has execution authority for operation D; if so, perform step 4; if not, perform step 5;
Step 4: The authority system judges whether the creator of resource A is user C; if so, perform step 7; if not, perform step 5;
Step 5: The authority system judges whether creator B of resource A has granted the authority for operation D on resource A to user C; if so, perform step 7; if not, perform step 6;
Step 6: Refuse the operation D that user C performs on resource A, then perform step 8;
Step 7: Perform operation D on resource A;
Step 8: End the authority control flow.
2. The authority control method based on resource granularity according to claim 1, characterized in that: when the authority control judges whether the user possesses the operation authority for function D, the check does not involve the concrete resource object on which D operates.
3. The authority control method based on resource granularity according to claim 1, characterized in that: the resource creator is the administrator of the system, and this user, by agreed rule, possesses all operation authority over resource A.
4. The authority control method based on resource granularity according to claim 2, characterized in that: the resource creator is the administrator of the system, and this user, by agreed rule, possesses all operation authority over resource A.
5. The authority control method based on resource granularity according to any one of claims 1 to 4, characterized in that: the resource user holding operation authority is a user who is neither the creator nor an administrator of the resource; this user obtains usage rights to the resource by being authorized by the system resource administrator or by the resource creator. Without such authorization the user does not possess operation authority over the resource, even if the user's role possesses that operation authority.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410738336.8A CN104504343A (en) 2014-12-05 2014-12-05 Authority control method base on resource granularity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410738336.8A CN104504343A (en) 2014-12-05 2014-12-05 Authority control method base on resource granularity

Publications (1)

Publication Number Publication Date
CN104504343A true CN104504343A (en) 2015-04-08

Family

ID=52945739

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410738336.8A Pending CN104504343A (en) 2014-12-05 2014-12-05 Authority control method base on resource granularity

Country Status (1)

Country Link
CN (1) CN104504343A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1770169A (en) * 2004-11-05 2006-05-10 国际商业机器公司 Systems and methods of access control enabling ownership of access control lists to users or groups
CN102902898A (en) * 2012-09-21 2013-01-30 中国科学院信息工程研究所 Resource use control method and resource use control device of multi-dimensional digital media
CN102968599A (en) * 2012-10-25 2013-03-13 北京邮电大学 User-defined access control system and method based on resource publisher
CN102984000A (en) * 2012-11-22 2013-03-20 百度在线网络技术(北京)有限公司 Authority management method and device for cloud resources based on Policy language
CN103049684A (en) * 2012-12-21 2013-04-17 大唐软件技术股份有限公司 Data authority control method and data authority control system based on RBAC (role-based access control) model extension

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邬小鲁 等 (Wu Xiaolu et al.): "Granularity-based access control conflict analysis and resolution", 《舰船电子工程》 (Ship Electronic Engineering) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107852408A (en) * 2015-07-17 2018-03-27 Lg 电子株式会社 Method and device for keeping source synchronization in a wireless communication system
CN108280354A (en) * 2017-01-05 2018-07-13 珠海金山办公软件有限公司 Method and device for applying a permission template
WO2019052496A1 (en) * 2017-09-14 2019-03-21 腾讯科技(深圳)有限公司 Account authentication method for cloud storage, and server
CN109510849A (en) * 2017-09-14 2019-03-22 腾讯科技(深圳)有限公司 Account authentication method and device for cloud storage
US11265306B2 (en) 2017-09-14 2022-03-01 Tencent Technology (Shenzhen) Company Ltd Account authentication method for cloud storage, and server
CN107911465A (en) * 2017-11-28 2018-04-13 国云科技股份有限公司 A resource-granularity filtering method for multiple cloud platforms
CN111090839A (en) * 2018-10-23 2020-05-01 阿里巴巴集团控股有限公司 Resource operation authority management method and device, electronic equipment and storage medium
CN110414211A (en) * 2019-07-29 2019-11-05 浪潮软件集团有限公司 A resource-based IOSS rights management method

Similar Documents

Publication Publication Date Title
CN104504343A (en) Authority control method base on resource granularity
US10348734B2 (en) Security bypass environment for circumventing a security application in a computing environment
US10216937B2 (en) Secure BIOS password method in server computer
US9078129B1 (en) Knowledge-based authentication for restricting access to mobile devices
GB2599273A (en) Fine-grained token based access control
JP2014534515A5 (en)
US12010121B2 (en) Gradual credential disablement
WO2017161569A1 (en) Access control method, apparatus and system
CN107707572A (en) A role-based web security access control method
US20170220792A1 (en) Constraining authorization tokens via filtering
CN106997440A (en) A role access control method
CN103428191A (en) Single sign-on method based on the combination of the CAS framework and fingerprints
WO2019006998A1 (en) Node.js authority control method, storage medium, electronic device, and system
CN101860436A (en) Technology for accurately controlling system user data authority
US20180343239A1 (en) Hard coded credential bypassing
CN108549797A (en) A system rights management method for users, user groups and roles
Gkioulos et al. Enhancing usage control for performance: An architecture for systems of systems
Huang et al. A trust-based cloud computing access control model
US9442808B1 (en) Session tickets for a backup and recovery system
CN113472717B (en) SDN access control method and device and computer readable storage medium
CN104268090B (en) A method and apparatus for controlling distributed system capacity
IV WORKLOAD IDENTITY MANAGEMENT USING AGENT AND CONTROLLER
CN107733650A (en) Dynamic setting method for account passwords
Xu et al. Research on Access Control Strategies for Medical Data Interaction Platform Based on Cloud Services
Han et al. Poster: Using quantified risk and benefit to strengthen the security of information sharing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20150408)