CN104504343A - Authority control method base on resource granularity - Google Patents
- Publication number: CN104504343A (application CN201410738336.8A)
- Authority: CN (China)
- Prior art keywords: resource, user, authority, authority control, control method
- Prior art date: 2014-12-05
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention relates to the technical field of resource operation authority control, in particular to an authority control method based on resource granularity. The method comprises the following steps: an administrator pre-authorizes a specific role according to the resource type; then, when an authorized user operates on a resource, the authority control system first confirms whether the user's role has the operation authority. If it does, the system continues by checking whether the user is the creator of the resource; if it does not, the system checks whether the user has obtained the operation authority on that resource through authorization. If the operating user is confirmed to be the creator of the resource, the user performs the operation; otherwise the system checks whether the user has been granted the operation authority on the resource. If the check shows that the user has obtained the operation authority through authorization, the user is permitted to perform the operation; otherwise the operation is refused. The method solves the problem that operation authority control on resources in a cloud computing environment is tedious, and can be applied to authority control at virtual-machine resource granularity in cloud computing.
Description
Technical field
The present invention relates to the technical field of resource operation authority control, in particular to an authority control method based on resource granularity.
Background technology
Resource management systems usually adopt role-based authority control, which can only restrict a user's access to a given function. The granularity of this restriction is too coarse: it suits only simple information systems and fails when different users with the same role need different control authority over the same resource. For example, in a cloud computing environment all ordinary users may control cloud hosts, but each user may control only the cloud hosts that user has purchased. Role-based control does not apply in that case, so a hard-coded check on the user name is generally added on top of the role-based authority control system. The implementation steps are as follows:
1. As in a traditional role-based authority control system, the execution authority for an operation is first granted to a specific role, and the role is then granted to the user;
2. Control authority over existing resources is granted to specific users;
3. When the user performs an operation, the authority control system first judges whether the role granted to the user has execution authority for the operation; if not, the operation is refused directly, otherwise the check continues;
4. The authority control system looks up the user's control authority over the existing resource; if the user has control authority, the operation is allowed, otherwise it is refused.
This method has the following drawbacks:
First, the administrator must authorize every user again, so the configuration workload is large; rules that hold by convention, such as the creator of a resource being able to control it, cannot be exempted from configuration.
Second, the control method is inflexible: it treats all resources uniformly, so resources can be controlled only after every one of them has been authorized, which is unnecessary for resources that need no authority control. There is also no pre-authorization mechanism: authority control can be applied only to existing resources, so after each new resource is created the administrator must authorize it first.
Third, a user's operation authority over a resource depends on the authority of the user's role: if the role does not have a certain operation authority, that authority cannot be configured for the user. This fails the complex and flexible application scenarios of cloud computing, such as expecting to obtain an advanced function by authorization when the user's role does not have that function.
To make resource authority control more effective, reduce the management workload, improve configuration flexibility and adapt to flexible usage scenarios, a way of controlling resource authority at resource granularity is needed, in which resource operation authority is licensed directly to users while the resource is in use.
Summary of the invention
The technical problem solved by the present invention is to provide an authority management method based on resource granularity that reduces the large amount of authority configuration work, allows authority to be configured flexibly according to actual business requirements, and adapts to flexible usage scenarios.
The technical scheme by which the present invention solves the above technical problem is:
The method comprises the following steps:
Step 1: Pre-authorize a specific role according to the type of resource;
Step 2: After resource A is created, record information such as its creator B; creator B can grant operation authority on resource A to user C, user E, and so on;
Step 3: When user C requests operation D on resource A, the authority control system first judges whether user C has execution authority for operation D; if so, go to step 4, otherwise go to step 5;
Step 4: The permission system judges whether the creator of resource A is user C; if so, go to step 7, otherwise go to step 5;
Step 5: The permission system judges whether creator B of resource A has granted user C the authority for operation D on resource A; if so, go to step 7, otherwise go to step 6;
Step 6: Refuse the operation D that user C requested on resource A, then go to step 8;
Step 7: Perform operation D on resource A;
Step 8: End the authority control flow.
When judging whether a user has operation authority for function D, the authority control checks only the function and does not involve the specific resource object on which D operates.
The resource creator is the administrator of the system, and by agreed rule this user has all operation authority over resource A.
A resource user with operation authority is a user who neither created nor administers the resource, and who obtains the right to use the resource by having the system resource administrator or the resource creator authorize it; without such authorization the user has no operation authority over the resource, even if the user's role has that operation authority.
By establishing the rule that the resource creator has all operation authority over the resource, the present invention requires no extra configuration, which greatly reduces the administrator's configuration work. By distributing authority at resource granularity, the invention lets resource-based operation authority work on top of the existing premise of role-based user operation, which is a control method with a high level of security. The invention authorizes resources in a way that combines coarse and fine granularity, which both removes the administrator's heavy configuration workload and satisfies the demand for fine-grained configuration of resources. The invention also provides great flexibility: under role-based authority control a user's operation authority must come from a role, so a user has no operation authority that the role lacks, whereas the invention allows an operation authority that the user's role does not have to be granted separately, so the user obtains operation authority on a specific resource, improving flexibility while preserving unified management. The authority control method of the invention is comparatively flexible: a resource can be excluded from the authority control system by simple configuration, so it is a relatively non-invasive authority control method.
Description of the drawings
The present invention is further described below in conjunction with the accompanying drawing:
Fig. 1 is the flow chart of the method of the invention;
Embodiment
As shown in the figure, the resource creator first authorizes the resource to a user who is neither an administrator nor the creator; after authorization that user can perform operations on the resource. The main code is as follows:
After the user logs in to the system and performs an operation on a resource, the authority detection system first detects whether the user has operation authority for the function. The main code is as follows:
The function-authority code that judges whether the user has the authority is as follows:
Finally, the authority control system judges whether the user has operation authority on the resource; if so, the operation passes. The main code is as follows:
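The embodiment's code listings did not survive extraction, so the following is an added example written for this page, not the patent's own code. It implements steps 1 to 8 of the summary in `check()` and, for contrast, the background method (steps 1 to 4 there) in `legacy_check()`. Every name in it (AuthorityStore, Decision, the "vm" resource type, the users and grants in `build_scenario`) is an assumption, and the sample data is constructed.

```python
"""Resource-granularity authority check following steps 1-8 of the method.

Added example, not code from the patent; all names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"   # step 7
    DENY = "deny"     # step 6


@dataclass(frozen=True)
class Resource:
    rid: str
    rtype: str      # e.g. "vm"; step 1 pre-authorizes roles per type
    creator: str    # recorded at creation time (step 2)


@dataclass
class AuthorityStore:
    admins: set = field(default_factory=set)            # system resource administrators
    user_roles: dict = field(default_factory=dict)      # user -> {role}
    role_ops: dict = field(default_factory=dict)        # (role, rtype) -> {op}
    resources: dict = field(default_factory=dict)       # rid -> Resource
    grants: set = field(default_factory=set)            # (grantee, rid, op)

    # Step 1: the administrator pre-authorizes a role for a resource type.
    def preauthorize(self, role: str, rtype: str, ops: set) -> None:
        self.role_ops.setdefault((role, rtype), set()).update(ops)

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    # Step 2: on creation, record the creator.
    def create_resource(self, rid: str, rtype: str, creator: str) -> Resource:
        res = Resource(rid, rtype, creator)
        self.resources[rid] = res
        return res

    # Step 2 (continued): only the creator or a system administrator may delegate
    # an operation on this resource to another user (claim 5).
    def grant(self, grantor: str, rid: str, op: str, grantee: str) -> None:
        res = self.resources[rid]
        if grantor != res.creator and grantor not in self.admins:
            raise PermissionError(f"{grantor} may not grant on {rid}")
        self.grants.add((grantee, rid, op))

    def revoke(self, rid: str, op: str, grantee: str) -> None:
        self.grants.discard((grantee, rid, op))

    # Step 3 / claim 2: the role check looks only at the function, never at the object.
    def role_permits(self, user: str, rtype: str, op: str) -> bool:
        return any(op in self.role_ops.get((role, rtype), ())
                   for role in self.user_roles.get(user, ()))

    def check(self, user: str, rid: str, op: str) -> Decision:
        res = self.resources[rid]
        if self.role_permits(user, res.rtype, op):   # step 3
            if res.creator == user:                  # step 4: creator rule (claim 3)
                return Decision.ALLOW                # step 7
        if (user, rid, op) in self.grants:           # step 5: explicit per-resource grant
            return Decision.ALLOW                    # step 7
        return Decision.DENY                         # step 6, then step 8

    # The background method for contrast: the role must permit AND a per-user grant
    # must exist for every resource, with no creator rule.
    def legacy_check(self, user: str, rid: str, op: str) -> Decision:
        res = self.resources[rid]
        if self.role_permits(user, res.rtype, op) and (user, rid, op) in self.grants:
            return Decision.ALLOW
        return Decision.DENY


def build_scenario() -> AuthorityStore:
    """Constructed sample data: a cloud-host ("vm") system with four users."""
    s = AuthorityStore(admins={"root"})
    s.preauthorize("user", "vm", {"start", "stop"})               # ordinary users
    s.preauthorize("admin", "vm", {"start", "stop", "delete"})
    for u, r in [("bob", "user"), ("carol", "user"), ("dave", "guest"), ("root", "admin")]:
        s.assign_role(u, r)
    s.create_resource("vm-1", "vm", creator="bob")
    s.grant("bob", "vm-1", "stop", grantee="carol")    # creator delegates stop
    s.grant("bob", "vm-1", "start", grantee="dave")    # role "guest" lacks start
    return s


if __name__ == "__main__":
    s = build_scenario()
    for user, op in [("bob", "start"), ("carol", "start"), ("carol", "stop"),
                     ("dave", "start"), ("bob", "delete"), ("root", "delete")]:
        print(f"{user:6} {op:7} new={s.check(user, 'vm-1', op).value:6} "
              f"legacy={s.legacy_check(user, 'vm-1', op).value}")
```

Two points the flow chart does not spell out follow directly from the step ordering. Step 4 is reached only when step 3 passes, so the creator's "all operation authority" of claim 3 is bounded by the role pre-authorization of step 1: in the sample, creator bob is denied "delete" on his own host because the "user" role was never pre-authorized for it. Conversely, step 5 neither checks that the grantor holds operation D nor consults the role at all, so a grant lets a user whose role lacks the function (dave) perform it; the page presents this as the flexibility gain over drawback three, which makes the grant table itself the security boundary, so its write path must stay restricted to the creator or a system administrator as claim 5 requires, and grants need a revocation path (`revoke` here) that the patent does not describe.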
Claims (5)
1. An authority control method based on resource granularity, characterized in that the method comprises the following steps:
Step 1: Pre-authorize a specific role according to the type of resource;
Step 2: After resource A is created, record information such as its creator B; creator B can grant operation authority on resource A to user C, user E, and so on;
Step 3: When user C requests operation D on resource A, the authority control system first judges whether user C has execution authority for operation D; if so, go to step 4, otherwise go to step 5;
Step 4: The permission system judges whether the creator of resource A is user C; if so, go to step 7, otherwise go to step 5;
Step 5: The permission system judges whether creator B of resource A has granted user C the authority for operation D on resource A; if so, go to step 7, otherwise go to step 6;
Step 6: Refuse the operation D that user C requested on resource A, then go to step 8;
Step 7: Perform operation D on resource A;
Step 8: End the authority control flow.
2. The authority control method based on resource granularity according to claim 1, characterized in that: when judging whether the user has operation authority for function D, the authority control checks only the function and does not involve the specific resource object on which D operates.
3. The authority control method based on resource granularity according to claim 1, characterized in that: the resource creator is the administrator of the system, and by agreed rule this user has all operation authority over resource A.
4. The authority control method based on resource granularity according to claim 2, characterized in that: the resource creator is the administrator of the system, and by agreed rule this user has all operation authority over resource A.
5. The authority control method based on resource granularity according to any one of claims 1 to 4, characterized in that: a resource user with operation authority is a user who neither created nor administers the resource, and who obtains the right to use the resource by having the system resource administrator or the resource creator authorize it; without such authorization the user has no operation authority over the resource, even if the user's role has that operation authority.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410738336.8A CN104504343A (en) | 2014-12-05 | 2014-12-05 | Authority control method base on resource granularity |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104504343A true CN104504343A (en) | 2015-04-08 |
Family
ID=52945739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410738336.8A Pending CN104504343A (en) | 2014-12-05 | 2014-12-05 | Authority control method base on resource granularity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104504343A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1770169A (en) * | 2004-11-05 | 2006-05-10 | 国际商业机器公司 | Systems and methods of access control enabling ownership of access control lists to users or groups |
CN102902898A (en) * | 2012-09-21 | 2013-01-30 | 中国科学院信息工程研究所 | Resource use control method and resource use control device of multi-dimensional digital media |
CN102968599A (en) * | 2012-10-25 | 2013-03-13 | 北京邮电大学 | User-defined access control system and method based on resource publisher |
CN102984000A (en) * | 2012-11-22 | 2013-03-20 | 百度在线网络技术(北京)有限公司 | Authority management method and device for cloud resources based on Policy language |
CN103049684A (en) * | 2012-12-21 | 2013-04-17 | 大唐软件技术股份有限公司 | Data authority control method and data authority control system based on RBAC (role-based access control) model extension |
Non-Patent Citations (1)
Title |
---|
Wu Xiaolu et al.: "Analysis and resolution of granularity-based access control conflicts" (基于粒度的访问控制冲突分析及解决办法), Ship Electronic Engineering (舰船电子工程) * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107852408A (en) * | 2015-07-17 | 2018-03-27 | Lg 电子株式会社 | The method and its device of source synchronous are kept in a wireless communication system |
CN108280354A (en) * | 2017-01-05 | 2018-07-13 | 珠海金山办公软件有限公司 | A kind of application method and device of permission template |
WO2019052496A1 (en) * | 2017-09-14 | 2019-03-21 | 腾讯科技(深圳)有限公司 | Account authentication method for cloud storage, and server |
CN109510849A (en) * | 2017-09-14 | 2019-03-22 | 腾讯科技(深圳)有限公司 | The account number method for authenticating and device of cloud storage |
US11265306B2 (en) | 2017-09-14 | 2022-03-01 | Tencent Technology (Shenzhen) Company Ltd | Account authentication method for cloud storage, and server |
CN107911465A (en) * | 2017-11-28 | 2018-04-13 | 国云科技股份有限公司 | A kind of resource granularity filter method of more cloud platforms |
CN111090839A (en) * | 2018-10-23 | 2020-05-01 | 阿里巴巴集团控股有限公司 | Resource operation authority management method and device, electronic equipment and storage medium |
CN110414211A (en) * | 2019-07-29 | 2019-11-05 | 浪潮软件集团有限公司 | A kind of resource-based IOSS right management method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | Application publication date: 20150408 |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |