CN104519072A - Authority control method and device - Google Patents

Authority control method and device

Info

Publication number: CN104519072A
Application number: CN201510018780.7A
Authority: CN (China)
Prior art keywords: role, authority, user, identifier, corresponding relation
Legal status: Pending (as listed by Google Patents; the Legal Events at the end of the page record a rejection after publication)
Other languages: Chinese (zh)
Inventors: 于辉, 李新虎, 刘俊朋
Current assignee: Inspur Beijing Electronic Information Industry Co Ltd
Original assignee: Inspur Beijing Electronic Information Industry Co Ltd
Priority date: 2015-01-14
Filing date: 2015-01-14
Publication date: 2015-04-15

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an authority (permission) control method and device. The method comprises: pre-building a role-based access control (RBAC) model consisting of a user set, a role set and a permission set; setting a permission identifier for each permission in the permission set; setting a role permission identifier for each role in the role set according to the preset permission identifiers, and establishing the correspondence between the permission identifiers and the role permission identifiers; obtaining the permissions requested by a user in the user set and establishing the correspondence between the user and a role according to the role permission identifiers. The method makes it possible to manage permission information in a cloud computing operating system effectively.

Description

Authority (permission) control method and device
Technical field
The present invention relates to the field of cloud computing technology, and in particular to a permission control method and device based on a cloud computing operating system.
Background art
Cloud computing is gradually gaining industry acceptance, cloud data center operating systems are being realized and put into practice, and they play an ever more important role in social production and daily life. A cloud computing operating system has many categories of resources, high management complexity and a wide variety of user roles; how to give different users differentiated access to resources, and operate efficiently, on the basis of a robust user permission management system is a problem worth studying.
At present most permission management systems adopt the role-based access control (RBAC) model. In RBAC, permissions are associated with roles, and a user obtains the permissions of a role by becoming a member of that role, so that users are linked to permissions through roles. In addition, roles can be granted new permissions as the requirements of the system change, and permissions can be revoked from a role when necessary.
When permissions are managed with RBAC, the stability of the RBAC model is the key to managing the permission list effectively and efficiently. In existing RBAC models, however, the generation and management of permission information in the permission list follow no rule: administrators adjust and update it arbitrarily as circumstances require, so the information is disordered to some degree and extensibility is poor.
Summary of the invention
To solve the technical problem described above, the invention provides a permission control method and device that can achieve effective management of permission information in a cloud computing operating system.
To achieve the object of the invention, a permission control method is provided, comprising: pre-building a role-based access control (RBAC) model, the RBAC model comprising a user set, a role set and a permission set, and setting a permission identifier for each permission in the permission set; according to the preset permission identifiers, setting a role permission identifier for each role in the role set and establishing the correspondence between the permission identifiers and the role permission identifiers; obtaining the permissions requested by a user in the user set and, according to the role permission identifiers, establishing the correspondence between the user and a role.
The permission identifier is a permission identifier based on binary arithmetic.
The permission identifier is a binary string 4 bits long.
The correspondence between the permission identifiers and a role permission identifier is the OR operation of binary arithmetic.
Obtaining the permissions requested by a user in the user set and establishing, according to the role permission identifiers, the correspondence between the user and a role comprises: receiving the permission request sent by a user in the user set; searching the role permission identifiers of the roles in the role set according to the requested permissions; determining the role permission identifier corresponding to the requested permissions; and establishing the correspondence between the user and the role having the determined role permission identifier.
The invention also provides a permission control device, comprising: a first processing module for pre-building a role-based access control (RBAC) model comprising a user set, a role set and a permission set; a second processing module for presetting a permission identifier for each permission in the permission set; a third processing module for setting, according to the preset permission identifiers, a role permission identifier for each role in the role set and establishing the correspondence between the permission identifiers and the role permission identifiers; and a fourth processing module for obtaining the permissions requested by a user in the user set and establishing, according to the role permission identifiers, the correspondence between the user and a role.
The permission identifier is a permission identifier based on binary arithmetic.
The permission identifier is a binary string 4 bits long.
The correspondence between the permission identifiers and a role permission identifier is the OR operation of binary arithmetic.
The second processing module is specifically used to receive the permission request sent by a user in the user set, search the role permission identifiers of the roles in the role set according to the requested permissions, determine the role permission identifier corresponding to the requested permissions, and establish the correspondence between the user and the role having the determined role permission identifier.
Compared with the prior art, the invention pre-builds a role-based access control (RBAC) model comprising a user set, a role set and a permission set, sets a permission identifier for each permission in the permission set, sets a role permission identifier for each role in the role set according to the preset permission identifiers, establishes the correspondence between the permission identifiers and the role permission identifiers, obtains the permissions requested by a user in the user set and, according to the role permission identifiers, establishes the correspondence between the user and a role. By combining RBAC with a binary-based permission management scheme, the method of the invention achieves concise and efficient correspondences between users and roles and between roles and permissions, provides robust infrastructure support for a cloud computing operating system, and thereby achieves effective management of permission information in the cloud computing operating system.
Other features and advantages of the invention will be set forth in the description that follows and will in part become apparent from the description, or may be learned by practicing the invention. The objects and other advantages of the invention may be realized and obtained by the structure particularly pointed out in the description, claims and drawings.
Brief description of the drawings
The drawings are provided to give a further understanding of the technical solution of the invention and form part of the description; together with the embodiments of the application they serve to explain the technical solution of the invention and do not limit it.
Fig. 1 is a flow chart of the permission control method of the invention.
Fig. 2 is a schematic diagram of the RBAC model of the invention.
Fig. 3 is a schematic diagram of the permission set of the invention.
Fig. 4 is a structural diagram of the permission control device of the invention.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, embodiments of the invention are described in detail below with reference to the drawings. Where no conflict arises, the embodiments of the application and the features in the embodiments may be combined with one another arbitrarily.
The steps shown in the flow chart of the drawings may be performed in a computer system such as a set of computer-executable instructions. Further, although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from the one given here.
Fig. 1 is a flow chart of the permission control method of the invention. As shown in Fig. 1, the method comprises:
Step 11: pre-build a role-based access control (RBAC) model comprising a user set, a role set and a permission set.
In this step the cloud computing operating system pre-builds an RBAC model which, as shown in Fig. 2, comprises:
a user set containing at least one user, e.g. user 1, user 2, ...;
a role set containing at least one role, e.g. role 1, role 2, ...; and
a permission set containing at least one permission, where a permission is an operation performed on an object.
In RBAC, a user is a subject that can independently access data, or other resources represented as data, in the cloud computing operating system. A role is a job or position in the cloud computing operating system; it represents a kind of right, qualification and responsibility. A permission is an operation that is allowed to be performed on one or more objects in the cloud computing operating system. One user may be authorized to hold several roles and one role may be made up of several users; each role may have several permissions and each permission may be granted to several different roles.
Step 12: preset a permission identifier for each permission in the permission set.
In this step the object may be a resource in the cloud computing operating system and the operation may be add, modify, delete, etc., so that a permission is an operation performed on an object. For example, permission 1 is the add operation on resource 1, permission 2 is the modify operation on resource 1, and permission 3 is the delete operation on resource 1.
Because the length of a binary number is customizable and easy to extend, the permission identifiers set for the permissions in the permission set are identifiers based on binary arithmetic. In a specific embodiment of the invention, as shown in Fig. 3, a 4-bit binary string is used as the permission identifier: for example, the identifier of permission 1 (the add operation on resource 1) is 0000, the identifier of permission 2 (the modify operation on resource 1) is 0001, the identifier of permission 3 (the delete operation on resource 1) is 0010, and so on.
Step 13: according to the preset permission identifiers, set a role permission identifier for each role in the role set and establish the correspondence between the permission identifiers and the role permission identifiers.
In this step the correspondence between the permission identifiers and the role permission identifiers is preset; for example, based on binary arithmetic, the role permission identifier is the bitwise OR of the permission identifiers. It may of course be some other operation, which is not limited here.
A role permission identifier is set for each role. For example, the role permission identifier of role 1 is 0011. Since, under binary arithmetic, the role permission identifier is the OR of the permission identifiers, the permission set of role 1 is found to contain the permissions corresponding to identifiers 0001 and 0010: role 1 has the permission corresponding to 0001, i.e. the modify operation on resource 1, and the permission corresponding to 0010, i.e. the delete operation on resource 1.
Step 14: obtain the permissions requested by a user in the user set and, according to the role permission identifiers, establish the correspondence between the user and a role.
In this step the cloud computing operating system receives the permission request sent by the user, searches the role permission identifiers of the roles in the role set according to the requested permissions, determines the role permission identifier corresponding to the requested permissions, and establishes the correspondence between this user and the role having that role permission identifier.
For example, user 2 requests from the cloud computing operating system the modify and delete operations on resource 1. The role permission identifiers of the roles in the role set are searched; the role permission identifier of role 1 represents the permission to modify resource 1 and the permission to delete resource 1, so the cloud computing operating system establishes the correspondence between user 2 and role 1, and user 2 thereby holds the permissions corresponding to role 1.
The role corresponding to a user can change with the user's needs: for example, if the permissions user 2 requires change, it is only necessary to establish a correspondence between user 2 and a different role.
How the correspondence between a user and a role is concretely established belongs to the conventional technical means of those skilled in the art; its specific implementation is not intended to limit the protection scope of the invention and is not repeated here.
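Steps 11 to 14 carried through in code. This is an illustration added for this page, not code from the patent or from Inspur; the class and method names, the permission names and the use of Python integers as the binary identifiers are all assumptions of the example. One point a practitioner should check before copying Fig. 3 literally: OR is the composition chosen in Step 13, and an all-zero identifier (the patent gives permission 1 the identifier 0000) is the identity element of OR, so a role permission identifier can never record whether that permission was granted. The example therefore gives every permission its own bit, keeping the patent's values for permission 2 (0001) and permission 3 (0010) so that role 1 comes out as 0011 exactly as in Step 13, and gives permission 1 the next free bit, 0100. It also goes somewhat beyond the text: it decodes a role identifier back into its permissions, binds the user to the least-privileged role when several roles cover a request, and revokes a permission from a role with AND NOT (the inverse of the OR composition), which the background section says an RBAC system must support.

```python
"""Bitmask RBAC in the style of the patent's Steps 11-14 (illustrative code,
not the patent's own implementation; every name below is an assumption)."""
from __future__ import annotations


class BitmaskRbac:
    """Each permission identifier is a single bit; a role permission identifier
    is the bitwise OR of the identifiers of the permissions the role holds.
    Python ints are unbounded, so the 4-bit strings of Fig. 3 extend to any
    number of permissions without changing the code."""

    def __init__(self) -> None:
        self.permissions: dict[str, int] = {}      # permission name -> identifier
        self.roles: dict[str, int] = {}            # role name -> role permission identifier
        self.user_roles: dict[str, set[str]] = {}  # user name -> roles bound in Step 14
        self._next_bit = 0

    # Step 12: preset a permission identifier for each permission.
    def define_permission(self, name: str) -> int:
        if name in self.permissions:
            return self.permissions[name]
        # Start at 0001, never 0000: an all-zero identifier is the identity
        # element of OR and would vanish from every role identifier.
        ident = 1 << self._next_bit
        self._next_bit += 1
        self.permissions[name] = ident
        return ident

    def _mask(self, names: tuple[str, ...]) -> int:
        """OR the identifiers of the named permissions; unknown names are rejected."""
        mask = 0
        for name in names:
            if name not in self.permissions:
                raise ValueError(f"unknown permission: {name!r}")
            mask |= self.permissions[name]
        return mask

    # Step 13: role permission identifier = OR of its permission identifiers.
    def define_role(self, role: str, *perm_names: str) -> int:
        self.roles[role] = self._mask(perm_names)
        return self.roles[role]

    def revoke_from_role(self, role: str, perm: str) -> int:
        """Reclaim a permission from a role: clear its bit (the inverse of OR)."""
        self.roles[role] &= ~self.permissions[perm]
        return self.roles[role]

    def role_permissions(self, role: str) -> set[str]:
        """Decode a role permission identifier back into permission names."""
        mask = self.roles[role]
        return {p for p, bit in self.permissions.items() if mask & bit}

    # Step 14: find the roles whose identifier covers every requested bit.
    def roles_covering(self, *perm_names: str) -> list[str]:
        wanted = self._mask(perm_names)
        return [r for r, m in self.roles.items() if (m & wanted) == wanted]

    def request(self, user: str, *perm_names: str) -> str | None:
        """Bind the user to the least-privileged role that covers the request;
        None means no existing role does, and the request must be denied."""
        candidates = self.roles_covering(*perm_names)
        if not candidates:
            return None
        role = min(candidates, key=lambda r: bin(self.roles[r]).count("1"))
        self.user_roles.setdefault(user, set()).add(role)
        return role

    def user_may(self, user: str, perm: str) -> bool:
        """Access-time check: OR the user's role identifiers, test the one bit."""
        effective = 0
        for role in self.user_roles.get(user, ()):
            effective |= self.roles[role]
        return bool(effective & self.permissions[perm])


def build_fig3_example() -> BitmaskRbac:
    """Constructed sample data following Fig. 3 and Step 13 (the resource and
    permission names are the example's own, not the patent's)."""
    rbac = BitmaskRbac()
    rbac.define_permission("modify resource 1")   # 0001, as in Fig. 3
    rbac.define_permission("delete resource 1")   # 0010, as in Fig. 3
    rbac.define_permission("add resource 1")      # 0100 (the patent writes 0000)
    rbac.define_role("role 1", "modify resource 1", "delete resource 1")  # 0011
    rbac.define_role("role 2", "add resource 1")                            # 0100
    rbac.define_role("role 3", "add resource 1", "modify resource 1",
                     "delete resource 1")                                   # 0111
    return rbac


if __name__ == "__main__":
    rbac = build_fig3_example()
    print(f"role 1 = {rbac.roles['role 1']:04b}", rbac.role_permissions("role 1"))
    # Step 14 as in the text: user 2 asks to modify and delete resource 1.
    print("user 2 ->", rbac.request("user 2", "modify resource 1", "delete resource 1"))
    print("user 2 may delete:", rbac.user_may("user 2", "delete resource 1"))
    print("user 2 may add:", rbac.user_may("user 2", "add resource 1"))
```

The security-relevant branch is the `None` return in `request`: when no existing role covers a request, the caller must deny it rather than mint a role with exactly the requested bits, otherwise Step 14 degenerates into users granting themselves permissions. `user_may` is the separate access-time check that every operation on a resource should pass through; binding a user to a role in Step 14 is a policy decision, not an authorization.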
In the invention, combining RBAC with a binary-based permission management scheme achieves concise and efficient correspondences between users and roles and between roles and permissions, provides robust infrastructure support for the cloud computing operating system, and thereby achieves effective management of permission information in the cloud computing operating system.
Fig. 4 is a structural diagram of the permission control device of the invention. As shown in Fig. 4, the device comprises at least:
a first processing module for pre-building a role-based access control (RBAC) model, the RBAC model comprising a user set, a role set and a permission set;
a second processing module for presetting, for each permission in the permission set, a permission identifier based on binary arithmetic;
a third processing module for setting, according to the preset permission identifiers of the permission set, a role permission identifier for each role in the role set and establishing the correspondence between the permission identifiers and the role permission identifiers;
a fourth processing module for obtaining the permissions requested by a user in the user set and establishing, according to the role permission identifiers, the correspondence between the user and a role.
The permission control device of the invention corresponds to the permission control method, so the specific implementation details of the device can be found in the description of the method and are not repeated here.
Although the embodiments of the invention are disclosed above, the content described is adopted only to facilitate understanding of the invention and is not intended to limit it. Any person skilled in the art to which the invention belongs may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed by the invention, but the scope of patent protection of the invention must still be determined by the appended claims.

Claims (10)

1. A permission control method, characterized in that it comprises:
pre-building a role-based access control (RBAC) model, the RBAC model comprising a user set, a role set and a permission set, and setting a permission identifier for each permission in the permission set; according to the preset permission identifiers, setting a role permission identifier for each role in the role set and establishing the correspondence between the permission identifiers and the role permission identifiers;
obtaining the permissions requested by a user in the user set and, according to the role permission identifiers, establishing the correspondence between the user and a role.
2. The permission control method according to claim 1, characterized in that the permission identifier is a permission identifier based on binary arithmetic.
3. The permission control method according to claim 2, characterized in that the permission identifier is a binary string 4 bits long.
4. The permission control method according to claim 1, characterized in that the correspondence between the permission identifiers and the role permission identifier is the OR operation of binary arithmetic.
5. The method according to any one of claims 1 to 4, characterized in that obtaining the permissions requested by a user in the user set and establishing, according to the role permission identifiers, the correspondence between the user and a role comprises:
receiving the permission request sent by a user in the user set, searching the role permission identifiers of the roles in the role set according to the requested permissions, determining the role permission identifier corresponding to the requested permissions, and establishing the correspondence between the user and the role having the determined role permission identifier.
6. A permission control device, characterized in that it comprises:
a first processing module for pre-building a role-based access control (RBAC) model, the RBAC model comprising a user set, a role set and a permission set;
a second processing module for presetting a permission identifier for each permission in the permission set;
a third processing module for setting, according to the preset permission identifiers, a role permission identifier for each role in the role set and establishing the correspondence between the permission identifiers and the role permission identifiers;
a fourth processing module for obtaining the permissions requested by a user in the user set and establishing, according to the role permission identifiers, the correspondence between the user and a role.
7. The permission control device according to claim 6, characterized in that the permission identifier is a permission identifier based on binary arithmetic.
8. The permission control device according to claim 7, characterized in that the permission identifier is a binary string 4 bits long.
9. The permission control device according to claim 6, characterized in that the correspondence between the permission identifiers and the role permission identifier is the OR operation of binary arithmetic.
10. The permission control device according to any one of claims 6 to 9, characterized in that the second processing module is specifically used to receive the permission request sent by a user in the user set, search the role permission identifiers of the roles in the role set according to the requested permissions, determine the role permission identifier corresponding to the requested permissions, and establish the correspondence between the user and the role having the determined role permission identifier.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510018780.7A | 2015-01-14 | 2015-01-14 | Authority control method and device

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201510018780.7A | 2015-01-14 | 2015-01-14 | Authority control method and device

Publications (1)

Publication Number | Publication Date
CN104519072A | 2015-04-15

Family

ID=52793794

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201510018780.7A (CN104519072A) | Authority control method and device | 2015-01-14 | 2015-01-14 | Pending

Country Status (1)

Country | Link
CN | CN104519072A

Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2009008567A1 * | 2007-07-09 | 2009-01-15 | Nets Co., Ltd. | Provisioning apparatus for resources and authorities for integrated identity management
CN101414253A * | 2007-10-17 | 2009-04-22 | 华为技术有限公司 | Method and system for managing authority
CN101499906A * | 2008-02-02 | 2009-08-05 | 厦门雅迅网络股份有限公司 | Method for implementing subscriber authority management based on role function mapping table
CN101621518A * | 2009-07-20 | 2010-01-06 | 厦门敏讯信息技术股份有限公司 | Method for managing permission
CN101894231A * | 2010-07-19 | 2010-11-24 | 上海三零卫士信息安全技术有限公司 | Permission expansion control system and method thereof
CN101593260B * | 2009-07-03 | 2011-08-10 | 杭州华三通信技术有限公司 | Method and system for applying privileges of management system
CN102393889A * | 2011-09-19 | 2012-03-28 | 北京信城通数码科技有限公司 | Permissions configuration management system
CN103701801A * | 2013-12-26 | 2014-04-02 | 四川九洲电器集团有限责任公司 | Resource access control method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周敏 et al.: 《常州信息职业技术学院学报》 (Journal of Changzhou College of Information Technology) *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106529219A * | 2016-11-08 | 2017-03-22 | 上海有云信息技术有限公司 | User authority control method and device
CN106529219B * | 2016-11-08 | 2019-04-09 | 上海有云信息技术有限公司 | Control method and device for user permissions
CN109218024A * | 2017-07-04 | 2019-01-15 | 百度在线网络技术(北京)有限公司 | Method and apparatus for controlling authority
CN109218024B * | 2017-07-04 | 2021-07-16 | 百度在线网络技术(北京)有限公司 | Method and device for controlling authority
CN109697357A * | 2018-12-27 | 2019-04-30 | 珠海格力电器股份有限公司 | Dynamically extensible system permission setting method and management system
CN110046486A * | 2019-04-10 | 2019-07-23 | 芋头科技(杭州)有限公司 | Intelligent interaction device management and control method, system, controller and medium
CN111695124A * | 2020-05-18 | 2020-09-22 | 北京三快在线科技有限公司 | Authority control method and device, storage medium and electronic equipment
CN111680310A * | 2020-05-26 | 2020-09-18 | 泰康保险集团股份有限公司 | Authority control method and device, electronic equipment and storage medium
CN111680310B * | 2020-05-26 | 2023-08-25 | 泰康保险集团股份有限公司 | Authority control method and device, electronic equipment and storage medium
CN111711529A * | 2020-06-12 | 2020-09-25 | 腾讯科技(深圳)有限公司 | Group operation processing method, device, system, equipment and storage medium
CN111711529B * | 2020-06-12 | 2022-03-15 | 腾讯科技(深圳)有限公司 | Group operation processing method, device, system, equipment and storage medium
CN113839942A * | 2021-09-22 | 2021-12-24 | 上海妙一生物科技有限公司 | User authority management method, device, equipment and storage medium

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2015-04-15