CN111935131B - SaaS resource access control method based on resource authority tree - Google Patents
- Publication number
- CN111935131B (application number CN202010781030.6A)
- Authority
- CN
- China
- Prior art keywords
- resource
- authority
- tree
- access control
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a SaaS resource access control method based on a resource authority tree, which comprises the following steps: first, an H-RBAC model and an ABAC model are combined to design a SaaS access control theoretical model based on a resource authority tree, namely the H-RRBAC model; then resource authority allocation and access control are carried out based on the H-RRBAC model, which specifically comprises the following steps: the SaaS platform resources are registered and resource directed atomic trees are generated automatically; resource directed trees are generated; the resource authority trees of roles are constructed; the resource authority trees of users are generated; and when a user accesses a service, access control over the resource is performed based on the user's resource authority tree. The disclosed method is suitable for the different authority management scenarios of different tenants in the SaaS mode, realizes efficient and low-complexity authority allocation, and at the same time meets the access control requirements of different tenants with respect to resources of different granularities and dynamically changing attributes.
Description
Technical Field
The invention relates to the technical field of computer security, in particular to a SaaS resource access control method based on a resource authority tree.
Background
SaaS is the abbreviation of Software-as-a-Service, meaning that software is provided as a service, i.e., a software service delivered over a network. As the software application mode of cloud computing, SaaS explicitly defines software as a service, provides clients with a replicable, standardized service scheme, solves the problems of software construction cost, operation and maintenance cost and management cost in client informatization, and is particularly popular with small and medium-sized enterprises. Although SaaS has many advantages, many problems remain, among which SaaS security has become the primary problem restricting the development of the SaaS model. To reduce the cost of service use, service providers mostly design SaaS around a single-instance multi-tenant mode and a data storage model of shared database tables, but under this design the data security problem must be solved at the same time. Access control is one of the key technologies for solving this problem and mainly comprises two parts: authority allocation and access control.
RBAC is the abbreviation of Role-Based Access Control. The RBAC model provides strong and flexible access control capability and reduces the complexity of user authority allocation and the workload of administrators, and it is still the main model used for SaaS access control in practice. H-RBAC is the abbreviation of Hierarchical Role-Based Access Control, an improved model derived from RBAC: it is a role-based access control model classified by level, and its core is to divide access control in SaaS into two layers, a SaaS software platform-level access control layer and a tenant-level access control layer, each of which performs access control based on the RBAC model. However, the RBAC model has limitations in fine-grained access control and cannot adapt to the situation in the SaaS mode where a user's permission is restricted by multiple factors. The ABAC model is an access control model designed to solve problems such as the large workload of authority allocation and the increased difficulty of formulating access rules that lack context; it can make up for this defect, has strong flexibility and extensibility, and is all the more notable in the SaaS mode. Attempts have been made to realize access control by combining the RBAC and ABAC models, but the complexity of authority allocation has been ignored; in order to ensure the privacy of tenant data in the SaaS mode, the access authority of users to the resources within a tenant is usually distributed autonomously by the tenant administrator, and if the complexity of authority allocation is too high, the use and adoption of the SaaS are directly affected. Therefore, a method is needed that fully exploits the advantages of the RBAC and ABAC models to realize efficient, low-complexity authority allocation and flexible, fine-grained access control in the SaaS mode.
Disclosure of Invention
The invention aims to solve the above problems by providing a SaaS resource access control method based on a resource authority tree, so as to realize efficient, low-complexity authority allocation and flexible, fine-grained access control in the SaaS mode.
The invention realizes the above purpose through the following technical scheme:
a SaaS resource access control method based on a resource authority tree comprises the following steps:
Step 1, combining an H-RBAC model and an ABAC model, and designing a SaaS access control theoretical model based on a resource authority tree, namely an H-RRBAC model;
Step 2, performing resource authority allocation and access control based on the H-RRBAC model, which comprises the following steps:
Step 2.1, registering the resources of the SaaS platform, and automatically generating resource directed atomic trees with the resources representing the minimum service units as root nodes;
Step 2.2, a platform manager combines the resource directed atomic trees as required to generate a resource directed tree;
Step 2.3, the platform manager allocates resource access permissions to tenants with the resource directed tree as the unit, and the tenant administrator allocates the resource authorities of roles with the resource directed trees permitted for access as the unit, so as to construct the resource authority trees of the roles;
Step 2.4, the tenant administrator establishes the user-user group, user group-role and user-role relationships, and generates the resource authority trees of the users;
Step 2.5, when a user accesses a service, performing access control over the resource based on the user's resource authority tree.
Preferably, in Step 1, the H-RRBAC model is modified based on the H-RBAC model and the ABAC model, and the modification includes:
1.1, introducing a resource directed tree between the roles and resources of the H-RBAC model and performing authority allocation based on the resource directed tree, wherein one resource directed tree represents one service scenario, a clear service boundary exists between trees, the intrinsic association between the resources in a tree determines the implication relationship between the authorities of parent and child resource nodes, when a resource node is authorized its child nodes automatically inherit the authority of the parent node, and when the access control policies of the same service scenario are the same, authority allocation is performed only on the root node;
1.2, performing access control based on the resource authority tree, fusing the advantages of RBAC and ABAC, wherein the access authority of a role over a resource is determined jointly by the resource-operation authority and the resource-ABAC rule;
1.3, the access rights of a subject to data resources and non-data resources are brought under unified management as one organic whole through the resource authority tree; the access rights of the subject to data resources are determined by the service, and the service context is presented in the form of a resource directed tree, so that when access control requirements change or access control rights are configured wrongly or in conflict, they can be located quickly and responded to efficiently;
The resource authority tree is a directed tree formed by a plurality of resource nodes. A resource node is represented by a four-tuple of resource node ID, resource information, allocated operation authorities and access control rules, wherein the resource node ID uniquely identifies the directed tree and the position of the resource node within it; the resource information is represented by a five-tuple of resource ID, resource name, resource type, resource attributes and supported operation authorities, wherein the resource ID uniquely identifies a resource, the resource name is acquired automatically, the resource type is divided into types including but not limited to menu, page, control and data, the resource attributes are the attribute set of the resource, and the supported operation authorities are determined by the resource type; the allocated operation authorities are a set of authorities selected from the supported operation authorities; the access control rules are a rule set constructed on the attribute information of users, resources and context; and the relationship between resource nodes is determined by the business logic predefined in the SaaS software code.
In Step 2.1, a resource directed atomic tree represents a minimum service unit, and the resources related to the service are automatically associated and organized according to the logical relationship predefined in the SaaS software code; the leaf nodes of a resource directed atomic tree are resources of the data type; and no duplicate resource nodes are allowed within the same tree.
In Step 2.2, one or more resource directed atomic trees are combined according to the requirements of the service scenario to generate one resource directed tree, wherein the resource directed tree represents a complete service scenario, generally corresponds to a service that the SaaS opens to clients, has similar corresponding access control policies, and is the entry point for reducing the workload of authority allocation.
In Step 2.3, roles and resource authority trees are mapped many-to-many, and a resource directed tree and resource authority trees are mapped one-to-many; the authorities of parent and child nodes of a resource authority tree have an implication relationship according to the generation rule of the resource directed tree, and child nodes inherit all authorities of the parent node by default but may be redefined provided the conflict constraint is not violated, which reduces the authority allocation workload while preserving the flexibility of authority allocation.
Also in Step 2.3, the attribute information of the user, the resource and the context environment is identified, attribute-based access control rules are established based on the ABAC model, and fine-grained authority control is performed on the resource nodes in the resource authority tree; the user attribute information includes but is not limited to user ID, tenant, department, organization, post, job level, security level and authorized area; the resource attributes include but are not limited to resource provider ID, tenant, department, organization and security level; the context environment includes but is not limited to the user's login location and login time; the attribute information is customized as required according to the business characteristics of the SaaS; the access control rules corresponding to resources with the same resource ID within a tenant are not allowed to conflict; and child nodes of the resource authority tree inherit the access control rules of the parent node by default, without one-by-one configuration.
In Step 2.4, users with the same roles are organized in the form of user groups, which avoids repeated generation of the users' resource authority trees; user-user group, user group-role and user-role are all many-to-many mapping relationships, so one user may correspond to a plurality of roles and hence to a plurality of resource authority trees; the plurality of resource authority trees corresponding to the same resource directed tree, and the authorities of the same resource referenced by the plurality of resource authority trees, are merged and their conflicts eliminated, finally obtaining the plurality of effective resource authority trees that correspond dynamically to the user.
In Step 2.5, the user attribute information, resource attribute information and context environment are obtained in real time, the allocated operation authorities and access control rules of the resource node are obtained from the user's set of resource authority trees according to the resource node ID associated with the resource, whether the user has access authority to the resource is determined by rule analysis and authority matching, and the corresponding result is returned to realize access control.
The invention has the beneficial effects that:
The method disclosed by the invention is suitable for the different authority management scenarios of different tenants in the SaaS mode, realizes efficient and low-complexity authority allocation, and at the same time meets the access control requirements of different tenants with respect to resources of different granularities and dynamically changing attributes. Its specific advantages are:
1. authority allocation is carried out based on the resource directed tree, which greatly reduces the workload of authority allocation while preserving its flexibility, so that the method is suitable for the different authority management scenarios of different tenants;
2. access control is performed based on the resource authority tree, obtaining the advantages of RBAC and ABAC at the same time, so that the access control requirements of different tenants with respect to resources of different granularities and dynamically changing attributes can be met;
3. the access rights to data resources and non-data resources are brought under unified management as one organic whole through the resource authority tree, which reduces management complexity compared with the traditional isolated management of data and non-data resources, and in particular allows access rights to be located quickly and handled efficiently when access control requirements change or access control rights are misconfigured.
Drawings
FIG. 1 is a schematic diagram of the H-RRBAC model of the present invention;
FIG. 2 is a schematic diagram of steps for implementing resource rights allocation and access control based on the H-RRBAC model in the present invention;
FIG. 3 is a schematic diagram of the structure of a resource authority tree in the H-RRBAC model of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings:
The SaaS resource access control method based on the resource authority tree comprises the following steps:
Step 1, combining an H-RBAC model and an ABAC model, and designing a SaaS access control theoretical model based on a resource authority tree, namely an H-RRBAC model.
As shown in FIG. 1, in this step the H-RRBAC model is improved based on the H-RBAC model and the ABAC model, and the improvement comprises:
1.1, introducing a resource directed tree between the roles and resources of the H-RBAC model and performing authority allocation based on the resource directed tree, wherein one resource directed tree represents one service scenario, a clear service boundary exists between trees, the intrinsic association between the resources in a tree determines the implication relationship between the authorities of parent and child resource nodes, when a resource node is authorized its child nodes automatically inherit the authority of the parent node, and when the access control policies of the same service scenario are the same, authority allocation only needs to be performed on the root node.
1.2, performing access control based on the resource authority tree, fusing the advantages of RBAC and ABAC, wherein the access authority of a role over a resource is determined jointly by the resource-operation authority and the resource-ABAC rule.
1.3, the access rights of a subject to data resources and non-data resources are brought under unified management as one organic whole through the resource authority tree; the access rights of the subject to data resources are determined by the service, and the service context is presented in the form of a resource directed tree, so that when access control requirements change or access control rights are configured wrongly or in conflict, the method can locate the problem quickly and respond efficiently.
As shown in FIG. 3, the resource authority tree is a directed tree formed by a plurality of resource nodes. A resource node is represented by a four-tuple of resource node ID, resource information, allocated operation authorities and access control rules, wherein the resource node ID uniquely identifies the directed tree and the position of the resource node within it; the resource information is represented by a five-tuple of resource ID, resource name, resource type, resource attributes and supported operation authorities, wherein the resource ID uniquely identifies a resource, the resource name is acquired automatically, the resource type is divided into types including but not limited to menu, page, control and data, the resource attributes are the attribute set of the resource, and the supported operation authorities are determined by the resource type; the allocated operation authorities are a set of authorities selected from the supported operation authorities; the access control rules are a rule set constructed on the attribute information of users, resources and context; and the relationship between resource nodes is determined by the business logic predefined in the SaaS software code and may be inclusion, operation triggering, reference and the like; for example, a menu may include a plurality of submenus, a menu operation may trigger a page, a page may be composed of a plurality of sub-pages, and a page includes data, controls and the like.
Step 2, as shown in FIG. 2, performing resource authority allocation and access control based on the H-RRBAC model, including the following steps:
Step 2.1, registering the resources of the SaaS platform, and automatically generating resource directed atomic trees with the resources representing the minimum service units as root nodes.
In this step, a resource directed atomic tree represents a minimum service unit, and the resources related to the service are automatically associated and organized according to the logical relationship predefined in the SaaS software code; the leaf nodes of a resource directed atomic tree are resources of the data type; and no duplicate resource nodes are allowed within the same tree.
Step 2.2, the platform manager combines the resource directed atomic trees as required to generate a resource directed tree.
In this step, one or more resource directed atomic trees are combined according to the requirements of the service scenario to generate one resource directed tree, wherein the resource directed tree represents a complete service scenario and corresponds to a service that the SaaS opens to clients; the corresponding access control policies are similar, which is the entry point for reducing the workload of authority allocation.
Step 2.3, the platform manager allocates resource access permissions to tenants with the resource directed tree as the unit, and the tenant administrator allocates the resource authorities of roles with the resource directed trees permitted for access as the unit, so as to construct the resource authority trees of the roles.
In this step, roles and resource authority trees are mapped many-to-many, and a resource directed tree and resource authority trees are mapped one-to-many; the authorities of parent and child nodes of a resource authority tree have an implication relationship according to the generation rule of the resource directed tree, and child nodes inherit all authorities of the parent node by default but may be redefined provided the conflict constraint is not violated, which reduces the authority allocation workload while preserving the flexibility of authority allocation.
Further, in this step, the attribute information of the user, the resource and the context environment is identified, attribute-based access control rules are established based on the ABAC model, and fine-grained authority control is performed on the resource nodes in the resource authority tree; the user attribute information includes but is not limited to user ID, tenant, department, organization, post, job level, security level and authorized area; the resource attributes include but are not limited to resource provider ID, tenant, department, organization and security level; the context environment includes but is not limited to the user's login location and login time; the attribute information is customized as required according to the business characteristics of the SaaS; the access control rules corresponding to resources with the same resource ID within a tenant are not allowed to conflict; and child nodes of the resource authority tree inherit the access control rules of the parent node by default, without one-by-one configuration. In order to avoid repeatedly configuring the same access control rule in every resource authority tree, global rules are introduced within a tenant, and all resource authority trees automatically inherit the global rules of the corresponding tenant.
Step 2.4, the tenant administrator establishes the user-user group, user group-role and user-role relationships, and generates the resource authority trees of the users.
In this step, users with the same roles are organized in the form of user groups, which avoids repeated generation of the users' resource authority trees; user-user group, user group-role and user-role are all many-to-many mapping relationships, so one user may correspond to a plurality of roles and hence to a plurality of resource authority trees; the plurality of resource authority trees corresponding to the same resource directed tree, and the authorities of the same resource referenced by the plurality of resource authority trees, are merged and their conflicts eliminated, finally obtaining the plurality of effective resource authority trees that correspond dynamically to the user.
Step 2.5, when a user accesses a service, performing access control over the resource based on the user's resource authority tree.
In this step, the user attribute information, resource attribute information and context environment are acquired in real time, the allocated operation authorities and access control rules of the resource node are acquired from the user's set of resource authority trees according to the resource node ID associated with the resource, whether the user has access authority to the resource is determined by rule analysis and authority matching, and the corresponding result is returned to realize access control.
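As an added illustration that is not part of the patent text, the following Python models the resource authority tree of Steps 2.3 to 2.5 (and the matching steps in the Disclosure): the node four-tuple with parent-to-child inheritance of operations and rules, the conflict constraint, the tenant global rule, the merging of a user's role trees reached directly and through user groups, and the final access decision. The class and function names, the representation of ABAC rules as callables, and the merge policy (union of operations, identical rules required for the same resource ID) are assumptions for this example; the tenant, resources, users and roles are constructed sample data.

```python
"""Added example, not code from the patent: a compact model of the H-RRBAC
resource authority tree used in Steps 2.3-2.5. Names, the callable rule
representation and the merge policy are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Resource:  # the five-tuple of resource information
    resource_id: str
    name: str
    rtype: str  # "menu", "page", "control" or "data"
    attrs: dict
    supported_ops: frozenset  # determined by rtype

@dataclass
class Node:  # the four-tuple of a resource authority tree node
    node_id: str  # identifies the directed tree and the position within it
    resource: Resource
    allocated_ops: Optional[frozenset] = None  # None: inherit from parent
    rules: Optional[list] = None  # callables (user, res_attrs, ctx) -> bool; None: inherit
    children: list = field(default_factory=list)

def resolve(node, parent_ops=frozenset(), parent_rules=()):
    """Yield (node_id, resource, effective_ops, effective_rules) for a tree.
    A child inherits the parent's operations and rules unless it redefines them;
    a redefinition outside the resource's supported operations breaks the
    conflict constraint and is rejected."""
    if node.allocated_ops is None:
        ops = parent_ops & node.resource.supported_ops
    elif node.allocated_ops <= node.resource.supported_ops:
        ops = node.allocated_ops
    else:
        raise ValueError(f"{node.node_id}: operations not supported by resource")
    rules = tuple(node.rules) if node.rules is not None else parent_rules
    yield node.node_id, node.resource, ops, rules
    for child in node.children:
        yield from resolve(child, ops, rules)

def roles_of(user, user_groups, group_roles, user_roles):
    """Step 2.4: roles reached directly and through user groups (all many-to-many)."""
    roles = set(user_roles.get(user, ()))
    for group in user_groups.get(user, ()):
        roles.update(group_roles.get(group, ()))
    return roles

def merge(trees, global_rules=()):
    """Merge a user's role trees into one table keyed by node_id. Operation sets
    are unioned; rule sets for the same resource_id must agree, because conflicting
    rules for one resource inside a tenant are not allowed. Tenant global rules
    are prepended to every node (assumed policy)."""
    table, rules_seen = {}, {}
    for root in trees:
        for node_id, res, ops, rules in resolve(root):
            if rules_seen.setdefault(res.resource_id, rules) != rules:
                raise ValueError(f"conflicting rules for {res.resource_id}")
            entry = table.setdefault(node_id, (res, set(), tuple(global_rules) + rules))
            entry[1].update(ops)
    return table

def has_rule_conflict(trees):
    try:  # True when the trees cannot be merged because their rules conflict
        merge(trees)
        return False
    except ValueError:
        return True

def check_access(table, node_id, op, user_attrs, ctx):
    """Step 2.5: authority matching on the node, then rule analysis on live attributes."""
    if node_id not in table:
        return False
    res, ops, rules = table[node_id]
    if op not in ops:
        return False
    return all(rule(user_attrs, res.attrs, ctx) for rule in rules)

# ---- constructed sample: tenant X, work order management directed tree T1 ----
def same_tenant(u, r, c): return u["tenant"] == r["tenant"]
def clearance(u, r, c): return u["security_level"] >= r["security_level"]
def office_hours(u, r, c): return 8 <= c["login_hour"] < 18

WO_MENU = Resource("R.wo.menu", "Work orders", "menu", {"tenant": "X", "security_level": 1}, frozenset({"view"}))
WO_PAGE = Resource("R.wo.page", "Work order list", "page", {"tenant": "X", "security_level": 1}, frozenset({"view"}))
WO_DATA = Resource("R.wo.data", "Work order records", "data", {"tenant": "X", "security_level": 2},
                   frozenset({"read", "write", "delete"}))

def tree(data_ops, data_rules=None):
    """A role's authority tree over T1; only the data leaf is redefined."""
    return Node("T1/1", WO_MENU, frozenset({"view"}), [clearance], [
        Node("T1/1.1", WO_PAGE, children=[Node("T1/1.1.1", WO_DATA, data_ops, data_rules)])])

ROLE_TREES = {"ops_engineer": [tree(frozenset({"read", "write"}))],
              "auditor": [tree(frozenset({"read"}))],
              "night_shift": [tree(frozenset({"read"}), [office_hours])]}  # conflicts on R.wo.data
USER_GROUPS = {"alice": ["ops_team"]}
GROUP_ROLES = {"ops_team": ["ops_engineer"]}
USER_ROLES = {"alice": ["auditor"]}

def decide(user, node_id, op, user_attrs, ctx):
    """Resolve the user's effective trees (Step 2.4) and decide one request (Step 2.5)."""
    roles = roles_of(user, USER_GROUPS, GROUP_ROLES, USER_ROLES)
    table = merge([t for r in sorted(roles) for t in ROLE_TREES[r]], [same_tenant])
    return check_access(table, node_id, op, user_attrs, ctx)
```

For alice, the auditor and ops_engineer trees merge to read and write on the work order data node under the tenant global rule and the inherited clearance rule, while a tree that attaches a different rule set to the same resource ID is rejected at merge time.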
Note: for convenience of drawing expression, the foregoing wording is not necessarily identical to that in the drawings, but the two correspond to each other.
In order to facilitate understanding of the embodiments of the present invention and the effects thereof, a specific application example is given below. It will be understood by those of ordinary skill in the art that the examples are for ease of understanding only and that any particular details thereof are not intended to limit the present invention in any way.
Application example:
Take the operation and maintenance management SaaS platform of a certain group M as an example. The platform is deployed at the headquarters of the group, and each subsidiary under the group accesses the platform as a tenant. When the platform is initialized, platform resource registration is completed automatically and the resource directed atomic trees are generated. According to the business scenarios of operation and maintenance management, the platform manager divides the services the platform provides externally into asset management (basic edition), asset management (complete edition), resource operation monitoring, work order management, change management, resource allocation management and the like; the services are selected by tenants (supporting services tightly coupled with a service are selected automatically); the construction of the resource directed tree corresponding to each service is completed on the basis of the resource directed atomic trees; and at the same time the configuration of the subject-object access control policies applicable to the whole group is completed on the basis of the resource directed trees, for example, each employee can access the data they are responsible for, a department leader can access the data of the staff of that department, an operation and maintenance engineer can access the work order data of the area they operate and maintain, and so on, forming the initial resource authority trees.
After subsidiary X applies on the platform to open the asset management (complete edition), work order management and change management services and pays, the platform manager assigns tenant roles to subsidiary X and completes the corresponding access permission authorization. The administrator of subsidiary X (the tenant administrator) first completes the configuration of basic data (such as the company's organization, operation and maintenance areas, operation and maintenance organizations and the like), then makes adjustments on the basis of the initial resource authority trees, including roles, operation authorities, ABAC rules and the like, maps roles to users or user groups (optional), maps users to user groups (optional), generates the users' resource authority trees, and completes the configuration of the company's internal personalized access control policy. When a user of subsidiary X needs to access a service, identity authentication is first carried out by the platform's identity authentication module; after authentication passes, the user attribute information, resource attribute information and context environment are acquired, the allocated operation authorities and access control rules of the resource node are acquired from the user's set of resource authority trees according to the resource node ID associated with the resource, whether the user has access authority to the resource is determined by rule analysis and authority matching, and the corresponding result is returned.
The above embodiments are only preferred embodiments of the present invention, and are not limiting to the technical solutions of the present invention, and any technical solution that can be implemented on the basis of the above embodiments without inventive effort should be considered as falling within the scope of protection of the patent claims of the present invention.
Claims (7)
1. A SaaS resource access control method based on a resource authority tree, characterized in that the method comprises the following steps:
Step 1, combining an H-RBAC model and an ABAC model to design a SaaS access control theoretical model based on a resource authority tree, namely the H-RRBAC model;
Step 2, performing resource authority allocation and access control based on the H-RRBAC model, which comprises the following steps:
Step 2.1, registering the resources of the SaaS platform and automatically generating resource directed atomic trees, taking the resources that represent minimum service units as root nodes;
Step 2.2, a platform administrator combines resource directed atomic trees as required to generate a resource directed tree;
Step 2.3, the platform administrator allocates resource access permissions to tenants with the resource directed tree as the unit, and the tenant administrator allocates resource authorities to roles with the resource directed trees the tenant is permitted to access as the unit, thereby constructing the resource authority trees of the roles;
Step 2.4, the tenant administrator establishes the user-user group, user group-role and user-role relationships and generates the resource authority tree of each user;
Step 2.5, when a user accesses a service, access control on the resource is performed based on the user's resource authority tree;
In Step 1, the H-RRBAC model is an improvement on the H-RBAC model and the ABAC model, and the improvements are:
1.1, a resource directed tree is introduced between the roles and resources of the H-RBAC model, and authority allocation is performed on the basis of the resource directed tree; one resource directed tree represents one service scenario, there is a clear service boundary between trees, the intrinsic association between the resources in a tree determines the implication relationship between the authorities of parent and child resource nodes, when a resource node is authorized its child nodes automatically inherit the authorities of the parent node, and when the access control strategies of a service scenario are identical, authority allocation is performed only on the root node;
1.2, access control is performed on the basis of the resource authority tree, fusing the advantages of RBAC and ABAC: a role's access authority over a resource is determined jointly by the resource-operation authority and the resource-ABAC rule;
1.3, a subject's access authorities over data resources and non-data resources are brought under unified management, as one organic whole, through the resource authority tree; a subject's access authorities over data resources are determined by the service, the service context is presented in the form of a resource directed tree, and when access control requirements change or access control authorities are configured wrongly or in conflict, the problem can be located quickly and responded to efficiently;
The resource authority tree is a directed tree formed from a number of resource nodes. A resource node is represented by a four-tuple of resource node ID, resource information, allocated operation authorities and access control rules, where the resource node ID uniquely identifies the directed tree and the position of the resource within it; the resource information is represented by a five-tuple of resource ID, resource name, resource type, resource attributes and supported operation authorities, where the resource ID uniquely identifies the resource, the resource name is obtained automatically, the resource type includes but is not limited to menu, page control and data, the resource attributes are the attribute set of the resource, and the supported operation authorities are determined by the resource type; the allocated operation authorities are a set of authorities selected from the supported operation authorities; the access control rules are a rule set constructed from the attribute information of the user, the resource and the context; and the relationship between resource nodes is determined by business logic predefined in the SaaS software code.
2. The SaaS resource access control method based on a resource authority tree according to claim 1, characterized in that: in Step 2.1, a resource directed atomic tree represents a minimum service unit, and the resources related to the service are automatically associated and organized according to the logical relationships predefined in the SaaS software code; the leaf nodes of a resource directed atomic tree are resources of the data type; and no duplicate resource nodes are allowed within the same tree.
3. The SaaS resource access control method based on a resource authority tree according to claim 1, characterized in that: in Step 2.2, one or more resource directed atomic trees are combined according to the requirements of the service scenario to generate one resource directed tree; one resource directed tree represents a complete service scenario, generally corresponds to a service that the SaaS opens to customers, has a correspondingly similar access control strategy, and is the entry point for reducing the workload of authority allocation.
4. The SaaS resource access control method based on a resource authority tree according to claim 1, characterized in that: in Step 2.3, roles and resource authority trees are mapped many-to-many, and a resource directed tree and resource authority trees are mapped one-to-many; according to the generation rule of the resource directed tree, the authorities of parent and child nodes of a resource authority tree have an implication relationship, and child nodes by default inherit all authorities of the parent node but may be redefined provided that no conflict constraint is violated, which reduces the authority allocation workload while preserving the flexibility of authority allocation.
5. The SaaS resource access control method based on a resource authority tree according to claim 1, characterized in that: in Step 2.3, the attribute information of users, resources and the context environment is identified, attribute-based access control rules are established on the basis of the ABAC model, and fine-grained authority control is performed on the resource nodes in the resource authority tree; the user attribute information includes but is not limited to user ID, tenant, department, organization, post, job level, security level and authorized area; the resource attributes include but are not limited to resource provider ID, tenant, department, organization and security level; the context environment includes but is not limited to the user's login location and login time; the attribute information is customized as required according to the business characteristics of the SaaS; the access control rules corresponding to resources with the same resource ID within a tenant are not allowed to conflict; and child nodes of the resource authority tree inherit the access control rules of the parent node by default, without one-by-one configuration.
6. The SaaS resource access control method based on a resource authority tree according to claim 1, characterized in that: in Step 2.4, users with the same roles are organized in the form of user groups so that repeated generation of users' resource authority trees is avoided; user-user group, user group-role and user-role are all many-to-many mappings, so one user may in fact correspond to several roles and therefore to several resource authority trees; the several resource authority trees corresponding to the same resource directed tree, and the authorities over the same resource referenced by several resource authority trees, are merged and their conflicts eliminated, finally giving the set of effective resource authority trees that dynamically corresponds to the user.
7. The SaaS resource access control method based on a resource authority tree according to claim 1, characterized in that: in Step 2.5, user attribute information, resource attribute information and the context environment are obtained in real time, the allocated operation authorities and access control rules of the resource node are obtained from the user's set of resource authority trees according to the resource node ID associated with the resource, whether the user has access authority for the resource is determined by rule analysis and authority matching, and the corresponding result is returned, realizing access control.
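As an added illustration of the claims above and of the subsidiary X embodiment (this is example code written for this page, not code from the patent or its applicant), the following Python models the resource authority tree of claim 1 (node four-tuple, resource five-tuple), the parent-to-child inheritance of operation authorities and rules with a conflict constraint on redefinition (claims 4 and 5), the user / user group / role mapping that yields a user's set of trees (claim 6), and the access decision of claim 7. Everything from the constructed sample downward is hypothetical: the operation vocabulary per resource type, the rules, the roles, the users, the tenant and the decision to grant when any one of the user's trees permits the operation are assumptions of this example, not specifics stated by the patent.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Operations supported by each resource type. Constructed sample values: the claims
# only say that the supported operation set is determined by the resource type.
SUPPORTED_OPS: Dict[str, Set[str]] = {
    "menu": {"view"}, "control": {"view"}, "data": {"view", "edit", "delete"},
}

# ABAC rule: (user attributes, resource attributes, context) -> allow?
Rule = Callable[[dict, dict, dict], bool]


@dataclass
class Resource:
    """Resource information five-tuple: ID, name, type, attributes, supported ops."""
    resource_id: str
    name: str
    rtype: str
    attrs: dict = field(default_factory=dict)

    @property
    def supported_ops(self) -> Set[str]:
        return SUPPORTED_OPS[self.rtype]


@dataclass
class Node:
    """Resource node four-tuple: node ID, resource, allocated ops, access rules.
    ops/rules left as None are inherited from the parent node (claims 4 and 5)."""
    node_id: str
    resource: Resource
    parent: Optional["Node"] = None
    ops: Optional[Set[str]] = None
    rules: Optional[List[Rule]] = None

    def allocated_ops(self) -> Set[str]:
        if self.ops is not None:
            return self.ops
        inherited = self.parent.allocated_ops() if self.parent else set()
        return inherited & self.resource.supported_ops  # inherit only what the type supports

    def access_rules(self) -> List[Rule]:
        if self.rules is not None:
            return self.rules
        return self.parent.access_rules() if self.parent else []


class ResourceAuthorityTree:
    """Authority tree of one role over one resource directed tree. Node IDs are
    '<directed tree ID>/<path>', so the same node ID appears in every role's tree
    derived from that directed tree (the ID fixes both tree and position)."""

    def __init__(self, role: str, directed_tree_id: str):
        self.role, self.tree_id = role, directed_tree_id
        self.nodes: Dict[str, Node] = {}

    def add(self, path: str, resource: Resource, ops: Optional[Set[str]] = None,
            rules: Optional[List[Rule]] = None) -> Node:
        node_id = f"{self.tree_id}/{path}"
        if node_id in self.nodes:
            raise ValueError(f"duplicate resource node {node_id}")  # claim 2
        parent_path = path.rpartition("/")[0]
        parent = self.nodes[f"{self.tree_id}/{parent_path}"] if parent_path else None
        if ops is not None and not ops <= resource.supported_ops:
            # conflict constraint (assumption): only supported operations may be allocated
            raise ValueError(f"{node_id}: unsupported ops {sorted(ops - resource.supported_ops)}")
        self.nodes[node_id] = Node(node_id, resource, parent, ops, rules)
        return self.nodes[node_id]


def resolve_trees(user_id: str, user_groups: Dict[str, Set[str]], group_roles: Dict[str, Set[str]],
                  user_roles: Dict[str, Set[str]],
                  role_trees: Dict[str, List[ResourceAuthorityTree]]) -> List[ResourceAuthorityTree]:
    """user -> user groups -> roles, plus direct user -> roles (Step 2.4 / claim 6)."""
    roles = set(user_roles.get(user_id, set()))
    for group in user_groups.get(user_id, set()):
        roles |= group_roles.get(group, set())
    return [t for role in sorted(roles) for t in role_trees.get(role, [])]


def check_access(user: dict, trees: List[ResourceAuthorityTree], node_id: str, op: str,
                 resource_attrs: dict, context: dict) -> bool:
    """Step 2.5 / claim 7: look the node up by ID in each of the user's trees; grant
    if some tree allocates the operation and all of that node's rules pass. Merging
    several roles as 'any node grants' is this example's conflict-resolution choice."""
    for tree in trees:
        node = tree.nodes.get(node_id)
        if node is not None and op in node.allocated_ops() and all(
                rule(user, resource_attrs, context) for rule in node.access_rules()):
            return True
    return False


# --- constructed sample: hypothetical tenant X, work order management service ---
wo_menu = Resource("r-menu-wo", "Work orders", "menu")
wo_data = Resource("r-data-wo", "Work order records", "data")

def same_tenant(u, r, c): return u["tenant"] == r["tenant"]
def own_record(u, r, c): return r["owner"] == u["user_id"]
def own_area(u, r, c): return r["area"] in u["authorized_areas"]
def office_hours(u, r, c): return 8 <= c["login_hour"] < 20

employee = ResourceAuthorityTree("employee", "workorder")
employee.add("wo", wo_menu, {"view"}, [same_tenant])
employee.add("wo/records", wo_data, None, [same_tenant, own_record])  # inherits {"view"}

engineer = ResourceAuthorityTree("ops_engineer", "workorder")
engineer.add("wo", wo_menu, {"view"}, [same_tenant])
engineer.add("wo/records", wo_data, {"view", "edit"}, [same_tenant, own_area, office_hours])

ROLE_TREES = {"employee": [employee], "ops_engineer": [engineer]}
USER_GROUPS = {"alice": {"ops-north"}}          # user -> user groups
GROUP_ROLES = {"ops-north": {"ops_engineer"}}   # user group -> roles
USER_ROLES = {"alice": {"employee"}, "bob": {"employee"}}  # direct user -> roles

ALICE = {"user_id": "alice", "tenant": "X", "authorized_areas": {"north"}}
BOB = {"user_id": "bob", "tenant": "X", "authorized_areas": set()}
ALICE_TREES = resolve_trees("alice", USER_GROUPS, GROUP_ROLES, USER_ROLES, ROLE_TREES)
BOB_TREES = resolve_trees("bob", USER_GROUPS, GROUP_ROLES, USER_ROLES, ROLE_TREES)
```

Evaluating a request for alice (employee directly, ops engineer through her user group) shows the two mechanisms the claims combine: the own_record rule fails on her employee tree, but the ops engineer tree allocates view and edit on the same node ID and its area rule passes, so the request is granted; the same edit request outside the office-hours window is refused even though the operation is allocated, because the decision needs both authority matching and rule analysis.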
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010781030.6A CN111935131B (en) | 2020-08-06 | 2020-08-06 | SaaS resource access control method based on resource authority tree |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111935131A CN111935131A (en) | 2020-11-13 |
CN111935131B true CN111935131B (en) | 2024-06-07 |
Family ID: 73306787
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010781030.6A Active CN111935131B (en) | 2020-08-06 | 2020-08-06 | SaaS resource access control method based on resource authority tree |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111935131B (en) |
Families Citing this family (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113722725A (en) * | 2020-12-24 | 2021-11-30 | 京东数字科技控股股份有限公司 | Resource data acquisition method and system |
CN112633764A (en) * | 2020-12-31 | 2021-04-09 | 北京捷通华声科技股份有限公司 | Intelligent customer service system and customer service method |
CN112800413B (en) * | 2021-02-26 | 2024-03-15 | 上海派拉软件股份有限公司 | Authority information pushing method, device, equipment and storage medium |
CN112818309A (en) * | 2021-03-04 | 2021-05-18 | 重庆度小满优扬科技有限公司 | Method and device for controlling data access authority and storage medium |
CN112861087A (en) * | 2021-03-08 | 2021-05-28 | 山东高速信息集团有限公司 | Authority distribution management method and system based on multiple parks and multiple units |
CN113190348B (en) * | 2021-04-28 | 2023-03-10 | 深圳市鹰硕云科技有限公司 | Cross-platform virtual resource allocation method, device, equipment and storage medium |
CN113221138B (en) * | 2021-04-30 | 2022-11-18 | 中核武汉核电运行技术股份有限公司 | Authority management system |
CN113239344B (en) * | 2021-05-12 | 2023-05-05 | 中国建设银行股份有限公司 | Access right control method and device |
CN112966292A (en) * | 2021-05-19 | 2021-06-15 | 北京仁科互动网络技术有限公司 | Metadata access authority control method, system, electronic equipment and storage medium |
CN113204427A (en) * | 2021-05-20 | 2021-08-03 | 远景智能国际私人投资有限公司 | Resource management method, resource management device, computer equipment and storage medium |
CN113507443B (en) * | 2021-06-10 | 2022-03-25 | 广州大学 | Internet of things access control method and device based on time capability tree and storage medium |
CN113612724B (en) * | 2021-06-10 | 2022-01-25 | 广州大学 | Internet of things access control method and device based on capability |
CN113282896A (en) * | 2021-06-11 | 2021-08-20 | 上海数禾信息科技有限公司 | Authority management method and system |
CN113505996A (en) * | 2021-07-13 | 2021-10-15 | 上海数禾信息科技有限公司 | Authority management method and device |
CN113590118B (en) * | 2021-07-23 | 2024-02-09 | 南京赛宁信息技术有限公司 | Resource authority control device and method based on DRF framework |
CN113742743B (en) * | 2021-07-23 | 2023-08-08 | 苏州浪潮智能科技有限公司 | LDAP-based data encryption access control method and system |
CN113536254A (en) * | 2021-07-26 | 2021-10-22 | 平安资产管理有限责任公司 | Resource permission configuration method and device, computer equipment and storage medium |
CN113591126B (en) * | 2021-08-12 | 2023-02-07 | 北京滴普科技有限公司 | Data authority processing method and computer readable storage medium |
CN113839942A (en) * | 2021-09-22 | 2021-12-24 | 上海妙一生物科技有限公司 | User authority management method, device, equipment and storage medium |
CN113591134B (en) * | 2021-09-28 | 2021-12-14 | 广东机电职业技术学院 | Threat intelligence big data sharing method and system |
CN114139139A (en) * | 2022-02-07 | 2022-03-04 | 树根互联股份有限公司 | Authority management and control method and device for service and application and electronic equipment |
CN114726632B (en) * | 2022-04-14 | 2024-04-05 | 广州鑫景信息科技服务有限公司 | Login method, login equipment and storage medium |
CN116186652B (en) * | 2022-12-22 | 2024-01-02 | 博上(山东)网络科技有限公司 | Authority management method, system, equipment and readable storage medium |
CN116842220B (en) * | 2023-07-06 | 2024-01-02 | 中国科学院青藏高原研究所 | Data access method based on logic classification and data role control |
CN116800550A (en) * | 2023-08-29 | 2023-09-22 | 北京仁科互动网络技术有限公司 | Region management method, device and equipment in software as a service (SaaS) mode |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103701801A (en) * | 2013-12-26 | 2014-04-02 | 四川九洲电器集团有限责任公司 | Resource access control method |
CN107104931A (en) * | 2016-02-23 | 2017-08-29 | 中兴通讯股份有限公司 | A kind of access control method and platform |
WO2018121445A1 (en) * | 2016-12-29 | 2018-07-05 | 中兴通讯股份有限公司 | Multi-tenant access control method and apparatus |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8843648B2 (en) * | 2009-05-26 | 2014-09-23 | Microsoft Corporation | External access and partner delegation |
US8595799B2 (en) * | 2012-04-18 | 2013-11-26 | Hewlett-Packard Development Company, L.P. | Access authorization |
- 2020-08-06 CN CN202010781030.6A patent/CN111935131B/en active Active
Non-Patent Citations (3)
Title |
---|
Design of a pluggable access control framework in SaaS mode; 申利民; 《小型微型计算机***》; 2010-06-15; Vol. 31 (No. 6); full text * |
Service Availability Monitoring and Measurement Based on Customer Perception; Guihua Wang; 《2018 IEEE 9th International Conference on Software Engineering and Service Science (ICSESS)》; 2019-03-10; full text * |
A SaaS multi-tenant multi-domain access control model based on a role hierarchy tree; 熊光辉; 白尚旺; 党伟超; 潘理虎; 张睿; 计算机应用与软件; 2018-06-12 (06); full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |