CN113765925B - Improved method based on OSAC and PERM access control model - Google Patents

Improved method based on OSAC and PERM access control model

Info

Publication number
CN113765925B
Authority
CN
China
Prior art keywords
policy information
authority
request
osac
model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111051910.9A
Other languages
Chinese (zh)
Other versions
CN113765925A (en)
Inventor
李丹
荆留清
钱祺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Jiuzhou Future Information Technology Co ltd
Original Assignee
Zhejiang 99Cloud Information Service Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang 99Cloud Information Service Co Ltd
Priority to CN202111051910.9A
Publication of CN113765925A
Application granted
Publication of CN113765925B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an improved method based on an OSAC and PERM access control model, which comprises the following steps: the sub-account user sends a request for viewing the cloud host list to a back-end service through the front end of the cloud platform; the back end acquires the authority policy information bound by the sub-account user according to the request, acquires the requested content from the request, and splices the requested content into temporary authority policy information; and a matching stub function matches the authority policy information against the temporary authority policy information to obtain an authentication result. The method increases the feasibility of access control on the cloud computing platform, avoids the high risk of user operations on data authority, expands the expressive capability of the model, realizes fine-grained dynamic authority allocation, and greatly improves performance; the invention separates policy formulation from the OSAC model and its implementation and lets the actual user fill in the policy, so that the policy content is transparent in the improved model and finer-grained access control of user authority is achieved.

Description

Improved method based on OSAC and PERM access control model
Technical Field
The invention belongs to the technical field of edge cloud computing, and particularly relates to an improved method based on an OSAC and PERM access control model.
Background
To meet enterprise demands, some enterprises choose to deploy applications on the cloud computing platform of a cloud service provider; in this scenario, the cloud service provider's control of data resources and user authentication becomes a critical security problem.
The traditional method uses an RBAC model to manage users, roles and authorities: authorities are bound to roles, and roles are assigned to users when the users are created. However, RBAC's authentication only restricts which operations a user may perform, not which objects the user may operate on. For example, granting a role the authority to operate cloud hosts gives everyone holding that role authority over every cloud host, and it is impossible to subdivide further so that other people or other organizations cannot see a given cloud host.
Another approach is OpenStack Access Control (OSAC), which implements access control for users on top of OpenStack's native RBAC-based model. Every user authorization requires binding a role to the user, which tends to cause confusion and inefficiency in access rights control when faced with a surge of users of many types and hierarchies and the dynamic allocation and use of rights by many users that follows.
The native OSAC model is designed for OpenStack usage scenarios, its portability is poor, and it still has the drawbacks of the RBAC model.
Disclosure of Invention
Aiming at the technical problems in the related art, the invention provides an improved method based on an OSAC and PERM access control model, which can overcome the defects in the prior art.
In order to achieve the technical purpose, the technical scheme of the invention is realized as follows:
an improved method based on an OSAC and PERM access control model, the method comprising:
the sub-account user sends a request for viewing a cloud host list to a back-end service through the front end of the cloud platform, wherein the requested content comprises a requested action and a requested resource path, and the requested resource path comprises the requested resource's home account and the requested resource type;
the back-end service receives the request, acquires the authority policy information bound by the sub-account user according to the request, acquires the requested content from the request, and composes the requested content into temporary authority policy information;
the back-end service defines a custom matching stub function, and the matching stub function matches the authority policy information against the temporary authority policy information to obtain a matching result, namely the authentication result, wherein
when the authentication result is true, authentication succeeds and the expected data is returned: when the sub-account user views the cloud host list, the information of the cloud host corresponding to the unique identifier is seen;
and when the authentication result is false, authentication fails and an empty list is returned.
Furthermore, in the step of obtaining the matching result, the matching result is obtained by logical operation, that is, when the sub-account user binds several policies, a logical true/false judgment must be made over all of them.
Further, the matching stub function matching the authority policy information against the temporary authority policy information to obtain a matching result comprises:
checking whether the authority policy information is consistent with the temporary authority policy information, wherein if they are consistent the matching result is true, and if at least one item fails to match the matching result is false.
Further, the sub-account user is created by a primary account, and the primary account authorizes the authority policy information to the sub-account user.
The invention has the following beneficial effects: the method increases the feasibility of access control on the cloud computing platform, avoids the high risk of user operations on data authority, expands the expressive capability of the model, realizes fine-grained dynamic authority allocation, and greatly improves performance; the invention reworks OSAC with PERM, separates policy formulation from the OSAC model and its implementation, and lets the actual user fill in the policy, so that the policy content is transparent in the improved model and finer-grained access control of user authority is achieved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates an OSAC model diagram in accordance with an embodiment of the present invention;
FIG. 2 illustrates a PERM metamodel diagram according to an embodiment of the invention;
FIG. 3 illustrates a PERM-based modified OSAC model graph in accordance with an embodiment of the present invention;
FIG. 4 illustrates a comparison of an OSAC model with an improved model in accordance with an embodiment of the present invention;
FIG. 5 shows a flow diagram of an improved method based on the OSAC and PERM access control models, according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1, an improved method based on an OSAC and PERM access control model comprises:
Step S1: the sub-account user sends a request for viewing a cloud host list to a back-end service through the front end of the cloud platform, wherein the requested content comprises a requested action and a requested resource path, and the requested resource path comprises the requested resource's home account and the requested resource type;
Step S2: the back-end service receives the request, acquires the authority policy information bound by the sub-account user according to the request, acquires the requested content from the request, and composes the requested content into temporary authority policy information;
Step S3: the back-end service defines a custom matching stub function, and the matching stub function matches the authority policy information against the temporary authority policy information to obtain a matching result, namely the authentication result, wherein
when the authentication result is true, authentication succeeds and the expected data is returned: when the sub-account user views the cloud host list, the information of the cloud host corresponding to the unique identifier is seen;
and when the authentication result is false, authentication fails and an empty list is returned.
In some embodiments of the present invention, in the step of obtaining the matching result, a logical operation is used to obtain the matching result, that is, when the sub-account user binds several policies, a logical true/false judgment must be made over all of them.
In some embodiments of the present invention, the matching stub function matching the authority policy information against the temporary authority policy information to obtain a matching result comprises:
checking whether the authority policy information is consistent with the temporary authority policy information, wherein if they are consistent the matching result is true, and if at least one item fails to match the matching result is false.
In some embodiments of the invention, the sub-account user is created by a primary account, which grants the authority policy information to the sub-account user.
As shown in FIG. 1, the native OSAC model is designed on the basis of the role-based access control model (RBAC) and contains users, user groups, roles, projects, domains and the like. In OSAC, a user is assigned rights on a particular project only through a role.
As shown in FIG. 2, the PERM meta-model is composed of four basic primitives: Policy, Effect, Request and Matcher. The Request and Policy primitives abstractly describe the access request and the policy rule, the Matcher defines the rule for matching an access request against a policy rule, and the Effect integrates several matching results. Together they achieve three properties: policy language independence, access control model independence and programming language independence.
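A minimal engine built from the four PERM primitives, added here as an illustration (it is not code from the patent or from any PERM implementation): the enforcement loop is identical for an ACL model and an RBAC model, and only the matcher and the effect function are swapped, which is what the three independences above amount to in practice. The function names, the role table and the policy rows are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

Request = Tuple[str, ...]             # r: the access request, e.g. (sub, obj, act)
PolicyRule = Tuple[str, ...]          # p: one policy rule; its last field is the eft
Matcher = Callable[[Request, PolicyRule], bool]
Effect = Callable[[List[str]], bool]  # integrates the efts of the matched rules


def enforce(r: Request, policies: List[PolicyRule],
            matcher: Matcher, effect: Effect) -> bool:
    """The engine loop: the Matcher decides which rules apply to the request,
    the Effect integrates their efts. Nothing here depends on the model."""
    matched_efts = [p[-1] for p in policies if matcher(r, p)]
    return effect(matched_efts)


# Two Effect definitions. They are plain functions here; in a PERM policy
# language they would be expressions over the effect list.
def some_allow(efts: List[str]) -> bool:
    return "allow" in efts


def deny_override(efts: List[str]) -> bool:
    return "allow" in efts and "deny" not in efts


# Model 1: ACL. r = (sub, obj, act); p = (sub, obj, act, eft)
def acl_matcher(r: Request, p: PolicyRule) -> bool:
    return r[0] == p[0] and r[1] == p[1] and r[2] == p[2]


# Model 2: RBAC. Same request and policy shapes; the matcher also accepts a
# rule whose subject is one of the requester's roles (constructed role table).
ROLE_OF: Dict[str, List[str]] = {"alice": ["admin"], "bob": ["viewer"]}


def rbac_matcher(r: Request, p: PolicyRule) -> bool:
    subjects = [r[0]] + ROLE_OF.get(r[0], [])
    return p[0] in subjects and r[1] == p[1] and r[2] == p[2]


# Constructed policy sets; "host-1" stands in for a cloud host.
ACL_POLICIES: List[PolicyRule] = [
    ("alice", "host-1", "read", "allow"),
    ("bob", "host-1", "read", "allow"),
    ("bob", "host-1", "read", "deny"),      # conflicting rule for bob
]
RBAC_POLICIES: List[PolicyRule] = [
    ("admin", "host-1", "read", "allow"),
    ("viewer", "host-1", "read", "allow"),
    ("bob", "host-1", "read", "deny"),      # user-level deny beside a role allow
]


def demo() -> Dict[str, bool]:
    """Same engine, several combinations of model and effect."""
    bob = ("bob", "host-1", "read")
    return {
        "acl_alice_some_allow": enforce(("alice", "host-1", "read"), ACL_POLICIES, acl_matcher, some_allow),
        "acl_bob_some_allow": enforce(bob, ACL_POLICIES, acl_matcher, some_allow),        # allow wins
        "acl_bob_deny_override": enforce(bob, ACL_POLICIES, acl_matcher, deny_override),  # deny wins
        "rbac_bob_deny_override": enforce(bob, RBAC_POLICIES, rbac_matcher, deny_override),
        "rbac_carol_some_allow": enforce(("carol", "host-1", "read"), RBAC_POLICIES, rbac_matcher, some_allow),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The two effect functions show why the integrator matters for security: with the same policy rows, `some_allow` lets bob read host-1 despite an explicit deny, while `deny_override` refuses. Which one a deployment wants is a policy decision, and the engine leaves it to the Effect primitive rather than hard-coding it.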
As shown in FIG. 4, the improved model changes the authorization logic and treats the user and the role as the same level for direct authorization, thereby realizing dynamic authority management for users and allowing users to be authorized directly. In the original OSAC model both the authorized content and the request content are only REST API paths; in the transformed model the authorized content is a policy, and the request content carries additional policy attributes on top of the REST API path, introduced through custom policies, which makes the authentication of authority finer. A matcher and a custom stub function are implemented, and authentication is carried out through an integrator, so that the whole authentication is more flexible and fine-grained.
As shown in FIG. 5, the improved model separates policy formulation from the model and its implementation; the policy is filled in by the user according to the actual situation, so the policy content is transparent to the improved model.
1. Technical problem to be solved by the invention (object of the invention)
In order to increase the feasibility of access control on a cloud computing platform and avoid the high risk of user operations on data authority, the invention improves the OSAC model on the basis of PERM and proposes an improvement scheme based on PERM and OSAC: PERM is used to add policy integration and matching stub functions to OSAC without depending on the characteristics or implementation of the access control model, so that users obtain authority directly, the expressive capability of the model is expanded, and fine-grained dynamic authority allocation is realized.
2. The working principle (invention scheme) provided by the invention
As shown in FIG. 3, the improved model changes users (Users) and roles (Roles) into a hierarchical authorization structure, so that permission can be granted to roles and thereby to users, or granted directly to users. Meanwhile, authorization takes the form of a configured policy (Policy), and the content of the policy is expanded from the URL access path of the resource into four parts: access path, access resource attribution, request action and policy effect. The resource path is defined as resource; access resource attribution is defined as the resource group project and the resource home account; the request action is defined as action; and the policy effect is defined as eft. Expressed with PERM primitives:
P = project, account, resource, action, eft    (1)
The access request is expanded from the original URL access path into three parts, access resource path, access resource attribution and request action, and is expressed with PERM primitives as:
r = project, account, resource, action    (2)
In formulas (1) and (2), resource describes the resource path (URN). To manage and control each resource at fine granularity, the invention designs a unified resource path (uniform resource name) containing the resource type and the unique identifier id, which locates a specific resource:
resource = service, account, type, id    (3)
The resource URN has the format ucs:${service name}:${region unique identifier}:${primary account unique identifier}:${resource type}/${resource unique identifier};
In the matcher (Matcher), the improved model can use a custom matching stub function (custom Matcher) to match the policy (Policy) against the access request (Request); expressed with PERM primitives, the matcher is represented as
In an actual application scenario a user often has more than one authority policy, and one policy often grants more than one authority, so a user's access request has to be matched against several authorities, which requires integrating the matching results of several policies. Since the native OSAC model lacks policy integration, the improved model uses a policy effect integrator (Effect) whose integration effect can be set as needed. The integrator works together with the matcher: each time the matcher successfully matches a policy, that policy's effect is recorded in the effect list, which is passed to the integrator for logical operation.
3. As a point of distinction from the prior art of the present invention:
The native OSAC model is designed for OpenStack usage scenarios, its portability is poor, and it still has the drawbacks of the RBAC model. The invention reworks OSAC with PERM, separates policy formulation from the OSAC model and its implementation, and lets the actual user fill in the policy, so that the policy content is transparent in the improved model and finer-grained access control of user authority is achieved.
Through the design of the invention, the feasibility of access control on the cloud computing platform is increased, the high risk of user operations on data authority is avoided, the expressive capability of the model is expanded, fine-grained dynamic authority allocation is realized, and performance is greatly improved.
The expressive capability experiment compares the improved model with the native OSAC model; the result is shown in Table 1. A public cloud platform usually manages cloud users in units of tenants, so support for multiple tenants is important for cloud platform access control. The improved model replaces the region concept with the Account (resource home account) concept to support tenant-granularity authority management in the cloud environment. OpenStack distributes user permissions by granting permissions to roles and binding roles to users, and does not support dynamic user permission management; the improved model changes the authorization logic and authorizes users and roles directly at the same level, thereby realizing dynamic user permission management. The policy base and the matcher implemented in the improved model support policy integration and stub functions.
The performance evaluation experiment mainly studies the performance difference between the original OSAC model and the improved model: under the same environment and the same data source, the time taken by repeated authentication requests of the same user is measured under the two access control models; the test data are shown in Table 2. Table 2 lists the number of milliseconds each model needs to complete 50, 100, 200 and 500 repeated requests, from which a performance loss of about 10% for the improved model compared with the native model can be calculated.
TABLE 1 comparison of OSAC model and modified model expression
TABLE 2 Comparison of OSAC model and improved model performance (milliseconds)

Number of requests    50      100     200     500
OSAC model            7361    15272   30367   75139
Improved model        8231    17682   33351   84178
The embodiment of the invention provides an improved method based on OSAC and PERM access control, which realizes the expansion of the expression capacity of a model and the dynamic authority allocation of user access control with fine granularity.
In the following fig. 5, a high-authority user may make a policy grant to a user under its administrative domain, and after the authorized user sends a request for accessing a resource, the authority policy and the request are matched through a matcher, and a matching result set is logically operated by an effect integrator to obtain a final authentication result.
The interface is presented below as an example of viewing cloud host details.
S1. The primary account 1 (unique identifier 1463963314690513) creates several cloud hosts in region 1: cloud host 1, cloud host 2, cloud host 3 and cloud host 4, where the unique identifier of cloud host 1 is i-3fb205f3b5d44bae;
S2. The primary account (unique identifier 1463963314690513) creates a custom policy according to the policy rule ucs:${service name}:${region unique identifier}:${primary account unique identifier}:${resource type}/${resource unique identifier}; for example, policy-1 is added as acs:ecs:cn-wuxi1:1463963314690513:instance/i-3fb205f3b5d44bae;
S3. The primary account 1 (unique identifier 1463963314690513) creates the sub-account user1;
S4. The primary account 1 (unique identifier 1463963314690513) authorizes the authority policy-1 created in S2 to the sub-account user1 created in S3, that is, user1 binds policy-1, and the back-end service stores the user and authority data in the corresponding database;
S5. The sub-account user1 created in S3 logs in to the cloud platform to view the cloud host list;
S6. The sub-account user1 can only see cloud host 1, whose unique identifier is i-3fb205f3b5d44bae.
The technical authentication flow is as follows (FIG. 5):
Sa. The sub-account user1 logs in to the cloud platform to view the cloud host list, and the front end of the cloud platform sends a REST API request to view the cloud host list (S5); the resource path of the request sent by user1 is acs:ecs:cn-wuxi1:1463963314690513:instance/i-3fb205f3b5d44bae.
Sb. The back-end service receives the REST API request and queries the database according to the user1 information in the request data to obtain the authority policy information policy-1 bound by user1. From the request content it acquires the request action ListInstances, the request resource home account 1463963314690513 and the request resource type instance, and the back end splices this valid information into a temporary policy-2.
Sc. The back-end service defines a custom matching stub function, which matches the acquired authority policy-1 against the temporary policy-2 spliced from the access request content; the matching process checks whether policy-1 and policy-2 are consistent.
Sd. A matching result set is obtained from the consistency check of policy-1 and policy-2, where consistent is True and inconsistent is False. The result set is then subjected to logical operation on the False-priority principle: when user1 binds several policies, each of them has to be matched, which yields several matching results; if any one policy fails to match (False), the user's result set is False, and only when all policies pass is the result set True.
Se. The authentication result effect is obtained through the logical operation of Sd.
When the effect is true, authentication passes and the expected data is returned: when user1 views the cloud host list, only cloud host 1 with unique identifier i-3fb205f3b5d44bae can be seen; when the effect is false, authentication fails, and user1 sees only an empty list when viewing the cloud host list.
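A worked implementation of the flow above, added here as an example (it is not the patent's own code): it builds the policy and request tuples of formulas (1) to (3) from section 2, parses the resource URN in the stated format, splices the temporary policy of step Sb, runs the matching stub function of step Sc, and applies the effect list and False-priority integration of section 2 and step Sd, reading the two passages together so that the effects of the matched policies are what gets integrated and an absent match or a deny effect yields False. The sample data follows steps S1 to S6 (primary account 1463963314690513, region cn-wuxi1, cloud host i-3fb205f3b5d44bae, policy-1, sub-account user1); the project name, the other three host identifiers, the default-deny choice and all function names are assumptions.

```python
from typing import List, NamedTuple


# Formula (3): a resource is located by a uniform resource path (URN) carrying
# the resource type and unique identifier. The page gives the format
# ucs:${service}:${region}:${primary account}:${type}/${id}; its worked example
# writes the prefix as "acs", so the prefix is parsed but not pinned here.
class ResourceURN(NamedTuple):
    prefix: str
    service: str
    region: str
    account: str
    rtype: str
    rid: str


def parse_urn(urn: str) -> ResourceURN:
    """Strictly parse 'prefix:service:region:account:type/id'. A malformed
    path raises instead of matching partially, so it can never satisfy a policy."""
    parts = urn.split(":")
    if len(parts) != 5:
        raise ValueError(f"URN needs 5 colon-separated fields: {urn!r}")
    prefix, service, region, account, tail = parts
    rtype, sep, rid = tail.partition("/")
    if not sep or not all((prefix, service, region, account, rtype, rid)):
        raise ValueError(f"URN has an empty field: {urn!r}")
    return ResourceURN(prefix, service, region, account, rtype, rid)


# Formula (1): P = project, account, resource, action, eft
class Policy(NamedTuple):
    project: str
    account: str
    resource: str
    action: str
    eft: str  # "allow" or "deny"


# Formula (2): r = project, account, resource, action
class Request(NamedTuple):
    project: str
    account: str
    resource: str
    action: str


def build_temporary_policy(req: Request) -> Policy:
    """Step Sb: the back end takes the valid request content (action, resource
    home account, resource path with its type and id) and splices it into a
    temporary policy. The path is validated, and its account field must agree
    with the account named in the request (an added consistency check)."""
    urn = parse_urn(req.resource)
    if urn.account != req.account:
        raise ValueError("request account differs from the resource's home account")
    return Policy(req.project, req.account, req.resource, req.action, "allow")


def match_stub(bound: Policy, temp: Policy) -> bool:
    """Step Sc: the custom matching stub function checks that the bound policy
    and the temporary policy are consistent field by field; eft is the bound
    policy's own effect and is not part of the comparison."""
    return bound[:4] == temp[:4]


def integrate_effects(effects: List[str]) -> bool:
    """Steps Sd/Se: the effect integrator applies the False-priority rule to the
    effects recorded for matched policies. No matched policy, or any matched
    policy carrying a deny effect, yields False (default deny is an assumption)."""
    return bool(effects) and all(eft == "allow" for eft in effects)


def authenticate(bound_policies: List[Policy], req: Request) -> bool:
    """Whole flow: build the temporary policy, run the matcher over every bound
    policy, record the effect of each policy that matched, and integrate."""
    try:
        temp = build_temporary_policy(req)
    except ValueError:
        return False  # malformed or inconsistent request content fails closed
    effects = [p.eft for p in bound_policies if match_stub(p, temp)]
    return integrate_effects(effects)


# --- constructed sample data following the page's worked example ---
PRIMARY_ACCOUNT = "1463963314690513"          # primary account 1
PROJECT = "project-placeholder"               # resource group; not given on the page
HOSTS = ["i-3fb205f3b5d44bae",                # cloud host 1 (id from the page)
         "i-host2-placeholder", "i-host3-placeholder", "i-host4-placeholder"]


def host_urn(rid: str) -> str:
    return f"acs:ecs:cn-wuxi1:{PRIMARY_ACCOUNT}:instance/{rid}"


# policy-1 created in step S2 and bound to sub-account user1 in step S4
POLICY_1 = Policy(PROJECT, PRIMARY_ACCOUNT, host_urn("i-3fb205f3b5d44bae"),
                  "ListInstances", "allow")
USER_POLICIES = {"user1": [POLICY_1]}


def list_visible_hosts(user: str, hosts: List[str]) -> List[str]:
    """Steps S5/S6: the list endpoint keeps only the hosts whose request
    authenticates; a user with no passing policy gets an empty list."""
    bound = USER_POLICIES.get(user, [])
    return [rid for rid in hosts
            if authenticate(bound, Request(PROJECT, PRIMARY_ACCOUNT,
                                           host_urn(rid), "ListInstances"))]


if __name__ == "__main__":
    print(list_visible_hosts("user1", HOSTS))  # ['i-3fb205f3b5d44bae']
    print(list_visible_hosts("user2", HOSTS))  # []
```

Two details are worth checking in any real implementation of this flow: the temporary policy is built only from a path that parses completely, so a truncated or malformed URN cannot be compared field by field and accidentally match, and an empty effect list is treated as a failure rather than as a vacuous "all passed".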
OSAC: openstack access control, open stack access control.
PERM: an access control metamodel, consisting of four basic primitives: policy, effect, request, matcher, describes the relationship between resources and users.
RBAC: role-based access control.
The method increases the feasibility of access control on the cloud computing platform, avoids the high risk of user operations on data authority, expands the expressive capability of the model, realizes fine-grained dynamic authority allocation, and greatly improves performance; the invention reworks OSAC with PERM, separates policy formulation from the OSAC model and its implementation, and lets the actual user fill in the policy, so that the policy content is transparent in the improved model and finer-grained access control of user authority is achieved.
Although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (4)

1. An improved method based on an OSAC and PERM access control model, comprising:
the sub-account user sends a request for viewing a cloud host list to the back end through the front end of the cloud platform, wherein the requested content comprises an access resource path, an access resource attribution and a request action; the resource is located by a uniform resource path consisting of a resource type and a unique identifier of the resource;
the back end receives the request, acquires the authority policy information bound by the sub-account user according to the request, acquires the requested content from the request, and composes the requested content into temporary authority policy information;
the back end defines a custom matching stub function, and the matching stub function matches the authority policy information bound by the sub-account user against the temporary authority policy information to obtain a matching result, namely the authentication result, wherein when the authentication result is true, authentication succeeds and the expected data is returned; obtaining the matching result comprises the OSAC model using a policy effect integrator, the policy integration effect being set according to requirements, the integrator being used in cooperation with a matcher, and when the matcher matches one policy successfully, the effect of the policy is recorded in an effect list and submitted to the integrator for logical operation, so that the authentication result is obtained; when the sub-account user views the cloud host list, the information of the cloud host corresponding to the unique identifier is seen;
when the authentication result is false, authentication fails and an empty list is returned;
wherein the authority is obtained directly by the user; authentication is realized in an integrator mode; after authentication succeeds, the authorized content comprises a policy; the user and the role are directly authorized at the same level; and the custom matching stub function is added to the OSAC model by means of PERM.
2. The improved method based on the OSAC and PERM access control model according to claim 1, wherein the matching result is obtained by means of logical operation, that is, when the sub-account user binds several policies, a logical true or false judgment must be made for those policies.
3. The improved method according to claim 1, wherein the matching stub function matching the authority policy information against the temporary authority policy information to obtain a matching result comprises: checking whether the authority policy information is consistent with the temporary authority policy information, wherein if they are consistent the matching result is true, and if at least one item fails to match the matching result is false.
4. The improved method according to claim 1, wherein the sub-account user is created by a primary account, and the primary account authorizes the sub-account user with the authority policy information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111051910.9A CN113765925B (en) 2021-09-08 2021-09-08 Improved method based on OSAC and PERM access control model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111051910.9A CN113765925B (en) 2021-09-08 2021-09-08 Improved method based on OSAC and PERM access control model

Publications (2)

Publication Number Publication Date
CN113765925A CN113765925A (en) 2021-12-07
CN113765925B true CN113765925B (en) 2023-07-25

Family

ID=78794112

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111051910.9A Active CN113765925B (en) 2021-09-08 2021-09-08 Improved method based on OSAC and PERM access control model

Country Status (1)

Country Link
CN (1) CN113765925B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113369A (en) * 2019-06-27 2019-08-09 无锡华云数据技术服务有限公司 Authentication method based on role-based permission control
CN110309666A (en) * 2019-07-10 2019-10-08 浪潮云信息技术有限公司 Fine-grained access control method and system based on policy syntax
CN111488595A (en) * 2020-03-27 2020-08-04 腾讯科技(深圳)有限公司 Method for realizing authority control and related equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102307185B (en) * 2011-06-27 2015-02-25 北京大学 Data isolation method used in storage cloud
CN112182522A (en) * 2019-07-05 2021-01-05 北京地平线机器人技术研发有限公司 Access control method and device
CN112733185A (en) * 2020-12-30 2021-04-30 普华云创科技(北京)有限公司 Attribute-based access control method and system for resources

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A metamodel-based access control policy description language; Luo Yang; Shen Qingni; Wu Zhonghai; Journal of Software (Issue 02); full text *

Also Published As

Publication number Publication date
CN113765925A (en) 2021-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 2 / F, building C, building 9, Huzhou multimedia Industrial Park, 999 Wuxing Avenue, Huzhou City, Zhejiang Province, 313000

Patentee after: Zhejiang Jiuzhou Future Information Technology Co.,Ltd.

Country or region after: China

Address before: 2 / F, building C, building 9, Huzhou multimedia Industrial Park, 999 Wuxing Avenue, Huzhou City, Zhejiang Province, 313000

Patentee before: Zhejiang Jiuzhou cloud Mdt InfoTech Ltd.

Country or region before: China