CN114268649A - RBAC permission modification method facing to Internet of things - Google Patents


Info

Publication number
CN114268649A
Authority
CN
China
Prior art keywords
authority
permission
new
access control
implication
Legal status
Granted
Application number
CN202111574576.5A
Other languages
Chinese (zh)
Other versions
CN114268649B (en)
Inventor
张磊
张芃
沈夏炯
韩道军
贾培艳
丁文珂
Current Assignee
Henan University
Original Assignee
Henan University


Abstract

The invention discloses an RBAC permission modification method facing to the Internet of things, which comprises the following steps. A: acquiring the access control log records of all permissions and preprocessing them to obtain the permission instance data and the set of all permissions of the Internet of things system. B: using the attribute-exploration-assisted role discovery method to establish the non-redundant set of access control instances, the permission implication set and the permission intent (connotation) set. C: obtaining the modified non-redundant set of access control instances, judging for each permission set whether its back piece (consequent) has increased or decreased, and finally obtaining the modified non-redundant set of access control instances, the new permission implication set and the new permission intent set. The method can quickly and accurately modify part of the permissions of an access control model according to the usage requirements, and effectively reduces the time cost of reconstructing the access control model.

Description

RBAC permission modification method facing to Internet of things
Technical Field
The invention relates to the technical field of access control (RBAC), in particular to an RBAC permission modification method facing to the Internet of things.
Background
With the development and application of Internet of things technology, the access control problem of the Internet of things has become increasingly prominent and is now one of the key factors restricting its development. The Internet of things integrates a large number of sensing devices, such as massive numbers of sensors and intelligent processing terminals, into the Internet in a wired or wireless manner. Under traditional access control techniques, the access control strategy of an Internet of things system is exposed to malicious human operation, illegal access by an external user disguised as a legitimate user, malicious tampering with data inside the system and similar hazards, which can lead to data leakage from the system. Mature Internet of things systems establish an access control model to manage access behaviour by policy, which avoids the problem of malicious human operation to a certain extent. Once the access control model has been established, however, modifying part of its permissions requires reconstructing the model. Since the access control model is likely to keep changing as the actual usage requirements grow, and frequent changes to the model necessarily increase the resource consumption of the system, reconstructing the access control model greatly increases the time cost for developers.
Disclosure of Invention
The invention aims to provide an RBAC permission modification method facing to the Internet of things, which can rapidly and accurately modify part of permissions of an access control model in the Internet of things system according to use requirements and effectively reduce the time cost for reconstructing the access control model.
The invention adopts the following technical scheme:
an RBAC permission modification method facing to the Internet of things sequentially comprises the following steps:
A: obtaining the access control log records of each permission from the Internet of things system, and performing data preprocessing on the obtained access control log records to obtain the permission instance data Data_0 of the Internet of things system and the set M of all permissions;
B: using the attribute-exploration-assisted role discovery method on the permission instance data Data_0 and the permission set M obtained in step A, establishing the non-redundant set K_S1 of access control instances of the Internet of things system, obtaining the permission implication set J_1 and the permission intent (connotation) set C_1 of the whole Internet of things system, and assigning the permissions in the access control context to users according to role;
C: for the role r to be modified and the permission set A corresponding to role r, starting from the determined non-redundant set K_S1 of access control instances, the permission implication set J_1 and the permission intent set C_1, modifying the permissions of role r in K_S1 into the input permission set A to obtain the non-redundant set K_S2 of access control instances; then, for each permission set in J_1 and C_1, judging whether its back piece (consequent) in K_S2 has increased or decreased:
if the back piece of a permission set has neither increased nor decreased, then: if the permission set belongs to the permission implication set J_1, it also belongs to the new permission implication set J_2; if it belongs to the permission intent set C_1, it also belongs to the new permission intent set C_2;
if the back piece of a permission set has increased, put the permission set into the new permission implication set J_2, find in J_1 and C_1 all permission sets that do not contain that back piece, and delete those permission sets from J_1 and C_1;
if the back piece of a permission set has decreased, then: if the back piece is empty, put the permission set into the new permission intent set C_2; if the back piece is not empty, put the permission set into the new permission implication set J_2, and find all permission sets that satisfy the three conditions of containing the front piece (antecedent) of the permission set in K_S1, not containing its back piece in K_S1, and containing its back piece in K_S2, taking these as the set to be added; perform the relatedness judgment on each permission set in the set to be added, and for each permission set that satisfies the relatedness condition, put it into the new permission intent set C_2 if its back piece is empty, or into the new permission implication set J_2 if its back piece is not empty;
finally obtaining the modified non-redundant set K_S2 of access control instances, the new permission implication set J_2 and the new permission intent set C_2.
The step A comprises the following specific steps:
a1: reading access control log records of all authorities from an Internet of things system;
a2: in the obtained access control log records of each authority, if a certain user has a certain authority, namely the user successfully accesses the certain authority, the authority corresponding to the user is marked as 1, otherwise, the authority is marked as 0;
a3: according to the method in the step A2, all the obtained access control log records are processed to obtain the Data of the system authority instance of the Internet of things0And simultaneously obtaining all authority sets M in the system.
The step B comprises the following specific steps:
b1: obtaining all authority sets M ═ (a) according to step A1,a2,a3,…,an-1,an) All the authority sets M are arranged in a dictionary sequence to obtain a set
Figure BDA0003424398710000031
Figure BDA0003424398710000032
Initializing a determined redundancy-free set of access control instances
Figure BDA0003424398710000033
Set of implication relationships of authority
Figure BDA0003424398710000034
From the set MqSet of taking dictionary first in order
Figure BDA0003424398710000035
B2: non-redundant set K at determined access control instancesS1In calculating fKs1(gKs1(Q)), if
Figure BDA0003424398710000036
Step B3 is entered; otherwise, go to step B4;
wherein,
Figure BDA0003424398710000037
non-redundant set K for access control instance under determinationS1Finds out all the users who have the right Q,
Figure BDA0003424398710000038
non-redundant set K for access control instance under determinationS1Finds out the rights commonly owned by all the users owning the rights Q,
Figure BDA0003424398710000039
for the Data of the authority instance0Find out all the owned rights
Figure BDA00034243987100000310
The user of (1);
b3: if the authority is
Figure BDA00034243987100000311
I.e. the role having the right Q is
Figure BDA00034243987100000312
And is
Figure BDA00034243987100000313
Is simultaneously Q, then the authority Q is added to the authority content set C1Performing the following steps; if the authority is
Figure BDA00034243987100000314
I.e. the role having the right Q is
Figure BDA00034243987100000315
But do not
Figure BDA00034243987100000316
If the common authority is not Q at the same time, the authority is implied in the relational expression
Figure BDA00034243987100000317
That is, a user has the right Q, then the user has the right
Figure BDA00034243987100000318
Add to set of rights implication relationships J1Then to step B5;
b4: from rights instance Data0Taking out a relation that the authority distribution does not conform to the authority implication
Figure BDA00034243987100000319
Instance o, i.e. instance o owns the right Q but not the right
Figure BDA00034243987100000320
And adds this instance to the determined non-redundant set K of access control instancesS1Then to step B6;
b5: finding out a next implication relation set J with authority according to the sequence of the dictionary order according to the theorem of relevance between the set and the implication set in the formal concept analysis1The related permission set Q 'is set to Q', and then the step B6 is entered;
b6: looping step B2 until the next set J of implication relationships with permissions1The associated set of permissions equals all sets of permissions M and proceeds to step B7;
b7: obtaining the determined non-redundant set K of the access control instance according to the above stepsS1Permission implication relation set J1And content set of rights C1Wherein the non-redundant set K of the access control instanceS1Each row in (1) represents a role and the permissions owned by the role, and permissions in the access control context are assigned to users according to the role.
In the step B6, if there exists a certain permission set and a certain permission implication, where the permission set does not include a front piece of the permission implication, or the permission set includes both a front piece of the permission implication and a back piece of the permission implication, the permission set is said to be related to the permission implication; if a certain permission set and a certain permission implication set exist, and the permission set is related to each permission implication in the permission implication set, the permission set is called to be related to the permission implication set.
The step C comprises the following specific steps:
c1: according to the role r to be modified and the authority A corresponding to the role r, accessing a non-redundancy set K of the control instanceS1The authority of the middle role r is modified into the authority A to obtain a redundancy-free set K of the access control instanceS2(ii) a Non-redundant set K from modified access control instanceS2Calculating the implications of all the front pieces with single attribute, putting the obtained implications into the newly-built set IMPs, and then entering the step C2;
c2: set the implication relationship of authority J1Placing the front pieces of all authority implication relations into a newly-built set F, and newly building a set to be added
Figure BDA0003424398710000041
Then proceed to step C3;
c3: if the new set F, the new set D and the authority content set C are established1If all are empty, go to step C15; if it isNewly-built set F, newly-built set D and permission content set C1If the three sets are not empty, the newly-built set F, the newly-built set D and the authority content set C are taken out1And (3) judging the source of the permission set b: if the permission set b comes from the permission connotation set C1Then go to step C4; if the permission set b is from the new set F, go to step C5; if the permission set b is from the new set D, go to step C6;
c4: set of subordinate rights connotations C1If the permission set b is not a non-redundancy set K of the role r in the access control instanceS1Is not a redundant set K of the modified role rS2Then directly put the permission set b into the new permission content set C2Performing the following steps;
if permission set b is the non-redundant set K of role r in the access control instanceS1Or a non-redundant set K of roles r after modificationS2A subset of rights in (1), then a determination is made
Figure BDA0003424398710000051
Whether it is equal to the set of permissions b;
if yes, putting the authority set b into a new authority content set C2And returning to step C2; if not, then will
Figure BDA0003424398710000052
Put into a new set of rights implication relationships J2And proceeds to step C7;
wherein,
Figure BDA0003424398710000053
non-redundant set K for access control instance after modificationS2Finds out all the users who have the right b,
Figure BDA0003424398710000054
non-redundant set K for access control instance after modificationS2Finding out the common authority of all users with authority b, and the relation of authority implication
Figure BDA0003424398710000055
Indicating that a user has the right b then the user must have the right
Figure BDA0003424398710000056
C5: deleting the authority set b from the new set F, if the authority set b is not the redundancy-free set K of the determined access control instance of the role rS1Is not a redundant set K of access control instances of role r after modificationS2The subset of rights in (1), then directly will
Figure BDA0003424398710000057
Put into a new set of rights implication relationships J2Then returns to step C2;
if the permission set b is a non-redundant set K of the access control instance of which the role r is determinedS1Or a non-redundant set K of roles r after modificationS2A subset of rights in (1), then a determination is made
Figure BDA0003424398710000058
Whether it is equal to the set of permissions b;
if yes, putting the authority set b into a new authority content set C2Then to step C9; if not, will
Figure BDA0003424398710000059
Put into a new set of rights implication relationships J2In, then, judge
Figure BDA00034243987100000510
If yes, the process proceeds to step C7, otherwise, the process proceeds to step C9;
wherein,
Figure BDA00034243987100000511
non-redundant set K referring to access control instance after modificationS2The authority commonly owned by all the users possessing the authority b is contained in the non-redundant set K of the determined access control instanceS1All the users with the authority b have the authority commonly;
c6: deleting the permission set b from the newly-built set D, and then judging
Figure BDA00034243987100000512
Whether it is equal to the set of permissions b; if yes, putting the permission set b into a new permission connotation set C2Performing the following steps; if not, will
Figure BDA00034243987100000513
Put into a new set of rights implication relationships J2Performing the following steps;
then proceed to step C7;
c7: judging in the right connotation set C1Whether or not there is inclusion
Figure BDA00034243987100000514
But do not comprise
Figure BDA0003424398710000061
If so, delete it and go to step C8; if not, go directly to step C8;
c8: judging whether the new set F contains
Figure BDA0003424398710000062
But do not comprise
Figure BDA0003424398710000063
Figure BDA0003424398710000064
If yes, deleting the right set and then entering the step C12; if not, returning to the step C3;
C9:creating a set
Figure BDA0003424398710000065
Find out that all the predecessors in the new set IMPs do not contain
Figure BDA0003424398710000066
Figure BDA0003424398710000067
And the union of the front part and the back part does not contain
Figure BDA0003424398710000068
After the found authorities are arranged and combined, the authority set after arrangement and combination is added to a new set E1Then to step C10;
c10: from the newly created set E1Take out a set of permissions e1Set of rights e1Authority set e1The back-piece and the set of rights for each individual right in the set
Figure BDA0003424398710000069
Combining the three, removing the repeated authority, and forming the final authority into a new authority set e2Then proceed to step C11;
c11: determine a new set of permissions e2Whether the new set D exists or not; if yes, directly returning to the step C10 to continue the operation until a new set is created
Figure BDA00034243987100000610
If the set D does not exist in the new set D, the new permission set e is set2Putting the position into a new set D according to the lexicographic order, returning to the step C10 to continue the operation until the new set is built in the step C10
Figure BDA00034243987100000611
When a collection is newly created
Figure BDA00034243987100000612
Then, returning to the step C3 for cycle calculation;
c12: creating a set
Figure BDA00034243987100000613
Find out that all the predecessors in the new set IMPs do not contain
Figure BDA00034243987100000614
And the union of the front part and the back part does not contain
Figure BDA00034243987100000615
And arranging and combining the found authorities and adding the arranged and combined authority set to a new set E2Then to step C13;
c13: from the newly created set E2Take out a set of permissions e3Set of rights e3Authority set e3A back-piece for each right in and
Figure BDA00034243987100000616
combining, removing repeated single attribute, and forming the obtained permission into a new permission set e4Then proceed to step C14;
c14: judging a new attribute set e4Whether the new set D exists or not; if yes, directly returning to the step C13 to continue operation; if not, the new authority set e is set4Putting the positions in the lexicographical order into a new set D, returning to the step C13 to continue the operation until the sets in the step C13
Figure BDA00034243987100000617
When in use
Figure BDA00034243987100000618
Then, returning to the step C3 for cyclic calculation;
c15: finally obtaining the non-redundancy set of the modified access control example according to the stepsAlloy KS2New authority implication relation set J2And a new set of rights connotations C2
The method can quickly and accurately modify part of the permissions of the access control model in an Internet of things system according to the usage requirements, and effectively reduces the time cost of reconstructing the access control model.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
The invention is described in detail below with reference to the following figures and examples:
As shown in FIG. 1, the RBAC permission modification method facing to the Internet of things according to the invention sequentially comprises the following steps:
A: obtaining the access control log records of each permission from the Internet of things system, and performing data preprocessing on the obtained access control log records to obtain the permission instance data Data_0 of the Internet of things system and the set M of all permissions;
in the invention, the step A comprises the following specific steps:
a1: reading access control log records of all authorities from an Internet of things system;
a2: in the obtained access control log records of each authority, if a certain user has a certain authority, namely the user successfully accesses the certain authority, the authority corresponding to the user is marked as 1, otherwise, the authority is marked as 0;
for example, in an internet of things system of a certain factory, if the temperature of the steel furnace is successfully changed in the operation and production link of the employee A in 8 months and 21 days, the authority of the employee A for operating the temperature change of the steel furnace is recorded, and the authority is marked as 1; if the change of the oxygen adding amount fails in the operation production link of the employee A in 8 months and 21 days, recording that the employee A does not have the authority of the change of the oxygen adding amount in the operation production link, and recording the authority as 0;
a3: according to the method in the step A2, all the obtained access control log records are processed to obtain the Data of the system authority instance of the Internet of things0Simultaneously obtaining all authority sets M in the system;
B: using the attribute-exploration-assisted role discovery method on the permission instance data Data_0 and the permission set M obtained in step A, establishing the non-redundant set K_S1 of access control instances of the Internet of things system, obtaining the permission implication set J_1 and the permission intent (connotation) set C_1 of the whole Internet of things system, and assigning the permissions in the access control context to users according to role;
wherein step B comprises the following specific steps:
B1: obtaining the set of all permissions M = (a_1, a_2, a_3, …, a_{n-1}, a_n) according to step A, and arranging M in lexicographic order to obtain the set [Figure BDA0003424398710000081] [Figure BDA0003424398710000082]; initializing the determined non-redundant set of access control instances [Figure BDA0003424398710000083] and the permission implication set [Figure BDA0003424398710000084]; taking from the set M_q the lexicographically first set [Figure BDA0003424398710000085];
where lexicographic order is the sorting rule used in formal concept analysis;
B2: in the determined non-redundant set K_S1 of access control instances, calculating [Figure BDA0003424398710000086]; if [Figure BDA0003424398710000087], entering step B3; otherwise, going to step B4;
where [Figure BDA0003424398710000088] finds, in the determined non-redundant set K_S1 of access control instances, all users who own the permission Q; [Figure BDA0003424398710000089] finds, in K_S1, the permissions owned in common by all users who own Q; and [Figure BDA00034243987100000810] finds, in the permission instance data Data_0, all users who own the permissions [Figure BDA00034243987100000811];
B3: if the permission [Figure BDA00034243987100000812], i.e. the role that owns the permission Q is [Figure BDA00034243987100000813] and [Figure BDA00034243987100000814] is at the same time exactly Q, then add the permission Q to the permission intent set C_1; if the permission [Figure BDA00034243987100000815], i.e. the role that owns the permission Q is [Figure BDA00034243987100000816] but the permissions owned in common, [Figure BDA00034243987100000817], are not exactly Q, then add the permission implication [Figure BDA00034243987100000818], meaning that a user who has the permission Q must also have the permissions [Figure BDA00034243987100000819], to the permission implication set J_1; then go to step B5;
B4: take from the permission instance data Data_0 an instance o whose permission assignment does not conform to the permission implication [Figure BDA00034243987100000820], i.e. instance o owns the permission Q but not the permissions [Figure BDA00034243987100000821], and add this instance to the determined non-redundant set K_S1 of access control instances; then go to step B6;
B5: according to the theorem on the relatedness between a set and an implication set in formal concept analysis, find in lexicographic order the next permission set Q' related to the permission implication set J_1, set Q = Q', and go to step B6;
B6: loop back to step B2 until the next permission set related to the permission implication set J_1 equals the set M of all permissions, then go to step B7;
if for a permission set and a permission implication the permission set does not contain the front piece (antecedent) of the implication, or contains both its front piece and its back piece (consequent), the permission set is said to be related to the implication; if a permission set is related to every implication in an implication set, the permission set is said to be related to the implication set;
B7: obtaining from the above steps the determined non-redundant set K_S1 of access control instances, the permission implication set J_1 and the permission intent set C_1, where each row of K_S1 represents a role and the permissions owned by that role, and the permissions in the access control context are assigned to users according to role.
C: for the role r to be modified and the permission set A corresponding to role r, starting from the determined non-redundant set K_S1 of access control instances, the permission implication set J_1 and the permission intent set C_1, modifying the permissions of role r in K_S1 into the input permission set A to obtain the non-redundant set K_S2 of access control instances; then, for each permission set in J_1 and C_1, judging whether its back piece (consequent) in K_S2 has increased or decreased:
if the back piece of a permission set has neither increased nor decreased, then: if the permission set belongs to the permission implication set J_1, it also belongs to the new permission implication set J_2; if it belongs to the permission intent set C_1, it also belongs to the new permission intent set C_2;
if the back piece of a permission set has increased, put the permission set into the new permission implication set J_2, find in J_1 and C_1 all permission sets that do not contain that back piece, and delete those permission sets from J_1 and C_1;
if the back piece of a permission set has decreased, then: if the back piece is empty, put the permission set into the new permission intent set C_2; if the back piece is not empty, put the permission set into the new permission implication set J_2, and find all permission sets that satisfy the three conditions of containing the front piece (antecedent) of the permission set in K_S1, not containing its back piece in K_S1, and containing its back piece in K_S2, taking these as the set to be added; perform the relatedness judgment on each permission set in the set to be added, and for each permission set that satisfies the relatedness condition, put it into the new permission intent set C_2 if its back piece is empty, or into the new permission implication set J_2 if its back piece is not empty;
finally obtaining the modified non-redundant set K_S2 of access control instances, the new permission implication set J_2 and the new permission intent set C_2.
The step C comprises the following specific steps:
c1: according to the role r to be modified and the authority A corresponding to the role r, accessing a non-redundancy set K of the control instanceS1The authority of the middle role r is modified into the authority A to obtain a redundancy-free set K of the access control instanceS2(ii) a Non-redundant set K from modified access control instanceS2Calculating the implications of all the front pieces with single attribute, putting the obtained implications into the newly-built set IMPs, and then entering the step C2;
c2: set the implication relationship of authority J1Placing the front pieces of all authority implication relations into a newly-built set F, and newly building a set to be added
Figure BDA0003424398710000101
Then proceed to step C3;
c3: if the new set F, the new set D and the authority content set C are established1If all are empty, go to step C15; if the new set F, the new set D and the authority content set C are established1If the three sets are not empty, the newly-built set F, the newly-built set D and the authority content set C are taken out1And (3) judging the source of the permission set b:
if the permission set b comes from the permission connotation set C1Then go to step C4; if the permission set b is from the new set F, go to step C5; if the permission set b is from the new set D, go to step C6;
c4: set of subordinate rights connotations C1If the permission set b is not a non-redundancy set K of the role r in the access control instanceS1Is not a redundant set K of the modified role rS2Then directly put the permission set b into the new permission content set C2Performing the following steps;
if permission set b is the non-redundant set K of role r in the access control instanceS1Or a non-redundant set K of roles r after modificationS2A subset of rights in (1), then a determination is made
Figure BDA0003424398710000102
Whether it is equal to the set of permissions b;
if yes, putting the authority set b into a new authority content set C2And returning to step C2; if not, then will
Figure BDA0003424398710000103
Put into a new set of rights implication relationships J2And proceeds to step C7;
wherein, gKs2(b) Non-redundant set K for access control instance after modificationS2Finds out all the users who have the right b,
Figure BDA0003424398710000104
finds, in the modified non-redundant set K_S2, the permissions owned in common by all users who own b; the implication b → (f_{K_S2}(g_{K_S2}(b)) - b) states that a user who owns b must also own the permissions f_{K_S2}(g_{K_S2}(b)) - b;
C5: Delete the permission set b from the new set F. If b is a subset neither of the permissions of role r in the determined non-redundant set K_S1 nor of the permissions of role r in the modified non-redundant set K_S2, directly put
Figure BDA0003424398710000111
into the new permission implication set J_2 and return to step C2;
if b is a subset of the permissions of role r in the determined set K_S1 or of the permissions of role r in the modified set K_S2, determine whether
Figure BDA0003424398710000112
is equal to the permission set b;
if so, put b into the new permission intent set C_2 and go to step C9; if not, put
Figure BDA0003424398710000113
into the new permission implication set J_2, and then determine whether
Figure BDA0003424398710000114
if so, go to step C7; otherwise go to step C9;
where
Figure BDA0003424398710000115
means that the permissions owned in common by all users who own b in the modified non-redundant set K_S2 are contained in the permissions owned in common by all users who own b in the determined non-redundant set K_S1.
C6: Delete the permission set b from the new set D, and then determine whether
Figure BDA0003424398710000116
is equal to the permission set b; if so, put b into the new permission intent set C_2; if not, put
Figure BDA0003424398710000117
into the new permission implication set J_2;
then go to step C7;
C7: Determine whether the permission intent set C_1 contains a permission set that includes
Figure BDA0003424398710000118
but does not include
Figure BDA0003424398710000119
If so, delete it and go to step C8; if not, go directly to step C8;
C8: Determine whether the new set F contains a permission set that includes
Figure BDA00034243987100001110
but does not include
Figure BDA00034243987100001111
Figure BDA00034243987100001112
If so, delete that permission set and go to step C12; if not, return to step C3;
C9: Create a set
Figure BDA00034243987100001113
Find all implications in the new set IMPs whose antecedent does not contain
Figure BDA00034243987100001114
Figure BDA00034243987100001115
and whose antecedent and consequent together do not contain
Figure BDA00034243987100001116
Arrange and combine the permissions found, add the resulting permission sets to the new set E_1, and go to step C10;
C10: Take a permission set e_1 out of the new set E_1; take the permission set e_1, the consequent of each single permission in e_1, and the permission set
Figure BDA00034243987100001117
combine the three, remove duplicate permissions, and form the remaining permissions into a new permission set e_2; then go to step C11;
C11: Determine whether the new permission set e_2 already exists in the new set D. If so, return directly to step C10 and continue until the new set
Figure BDA0003424398710000121
If e_2 does not exist in D, put e_2 into D at its position in lexicographic order, and return to step C10 to continue until the new set created in step C10
Figure BDA0003424398710000122
When the new set
Figure BDA0003424398710000123
return to step C3 and continue the loop;
C12: Create a set
Figure BDA0003424398710000124
Find all implications in the new set IMPs whose antecedent does not contain
Figure BDA0003424398710000125
and whose antecedent and consequent together do not contain
Figure BDA0003424398710000126
Arrange and combine the permissions found, add the resulting permission sets to the new set E_2, and go to step C13;
C13: Take a permission set e_3 out of the new set E_2; take e_3, the consequent of each permission in e_3, and
Figure BDA0003424398710000127
combine them, remove duplicate single attributes, and form the permissions obtained into a new permission set e_4; then go to step C14;
C14: Determine whether the new attribute set e_4 already exists in the new set D. If so, return directly to step C13 and continue; if not, put e_4 into D at its position in lexicographic order and return to step C13 to continue until the set in step C13
Figure BDA0003424398710000128
When
Figure BDA0003424398710000129
return to step C3 and continue the loop;
C15: The steps above finally yield the modified non-redundant set K_S2 of access control instances, the new permission implication set J_2 and the new permission intent set C_2.
Taking a large factory as an example, the steps of the attribute-exploration-based RBAC permission modification method are as follows:
A: Obtain the access control log records of the department from the Internet of Things system of the large factory, preprocess the access log records, and obtain the permission instance data Data_0 and the set M of all permissions of the Internet of Things system;
A1: Read the access control log records of all permissions from the Internet of Things system;
A2: In the access control log records of each permission, if a user has a certain permission, i.e. the user has successfully accessed it, mark that permission of the user as 1; otherwise mark it as 0;
For example, in the Internet of Things system of a factory, if employee A successfully changed the temperature of the steel furnace in the operation and production link on 21 August, record that employee A has the permission to change the steel furnace temperature and mark it as 1; if employee A's change of the oxygen feed failed in the operation and production link on 21 August, record that employee A does not have the permission to change the oxygen feed and mark it as 0;
A3: Process all acquired access control log records by the method of step A2 to obtain the permission instance data Data_0 and, at the same time, the set M of all permissions;
The permission instance data Data_0 obtained is shown in Table 2:
TABLE 2  Data_0

        a b c d e f g h i
Jia     0 0 1 1 1 1 1 0 0
Yi      0 0 0 0 0 0 1 0 1
Bing    0 0 1 1 1 0 1 0 0
Ding    1 1 1 1 0 0 0 1 0

The set of all permissions M is (a, b, c, d, e, f, g, h, i).
B: Using the permission instance data Data_0 and the permission set M obtained in step A, apply the attribute-exploration-assisted role discovery method to establish the non-redundant set K_S1 of access control instances, obtain the permission implication set J_1 and the permission intent set C_1, and assign permissions in the access control context to users according to role;
B1: According to the permission set M = (i, h, g, f, e, d, ……) obtained in step A, arrange all permission subsets of M in lexicographic order to obtain the set M_Q = (i, h, hi, g, gi, gh, ghi, …, abcdefghi); initialize the determined non-redundant set of access control instances
Figure BDA0003424398710000131
and the permission implication set
Figure BDA0003424398710000132
From the set M_Q take the lexicographically first set
Figure BDA0003424398710000133
where the lexicographic (lectic) order is the ordering rule used in formal concept analysis;
B2: In the determined non-redundant set K_S1 compute
Figure BDA0003424398710000134
Figure BDA0003424398710000135
In K_S1, g_{K_S1}(Q) = {A, B, C, D}; in Data_0,
Figure BDA0003424398710000136
does not satisfy; in K_S1,
Figure BDA0003424398710000137
in K_0, g_{K_1}(f_{K_S1}(g_{K_S1}(Q)) - Q); go to step B4;
B4: From the initial set Data_0 of access control instances take an instance o whose permission assignment does not comply with the implication, add it to the determined non-redundant set K_S1 of access control instances, and go to step B6;
B5: According to the lexicographic order of sets and the theorem on the relevance between a set and an implication set in formal concept analysis, find in M the next permission set Q' related to the permission implication set J_1, set Q = Q', and go to step B6; the theorem on the relevance between a set and an implication set is conventional in the field and is not repeated here;
B6: Loop through step B2 until the next permission set related to the permission implication set J_1 equals the set M of all permissions, then go to step B7;
B7: At this point the determined non-redundant set K_S1 of access control instances, the permission implication set J_1 and the permission intent set C_1 are obtained; each row of K_S1 represents a role and the permissions that role owns, and roles are assigned to the corresponding users as required.
The determined non-redundant set K_S1 of access control instances of the department obtained through steps A and B is: Jia (cdefg), Yi (gi), Bing (cdeg), Ding (abcdh);
The permission intent set C_1 and the permission implication set J_1 of the department are:
Figure BDA0003424398710000141
J_1 = {i->g, h->abcd, f->cdeg, e->cdg, d->c, c->d, cdg->e, cdegi->abfh, b->acdh, a->bcdh, abcdegh->fi};
C: For the role r to be modified and its permission set A, according to the determined non-redundant set K_S1 of access control instances, the permission implication set J_1 and the permission intent set C_1, replace the permissions of role r in K_S1 with the input permissions A to obtain the non-redundant set K_S2; then, for each permission set in J_1 and C_1, determine whether its consequent in K_S2 has increased or decreased:
If the consequent of a permission set has neither increased nor decreased, then: if the permission set belongs to the permission implication set J_1, it also belongs to the new permission implication set J_2; if it belongs to the permission intent set C_1, it also belongs to the new permission intent set C_2;
If the consequent of a permission set has increased, put the permission set into the new permission implication set J_2, find in J_1 and C_1 all permission sets that do not contain the consequent, and delete those permission sets from J_1 and C_1;
If the consequent of a permission set has decreased: if the consequent is empty, put the permission set into the new permission intent set C_2; if the consequent is not empty, put the permission set into the new permission implication set J_2, and find all permission sets satisfying three conditions: they contain the antecedent of the permission set in K_S1, they do not contain the consequent of the permission set in K_S1, and they contain the consequent of the permission set in K_S2; take these as the to-be-added set. Perform the relevance check on the permission sets in the to-be-added set; for those that satisfy the relevance condition, put them into the new permission intent set C_2 if their consequent is empty and into the new permission implication set J_2 if it is not;
Finally the modified non-redundant set K_S2 of access control instances, the new permission implication set J_2 and the new permission intent set C_2 are obtained.
Step C comprises the following specific steps:
C1: According to the input role r and its permissions A, modify the non-redundant set K_S1 of access control instances to obtain the modified non-redundant set K_S2; from K_S2 compute all implications whose antecedent is a single attribute, put them into a new set IMPs, and go to step C2;
The operator enters the role and permissions to be modified as Wu (cde).
The modified non-redundant set K_S2 obtained is shown in Table 3:
TABLE 3  K_S2

        a b c d e f g h i
Jia     0 0 1 1 1 1 1 0 0
Yi      0 0 0 0 0 0 1 0 1
Bing    0 0 1 1 1 0 0 0 0
Ding    1 1 1 1 0 0 0 1 0

From the modified non-redundant set K_S2 compute the implications whose antecedent is a single attribute and put them into the new set IMPs = {i->g, h->abcd, f->cdeg, e->cd, d->c, c->d, b->acdh, a->bcdh}; then go to step C2;
C2: Put the antecedents of all implications in the permission implication set J_1 into a new set F, giving F = {i, h, f, e, d, c, cdg, cdegi, b, a, abcdegh}. Create the to-be-added set
Figure BDA0003424398710000151
go to step C3;
C3: At this point the new set F, the new set D and the permission intent set C_1 are not all empty; the permission set with the smallest lexicographic order in F, D and C_1 is i in the new set F, so b = i, and go to step C5;
C5: Delete b from the new set F. Since b = i is a subset neither of the permissions (cdeg) of role Wu in the non-redundant set K_S1 nor of the permissions (cde) of role Wu in the modified set K_S2, add i->g directly to the new permission implication set J_2 and return to step C3;
C3: At this point the new set F, the new set D and the permission intent set C_1 are not all empty; the permission set with the smallest lexicographic order in F, D and C_1 is h in the new set F, so b = h, and go to step C5;
C5: Delete b from the new set F. Since b = h is a subset neither of the permissions (cdeg) of role Wu in K_S1 nor of the permissions (cde) of role Wu in the modified set K_S2, add h->abcd directly to the new permission implication set J_2 and return to step C3;
C3: At this point the new set F, the new set D and the permission intent set C_1 are not all empty; the permission set with the smallest lexicographic order in F, D and C_1 is g in the permission intent set C_1, so b = g, and go to step C4;
C4: Delete b from the permission intent set C_1. Since b = g is a subset of the permissions (cdeg) of role Wu in the non-redundant set K_S1, and at this point
Figure BDA0003424398710000161
put g into the new permission intent set C_2 and return to step C2;
C3: At this point the new set F, the new set D and the permission intent set C_1 are not all empty; the permission set with the smallest lexicographic order in F, D and C_1 is gi in the permission intent set C_1, so b = gi, and go to step C4;
C4: Delete b from the permission intent set C_1. Since b = gi is a subset neither of the permissions (cdeg) of role Wu in the non-redundant set K_S1 nor of the permissions (cde) of role Wu in the modified set K_S2, add gi directly to the new permission intent set C_2 and return to step C2;
……
Owing to limited space, the repeated process is not described in detail here.
The modified non-redundant set K_S2 finally obtained is:
        a b c d e f g h i
Jia     0 0 1 1 1 1 1 0 0
Yi      0 0 0 0 0 0 1 0 1
Bing    0 0 1 1 1 0 0 0 0
Ding    1 1 1 1 0 0 0 1 0

The new permission implication set is: J_2 = {i->g, h->abcd, f->cdeg, e->cd, d->c, c->d, cdg->ef, cdefgi->abh, b->acdh, a->bcdh, abcdeh->fgi}.
The new permission intent set is:
Figure BDA0003424398710000171
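The following Python is an added example, not code from the patent or its authors. It reproduces the worked example above with standard formal concept analysis: the user x permission context of Table 2 is built from constructed log records (step A), the derivation operators g and f give the closure B'' = f(g(B)), the single-attribute implications of step C1 (IMPs) and the full permission implication set J (the Duquenne-Guigues basis, computed by Ganter's NextClosure algorithm) are derived from the context, and the role change of Table 3 (the third row becomes cde) is applied so that J_2 can be recomputed and each old implication classified by whether its consequent increased, decreased or stayed the same, which is the case split that step C performs. The user names Jia, Yi, Bing, Ding stand for the page's 甲, 乙, 丙, 丁; the log record layout and all function names are assumptions. Recomputing J from scratch is the baseline the patent's incremental step C is designed to avoid; it is what a practitioner would use to validate the incremental result on a small context like this one.

```python
"""Added example (not the patent's own code): formal concept analysis over the
user x permission context of Tables 2 and 3: builds the context from constructed
log records (step A), computes the derivation operators g/f, the single-premise
implications of step C1 (IMPs) and the Duquenne-Guigues basis (the page's J) by
Ganter's NextClosure, then applies the role change and classifies each old
implication by whether its consequent grew, shrank or held.  Users Jia, Yi,
Bing, Ding stand for the page's 甲, 乙, 丙, 丁; the log layout is an assumption."""

ORDER = "abcdefghi"   # m1 < ... < mn; in the page's lectic order i comes first
# Constructed access-log records (user, permission, outcome); only "ok" marks 1.
LOG = [
    ("Jia", "c", "ok"), ("Jia", "d", "ok"), ("Jia", "e", "ok"), ("Jia", "f", "ok"),
    ("Jia", "g", "ok"), ("Jia", "h", "fail"),
    ("Yi", "g", "ok"), ("Yi", "i", "ok"), ("Yi", "a", "fail"),
    ("Bing", "c", "ok"), ("Bing", "d", "ok"), ("Bing", "e", "ok"), ("Bing", "g", "ok"),
    ("Ding", "a", "ok"), ("Ding", "b", "ok"), ("Ding", "c", "ok"), ("Ding", "d", "ok"),
    ("Ding", "h", "ok"), ("Ding", "i", "fail"),
]

def build_context(log):
    """Step A: {user: frozenset of permissions marked 1} (Table 2, Data_0)."""
    ctx = {}
    for user, perm, outcome in log:
        ctx.setdefault(user, set())
        if outcome == "ok":
            ctx[user].add(perm)
    return {u: frozenset(p) for u, p in ctx.items()}

def extent(ctx, perms):
    """g(B): the users that own every permission in B."""
    return frozenset(u for u, owned in ctx.items() if perms <= owned)

def intent(ctx, users):
    """f(A): the permissions common to every user in A."""
    common = set(ORDER)
    for u in users:
        common &= ctx[u]
    return frozenset(common)

def closure(ctx, perms):
    """B'' = f(g(B)): a user owning B necessarily owns all of B''."""
    return intent(ctx, extent(ctx, perms))

def fmt(perms):
    return "".join(m for m in ORDER if m in perms)

def single_premise_implications(ctx):
    """Step C1's IMPs: x -> x'' - x per single permission x, listed i..a as on the page."""
    return [f"{x}->{fmt(r)}" for x in reversed(ORDER) if (r := closure(ctx, {x}) - {x})]

def implication_closure(perms, implications):
    """Smallest superset of perms that respects every (premise, conclusion) pair."""
    closed, changed = set(perms), True
    while changed:
        changed = False
        for premise, conclusion in implications:
            if premise <= closed and not conclusion <= closed:
                closed |= conclusion
                changed = True
    return frozenset(closed)

def next_closed(current, clos):
    """Ganter's NextClosure: the lectically next clos-closed set after current."""
    for idx in range(len(ORDER) - 1, -1, -1):
        m = ORDER[idx]
        if m in current:
            continue
        prefix = frozenset(x for x in current if ORDER.index(x) < idx)
        candidate = clos(prefix | {m})
        # current <_i candidate holds only if the closure added nothing below m
        if frozenset(x for x in candidate if ORDER.index(x) < idx) == prefix:
            return candidate

def stem_base(ctx):
    """Duquenne-Guigues basis (the page's J): P -> P'' - P for every pseudo-intent P."""
    basis = []
    a = implication_closure(frozenset(), basis)
    while a != frozenset(ORDER):
        a2 = closure(ctx, a)
        if a2 != a:                      # a is a pseudo-intent, not an intent
            basis.append((a, a2 - a))
        a = next_closed(a, lambda s: implication_closure(s, basis))
    return [f"{fmt(p)}->{fmt(c)}" for p, c in basis]

def modify_role(ctx, role, new_perms):
    """Step C1: replace the permissions of one role (Table 3 sets Bing to cde)."""
    return {**ctx, role: frozenset(new_perms)}

def classify_consequents(new_ctx, old_basis):
    """Step C's case split: has each old implication's consequent grown, shrunk or held in K_S2?"""
    report = {}
    for imp in old_basis:
        prem, concl = (frozenset(s) for s in imp.split("->"))
        new = closure(new_ctx, prem) - prem
        kind = ("unchanged" if new == concl else "increased" if new > concl
                else "decreased" if new < concl else "changed")
        report[imp] = kind if new == concl else f"{kind} to {fmt(new)}"
    return report

if __name__ == "__main__":
    k1 = build_context(LOG)
    print("J_1 =", stem_base(k1))
    k2 = modify_role(k1, "Bing", "cde")
    print("IMPs =", single_premise_implications(k2))
    print("J_2 =", stem_base(k2))
    print(classify_consequents(k2, stem_base(k1)))
```

On the page's data `stem_base` returns exactly the eleven implications of J_1 and, after the role change, the eleven of J_2, in the same order the page lists them; the classification shows e->cdg shrinking to e->cd and cdg->e growing to cdg->ef, the two cases that step C handles specially, while the remaining nine consequents are unchanged.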

Claims (5)

1. An RBAC permission modification method for the Internet of Things, characterized by comprising the following steps in sequence:
A: Obtain the access control log records of each permission from the Internet of Things system and preprocess the records obtained to get the permission instance data Data_0 and the set M of all permissions of the Internet of Things system;
B: Using the permission instance data Data_0 and the set M of all permissions obtained in step A, apply the attribute-exploration-assisted role discovery method to establish the non-redundant set K_S1 of access control instances of the Internet of Things system, obtain the permission implication set J_1 and the permission intent set C_1 of the whole system, and assign permissions in the access control context to users according to role;
C: For the role r to be modified and its permission set A, according to the determined non-redundant set K_S1 of access control instances, the permission implication set J_1 and the permission intent set C_1, replace the permissions of role r in K_S1 with the input permissions A to obtain the non-redundant set K_S2; then, for each permission set in J_1 and C_1, determine whether its consequent in K_S2 has increased or decreased:
If the consequent of a permission set has neither increased nor decreased, then: if the permission set belongs to the permission implication set J_1, it also belongs to the new permission implication set J_2; if it belongs to the permission intent set C_1, it also belongs to the new permission intent set C_2;
If the consequent of a permission set has increased, put the permission set into the new permission implication set J_2, find in J_1 and C_1 all permission sets that do not contain the consequent, and delete those permission sets from J_1 and C_1;
If the consequent of a permission set has decreased: if the consequent is empty, put the permission set into the new permission intent set C_2; if the consequent is not empty, put the permission set into the new permission implication set J_2, and find all permission sets satisfying three conditions: they contain the antecedent of the permission set in K_S1, they do not contain the consequent of the permission set in K_S1, and they contain the consequent of the permission set in K_S2; take these as the to-be-added set. Perform the relevance check on the permission sets in the to-be-added set; for those that satisfy the relevance condition, put them into the new permission intent set C_2 if their consequent is empty and into the new permission implication set J_2 if it is not;
Finally the modified non-redundant set K_S2 of access control instances, the new permission implication set J_2 and the new permission intent set C_2 are obtained.
2. The Internet-of-Things-oriented RBAC permission modification method according to claim 1, wherein step A comprises the following specific steps:
A1: Read the access control log records of all permissions from the Internet of Things system;
A2: In the access control log records of each permission, if a user has a certain permission, i.e. the user has successfully accessed it, mark that permission of the user as 1; otherwise mark it as 0;
A3: Process all acquired access control log records by the method of step A2 to obtain the permission instance data Data_0 of the Internet of Things system and, at the same time, the set M of all permissions in the system.
3. The Internet-of-Things-oriented RBAC permission modification method according to claim 2, wherein step B comprises the following specific steps:
B1: According to the set of all permissions M = (a_1, a_2, a_3, …, a_{n-1}, a_n) obtained in step A, arrange all permission subsets of M in lexicographic order to obtain the set
Figure FDA0003424398700000021
Figure FDA0003424398700000022
Initialize the determined non-redundant set of access control instances
Figure FDA0003424398700000023
and the permission implication set
Figure FDA0003424398700000024
From the set M_Q take the lexicographically first set
Figure FDA0003424398700000025
B2: In the determined non-redundant set K_S1 compute
Figure FDA0003424398700000026
If
Figure FDA0003424398700000027
go to step B3; otherwise go to step B4;
where
Figure FDA0003424398700000028
finds, in the determined non-redundant set K_S1, all users who own the permissions Q,
Figure FDA0003424398700000029
finds, in the determined non-redundant set K_S1, the permissions owned in common by all users who own Q,
Figure FDA00034243987000000210
finds, in the permission instance data Data_0, all users who own the permissions
Figure FDA00034243987000000211
(that is, the users owning those permissions);
B3: If the permissions
Figure FDA0003424398700000031
that is, the role owning the permissions Q is
Figure FDA0003424398700000032
and
Figure FDA0003424398700000033
is simultaneously Q, add the permissions Q to the permission intent set C_1; if the permissions
Figure FDA0003424398700000034
that is, the role owning the permissions Q is
Figure FDA0003424398700000035
but
Figure FDA0003424398700000036
(the permissions owned in common) is not Q at the same time, add the permission implication
Figure FDA0003424398700000037
that is, a user owning the permissions Q must also own the permissions
Figure FDA0003424398700000038
to the permission implication set J_1, and go to step B5;
B4: From the permission instance data Data_0 take an instance o whose permission assignment does not comply with the permission implication
Figure FDA0003424398700000039
, i.e. instance o owns the permissions Q but not the permissions
Figure FDA00034243987000000310
, and add this instance to the determined non-redundant set K_S1 of access control instances; then go to step B6;
B5: According to the theorem on the relevance between a set and an implication set in formal concept analysis, find, in lexicographic order, the next permission set Q' related to the permission implication set J_1, set Q = Q', and go to step B6;
B6: Loop through step B2 until the next permission set related to the permission implication set J_1 equals the set M of all permissions, then go to step B7;
B7: The steps above yield the determined non-redundant set K_S1 of access control instances, the permission implication set J_1 and the permission intent set C_1; each row of K_S1 represents a role and the permissions that role owns, and permissions in the access control context are assigned to users according to role.
4. The Internet-of-Things-oriented RBAC permission modification method according to claim 3, wherein: in step B6, if, for a permission set and a permission implication, the permission set does not contain the antecedent of the implication, or the permission set contains both the antecedent and the consequent of the implication, the permission set is said to be related to that implication; if a permission set is related to every implication in a permission implication set, the permission set is said to be related to that implication set.
5. The Internet-of-Things-oriented RBAC permission modification method according to claim 3, wherein step C comprises the following specific steps:
C1: According to the role r to be modified and the permission set A assigned to it, replace the permissions of role r in the non-redundant set K_S1 of access control instances with A, obtaining the modified non-redundant set K_S2 of access control instances. From K_S2 compute every implication whose antecedent is a single attribute, put the implications obtained into a new set IMPs, and go to step C2;
C2: Put the antecedents of all implications in the permission implication set J_1 into a new set F, and create the to-be-added set
Figure FDA0003424398700000041
then go to step C3;
C3: If the new set F, the new set D and the permission intent set C_1 are all empty, go to step C15. If the three sets are not all empty, take a permission set b out of F, D or C_1 and determine its source: if b comes from the permission intent set C_1, go to step C4; if b comes from the new set F, go to step C5; if b comes from the new set D, go to step C6;
C4: Delete b from the permission intent set C_1. If b is a subset neither of the permissions of role r in the non-redundant set K_S1 nor of the permissions of role r in the modified set K_S2, put b directly into the new permission intent set C_2;
if b is a subset of the permissions of role r in K_S1 or of the permissions of role r in the modified set K_S2, determine whether
Figure FDA0003424398700000042
is equal to the permission set b;
if so, put b into the new permission intent set C_2 and return to step C2; if not, put
Figure FDA0003424398700000043
into the new permission implication set J_2 and go to step C7;
where g_{K_S2}(b) finds, in the modified non-redundant set K_S2, all users who own the permissions b, and
Figure FDA0003424398700000044
finds, in the modified non-redundant set K_S2, the permissions owned in common by all users who own b; the implication b → (f_{K_S2}(g_{K_S2}(b)) - b) states that a user who owns b must also own the permissions f_{K_S2}(g_{K_S2}(b)) - b;
C5: Delete the permission set b from the new set F. If b is a subset neither of the permissions of role r in the determined non-redundant set K_S1 nor of the permissions of role r in the modified non-redundant set K_S2, directly put
Figure FDA0003424398700000045
into the new permission implication set J_2 and return to step C2;
if b is a subset of the permissions of role r in the determined set K_S1 or of the permissions of role r in the modified set K_S2, determine whether
Figure FDA0003424398700000051
is equal to the permission set b;
if so, put b into the new permission intent set C_2 and go to step C9; if not, put
Figure FDA0003424398700000052
into the new permission implication set J_2, and then determine whether
Figure FDA0003424398700000053
if so, go to step C7; otherwise go to step C9;
where
Figure FDA0003424398700000054
means that the permissions owned in common by all users who own b in the modified non-redundant set K_S2 are contained in the permissions owned in common by all users who own b in the determined non-redundant set K_S1;
C6: Delete the permission set b from the new set D, and then determine whether
Figure FDA0003424398700000055
is equal to the permission set b; if so, put b into the new permission intent set C_2; if not, put
Figure FDA0003424398700000056
into the new permission implication set J_2;
then go to step C7;
C7: Determine whether the permission intent set C_1 contains a permission set that includes
Figure FDA0003424398700000057
but does not include
Figure FDA0003424398700000058
If so, delete it and go to step C8; if not, go directly to step C8;
C8: Determine whether the new set F contains a permission set that includes
Figure FDA0003424398700000059
but does not include
Figure FDA00034243987000000510
If so, delete that permission set and go to step C12; if not, return to step C3;
C9: Create a set
Figure FDA00034243987000000511
Find all implications in the new set IMPs whose antecedent does not contain
Figure FDA00034243987000000512
and whose antecedent and consequent together do not contain
Figure FDA00034243987000000513
Arrange and combine the permissions found, add the resulting permission sets to the new set E_1, and go to step C10;
C10: Take a permission set e_1 out of the new set E_1; take the permission set e_1, the consequent of each single permission in e_1, and the permission set
Figure FDA0003424398700000061
combine the three, remove duplicate permissions, and form the remaining permissions into a new permission set e_2; then go to step C11;
C11: Determine whether the new permission set e_2 already exists in the new set D. If so, return directly to step C10 and continue until the new set
Figure FDA0003424398700000062
If e_2 does not exist in D, put e_2 into D at its position in lexicographic order, and return to step C10 to continue until the new set created in step C10
Figure FDA0003424398700000063
When the new set
Figure FDA0003424398700000064
return to step C3 and continue the loop;
C12: Create a set
Figure FDA0003424398700000065
Find all implications in the new set IMPs whose antecedent does not contain
Figure FDA0003424398700000066
And the union of the front part and the back part does not contain
Figure FDA0003424398700000067
And will find outThe arranged authorities are arranged and combined, and the authority set after arrangement and combination is added to a new set E2Then to step C13;
c13: from the newly created set E2Take out a set of permissions e3Set of rights e3Authority set e3A back-piece for each right in and
Figure FDA0003424398700000068
combining, removing repeated single attribute, and forming the obtained permission into a new permission set e4Then proceed to step C14;
c14: judging a new attribute set e4Whether the new set D exists or not; if yes, directly returning to the step C13 to continue operation; if not, the new authority set e is set4Putting the positions in the lexicographical order into a new set D, returning to the step C13 to continue the operation until the sets in the step C13
Figure FDA0003424398700000069
When in use
Figure FDA00034243987000000610
Then, returning to the step C3 for cyclic calculation;
c15: finally obtaining the non-redundant set K of the modified access control example according to the stepsS2New authority implication relation set J2And a new set of rights connotations C2
CN202111574576.5A 2021-12-21 2021-12-21 RBAC permission modification method facing to Internet of things Active CN114268649B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111574576.5A CN114268649B (en) 2021-12-21 2021-12-21 RBAC permission modification method facing to Internet of things

Publications (2)

Publication Number Publication Date
CN114268649A true CN114268649A (en) 2022-04-01
CN114268649B CN114268649B (en) 2022-09-13

Family

ID=80828350

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101339591A (en) * 2008-08-29 2009-01-07 Institute of Software, Chinese Academy of Sciences XACML policy rule checking method
US20110321154A1 (en) * 2010-06-25 2011-12-29 Sap Ag Systems and methods for generating constraints for use in access control
CN102456103A (en) * 2010-10-26 2012-05-16 Wang Fang Improved RBAC (Role Based Access Control) model
CN104967620A (en) * 2015-06-17 2015-10-07 Institute of Information Engineering, Chinese Academy of Sciences Access control method based on attribute-based access control policy
CN111783043A (en) * 2020-07-06 2020-10-16 Henan University Multi-department collaborative interactive RBAC role construction method based on attribute exploration
CN111950013A (en) * 2020-08-24 2020-11-17 Henan University RBAC role rapid auxiliary construction method based on attribute exploration
CN111967034A (en) * 2020-08-30 2020-11-20 Henan University RBAC role fault tolerance auxiliary construction method based on attribute exploration
CN112580070A (en) * 2020-12-04 2021-03-30 Henan University RBAC role hierarchical auxiliary construction method based on prefix dictionary tree
CN114448659A (en) * 2021-12-16 2022-05-06 Henan University Yellow River dam bank monitoring Internet of Things access control optimization method based on attribute exploration

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhang Lei et al.: "A Mandatory Access Control Model Based on Concept Lattice", 2011 International Conference on Network Computing and Information Security *
Zhang Lei (张磊): "Research on algorithms related to role engineering based on concept lattices" (基于概念格的角色工程相关算法研究), China Doctoral Dissertations Full-text Database, Information Science and Technology section *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant