CN114969809A - Cross-domain multi-source information access control method and system based on process engine

Info

Publication number
CN114969809A
CN114969809A
Authority
CN
China
Prior art keywords
information
engine
model
cross
role
Prior art date
Legal status
Pending
Application number
CN202210494218.1A
Other languages
Chinese (zh)
Inventor
陈晨
刘文军
姜炳雨
冯帝
Current Assignee
Suzhou Lixing Information Technology Co ltd
Original Assignee
Suzhou Lixing Information Technology Co ltd
Priority date
2022-05-07
Filing date
2022-05-07
Publication date
2022-08-30

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cross-domain multi-source information access control method and system based on a process engine. The method comprises: establishing a process engine and formulating standard specifications on it to obtain a process model; establishing a permission engine and constructing a role control model on the process model; establishing a unified authentication platform that authenticates a role identity against the process model and obtains the shared resource information that role identity is entitled to in the process model; obtaining shared information from the shared resource information by identifier resolution; and computing over the shared information with the process model and the role control model to obtain a resource information set. Information barriers are removed and the value of data is improved. For information of differing sensitivity distributed across different using units, both sharing and confidentiality of the information can be ensured.

Description

Cross-domain multi-source information access control method and system based on process engine
Technical Field
The invention relates to the technical field of computers, and in particular to a cross-domain multi-source information access control method and system based on a process engine.
Background
With the deepening development of digital technologies such as informatization, networking and intelligence, the digitization of society is increasingly evident, and every industry is actively using modern means to build large-scale computer management information systems and improve working efficiency. However, because top-level design and planning were lacking in early construction, each using unit built around its own applications without effective integration, producing information islands and data chimneys; orderly collection, deep sharing, association analysis and efficient utilization of information have not been achieved, which constrains the full release of the value and vitality of data resources. At the same time, as systems are built and data is aggregated and concentrated, the requirements on the security management and control of digital assets keep growing.
Disclosure of Invention
To address the limitations of interconnection and intercommunication among data information in the prior art, the invention provides a cross-domain multi-source information management method and system based on a process engine and permission control. For information of differing sensitivity distributed across different using units, both sharing and confidentiality of the information can be ensured.
To achieve the above object, the present invention provides a cross-domain multi-source information access control method based on a process engine, including:
S1, establishing a process engine, and formulating standard specifications on the process engine to obtain a process model;
S2, establishing a permission engine, and constructing a role control model on the process model;
S3, establishing a unified authentication platform, authenticating a role identity against the process model, and obtaining the shared resource information of that role identity in the process model;
S4, obtaining shared information from the shared resource information by identifier resolution;
S5, computing over the shared information with the process model and the role control model to obtain a resource information set.
Optionally, constructing the process model includes:
S101, defining process nodes, a process node being an activity in the process;
S102, defining the metadata of all process nodes;
S103, defining association relations, and describing the relations between the information objects of the process nodes with those associations so as to support association queries, thereby obtaining the process model.
Optionally, the role control model takes resource management of the system as its core and uses role-based access control to support both centralized authorization and hierarchical authorization.
Optionally, the identifier resolution technology comprises identifier registration and identifier resolution.
The invention also provides a cross-domain multi-source information access control system based on a process engine, comprising a process engine module, a permission engine module, a unified authentication module, an identifier tool module and a resource calculation engine module;
the process engine module is used to establish the process model;
the permission engine module is used to provide information authorization;
the unified authentication module is used for centralized account management;
the identifier tool module is used to realize cross-industry, cross-region and cross-country information sharing;
the resource calculation engine module is used to check the validity of a visitor's identity.
Optionally, the process engine module establishes the process model according to industry or product standard specifications.
Optionally, the permission engine module takes resource management of the system as its core and uses role-based access control to support centralized and hierarchical authorization.
Optionally, the resource calculation engine module checks the visitor's identity by calling the role control model.
The invention has the following technical effects:
1. Information sharing. By means of identifier coding resources and the identifier resolution system, identifier data management and data sharing and common use across enterprises, industries, regions and countries are carried out, information barriers are removed and the value of data is improved.
2. Flexibility and extensibility. The process model and the role control can be configured individually in the system by administrators according to the data types and the requirements of the business system.
3. Information security. For information of differing sensitivity distributed across different using units, sharing and common use can be realized while the confidentiality of the information is ensured.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a cross-domain multi-source information access control method based on a process engine according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating role-based permission control according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating unified authentication performed by the unified authentication platform according to an embodiment of the present invention;
FIG. 4 is an interaction diagram of identifier registration according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating resource calculation according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Embodiment one
As shown in FIG. 1, the present invention discloses a cross-domain multi-source information access control method based on a process engine, which comprises:
S1, establishing a process engine, and formulating standard specifications on the process engine to obtain a process model;
First, the process nodes, the metadata of the process nodes and the association relations among the process nodes are defined according to the actual situation of information circulation. A process node is a set of specific activities and attributes in the process. The metadata of a process node is data that describes data; for example, order data is the order number, creation time and so on of each order, while the metadata of the order data describes the order data itself, namely which fields the order data has, what types those fields have, and so on. Association relations between process nodes are defined, and the relations between the information objects of the nodes are described with them so as to support association queries. Flow relations between enterprise data really exist in enterprise information systems and are easy to obtain, but the association between enterprise data and a process model is usually logical and typically spans departments or systems, so this relation has to be established for the enterprise data through the process engine.
Then, on the basis of the process engine, standard specifications are formulated according to the actual conditions of the industry and the enterprise, first bottom-up and then top-down, so that the link to the actual situation of the enterprise is easier to establish; if the standard specifications are incomplete, collaboration cannot proceed.
Finally, the process model is built with a process designer. The designer is implemented in pure web JavaScript and requires no programming: process editing is completed by dragging and dropping with the mouse, and the editing environment is used to build the process model diagram and to configure the various attributes of the basic process elements in the model.
S2, establishing a permission engine, and constructing a role control model on the process model;
Based on the process model established in S1, the sensitive information in the process model must be controlled. Specifically, in this embodiment the whole life cycle of a device can be divided into links such as device design, operation and maintenance, production and use, and the information of the different links has to be classified and partitioned, so that device manufacturers, device service providers and device users can collaborate efficiently while data security is ensured. A role control model is therefore established on the process model: it separates users from the enterprise data, maps each user to the roles it belongs to, and connects users to information resources through the authorized roles.
As shown in FIG. 2, the role control model takes resource management of the system as its core and uses role-based access control to support centralized and hierarchical authorization. That is, the process, the process nodes, the metadata and the information resources are allocated to different roles by analysing the actual business; an enterprise subscribes to a process model according to its application scenario and undergoes role authentication, thereby realizing centralized and hierarchical authorization and protecting sensitive information. An enterprise user thus inherits the corresponding information resources from the roles it holds, and the control of sensitive information becomes simpler.
S3, establishing a unified authentication platform, authenticating a role identity against the process model, and obtaining the shared resource information of that role identity in the process model;
Because of the early lack of top-level design, each system of many enterprises or departments has its own account management system. Since these systems all work independently and do not communicate with each other, embodiments of the invention provide a unified authentication platform, which associates systems that have a common user group with certain information resources, exchanges authentication information through a defined channel, and realizes a sharing mechanism for authentication relationships while ensuring the security of user information. At the same time, the unified authentication platform performs centralized account management: it integrates the account information of each system, manages the whole life cycle of user accounts centrally, and realizes unified enterprise access authentication. After an enterprise has been authenticated, it subscribes to a process model built by the process engine, its role identity in the corresponding process is authenticated, and it inherits the shared resource information of that role identity in the process model. This simplifies the management of users and accounts and reduces the security risk of system administration.
Specifically, in this embodiment, as shown in FIG. 3:
S301, an enterprise user accesses the business system and requests enterprise registration;
S302, the business system redirects the enterprise user to the unified authentication platform, carrying a callback address;
S303, on a page provided by the unified authentication platform the enterprise user enters the enterprise registration information and submits the registration request; the unified authentication platform submits the enterprise registration information to the identifier resolution secondary node IDIS system for level-by-level auditing. If the audit passes, a valid token is generated and delivered to the business system, and the method proceeds to S304; if the enterprise registration information fails the audit, the enterprise user continues to authenticate until authentication succeeds or the user actively quits.
S304, with the token obtained in S303, the business system calls the API interface of the unified authentication platform, carrying the token, to check its validity and obtain the identity information of the enterprise user.
S305, if the token passes the validity check, the unified authentication platform issues a valid token and returns the enterprise user identity information corresponding to the token to the business system; the business system writes the identity information and the valid token into the session state, and the enterprise user can then use that identity to perform the various operations of the business system, including obtaining the shared resource information in the process model. If the token fails the validity check, the user is redirected to the unified authentication platform again and the method returns to S303.
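The S301 to S305 exchange, written out as an added example; this is not code from the patent. The unified authentication platform audits the registration, issues a signed token, and the business system verifies that token through the platform's check API before writing identity and token into its session. The HMAC-SHA256 token format, the expiry, the callback-address allowlist (the patent does not say how the callback address carried in S302 is validated; checking it against a list the business system registered beforehand is an assumption added here), and every name, URL and sample registration record are hypothetical.

```python
# Added example of the S301-S305 exchange; not code from the patent.
# Assumptions (hypothetical): HMAC-SHA256-signed bearer tokens with an expiry,
# a callback-address allowlist registered by each business system, and an
# in-memory session store. All names, URLs and sample registration data are made up.
import base64
import hashlib
import hmac
import json
import secrets
import time


class UnifiedAuthPlatform:
    """Audits enterprise registrations, issues tokens (S303) and checks them (S304)."""

    def __init__(self, secret: bytes, ttl_seconds: int = 3600):
        self._secret = secret
        self._ttl = ttl_seconds
        self._callbacks = {}    # system id -> set of registered callback addresses
        self._identities = {}   # token id -> enterprise identity information

    def register_system(self, system_id, callback_url):
        self._callbacks.setdefault(system_id, set()).add(callback_url)

    def callback_allowed(self, system_id, callback_url):
        # Only redirect back to a callback the business system registered beforehand.
        return callback_url in self._callbacks.get(system_id, set())

    def audit_registration(self, registration):
        # Stands in for the level-by-level audit by the secondary node IDIS system.
        return all(registration.get(k) for k in ("enterprise_name", "credit_code", "contact"))

    def issue_token(self, registration, now=None):
        """S303: return a signed token if the registration passes the audit, else None."""
        now = time.time() if now is None else now
        if not self.audit_registration(registration):
            return None
        payload = {"sub": registration["credit_code"], "exp": int(now + self._ttl),
                   "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
        sig = hmac.new(self._secret, body, hashlib.sha256).digest()
        self._identities[payload["jti"]] = {"enterprise": registration["enterprise_name"],
                                            "credit_code": registration["credit_code"]}
        return body.decode() + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()

    def verify_token(self, token, now=None):
        """S304 API: return the identity behind a valid token, or None if it is forged or expired."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            given = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
            expected = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, given):
                return None
            payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        except ValueError:          # malformed token, bad base64 or bad JSON
            return None
        if payload["exp"] < now:
            return None
        return self._identities.get(payload["jti"])


class BusinessSystem:
    """The business system of S301/S302 and S304/S305."""

    def __init__(self, system_id, callback_url, platform):
        self.system_id, self.callback_url, self.platform = system_id, callback_url, platform
        self.sessions = {}      # session id -> {"identity": ..., "token": ...}
        platform.register_system(system_id, callback_url)

    def start_registration(self):
        # S302: redirect to the platform, carrying the callback address.
        return {"system_id": self.system_id, "callback": self.callback_url}

    def handle_callback(self, token, session_id):
        # S304/S305: verify the token through the platform API, then write identity and token to the session.
        identity = self.platform.verify_token(token)
        if identity is None:
            return {"redirect": "unified-authentication-platform"}   # back to S303
        self.sessions[session_id] = {"identity": identity, "token": token}
        return {"ok": True, "identity": identity}


def run_flow(platform, system, registration, session_id):
    """Drive S301-S305 once and return the business system's final response."""
    redirect = system.start_registration()
    if not platform.callback_allowed(redirect["system_id"], redirect["callback"]):
        return {"error": "callback address not registered"}
    token = platform.issue_token(registration)
    if token is None:
        return {"error": "registration audit failed"}   # user stays on the platform page (S303)
    return system.handle_callback(token, session_id)
```

The business system never trusts the token it receives on the callback by itself; it only stores identity information that the platform's verification call returned, and a token whose signature or expiry fails sends the user back to S303 exactly as the flowchart describes.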
S4, obtaining shared information from the shared resource information by identifier resolution;
At present, enterprises hold a great deal of data and wish to use data analysis for statistics, decision-making and so on. The data certainly exists, but much of the needed data is distributed across several systems, and some of it even conflicts. The business system therefore uses identifier resolution technology to share data according to the standard specifications, obtains the shared information and realizes the value of the data.
Specifically, as shown in the interaction diagram of identifier registration of this embodiment in FIG. 4:
Identifier data management and cross-enterprise, cross-industry, cross-region and cross-country data sharing and common use are carried out by means of identifier coding resources and the industrial internet identifier resolution system. The main elements of the industrial internet identifier resolution system are the root node, the national top-level node, secondary nodes, enterprise nodes and public recursive nodes. A secondary node is a public node that provides identifier services for a specific industry platform, a general platform or a large enterprise platform, and can define a flexible industry identifier data format according to the requirements of that industry. The secondary node connects upward to the national top-level node and, downward, allocates identifier resources to industrial enterprises and provides data services such as identifier registration, resolution and public query.
Using the registration and resolution API provided by the secondary node, an interface to the secondary node is developed and encapsulated in the cross-domain multi-source information management system; it supports connection to the national top-level node, secondary nodes and enterprise nodes and realizes identifier registration, resolution, query and the like.
Identifier resolution technology comprises identifier registration and identifier resolution. Identifier registration means that an information provider registers its shared resource information under an identifier in order to share it; identifier resolution means that a consumer resolves the identifier to obtain the provider's shared information. With identifier resolution technology and the standard specifications, information can be shared across industries, regions and countries.
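The node hierarchy and the register/resolve pair described above, as an added example that is not the patent's code and not the code of any actual identifier resolution system: each node holds the records for its own prefix plus delegations to child prefixes, a provider registers shared resource information at the node that owns the prefix, and a public recursive node walks from the national top-level node down the delegation chain on a consumer's behalf. The patent names the node types but not the identifier syntax or the resolution protocol, so the dotted "prefix/suffix" scheme, the prefixes CN, CN.SEC01 and CN.SEC01.ENT42, the node names and the sample records are all assumptions made for illustration.

```python
# Added example of identifier registration and resolution (S4); not code from the patent.
# Assumed (hypothetical) identifier syntax: "<prefix>/<suffix>", where the dot-separated
# prefix is delegated top-down (national top-level node -> secondary node -> enterprise node).


class ResolutionNode:
    """One node of the identifier resolution system: its own records and its delegations."""

    def __init__(self, name, prefix):
        self.name = name
        self.prefix = prefix      # e.g. "CN", "CN.SEC01", "CN.SEC01.ENT42" (made up)
        self.records = {}         # full identifier -> shared resource information
        self.children = {}        # child prefix -> ResolutionNode

    def delegate(self, child):
        # Allocate identifier resources downward; the child prefix must extend ours.
        if not child.prefix.startswith(self.prefix + "."):
            raise ValueError(f"{child.prefix} is not under {self.prefix}")
        self.children[child.prefix] = child

    def register(self, identifier, resource_info):
        """Identifier registration: an information provider publishes shared resource information."""
        prefix = identifier.split("/", 1)[0]
        if prefix != self.prefix:
            raise ValueError(f"{identifier} does not belong to node {self.name}")
        self.records[identifier] = dict(resource_info)

    def resolve(self, identifier, hops=None):
        """Identifier resolution: answer locally or refer to the child whose prefix covers it.

        Returns (resource_info or None, list of node names visited)."""
        hops = [] if hops is None else hops
        hops.append(self.name)
        prefix = identifier.split("/", 1)[0]
        if prefix == self.prefix:
            return self.records.get(identifier), hops     # None if nothing was registered
        best = None
        for child_prefix, child in self.children.items():
            if prefix == child_prefix or prefix.startswith(child_prefix + "."):
                if best is None or len(child_prefix) > len(best.prefix):
                    best = child                            # longest matching delegation wins
        if best is None:
            return None, hops                               # no delegation covers this prefix
        return best.resolve(identifier, hops)


class PublicRecursiveNode:
    """Resolves on behalf of consumers, starting at the national top-level node, caching answers."""

    def __init__(self, top):
        self.top, self.cache = top, {}

    def resolve(self, identifier):
        if identifier not in self.cache:
            self.cache[identifier] = self.top.resolve(identifier)
        return self.cache[identifier]


def build_demo_system():
    """Constructed three-level hierarchy with two registered identifiers."""
    top = ResolutionNode("national-top-level", "CN")
    sec = ResolutionNode("secondary-node-01", "CN.SEC01")
    ent = ResolutionNode("enterprise-node-42", "CN.SEC01.ENT42")
    top.delegate(sec)
    sec.delegate(ent)
    ent.register("CN.SEC01.ENT42/device-0001",
                 {"type": "device", "owner": "Example Manufacturing", "design_doc": "doc-17"})
    sec.register("CN.SEC01/industry-spec-v1", {"type": "standard", "title": "industry data format"})
    return top
```

Resolution stops with None both when no delegation covers the prefix and when the owning node has no record for the identifier; the list of visited nodes makes the two cases distinguishable, which is what a consumer needs in order to tell a wrong identifier from a missing registration.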
S5, computing over the shared information with the process model and the role control model to obtain a resource information set.
Specifically, in this embodiment, as shown in FIG. 5:
First, a resource calculation engine is established. It comprises user validity verification, intelligent search and ranking, data processing and the like: the accessing enterprise user is verified; information is then searched and ranked according to the process nodes and association relations of the process model, using the process model and the role control model the user has subscribed to; and the data is processed according to the role control model so that only the information resources the user is authorized for are returned.
The resource calculation engine calls the role control model to check the validity of the accessing enterprise user. If the check passes, information resource calculation is performed on the shared information; if it fails, abnormal information is returned.
The information resource data of the related enterprises is obtained according to the identity roles of the accessing enterprise user by calling the process model and the role control model. If the acquisition succeeds, the authentication flow in the role control model continues; if it fails, abnormal information is returned to the business system client, which at the same time forbids the enterprise user from performing the related operations so as to ensure the security of the system.
After the enterprise user has successfully obtained the data set, the data set and the role control model are passed together as parameters to the calculation, and finally a result of set type is obtained and returned to the enterprise user, completing the cross-domain multi-source information management. The data set is the set of metadata corresponding to a number of process nodes, calculated from the identity roles of the accessing enterprise user and the process model. Each user has different roles and a different subscribed process, so the data set differs accordingly.
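S1 (process nodes, metadata and association relations), S2 (the role control model with centralized and hierarchical authorization) and S5 (the resource calculation engine) fit together in one added example; it is not code from the patent. The process model stores nodes with their metadata and supports an association query over the defined relations; the role control model is RBAC with role inheritance over nodes and metadata fields; the resource calculation engine rejects users with no roles or without a subscription to the process model, walks the associated nodes, and returns only the fields the user's roles are granted. The device life-cycle nodes, the roles manufacturer and service-provider, the users and the sample records are constructed for illustration.

```python
# Added example covering S1 (process model), S2 (role control model) and S5 (resource
# calculation); not code from the patent. Nodes, roles, users and records are constructed.
class ProcessModel:
    """S1: process nodes with metadata (S101/S102) and association relations (S103)."""
    def __init__(self, name):
        self.name = name
        self.nodes = {}          # node name -> metadata: {field name -> field type}
        self.associations = []   # (source node, target node, relation)

    def add_node(self, name, metadata):
        self.nodes[name] = dict(metadata)

    def associate(self, src, dst, relation):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError("nodes must be defined before they are associated")
        self.associations.append((src, dst, relation))

    def related(self, start):
        """Association query: every node reachable from `start` along the associations."""
        seen, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(dst for src, dst, _ in self.associations if src == node)
        return seen


class RoleControlModel:
    """S2: RBAC over nodes and metadata fields; role inheritance gives hierarchical authorization."""
    def __init__(self):
        self.parents = {}      # role -> roles it inherits from
        self.grants = {}       # role -> {node name -> set of field names, "*" meaning all}
        self.user_roles = {}   # user -> directly assigned roles

    def define_role(self, role, inherits=()):
        self.parents[role] = list(inherits)
        self.grants.setdefault(role, {})

    def grant(self, role, node, fields=("*",)):
        self.grants.setdefault(role, {}).setdefault(node, set()).update(fields)

    def assign(self, user, *roles):
        self.user_roles.setdefault(user, set()).update(roles)

    def effective_roles(self, user):
        roles, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in roles:
                roles.add(role)
                stack.extend(self.parents.get(role, ()))
        return roles

    def allowed_fields(self, user, node):
        allowed = set()
        for role in self.effective_roles(user):
            allowed |= self.grants.get(role, {}).get(node, set())
        return allowed


class ResourceCalculationEngine:
    """S5: validate the user, walk the subscribed process model, return only authorized data."""
    def __init__(self, model, rbac, subscriptions):
        self.model, self.rbac, self.subscriptions = model, rbac, subscriptions

    def calculate(self, user, start_node, shared_info):
        if not self.rbac.effective_roles(user):
            return {"error": "invalid user"}   # validity check failed: abnormal information
        if self.model.name not in self.subscriptions.get(user, set()):
            return {"error": "process model not subscribed"}
        result = {}
        for name in self.model.related(start_node):
            allowed = self.rbac.allowed_fields(user, name)
            if not allowed:
                continue   # node not granted to any of the user's roles: omitted entirely
            metadata = set(self.model.nodes[name])   # only declared metadata fields are returned
            fields = metadata if "*" in allowed else allowed & metadata
            result[name] = [{k: v for k, v in rec.items() if k in fields}
                            for rec in shared_info.get(name, [])]
        return result


def build_demo():
    pm = ProcessModel("device-lifecycle")   # constructed device life-cycle model
    pm.add_node("design", {"drawing_id": "str", "tolerance": "float"})
    pm.add_node("production", {"batch": "str", "yield": "float"})
    pm.add_node("maintenance", {"ticket": "str", "fault_code": "str"})
    pm.associate("design", "production", "produces")
    pm.associate("production", "maintenance", "serviced-by")
    rbac = RoleControlModel()
    rbac.define_role("service-provider")
    rbac.define_role("manufacturer", inherits=["service-provider"])   # hierarchical authorization
    rbac.grant("service-provider", "maintenance")
    rbac.grant("service-provider", "production", fields=["batch"])    # batch only, no yield figures
    rbac.grant("manufacturer", "design")
    rbac.grant("manufacturer", "production")
    rbac.assign("svc@example", "service-provider")
    rbac.assign("mfg@example", "manufacturer")
    shared = {   # constructed stand-in for the shared information produced in S4
        "design": [{"drawing_id": "D-17", "tolerance": 0.01}],
        "production": [{"batch": "B-2024-01", "yield": 0.97}],
        "maintenance": [{"ticket": "T-9", "fault_code": "E42"}],
    }
    return pm, rbac, shared
```

The service provider sees maintenance records in full, production records reduced to the batch field, and nothing from design; the manufacturer inherits those grants and adds its own, so it sees everything. A node that no role of the user covers is left out of the result rather than returned empty, and a record field that is not declared in the node's metadata is never returned even under a wildcard grant.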
Embodiment two
A cross-domain multi-source information access control system based on a process engine comprises a process engine module, a permission engine module, a unified authentication module, an identifier tool module and a resource calculation engine module;
the process engine module is used to establish the process model;
the permission engine module is used to provide information authorization;
the unified authentication module is used for centralized account management;
the identifier tool module is used to realize cross-industry, cross-region and cross-country information sharing;
the resource calculation engine module is used to check the validity of a visitor's identity.
The process engine module establishes the process model according to industry or product standard specifications.
The permission engine module takes resource management of the system as its core and uses role-based access control to support centralized and hierarchical authorization.
The resource calculation engine module checks the visitor's identity by calling the role control model.
The foregoing illustrates and describes the principles, general features, and advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (8)

1. A cross-domain multi-source information access control method based on a process engine, characterized by comprising the following steps:
S1, establishing a process engine, and formulating standard specifications on the process engine to obtain a process model;
S2, establishing a permission engine, and constructing a role control model on the process model;
S3, establishing a unified authentication platform, authenticating a role identity against the process model, and obtaining the shared resource information of that role identity in the process model;
S4, obtaining shared information from the shared resource information by identifier resolution;
S5, computing over the shared information with the process model and the role control model to obtain a resource information set.
2. The process-engine-based cross-domain multi-source information access control method of claim 1, wherein constructing the process model comprises:
S101, defining process nodes, a process node being an activity in the process;
S102, defining the metadata of all process nodes;
S103, defining association relations, and describing the relations between the information objects of the process nodes with those associations so as to support association queries, thereby obtaining the process model.
3. The process-engine-based cross-domain multi-source information access control method of claim 1, wherein the role control model takes resource management of the system as its core and uses role-based access control to support centralized authorization and hierarchical authorization.
4. The process-engine-based cross-domain multi-source information access control method of claim 1, wherein the identifier resolution technology comprises identifier registration and identifier resolution.
5. A cross-domain multi-source information access control system based on a process engine, characterized by comprising a process engine module, a permission engine module, a unified authentication module, an identifier tool module and a resource calculation engine module;
the process engine module is used to establish the process model;
the permission engine module is used to provide information authorization;
the unified authentication module is used for centralized account management;
the identifier tool module is used to realize cross-industry, cross-region and cross-country information sharing;
the resource calculation engine module is used to check the validity of a visitor's identity.
6. The process-engine-based cross-domain multi-source information access control system of claim 5, wherein the process engine module builds the process model according to industry or product standard specifications.
7. The process-engine-based cross-domain multi-source information access control system of claim 5, wherein the permission engine module takes resource management of the system as its core and uses role-based access control to support centralized authorization and hierarchical authorization.
8. The process-engine-based cross-domain multi-source information access control system of claim 5, wherein the resource calculation engine module checks the visitor's identity by calling the role control model.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210494218.1A CN114969809A (en) 2022-05-07 2022-05-07 Cross-domain multi-source information access control method and system based on process engine

Publications (1)

Publication Number Publication Date
CN114969809A true CN114969809A (en) 2022-08-30

Family

ID=82982289

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117892206A (en) * 2024-03-15 2024-04-16 深圳市志奋领科技有限公司 Method and device for managing moisture content measurement model, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106874461A (en) * 2017-02-14 2017-06-20 北京慧正通软科技有限公司 A kind of workflow engine supports multi-data source configuration security access system and method
CN106897810A (en) * 2015-12-17 2017-06-27 北京奇虎科技有限公司 Method for processing business and system, workflow engine and system, operation system
CN112699089A (en) * 2021-03-23 2021-04-23 中国信息通信研究院 Data sharing system, data sharing method and device
CN112989313A (en) * 2021-01-14 2021-06-18 国网上海市电力公司 Identification registration method and device, electronic equipment and storage medium
CN114449010A (en) * 2021-12-15 2022-05-06 国网电动汽车服务有限公司 Car pile network interaction system and method based on industrial internet identification analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
严俊兰: "Design and Implementation of a Business Collaboration Platform for Social Security ***" *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination