TWI663556B - Resource authorization control system and method with fee splitting function - Google Patents


Publication number: TWI663556B
Authority: TW (Taiwan)
Application number: TW107103222A
Other languages: Chinese (zh)
Other versions: TW201933201A (en)
Inventors: 林昱安, 吳俊宏, 黃耀德
Original assignee: 中華電信股份有限公司

Abstract

The invention discloses a resource authorization control system and method with a fee-splitting function. The method includes: creating sub-accounts under a user's main account and authenticating each sub-account so that, once authenticated, the sub-account can log in to a cloud system that provides resources; creating, modifying or deleting the resource rules used for sub-account permission management in response to the main account or a sub-account requesting, changing or releasing cloud-system resources, and generating access permissions for those resources from the resource rules; and associating sub-accounts with access permissions by adding the sub-accounts to a permission group that binds them to their access permissions, and then splitting out each sub-account's bill according to that sub-account's use of resources within a billing group. The invention thereby provides both resource authorization control and bill splitting, which improves the efficiency of resource authorization control.

Description

Resource authorization control system and method with fee-splitting function

The present invention relates to resource authorization control technology, and in particular to a resource authorization control system and method with a fee-splitting function.

A typical cloud system has only a permission-control mechanism that does not cover resource-level permissions, so effective resource authorization control is hard to achieve. Moreover, after a user's main account and sub-accounts have consumed cloud-system resources, the bills of the main account and of the sub-accounts cannot be separated, so it is difficult for the main account to charge its sub-accounts on the basis of split bills.

For example, one prior-art permission-control method compares permission rules against a user identifier and the resource identifier carried in a service request in order to decide whether to accept the request. Another prior-art access-permission filtering mechanism compares permission rules against the function a network request executes and the resources it accesses in order to decide whether to accept the request. None of these prior approaches, however, provides resource authorization control and bill splitting at the same time.

How to overcome these shortcomings of the prior art has therefore become a major problem for those skilled in the field.

The present invention provides a resource authorization control system and method with a fee-splitting function that offers resource authorization control and bill splitting at the same time, thereby improving the efficiency of resource authorization control.

The resource authorization control system with fee-splitting function of the present invention includes: a user management module that creates one or more sub-accounts of a main account and authenticates the sub-accounts so that an authenticated sub-account can log in to a cloud system that provides resources; a permission management module that, in step with the main account or a sub-account requesting, changing or releasing cloud-system resources, creates, modifies or deletes the resource rules used for sub-account permission management and generates access permissions to the cloud system's resources from those rules; and a group management module, having permission groups and billing groups, that associates or links sub-accounts with the access permissions of the corresponding resources, adds the sub-accounts to a permission group to bind them to those access permissions, and then splits out each sub-account's bill according to the sub-account's use of cloud-system resources within its billing group.

The resource authorization control method with fee-splitting function of the present invention includes: creating one or more sub-accounts of a main account and authenticating them so that an authenticated sub-account can log in to a cloud system that provides resources; creating, modifying or deleting, in step with the main account or a sub-account requesting, changing or releasing cloud-system resources, the resource rules used for sub-account permission management, and generating resource access permissions from those rules; and associating or linking sub-accounts with the access permissions of the corresponding resources, adding the sub-accounts to a permission group to bind them to those access permissions, and then splitting out each sub-account's bill according to the sub-account's use of cloud-system resources within its billing group.

To make the above features and advantages of the present invention easier to understand, embodiments are described in detail below with reference to the accompanying drawings. Additional features and advantages of the invention are set out in part in the description that follows, are in part apparent from that description, or may be learned by practising the invention. The features and advantages of the invention are realised and attained by means of the elements and combinations particularly pointed out in the claims. It should be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not intended to limit the scope of the invention as claimed.

Reference numerals:

1: resource authorization control system with fee-splitting function
10: user management module
20: permission management module
21: permission management unit
30: group management module
40: cloud system
50: application programming interface (API)
A: main account
B: sub-account
C: access permission
D1: permission group
D2: billing group
E1: function rule
E2: resource rule
F: resource
P1, P2, P2': procedures
S11 to S12, S21 to S24: steps
S31 to S35, S41 to S43: steps

FIG. 1 is a schematic diagram of the account permission setting method in the resource authorization control system with fee-splitting function of the present invention; FIG. 2 is a schematic diagram of the account permission control method in that system; FIG. 3 is a schematic diagram of how permissions are filtered when a sub-account queries virtual machines in that system; FIG. 4 is a schematic diagram of the permission rules that make up an access permission in that system; FIG. 5 is a schematic diagram of the group management module in that system; FIGS. 6A to 6C are flow charts of creating, enabling and deleting resource rules in the resource authorization control method with fee-splitting function of the present invention; and FIG. 7 is a flow chart of the resource authorization control method with fee-splitting function of the present invention.

The following describes embodiments of the present invention by way of specific implementations. Those familiar with the art can readily understand other advantages and effects of the invention from the content disclosed in this specification, and the invention may also be carried out or applied through other, different implementations.

The invention strengthens the permission-control mechanism for main accounts and sub-accounts in a cloud system (cloud service) and manages both the permissions on cloud-system resources and the associated billing, so that the main account can partition sub-account permissions more strictly.

The invention brings both the service functions and the resources of the cloud system under the permission-control mechanism for main and sub-accounts. The permission management module applies a two-level filtering mechanism, so that sub-accounts holding the same service-function permissions can still be given access to different resources; the cloud system does not expose the resources of other sub-accounts, permission settings stay flexible, and personal data remains private.

The invention can split fees down to the sub-account that uses a resource. For a resource shared by several people, once the system has been configured with the sub-account to be billed, the main account can track each sub-account's resource usage and charge it accordingly.

The invention provides a flexible resource authorization control mechanism that supports bill splitting and covers both the function and the resource dimension, meeting the needs of large enterprises with a fine division of labour, service agents and service resellers.

The resource authorization control system with fee-splitting function of the present invention may include: a user management module that lets a user create one or more sub-accounts of a main account and authenticates the sub-accounts so that an authenticated sub-account can log in to a cloud system that provides resources; a permission management module that, in step with the main account or a sub-account requesting, changing or releasing cloud-system resources, creates, modifies or deletes the resource rules used for sub-account permission management and generates access permissions to the cloud system's resources from those rules; and a group management module, having permission groups and billing groups, that associates or links sub-accounts with the access permissions of the corresponding resources, adds the sub-accounts to a permission group to bind them to those access permissions, and then splits out each sub-account's bill according to the sub-account's use of cloud-system resources within its billing group. In the present invention, the cloud system's resources are all the services the cloud system offers for subscription.

FIG. 1 is a schematic diagram of the account permission setting method in the resource authorization control system 1 with fee-splitting function of the present invention. As shown, the permission-control mechanism for shared cloud accounts has two main aspects: how account permissions are set, and how account permissions are enforced.

To set account permissions, the user's main account A first creates one or more (for example two or more) sub-accounts B of main account A through user management module 10, and creates the access permissions C of those sub-accounts B through permission management module 20, thereby setting the sub-accounts' access permissions on the resources of cloud system 40 and their operation permissions for various actions. Then a permission group D1 for the sub-accounts B is created through group management module 30, the sub-accounts B are associated or linked with their access permissions C, and the sub-accounts B are added to permission group D1 to complete the binding between the sub-accounts B and their access permissions C, so that each sub-account B holds some or all of the access permissions C of main account A and can access the corresponding cloud services (resources of cloud system 40).

FIG. 2 is a schematic diagram of the account permission control method in the resource authorization control system 1 with fee-splitting function of the present invention; for the reference numerals of some elements, see the description of FIG. 1.

As shown in FIG. 2, a sub-account B is authenticated through user management module 10. If authentication fails, sub-account B cannot log in to cloud system 40, which provides the resources; if authentication succeeds, sub-account B can log in to cloud system 40. Once sub-account B is authenticated, its operations in cloud system 40 are subjected to access-permission C control (see FIG. 1) through, for example, a Spring AOP (aspect-oriented programming) mechanism. The resources of cloud system 40 may be virtual machines (VMs) or storage space provided by cloud system 40, but are not limited to these.

When cloud system 40 calls a controlled application programming interface (API) 50, API 50 notifies permission management module 20 (permission management unit 21). Permission management module 20 (permission management unit 21) obtains the access permission C of sub-account B through group management module 30 and performs a first round of rule comparison, using regular expressions, between sub-account B and the identifiers of the API 50 and resources that cloud system 40 called.

As shown by procedure P1 in FIG. 2, if the result of the first round of rule comparison is "deny", permission management module 20 (permission management unit 21) refuses to call (refuses to execute) API 50 or the resource specified by API 50, and returns a "call denied" or "execution denied" message to cloud system 40 through API 50, so that cloud system 40 responds that sub-account B has no access permission C for API 50. Conversely, if the result of the first round of rule comparison is "allow", execution of API 50 begins.

As shown by procedure P2 in FIG. 2, when API 50 finishes executing, permission management module 20 (permission management unit 21) decides, according to the type of API 50, whether to perform a second round of rule comparison. If API 50 explicitly specifies a resource, for example changing, deleting or querying a specified virtual machine (VM), the execution result is returned directly to cloud system 40 when API 50 completes.

More specifically, in procedure P2, if permission management module 20 (permission management unit 21) determines that API 50 is of the resource-list query type (for example, querying all virtual machines), it builds a resource list (for example a VM list) from the resources returned by the query and performs a second round of rule comparison for sub-account B: the resources returned by the query are compared against the access permission C of sub-account B, the resources that may not be accessed are filtered out of the list according to the comparison result, and the filtered resource list is returned to cloud system 40. Conversely, if permission management module 20 (permission management unit 21) determines that API 50 is not a resource-list query, the execution result of API 50 is returned to cloud system 40 as it is.

Through this two-round (first and second round) filtering and control mechanism, sub-account B can only operate the services and resources of cloud system 40 within the scope of its access permission C, and cloud system 40 does not reveal resources that sub-account B is not authorized to access.

FIG. 3 is a schematic diagram of how permissions are filtered when a sub-account queries virtual machines in the resource authorization control system 1 and method with fee-splitting function of the present invention; for the reference numerals of some elements, see the description of FIG. 4.

As shown in FIG. 3, when sub-account B (for example, account AAA) queries all virtual machines (VMs), cloud system 40 calls the controlled API 50 (here listVM), and permission management module 20 (permission management unit 21) looks up, from group management module 30 and keyed by sub-account B (AAA), the access permission C associated with that sub-account (comprising the function rules E1 and resource rules E2 of FIG. 4).

Next, permission management module 20 (permission management unit 21) checks whether sub-account B is permitted to execute API 50 (listVM). It first compares the API (listVM) against the deny-type function rules E1 to find any function rule E1 that denies sub-account B access, and then compares the API (listVM) against the allow-type function rules E1 to find the function rule E1 that allows sub-account B access. In this embodiment the parameters of the API (listVM) are assumed not to specify a resource, so the resource rules E2 need not be compared; if the parameters of API 50 did specify a resource, the resource rules E2 would have to be compared as well.

When the function-rule E1 comparison allows access, cloud system 40 begins executing the work of API 50 (listVM). When the API (listVM) finishes, it returns a VM list based on the execution result. At this point the type of API 50 (listVM) determines whether a second round of rule comparison is performed. Because listVM is a resource-list query API that specifies no resource, the returned VM list may contain VMs that sub-account B (AAA) is not authorized to access, so the VM list is compared against the access permission C of sub-account B (AAA) in a second round of rule comparison (see procedure P2').

Because the permission comparison for a resource list cannot be done in a single step, the resource identifier of each VM in the VM list is taken in turn and compared against access permission C. If the rule comparison matches, the VM is kept in the list; if it does not match, the VM is filtered out of (removed from) the list. Permission management unit 21 then has a filtered VM list, which is presented or displayed through cloud system 40 on the screen of sub-account B (AAA).

FIG. 4 is a schematic diagram of the permission rules that make up an access permission in the resource authorization control system 1 with fee-splitting function of the present invention; for the reference numerals of some elements, see the descriptions of FIGS. 1 and 2.

As shown in FIG. 4, to make permission settings more flexible and achieve precise permission partitioning, the permission rules of an access permission C are divided into two types: function rules E1 and resource rules E2.

Function rules E1 correspond to the APIs 50 (see FIG. 2) called by services and cover all services on cloud system 40. For the convenience of the user (main account A or sub-account B of FIG. 1), they are grouped by the user's operations into four categories: request, change, delete and query, and a single function rule E1 may cover several API 50 names. For example, the APIs used by "query virtual machine" are list all virtual machines (listVM) and query a single virtual machine (getVMbyId).

Resource rules E2 correspond to the resources currently in use by main account A. Cloud system 40 automatically creates or deletes the corresponding resource rule E2 when the user requests or deletes a resource, and resource rules E2 have a one-to-one relationship with resources.

Main account A selects the allowed and denied permission rules (function rules E1 and resource rules E2) through permission management module 20; any permission rule not selected is treated as denied. The selected permission rules form an access permission C and are stored in its two blocks, "allow" and "deny". When permission management module 20 (permission management unit 21) performs rule comparison, it can thus efficiently compare the "deny" rules first and then the "allow" rules. A completed access permission C can serve as a permission template that main account A then applies to individual sub-accounts B or permission groups D1, saving the user (main account A) the time of setting access permissions C for a large number of sub-accounts B or permission groups D1.
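The following added example (not code from the patent or from the assignee) models the two-round check of FIGS. 2 and 3 together with the "deny"-then-"allow" rule blocks of FIG. 4: function rules E1 are regular expressions over API names, resource rules E2 are regular expressions over resource identifiers, and list-type APIs get a per-item second-round filter. The API names, VM identifiers and the set of list-type APIs are constructed for the example.

```python
import re
from dataclasses import dataclass, field


# Constructed model of an access permission C: function rules E1 over API names and
# resource rules E2 over resource identifiers, each split into a "deny" block and an
# "allow" block. Patterns are regular expressions; anything not allowed is denied.
@dataclass
class AccessPermission:
    deny_functions: list = field(default_factory=list)
    allow_functions: list = field(default_factory=list)
    deny_resources: list = field(default_factory=list)
    allow_resources: list = field(default_factory=list)

    @staticmethod
    def _decide(deny, allow, value):
        # The deny block is compared first, then the allow block; no match means deny.
        if any(re.fullmatch(p, value) for p in deny):
            return False
        return any(re.fullmatch(p, value) for p in allow)

    def permits_function(self, api_name):
        return self._decide(self.deny_functions, self.allow_functions, api_name)

    def permits_resource(self, resource_id):
        return self._decide(self.deny_resources, self.allow_resources, resource_id)


# Assumed for this example: the controlled APIs of the "query resource list" class
# whose result needs the second-round filter (procedure P2').
LIST_APIS = {"listVM"}


def call_controlled_api(perm, api_name, backend, resource_id=None):
    """Run one controlled API call under the two-round check.

    First round (procedure P1): function rules E1 against the API name and, when the
    call names a resource, resource rules E2 against that identifier. Second round
    (procedure P2'): for list-type APIs, each returned identifier is filtered through
    the resource rules. Returns ("denied", None) or ("ok", result).
    """
    if not perm.permits_function(api_name):
        return "denied", None
    if resource_id is not None and not perm.permits_resource(resource_id):
        return "denied", None
    result = backend(api_name, resource_id)
    if api_name in LIST_APIS:
        result = [rid for rid in result if perm.permits_resource(rid)]
    return "ok", result


# Constructed stand-in for cloud system 40: every VM that exists under main account A,
# including one (vm-2001) that belongs to a different sub-account.
ALL_VMS = ["vm-1001", "vm-1002", "vm-1003", "vm-2001"]


def fake_backend(api_name, resource_id):
    if api_name == "listVM":
        return list(ALL_VMS)
    if api_name in ("getVMbyId", "deleteVM"):
        return {"id": resource_id, "status": "ok"}
    raise ValueError("unknown API " + api_name)


# Constructed access permission C for sub-account AAA: it may query VMs but not delete
# them, and may see the vm-10xx resources except vm-1002; vm-2001 never matches.
AAA = AccessPermission(
    deny_functions=[r"deleteVM"],
    allow_functions=[r"listVM", r"getVMbyId"],
    deny_resources=[r"vm-1002"],
    allow_resources=[r"vm-10\d\d"],
)


def demo():
    return {
        "list": call_controlled_api(AAA, "listVM", fake_backend),
        "get_allowed": call_controlled_api(AAA, "getVMbyId", fake_backend, "vm-1001"),
        "get_denied": call_controlled_api(AAA, "getVMbyId", fake_backend, "vm-2001"),
        "delete": call_controlled_api(AAA, "deleteVM", fake_backend, "vm-1001"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The listVM call shows the point of the second round: the backend returns all four VMs, but the sub-account only ever sees the two it is allowed to access.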

FIG. 5 is a schematic diagram of group management module 30 in the resource authorization control system 1 with fee-splitting function of the present invention; for the reference numerals of some elements, see the descriptions of FIGS. 1 and 2.

As shown in FIG. 5, from the point of view of cloud system 40 (see FIG. 2) all sub-accounts B belong to main account A (see FIG. 1), so billing charges are concentrated on main account A; for main account A, however, it is then hard to track how its resources F are being used by its sub-accounts B. Group management module 30 therefore provides or supports billing groups D2 and permission groups D1.

A billing group D2 is used to create or manage the billing of a resource F to a sub-account B. After billing group D2 is created, one sub-account B is designated as the responsible party of billing group D2, and the resources F whose fees that responsible party must pay are added to the group. To avoid double counting of fees, a resource F has a one-to-one relationship with a billing group D2.

Because a resource F may be shared by several sub-accounts B, a billing group D2 is bound to only one sub-account B, and the fee for resource F is charged entirely to that sub-account B. When cloud system 40 receives the charges on main account A's bill, it can allocate each charge to the corresponding sub-account B according to the billing group D2 to which resource F belongs. Alternatively, individual fees can be computed by cloud system 40 from each sub-account B's actual usage time.

A permission group D1 links sub-accounts B with access permissions C. When permission group D1 is created it can be associated with access permissions C; further access permissions C can be added to permission group D1 later, individual special permissions can be added, or an access permission C can be bound directly to a sub-account B. The permissions of a sub-account B are then the union of the permissions of its permission group D1 and its individual access permissions C. Sub-accounts B, permission groups D1 and access permissions C are all in many-to-many relationships, giving flexibility and convenience in permission settings.

In addition, the scenarios that account group D2 addresses fall into two modes, for example a sublessor (reseller) mode and a departmental budget management mode.

For example, in the sublessor mode main account A acts as an agent for the services of cloud system 40 and opens one or more sub-accounts B for each of its own customers. Because each sub-account B is a separate, independent user, no resource sharing occurs; splitting the charges on main account A's bill only requires determining which sub-account B a resource belongs to, after which the charges can be split between main account A and sub-account B.

In the departmental budget management mode, main account A is the company's representative account, the sub-accounts B are the accounts of the company's departments, and the resources each department may access depend on its work. Departments sometimes cooperate, however, so the same resource may be used by several departments at once, and its charges cannot be split simply by the sub-account B under main account A to which it belongs. The responsible-party design of account group D2 is therefore used to avoid double counting of charges.

In both modes, for accurate fee splitting, group management module 30 must record the time interval during which each sub-account B was authorized as the responsible party of the account group D2 to which a resource belongs; at settlement, the charges are split in proportion to the time intervals during which each sub-account was permitted to access the resource. For example, if sub-account B is the responsible party of account group D2 and main account A changes the responsible party of account group D2 to another sub-account B on the 10th of the month, then when the charges are split at month end the former responsible party bears 1/3 of the cost and the new responsible party bears 2/3.
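The time-proportional split described above, as an added example that is not code from the patent: `split_by_responsibility` and the record shape `(sub_account, start, end)` are assumptions, and the sample uses a 30-day month with the handover taking effect at the end of the 10th, which reproduces the 1/3 and 2/3 shares in the text. Overlapping records are rejected because one account group has exactly one responsible party at a time, so an overlap would double count.

```python
"""Fee splitting by responsible-party time interval (added example, not code
from the patent; function and record names are assumptions)."""
from datetime import datetime
from fractions import Fraction
from typing import Dict, List, Tuple

# Responsibility record the group management module is assumed to keep:
# (sub_account, start, end) with end exclusive, one record per change of the
# account group's responsible party.
Interval = Tuple[str, datetime, datetime]


def split_by_responsibility(
    fee: Fraction,
    intervals: List[Interval],
    period_start: datetime,
    period_end: datetime,
) -> Dict[str, Fraction]:
    """Return each sub-account's share of `fee` for one billing period.

    A sub-account is charged in proportion to the time it was the responsible
    party within [period_start, period_end). Records are clipped to the period
    and a sub-account that held the role more than once has its time summed.
    Because a resource belongs to exactly one account group with one responsible
    party at a time, overlapping records mean double counting and are rejected.
    """
    period_seconds = int((period_end - period_start).total_seconds())
    if period_seconds <= 0:
        raise ValueError("billing period is empty")
    ordered = sorted(intervals, key=lambda rec: rec[1])
    for earlier, later in zip(ordered, ordered[1:]):
        if later[1] < earlier[2]:
            raise ValueError(
                f"overlapping responsibility: {earlier[0]} and {later[0]}"
            )
    shares: Dict[str, Fraction] = {}
    for sub_account, start, end in ordered:
        held_start = max(start, period_start)
        held_end = min(end, period_end)
        held_seconds = int((held_end - held_start).total_seconds())
        if held_seconds <= 0:
            continue  # record lies entirely outside this billing period
        share = fee * Fraction(held_seconds, period_seconds)
        shares[sub_account] = shares.get(sub_account, Fraction(0)) + share
    return shares


def sample_june_split() -> Dict[str, Fraction]:
    """Constructed sample: June 2018 (30 days); the main account moves the
    responsible party from dept-a to dept-b at the end of the 10th, so dept-a
    bears 1/3 of a charge of 900 and dept-b bears 2/3."""
    june, july = datetime(2018, 6, 1), datetime(2018, 7, 1)
    handover = datetime(2018, 6, 11)
    records = [("dept-a", june, handover), ("dept-b", handover, july)]
    return split_by_responsibility(Fraction(900), records, june, july)


if __name__ == "__main__":
    for account, share in sample_june_split().items():
        print(account, share)  # dept-a 300, dept-b 600
```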

Figures 6A to 6C are flow diagrams of creating, enabling and deleting resource rules, respectively, in the resource permission control method with fee splitting of the present invention; for the reference numerals see the descriptions of Figures 1, 2 and 5.

As shown in Figure 6A, in step S11 main account A or sub-account B (see Figure 1) applies for resource F (see Figure 5). In step S12, a corresponding resource rule E2 is created for the resource F applied for by main account A or sub-account B, and the applicant is recorded as main account A or sub-account B. At this point, because provisioning of resource F is not yet complete, resource F is not yet exposed as an object that sub-account B can access, and the status of resource rule E2 is unavailable. Furthermore, because resource F has not yet been brought under permission control, only main account A, which is not subject to permission control, and the sub-account B that applied for resource F can see in cloud system 40 (see Figure 2) that resource F is being provisioned.

As shown in Figure 6B, in step S21 provisioning of resource F is completed. In step S22, cloud system 40 enables resource rule E2, that is, changes its status to available, indicating that resource F is now under permission control. In step S23, because access to resource F requires the corresponding permission, it must be determined whether the applicant is main account A or sub-account B; if the applicant is main account A, the flow ends directly. In step S24, if the applicant is sub-account B, access permission C is obtained through the permission group D1 to which sub-account B belongs, and sub-account B's access permission C is added to resource rule E2 so that sub-account B can access resource F.

As shown in Figure 6C, in step S31, when resource F in cloud system 40 is deleted, cloud system 40 cannot simply delete the corresponding resource rule E2, because resource rule E2 may be present in the access permissions C of several sub-accounts B; yet if it is not deleted, an accumulation of useless resource rules E2 degrades the performance of rule matching. Therefore, in step S32, all access permissions C under the main account A to which resource F belongs are retrieved, and in step S33 the rule list of each access permission C is checked for this resource rule E2. If resource rule E2 is not present, the flow proceeds to step S35 and deletes resource rule E2; if it is present, the flow proceeds to step S34 and removes resource rule E2 from the rule list of that access permission C. That is, resource rule E2 is deleted only once it no longer exists in any access permission C.
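The rule lifecycle of Figures 6A to 6C in one place, as an added example rather than the patent's own code: `PermissionStore`, its method names and the per-sub-account `AccessPermission` are assumptions, and `grant_via_group` stands in for the permission group D1 lookup of step S24. The point it shows is that a rule starts unavailable, becomes reachable only after provisioning, and on deletion is stripped from every access permission before the rule itself goes.

```python
"""Resource rule lifecycle of Figures 6A to 6C: a rule is created unavailable
when a resource is applied for (S12), enabled and granted once provisioning
completes (S22 to S24), and deleted only after it has been removed from every
access permission under the main account (S32 to S35). Added example, not the
patent's code; class and method names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class AccessPermission:
    """Access permission C of one sub-account: its list of resource rules."""
    sub_account: str
    rule_list: Set[str] = field(default_factory=set)   # resource identifiers


@dataclass
class ResourceRule:
    """Resource rule E2, one-to-one with a resource."""
    resource_id: str
    applicant: str           # main account or sub-account that applied for it
    available: bool = False  # unavailable until the resource is provisioned


@dataclass
class PermissionStore:
    """Rules and access permissions under one main account (assumed store)."""
    main_account: str
    rules: Dict[str, ResourceRule] = field(default_factory=dict)
    permissions: Dict[str, AccessPermission] = field(default_factory=dict)

    def apply_for_resource(self, applicant: str, resource_id: str) -> ResourceRule:
        """S11, S12: create the rule and record the applicant; the resource is
        not yet exposed to any sub-account, so the rule starts unavailable."""
        if resource_id in self.rules:
            raise ValueError(f"resource rule for {resource_id} already exists")
        rule = ResourceRule(resource_id=resource_id, applicant=applicant)
        self.rules[resource_id] = rule
        return rule

    def provisioning_complete(self, resource_id: str) -> None:
        """S21 to S24: enable the rule; if the applicant was a sub-account,
        add the rule to that sub-account's access permission."""
        rule = self.rules[resource_id]
        rule.available = True                  # S22
        if rule.applicant == self.main_account:
            return                             # S23: main account is not subject to control
        self.grant_via_group(rule.applicant, resource_id)  # S24

    def grant_via_group(self, sub_account: str, resource_id: str) -> None:
        """Add the rule to a sub-account's access permission (stands in for the
        permission group D1 lookup). Refused while the rule is unavailable."""
        rule = self.rules[resource_id]
        if not rule.available:
            raise ValueError(f"{resource_id} is still being provisioned")
        perm = self.permissions.setdefault(sub_account, AccessPermission(sub_account))
        perm.rule_list.add(resource_id)

    def can_access(self, sub_account: str, resource_id: str) -> bool:
        """Rule match for one (sub-account, resource) pair."""
        rule = self.rules.get(resource_id)
        if rule is None or not rule.available:
            return False
        perm = self.permissions.get(sub_account)
        return perm is not None and resource_id in perm.rule_list

    def delete_resource(self, resource_id: str) -> int:
        """S31 to S35: walk every access permission under the main account,
        remove the rule where present, then delete the rule itself. Returns
        how many access permissions referenced it."""
        if resource_id not in self.rules:
            raise KeyError(resource_id)
        removed = 0
        for perm in self.permissions.values():      # S32
            if resource_id in perm.rule_list:       # S33
                perm.rule_list.remove(resource_id)  # S34
                removed += 1
        del self.rules[resource_id]                 # S35: nothing refers to it now
        return removed
```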

Figure 7 is a flow diagram of the resource permission control method with fee splitting of the present invention. Its main technical content is as follows; the remaining technical content is as described for Figures 1 to 6 above and is not repeated here.

In step S41 of Figure 7, one or more sub-accounts of the user's main account are created, and the sub-account is authenticated so that, upon successful authentication, the sub-account logs in to a cloud system that has resources.

In step S42 of Figure 7, according to the main account's or sub-account's actions of applying for, changing or cancelling resources of the cloud system, the resource rules used for permission management of the sub-account are synchronously created, modified or deleted, so that access permissions to the cloud system's resources are generated from the resource rules.

In step S43 of Figure 7, the sub-account is associated or linked with the access permissions of the corresponding resources, and the sub-account is added to a permission group to bind the sub-account to the access permissions of the corresponding resources; the sub-account's charges are then split according to the usage of the cloud system's resources by the sub-accounts in the account group.

In summary, the resource permission control system and method with fee splitting of the present invention provide resource permission control and fee splitting together, and have at least the following advantages or technical effects.

1. In a cloud system (cloud service), the present invention adds resource permissions to the permission control mechanism for sub-accounts of a main account, so that permissions and billing can be managed per resource.

2. The present invention provides an efficient and rigorous resource permission control mechanism for sub-accounts: through checks on API calls and filtering of resources, it ensures that a sub-account can access only the service functions and resources within the scope of its permissions, and cannot access service functions or resources outside that scope.

3. The present invention provides an account group mechanism for shared cloud system resources that automatically splits the charges on a bill, so that the main account can charge each sub-account according to the split bill.

The above embodiments merely illustrate the principles, features and effects of the present invention and are not intended to limit its scope of implementation. Anyone skilled in the art may modify and alter the above embodiments without departing from the spirit and scope of the present invention. Any equivalent changes and modifications made using the disclosure of the present invention shall still be covered by the claims. The scope of protection of the present invention shall therefore be as set out in the claims.

Claims (15)

1. A resource permission control system with fee splitting, comprising: a user management module, which creates one or more sub-accounts of a main account and authenticates the sub-account so that, when the sub-account is successfully authenticated, the sub-account logs in to a cloud system having resources; a permission management module, which, according to the main account's or the sub-account's actions of applying for, changing or cancelling resources of the cloud system, synchronously creates, modifies or deletes resource rules used for the permission management of the sub-account, so as to generate access permissions to the resources of the cloud system from the resource rules; and a group management module having a permission group and an account group, which associates or links the sub-account with the access permissions of the corresponding resources and adds the sub-account to the permission group to bind the sub-account to the access permissions of the corresponding resources, such that the group management module splits the sub-account's charges according to the usage of the cloud system's resources by the sub-account in the account group, wherein the account group is used to create or manage the billing of the sub-account holding the resource, and the resource and the account group are in a one-to-one relationship.

2. The system of claim 1, wherein the resources of the cloud system are all services offered by the cloud system that can be applied for.

3. The system of claim 1, wherein the permission management module performs rule matching based on the sub-account, the application programming interface (API) called in the cloud system and the identifier of the resource, so as to allow or deny execution of the API.

4. The system of claim 3, wherein, when the API is of the resource-list query type, the permission management module generates a resource list from the queried resources, performs a further rule match between the queried resources and the sub-account's access permissions, and filters out the resources that may not be accessed according to the result of that further match.

5. The system of claim 1, wherein, when the sub-account applies for or deletes the resource, the permission management module adds the resource rule to, or removes it from, the sub-account's access permissions.

6. The system of claim 1, wherein the permission rules of the access permissions comprise function rules and the resource rules; a function rule corresponds to an API of a service call, a resource rule corresponds to a resource in use by the main account, and the resource rule and the resource are in a one-to-one relationship.

7. The system of claim 1, wherein the permission management module first matches the API against deny function rules to obtain the function rules for which the sub-account is denied access, and then matches the API against allow function rules to obtain the function rules for which the sub-account is allowed access.

8. The system of claim 1, wherein the group management module records the time interval during which each sub-account is authorized as the responsible party of the account group to which the resource belongs, so as to split the charges in proportion to the time intervals.

9. A resource permission control method with fee splitting, comprising: creating one or more sub-accounts of a main account and authenticating the sub-account so that, when the sub-account is successfully authenticated, the sub-account logs in to a cloud system having resources; according to the main account's or the sub-account's actions of applying for, changing or cancelling resources of the cloud system, synchronously creating, modifying or deleting resource rules used for the permission management of the sub-account, so as to generate access permissions to the resources of the cloud system from the resource rules; and associating or linking, by a group management module having a permission group and an account group, the sub-account with the access permissions of the corresponding resources, and adding the sub-account to the permission group to bind the sub-account to the access permissions of the corresponding resources, such that the group management module splits the sub-account's charges according to the usage of the cloud system's resources by the sub-account in the account group, wherein the account group is used to create or manage the billing of the sub-account holding the resource, and the resource and the account group are in a one-to-one relationship.

10. The method of claim 9, further comprising performing rule matching based on the sub-account, the application programming interface (API) called in the cloud system and the identifier of the resource, so as to allow or deny execution of the API.

11. The method of claim 10, further comprising, when the API is of the resource-list query type, generating a resource list from the queried resources, performing a further rule match between the queried resources and the sub-account's access permissions, and filtering out the resources that may not be accessed according to the result of that further match.

12. The method of claim 9, further comprising, when the sub-account applies for or deletes the resource, adding the resource rule to, or removing it from, the sub-account's access permissions.

13. The method of claim 9, wherein the permission rules of the access permissions comprise function rules and the resource rules; a function rule corresponds to an API called in the cloud system, a resource rule corresponds to a resource in use by the main account, and the resource rule and the resource are in a one-to-one relationship.

14. The method of claim 9, further comprising first matching the API against deny function rules to obtain the function rules for which the sub-account is denied access, and then matching the API against allow function rules to obtain the function rules for which the sub-account is allowed access.

15. The method of claim 9, further comprising recording the time interval during which each sub-account is authorized as the responsible party of the account group to which the resource belongs, so as to split the charges in proportion to the time intervals.
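The request check of claims 3, 4, 6 and 7 worked through as an added example, not the patent's own code: the `SubAccountPermission` shape (deny and allow function rules keyed by API name, resource rules keyed by resource identifier) and the function names are assumptions. It shows the deny-before-allow order, default deny for an API with no rule, the resource-identifier match, and list filtering that still runs the function check first.

```python
"""Rule matching for an API call, as in claims 3, 4, 6 and 7: function rules
(deny checked before allow) decide whether the API may run, resource rules
decide which resource it may touch, and list-query results are filtered.
Added example, not the patent's code; data shapes and names are assumptions."""
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional, Set


@dataclass
class SubAccountPermission:
    """Access permission C of one sub-account (assumed shape). Function rules
    are keyed by API name, resource rules by resource identifier."""
    deny_apis: Set[str] = field(default_factory=set)
    allow_apis: Set[str] = field(default_factory=set)
    resource_rules: Set[str] = field(default_factory=set)


class Decision(NamedTuple):
    allowed: bool
    reason: str  # which rule decided; useful for audit logging


def match_function_rules(perm: SubAccountPermission, api: str) -> Decision:
    """Claim 7 order: deny function rules are matched first, so a deny rule
    wins over an allow rule for the same API; an API matched by neither is
    denied (default deny)."""
    if api in perm.deny_apis:
        return Decision(False, f"deny function rule: {api}")
    if api in perm.allow_apis:
        return Decision(True, f"allow function rule: {api}")
    return Decision(False, f"no function rule for {api}")


def authorize(perm: SubAccountPermission, api: str,
              resource_id: Optional[str]) -> Decision:
    """Claim 3: decide from (sub-account permission, API, resource identifier).
    resource_id is None for APIs that do not name a resource."""
    decision = match_function_rules(perm, api)
    if not decision.allowed or resource_id is None:
        return decision
    if resource_id in perm.resource_rules:
        return Decision(True, f"resource rule: {resource_id}")
    return Decision(False, f"no resource rule for {resource_id}")


def filter_resource_list(perm: SubAccountPermission, api: str,
                         queried: List[str]) -> List[str]:
    """Claim 4: for a list-query API, each returned resource is matched against
    the sub-account's resource rules and those it may not access are dropped.
    The function rule is still checked first, so filtering cannot bypass it."""
    decision = match_function_rules(perm, api)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return [r for r in queried if r in perm.resource_rules]


if __name__ == "__main__":
    # Constructed sample permission: DeleteInstance appears in both the deny
    # and the allow function rules, so the deny rule wins.
    perm = SubAccountPermission(
        deny_apis={"DeleteInstance"},
        allow_apis={"DeleteInstance", "ListInstances", "StartInstance"},
        resource_rules={"vm-01", "vm-02"},
    )
    print(authorize(perm, "StartInstance", "vm-01"))   # allowed, resource rule
    print(authorize(perm, "DeleteInstance", "vm-01"))  # denied, deny function rule
    print(filter_resource_list(perm, "ListInstances", ["vm-01", "vm-09", "vm-02"]))
```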
TW107103222A 2018-01-30 2018-01-30 Resource authorization control system and method with fee splitting function TWI663556B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107103222A TWI663556B (en) 2018-01-30 2018-01-30 Resource authorization control system and method with fee splitting function

Publications (2)

Publication Number Publication Date
TWI663556B true TWI663556B (en) 2019-06-21
TW201933201A TW201933201A (en) 2019-08-16

Family

ID=67764245

Country Status (1)

Country Link
TW (1) TWI663556B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110265147A1 (en) * 2010-04-27 2011-10-27 Huan Liu Cloud-based billing, credential, and data sharing management system
US20120116937A1 (en) * 2010-06-15 2012-05-10 Van Biljon Willem Robert Billing Usage in a Virtual Computing Infrastructure
CN104301430A (en) * 2014-10-29 2015-01-21 北京麓柏科技有限公司 Software definition storage system and method and centralized control equipment of software definition storage system
CN104468136A (en) * 2014-12-31 2015-03-25 华为技术有限公司 Billing method, analysis center and billing center
TW201721530A (en) * 2015-12-01 2017-06-16 Chunghwa Telecom Co Ltd Multi-authority identity recognition and access strategy management system especially applicable to a cloud self-help platform for account and access right management
