CN102882834B - A kind of authority control method and device - Google Patents

A kind of authority control method and device

Info

Publication number: CN102882834B
Authority: CN (China)
Prior art keywords: authority, service, user, vector matrix, services package
Legal status: Active
Application number: CN201110195628.8A
Other languages: Chinese (zh)
Other versions: CN102882834A
Inventors: 尹俊, 蔺亚军
Current assignee: Alibaba Cloud Computing Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd
Priority to: CN201110195628.8A
Publication of: CN102882834A
Priority to: HK13102535.3A
Application granted
Publication of: CN102882834B

Landscapes

  • Storage Device Security (AREA)

Abstract

This application provides a permission control method and device to address the problem that the RBAC model cannot meet the flexibility requirements of resource access control. The method comprises: a step of presetting a permission configuration file, in which business functions are mapped to permissions, services and service packages; a step of loading the permission configuration file, in which the permissions, services and service packages set in it are mapped to permission memory model data; and a permission determination step, in which a user request is received and the permission memory model data are used to judge whether the request is authorized. The application differs completely from the existing RBAC model: it defines site resources flexibly, directly on the basis of the business, licenses resource packages (i.e. service packages) to site users, and can decide efficiently, each time a user makes a request, whether that user may access the requested resource.

Description

A kind of authority control method and device
Technical field
This application relates to network security technology, and in particular to a permission control method and device.
Background art
In a network environment, every URL (Uniform Resource Locator) of a website is a resource of that website. Each time a user issues a resource access request, the website must perform a security check on the request to confirm whether the user may perform the operation or view the content on the website. The website's authorization of user behaviour is called a permission, and permission control is the control of the mapping between a user and the resources that user may access.
The most widely used traditional permission control method is the role-based access control model, RBAC (Role-Based Access Control). The RBAC model comprises five basic data elements: users (USERS), roles (ROLES), objects (OBS), operations (OPS) and permissions (PRMS). Permissions are assigned to roles and roles are assigned to users, so a user holds the permissions its roles contain. For the access rights of most requests (URLs), the URL is mapped to a role, and whether the user has permission is then judged from the definition of that role.
Originally most websites used the RBAC model to administer and maintain site resources, but as website business developed, the number of resources in a site grew and kept changing, and the RBAC model showed its shortcomings. User identities are diverse, site resources are diverse, and as site resources change, user identities change too; all of this requires the set of resources a user may access to be flexible and changeable. For the RBAC model to meet that flexibility, the coupling between its user types and permissions becomes very high, which brings much inconvenience to administration and maintenance.
Summary of the invention
This application provides a permission control method and device to address the problem that the RBAC model cannot meet the flexibility requirements of resource access control.
To solve this problem, the application discloses a permission control method comprising:
a step of presetting a permission configuration file, in which business functions are mapped to permissions, services and service packages in the permission configuration file;
a step of loading the permission configuration file, in which the permissions, services and service packages set in the permission configuration file are mapped to permission memory model data;
a permission determination step, in which a user request is received and the permission memory model data are used to judge whether the user request is authorized.
Preferably, the permission memory model data are a binary bit vector matrix represented by 0 and 1.
Preferably, using the permission memory model data to judge whether the user request is authorized comprises: performing bit operations with the binary bit vector matrix, and authorizing or forbidding the user request according to the result of the operation.
Preferably, mapping the permissions, services and service packages set in the permission configuration file to permission memory model data comprises: assigning each permission group a bit sequence, in which each bit set to 1 corresponds to one permission in the group, so that multiple permission groups correspond to a two-dimensional permission bit vector matrix; in that permission bit vector matrix, setting the bit corresponding to each permission a service holds to 1 and the others to 0, which yields the service vector matrix; and ORing the service vector matrices of the services a service package contains, which yields the service package vector matrix.
Preferably, mapping the permissions, services and service packages set in the permission configuration file to permission memory model data further comprises: when a permission is added to a service, ORing the value at that permission's bit with the service vector matrix; and/or, when a permission is deleted from a service, negating the value at that permission's bit and then ANDing it with the service vector matrix.
Preferably, the step of presetting the permission configuration file further comprises setting the access control rights of resources in the permission configuration file; and the step of loading the permission configuration file further comprises mapping the access control rights of those resources to the corresponding positions of the permission bit vector matrix.
Preferably, receiving the user request and using the permission memory model data to judge whether the user request is authorized comprises: receiving the user request, extracting from it the information on the resource the user wants to access, and obtaining the value at the position in the permission bit vector matrix that corresponds to that resource's access control right; assigning a service package for the user request and granting the service package vector matrix corresponding to that service package to the user as the user's rights; and ANDing the vector matrix corresponding to the user's rights with the value at the position in the permission bit vector matrix corresponding to the resource's access control right, then judging from the result: if the result is greater than 0, the user request is authorized; otherwise, the user request is forbidden.
The present application also provides a permission control device comprising:
a permission configuration module, for presetting a permission configuration file, in which business functions are mapped to permissions, services and service packages;
a configuration loading module, for loading the permission configuration file and mapping the permissions, services and service packages set in it to permission memory model data;
a permission determination module, for receiving a user request and using the permission memory model data to judge whether the user request is authorized.
Preferably, the permission memory model data are a binary bit vector matrix represented by 0 and 1.
Preferably, the permission determination module performs bit operations with the binary bit vector matrix and authorizes or forbids the user request according to the result of the operation.
Preferably, the configuration loading module comprises:
a permission loading submodule, for assigning each permission group a bit sequence in which each bit set to 1 corresponds to one permission in the group, so that multiple permission groups correspond to a two-dimensional permission bit vector matrix;
a service loading submodule, for setting, in the permission bit vector matrix, the bit corresponding to each permission a service holds to 1 and the others to 0, yielding the service vector matrix;
a service package loading submodule, for ORing the service vector matrices of the services a service package contains, yielding the service package vector matrix.
Preferably, the service loading submodule comprises:
a service adding unit, for adding a permission to a service by ORing the value at that permission's bit with the service vector matrix;
and/or,
a service deleting unit, for deleting a permission from a service by negating the value at that permission's bit and then ANDing it with the service vector matrix.
Preferably, the permission configuration module is also for setting the access control rights of resources in the permission configuration file, and the configuration loading module is also for mapping the access control rights of those resources to the corresponding positions of the permission bit vector matrix.
Preferably, the permission determination module comprises:
a resource mapping submodule, for receiving the user request, extracting from it the information on the resource the user wants to access, and obtaining the value at the position in the permission bit vector matrix corresponding to that resource's access control right;
a user authorization submodule, for assigning a service package for the user request and granting the service package vector matrix corresponding to that service package to the user as the user's rights;
a permission matching submodule, for ANDing the vector matrix corresponding to the user's rights with the value at the position in the permission bit vector matrix corresponding to the resource's access control right, and judging from the result: if the result is greater than 0, the user request is authorized; otherwise, the user request is forbidden.
Compared with the prior art, the application has the following advantages:
First, the permission control method proposed in this application follows an approach completely different from the existing RBAC model: it does not use the concept of roles but, directly on the basis of the business, divides business functions into permissions, services and service packages, and allows any combination of permissions and services according to user demand. The method can define site resources flexibly, license resource packages (i.e. service packages) to site users, and decide efficiently, each time a user makes a request, whether that user may access the requested resource. The method is also closer to business needs, effectively reduces the complexity and administrative overhead of site authorization management, and leaves ample room for future business development.
Second, when making permission judgements the application uses in-memory vectors for fast storage and calculation: the content declared for permissions, services and service packages is mapped to and stored as a binary bit vector matrix, and authorization is decided by binary bit operations.
Of course, a product implementing the application does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
Fig. 1 is a schematic diagram of a permission control model described in an embodiment of the application;
Fig. 2 is a flow chart of a permission control method described in an embodiment of the application;
Fig. 3 is a schematic diagram of the "rights statement" loaded into the bit vector matrix in memory in an embodiment of the application;
Fig. 4 is a schematic diagram of the "service statement" loaded into the bit vector matrix in memory in an embodiment of the application;
Fig. 5 is a schematic diagram of the "service package statement" loaded into the bit vector matrix in memory in an embodiment of the application;
Fig. 6 is a schematic diagram of the "access control right statement of resources" loaded into the bit vector matrix in memory in an embodiment of the application;
Fig. 7 is a schematic diagram of user authorization in an embodiment of the application;
Fig. 8 is a structural diagram of a permission control device described in an embodiment of the application.
Detailed description of the embodiments
To make the above objects, features and advantages of the application clearer, the application is described in further detail below with reference to the drawings and specific embodiments.
As website business develops, websites release service functions in the form of services or service packages, and the use of services and service packages is increasingly widespread. On this basis, the application proposes an efficient and flexible permission control method that divides business functions into permissions, services and service packages directly on the basis of the business and performs access control of site resources according to that division. The method is of course not limited to permission control of site resources; being independent of site business functions, it applies to other business functions as well.
Here, a permission is the website's authorization of a user's behaviour, which determines the operations the user may perform and the content the user may view on the website. A service is a complete, operable group of business work, and a service package is the set of services an operating subject holds.
The implementation flow of the method is described in detail below through embodiments.
Fig. 1 is a schematic diagram of a permission control model described in an embodiment of the application.
The permission control described in this application is based on the model shown in Fig. 1. The model, directly on the basis of the business, divides business functions into service packages (ServiceBundle), services (Service) and permissions (Permission); the model data can be defined in XML (Extensible Markup Language).
Specifically, a service package can define many services, each service can define multiple permissions, and a user can be mapped to a service package by some mapping logic and thereby hold every permission defined by the services in that package.
As shown in Fig. 1, two permission groups (PermissionGroup) are defined in an XML file, each defining three permissions (Permission). One service package (ServiceBundle) is defined; within it two services (Service) are defined, and each service defines three permissions from the two permission groups above. By assigning the defined service package to a user, that user is assigned the six permissions the service package defines.
Based on this permission control model, the embodiment also provides an API (Application Programming Interface) as a jar package, through which related applications call the model to make permission judgements.
For example, suppose a website provides a goods service for Buyers, comprising four functions: posting (post) a product to the showroom, editing (edit) product information, deleting (delete) a product, and product evaluation. According to the permission control model above, the goods service is defined as the following service package, services and permissions:
Services package:
Service:
Authority:
Access resources:
In the definition of the access resource above, target="/scrmPostProduct.htm" is the function page (URL) for posting a product, action="ProductAction" is the action performed by the operation on this page, and event="eventSubmitDoSave" is the method used to perform the operation.
Access control scenario:
When a user requests access to the resource scrmPostProduct.htm, the URL, action and event in the request are first intercepted; the API provided by the embodiment is then called, which uses the Buyer service package the current user subscribes to in order to judge the access rights for the URL to be accessed, and returns a judgement of whether the operation is permitted, thereby completing permission control of the accessed resource.
To help those skilled in the art understand the application further, the complete process of permission control is described in detail below through another example.
Fig. 2 is a flow chart of a permission control method described in an embodiment of the application.
As shown in the figure, the permission control method of this embodiment mainly comprises three parts:
1. writing the permission configuration file, in which business functions are mapped to permissions, services and service packages;
that is, defining the site resource data in the permission configuration file, including permission definitions, service definitions, service package definitions and the access control right definitions of resources (URLs);
2. loading the permission configuration file, mapping the permissions, services, service packages and resource access control rights set in it to permission memory model data;
3. using the permission memory model data to perform authorization processing of requested URLs.
These are described through the following steps.
Step 201, configure permissions;
Step 202, configure services;
Step 203, configure service packages;
Step 204, configure the access control rights of resources;
For example:
■ rights statement:
The rights statement above defines two permission groups. One group is "Product", in which four permissions are defined: "post", "edit", "delete" and "read". The other group is "Order", in which five permissions are defined: "create", "pay", "edit", "read" and "close".
■ service statement:
The service statement above defines two services. One is "BuyService", which adds all permissions of the "Product" group and the "create" permission of the "Order" group, and deletes the "delete" permission of the "Product" group. The other is "OrderService", which adds all permissions of the "Order" group.
■ service package statement:
The service package statement above defines one service package, "Buyer", which contains the "BuyService" and "OrderService" services.
■ access control right statement of resources:
The access control right statement above specifies that when a user accesses the resource page "/postostProduct.htm" pointed to by target, the "post" permission of the "Product" group is required, and the productFrom form may be submitted.
Step 205, load the permission configuration file, parse the statements in it, and map them to permission memory model data by parsing;
For ease of reading by users and of data maintenance, the statements above are administered and configured with XML or database tables in this embodiment. Further, this embodiment builds a permission memory model that uses in-memory vectors for fast storage and calculation: when the system loads the statements into memory, it interprets them as a binary bit vector matrix represented by 0 and 1.
Generally speaking, the basic idea of the permission memory model is this: assign each permission group a bit sequence, in which each bit set to 1 corresponds to one permission in the group and the remaining bits are 0. The statements of multiple permission groups then make the permission memory model a two-dimensional bit vector matrix, in which each coordinate represents one permission bit.
A "service" is a combination of a series of permissions: when a service holds a permission, the corresponding position in the bit vector matrix is 1, otherwise it is 0. A "service" is therefore a sparse matrix of 0s and 1s and, at the same time, a subset of the full permission bit matrix.
Adding a permission to a "service" ORs the coordinate value corresponding to that permission with the service vector matrix. Deleting a permission from a "service" negates the coordinate value corresponding to that permission and then ANDs it with the service vector matrix.
"Services" combine into a "service package", and the "service package" is the result matrix of ORing the vector matrices of its several services.
For example, the permission memory model can be expressed as the vector matrices shown in Fig. 3 to Fig. 6.
Fig. 3 shows the "rights statement" loaded into the bit vector matrix in memory in an embodiment of the application.
As Fig. 3 shows, each permission in the "Product" group is loaded at one position of an 8-bit binary vector matrix and set to 1; converted to decimal, the value of this vector matrix is 15.
Likewise, each permission in the "Order" group is loaded at one position of another 8-bit binary vector matrix and set to 1, with the remaining positions set to 0; converted to decimal, the value of this vector matrix is 31.
Merging the vector matrix representing "Product" with the vector matrix representing "Order" forms the permission bit vector matrix [15, 31] shown in Fig. 3.
Once the "rights statement" is represented as a bit vector matrix, a "service statement" can be expressed as a submatrix of that vector matrix.
Fig. 4 shows the "service statement" loaded into the bit vector matrix in memory in an embodiment of the application.
In the "service statement", "allow" means adding a permission and "deny" means deleting a permission.
For the service "BuyService", "<allow>Product.*" corresponds to the vector matrix representing "Product", and "<allow>Order.create" is expressed as a vector matrix whose create bit is 1 and whose other bits are 0. "<deny>Product.delete" first performs a negation; the negated result of "Product.delete" is as shown in the figure. Finally, the matrices represented by the "allow" and "deny" entries of the "BuyService" statement are ANDed, and the result converted to decimal is [11, 1].
Likewise, the service "OrderService" is finally mapped to the vector matrix shown in Fig. 4, whose value converted to decimal is [0, 31].
Under this principle, calculating the vector matrix of a "service package" becomes a bitwise AND and OR of the sparse vector matrices corresponding to two "services".
Fig. 5 shows the "service package statement" loaded into the bit vector matrix in memory in an embodiment of the application.
First, the vector matrix representing the service "BuyService" and the vector matrix representing the service "OrderService" are ORed, giving the binary matrix represented by [11, 31]. Then, the vector coordinate of "Order.edit" in the permission bit vector matrix is (1, 2), whose vector value 1 becomes 0 after negation. Finally, the matrix represented by [11, 31] is ANDed with the vector value 0 at coordinate (1, 2), giving the vector matrix representing the service package "Buyer", whose decimal value is [11, 27].
In addition, for the "access control right statement of resources", the loading procedure can also map the access control right of each resource to the corresponding position of the permission bit vector matrix, as shown in Fig. 6.
Fig. 6 shows the "access control right statement of resources" loaded into the bit vector matrix in memory in an embodiment of the application.
The "access control right statement of resources" states that when the URL of the accessed resource is "/postostProduct.htm", the permission allowed is "Product.post", and the Product.post form may be returned. In the permission bit vector matrix [15, 31] of the figure, the coordinate corresponding to "Product.post" is (0, 0), and the vector value there is 1.
Based on the permission memory model above, the loading procedure for the statements is as follows:
1. Load the statements of all permissionGroups and permissions. Number each permissionGroup from 0, and number the permissions inside each permissionGroup from 0 as well.
Table 1
(0,x) Product   (0,0) post     (0,1) edit   (0,2) delete   (0,3) read
(1,x) Order     (1,0) create   (1,1) pay    (1,2) edit     (1,3) read   (1,4) close
Each permission has its own coordinate, which forms a bitmap.
2. Load the service statements. When a permission is added (allow) to a service, OR with 1 at that permission's coordinate. When a permission is deleted (deny) from a service, AND with 0 at the corresponding coordinate. The loading result of a service is a two-dimensional 0/1 matrix, i.e. an int (integer) array. For example:
The result obtained above (in binary, the leading 1 being the sign bit) is: {11100000, 10100000} = int[] {3, 2}.
3. Load the serviceBundle statements. As with services, for allow, OR with 1 at the corresponding coordinate; for deny, AND with 0 at the corresponding coordinate. The final serviceBundle is an int array that represents a series of permissions.
4. Load the access control right statements of resources. The permissions allowed for the resource (URL) defined by target are likewise mapped to the corresponding positions in the permission memory model.
After the rights statements, service statements, service package statements and resource access control right statements in the permission configuration file have been loaded one by one, the serviceBundles (service packages) are obtained and stand ready for use.
Step 206, receive a user's request to access a resource URL;
After the user request is received, the information on the resource the user wants to access (e.g. the URL) is extracted from the request, and the value at the position in the permission bit vector matrix corresponding to that resource's access control right is obtained. For example, if the resource URL the user requests is "/postostProduct.htm", then according to the loading result above, the permission "Product.post" held by this URL has the coordinate (0, 0) in the permission bit vector matrix [15, 31], and its vector value is 1.
In addition, the service package information the user subscribes to can be extracted from the request; the API then assigns the matching service package to the user according to that information and grants the service package vector matrix corresponding to it to the user as the user's rights. For example, the service package "Buyer" is assigned for this request. Assigning a service package to a user is the process of user authorization: when a user holds certain service packages, this is expressed as a specific vector matrix held by that user in the permission memory model.
Fig. 7 is a schematic diagram of user authorization in an embodiment of the application. Once the user holds the service package "Buyer", the user holds the vector matrix shown in the figure, so the user's rights can be expressed as [11, 27].
Step 207, perform the permission matching calculation and return the result.
The permission matching calculation returns one of two results: access authorized or access forbidden. Permission matching ANDs the mapped value of the resource to be accessed with the user's rights; specifically, the vector matrix corresponding to the user's rights is ANDed with the value at the position in the permission bit vector matrix corresponding to the resource's access control right. If the result is greater than 0, the user holds the permission to access the resource and is allowed to access it; otherwise, i.e. if the result equals 0, the user has no permission to access the resource.
As stated earlier, the access control right statement of the resource specifies that for target="/postostProduct.htm" the "post" permission of the "Product" group is required and the productFrom form may be submitted. As Fig. 6 shows, when this resource is mapped to the permission memory model, the coordinate corresponding to "Product.post" is (0, 0) with vector value 1. During permission matching, the mapped value 1 of this resource is ANDed with the value 11 corresponding to "Product" in the user's rights [11, 27]; the result is 1, which is greater than 0, so the user has the right to access this URL.
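The loading procedure (steps 1 to 4) and the matching of step 207 carried through in Python, as an added example that is not the patent's own jar/API code; the XML statements are not on the page, so the permission groups, services, service package and resource mapping are constructed here from the description, with the Buyer package denying Order.edit as in the Fig. 5 calculation. Running it reproduces the values [15, 31], [11, 1], [0, 31] and [11, 27] derived above.

```python
"""Bit-vector permission model from CN102882834B, written here as an added
example (not the patent's own jar/API code).  The original XML statements are
not reproduced on the page, so the declarations are constructed from the text."""
from typing import Dict, List, Tuple

Vector = List[int]  # one int per permission group, i.e. one row of the bit matrix

# Constructed rights statement: permission groups in declaration order (Table 1).
PERMISSION_GROUPS: List[Tuple[str, List[str]]] = [
    ("Product", ["post", "edit", "delete", "read"]),
    ("Order", ["create", "pay", "edit", "read", "close"]),
]
# Constructed service statements (Fig. 4) as ordered (allow|deny, pattern) rules.
SERVICES: Dict[str, List[Tuple[str, str]]] = {
    "BuyService": [("allow", "Product.*"), ("allow", "Order.create"),
                   ("deny", "Product.delete")],
    "OrderService": [("allow", "Order.*")],
}
# Constructed service package statement (Fig. 5): Buyer takes both services, then denies Order.edit.
SERVICE_BUNDLES: Dict[str, List[Tuple[str, str]]] = {
    "Buyer": [("allow", "BuyService"), ("allow", "OrderService"), ("deny", "Order.edit")],
}
# Constructed access control right statement of resources (Fig. 6).
RESOURCES: Dict[str, str] = {"/postostProduct.htm": "Product.post"}


class PermissionModel:
    """The permission memory model: one row of bits per permission group."""

    def __init__(self, groups: List[Tuple[str, List[str]]]):
        self.rows: Dict[str, int] = {}                # group name -> row number
        self.coords: Dict[str, Tuple[int, int]] = {}  # "Group.perm" -> (row, col)
        self.matrix: Vector = []                      # the permission bit vector matrix
        for row, (group, perms) in enumerate(groups):       # number groups from 0
            self.rows[group] = row
            bits = 0
            for col, perm in enumerate(perms):              # number permissions from 0
                self.coords[f"{group}.{perm}"] = (row, col)
                bits |= 1 << col
            self.matrix.append(bits)

    def mask(self, pattern: str) -> Vector:
        """Vector that is 1 only at the permission(s) named by 'Group.perm' or 'Group.*'."""
        group, _, perm = pattern.partition(".")
        vec = [0] * len(self.matrix)
        row = self.rows[group]
        vec[row] = self.matrix[row] if perm == "*" else 1 << self.coords[pattern][1]
        return vec

    @staticmethod
    def combine(vec: Vector, op: str, other: Vector) -> Vector:
        """allow: OR the bits in.  deny: negate the bits, then AND them with vec."""
        if op == "allow":
            return [v | o for v, o in zip(vec, other)]
        if op == "deny":
            return [v & ~o for v, o in zip(vec, other)]
        raise ValueError(f"unknown operation {op!r}")

    def load_service(self, rules: List[Tuple[str, str]]) -> Vector:
        """Loading step 2: apply a service's allow/deny rules in declaration order."""
        vec = [0] * len(self.matrix)
        for op, pattern in rules:
            vec = self.combine(vec, op, self.mask(pattern))
        return vec

    def load_bundle(self, rules: List[Tuple[str, str]], services: Dict[str, Vector]) -> Vector:
        """Loading step 3: a package ORs its services' vectors; a rule may also name a
        single permission, which is allowed or denied exactly as in a service."""
        vec = [0] * len(self.matrix)
        for op, name in rules:
            other = services[name] if name in services else self.mask(name)
            vec = self.combine(vec, op, other)
        return vec

    @staticmethod
    def authorize(user_vec: Vector, resource_vec: Vector) -> bool:
        """Step 207: AND the user's rights with the resource's required bit;
        a result greater than 0 means the request is authorized."""
        return any(u & r for u, r in zip(user_vec, resource_vec))


def load_all() -> Tuple[PermissionModel, Dict[str, Vector], Dict[str, Vector]]:
    """Step 205: build the model and every service and service package vector."""
    model = PermissionModel(PERMISSION_GROUPS)
    services = {n: model.load_service(r) for n, r in SERVICES.items()}
    bundles = {n: model.load_bundle(r, services) for n, r in SERVICE_BUNDLES.items()}
    return model, services, bundles


def check_request(url: str, bundle_name: str) -> bool:
    """Steps 206-207 for one request: map the URL to its required permission bit
    and AND it with the vector of the service package assigned to the user."""
    model, _, bundles = load_all()
    required = RESOURCES.get(url)
    if required is None:  # no access control statement for this URL: nothing to match, deny
        return False
    return model.authorize(bundles[bundle_name], model.mask(required))
```

`check_request("/postostProduct.htm", "Buyer")` returns True (11 AND 1 = 1), while a Buyer asking for a resource that needs Product.delete or Order.edit gets False, because those bits were cleared by the deny rules.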
In sum, above-mentioned authority control method first defines authority, service and services package in competence profile, and specifies when user accesses certain page pointed by target, needs any permission (authority).Then, after loading competence profile, the authority that access target needs can be corresponded to the coordinate of this permission in authority coordinate system.And then, when user submits request to time, if this scene is hit in the request of user, then carry out the calculating with computing by step-by-step, judge whether coordinate corresponding in the ServiceBundle (services package) that user has is greater than 0, if be greater than 0, give this subscriber authorisation.
The following can be seen from the above computational process:
1. permissions are virtualized as a binary bit vector matrix, so the data volume is very small;
2. superposition (addition) and deletion of permissions become binary bit operations;
3. the computation that matches whether the user's current access is authorized also becomes a binary bit operation, so authorization computation is simple and fast, which is very practical for systems with high concurrency and high security requirements that must perform a strict authorization check on every login;
4. every resource of the website can be controlled, and website resources can be flexibly allocated to different website users.
In short, the permission control method described in the embodiments of the present application follows a line of thinking entirely different from the existing RBAC model: it does not adopt the concept of roles, but defines directly from the business, dividing business functions into permissions, services and service packages, and permissions and services can be combined arbitrarily according to user demand. This method can define website resources flexibly and license resource packages (i.e. service packages) to website users, and each time a user initiates a request it can efficiently determine whether the user may access the resource corresponding to the request. Moreover, the method is closer to business requirements, can effectively reduce the complexity of website authorization management, reduces administrative overhead, and provides great scalability for future business development.
The above embodiments are described using website resources as the example, but in specific applications they can also be applied to other business functions; the implementation principle is similar to the above embodiments and is not repeated here.
It should be noted that, for the sake of simple description, the foregoing method embodiments are all expressed as a series of combinations of actions, but those skilled in the art should know that the application is not limited by the described sequence of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the application.
Based on the description of the above method embodiments, the present application also provides a corresponding permission control device embodiment that implements the content described in the method embodiments.
Refer to Fig. 8, which is a structural diagram of a permission control device described in an embodiment of the present application.
The permission control device may comprise a permission configuration module 81, a configuration loading module 82 and a permission determination module 83, wherein:
the permission configuration module 81 is used to preset a permission configuration file, in which business functions are mapped to permissions, services and service packages;
the configuration loading module 82 is used to load the permission configuration file, mapping the permissions, services and service packages set in it to permission storage model data;
the permission determination module 83 is used to receive a user request and judge, using the permission storage model data, whether to authorize the user request.
Preferably, for fast storage and computation, in the embodiments of the present application the permission storage model data are a binary bit vector matrix represented by 0 and 1. Accordingly, the permission determination module 83 performs bit operations using the binary bit vector matrix and, according to the operation result, judges whether to authorize or deny the user request.
Further, based on the permission storage model, the configuration loading module 82 may specifically comprise:
a permission loading submodule 821, used to allocate one bit sequence to each group of permissions, where each bit set to 1 in the bit sequence corresponds to one permission in the corresponding permission bundle, and multiple permission bundles correspond to one two-dimensional permission bit vector matrix;
a service loading submodule 822, used to set to 1, in the permission bit vector matrix, the positions corresponding to the permissions held by a service and to 0 otherwise, obtaining the service vector matrix;
a service package loading submodule 823, used to OR together the service vector matrices of the services contained in a service package, obtaining the service package vector matrix.
In addition, the service loading submodule 822 may specifically comprise:
a service add unit, used to add a permission to a service by ORing the value of the position corresponding to that permission with the service vector matrix;
and/or,
a service delete unit, used to delete a permission from a service by negating the value of the position corresponding to that permission and then ANDing it with the service vector matrix.
Further, based on the permission storage model, the permission configuration module 81 is also used to set the access control right of a resource in the permission configuration file; correspondingly, the configuration loading module 82 is also used to map the access control right of the resource to the corresponding position of the permission bit vector matrix.
Based on the above, the permission determination module 83 may specifically comprise:
a resource mapping submodule 831, used to receive a user request, extract from the user request the resource information the user wants to access, and obtain the value at the position in the permission bit vector matrix corresponding to the access control right of that resource;
a user authorization submodule 832, used to allocate a service package to the user request and authorize the service package vector matrix corresponding to that service package as the user's rights;
a permission matching submodule 833, used to AND the vector matrix corresponding to the user's rights with the value at the position in the permission bit vector matrix corresponding to the access control right of the resource, and to judge according to the result: if the result is greater than 0, authorize the user request; otherwise, deny the user request.
The above permission control device does not adopt the concept of roles but defines directly from the business, dividing business functions into permissions, services and service packages, and permissions and services can be combined arbitrarily according to user demand. The device can define website resources flexibly, is closer to business requirements, can effectively reduce the complexity of website authorization management, reduces administrative overhead, and provides great scalability for future business development.
Since the above permission control device embodiment is basically similar to the method embodiment, its description is relatively brief; for related parts, refer to the description of the method embodiment.
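The loading steps of module 82 (bit sequences per bundle, service vectors, OR for packages, OR/negate-and-AND for adding and deleting a permission) and the matching step of module 83, together with the "Product.post" calculation worked above, implemented in Python as an added example that is not the patent's own code. The bundle names, permission names and resource paths are constructed; the second bundle is given five permissions so that the user rights reproduce the page's [11, 27].

```python
"""Bit-vector permission model (added example, not the patent's code):
permission bundles are rows, permissions are bits, services and service
packages are bit vectors, and authorization is an AND whose result > 0."""
from typing import Dict, List, Tuple

# Constructed bundles: the i-th permission of a bundle owns bit i of that row.
BUNDLES: Dict[str, List[str]] = {
    "Product": ["post", "edit", "delete", "publish"],
    "Order": ["view", "cancel", "refund", "ship", "export"],
}
BUNDLE_ROW = {name: row for row, name in enumerate(BUNDLES)}

# Constructed access control declarations: resource target -> required permission.
ACCESS_CONTROL: Dict[str, str] = {
    "/postProduct.htm": "Product.post",
    "/refundOrder.htm": "Order.refund",
}


def coordinate(permission: str) -> Tuple[int, int]:
    """Map 'Bundle.perm' to its (row, bit) coordinate in the permission matrix."""
    bundle, perm = permission.split(".", 1)
    return BUNDLE_ROW[bundle], BUNDLES[bundle].index(perm)


def empty_matrix() -> List[int]:
    """One integer per bundle; each integer is that bundle's bit sequence."""
    return [0] * len(BUNDLES)


def add_permission(matrix: List[int], permission: str) -> List[int]:
    """Service add unit: OR the permission's bit into the service vector."""
    row, bit = coordinate(permission)
    matrix[row] |= 1 << bit
    return matrix


def remove_permission(matrix: List[int], permission: str) -> List[int]:
    """Service delete unit: negate the permission's bit, then AND."""
    row, bit = coordinate(permission)
    matrix[row] &= ~(1 << bit)
    return matrix


def service_matrix(permissions: List[str]) -> List[int]:
    """Service loading: 1 at every permission the service holds, 0 elsewhere."""
    matrix = empty_matrix()
    for permission in permissions:
        add_permission(matrix, permission)
    return matrix


def package_matrix(services: List[List[int]]) -> List[int]:
    """Service package loading: OR of the vectors of the contained services."""
    matrix = empty_matrix()
    for service in services:
        for row, bits in enumerate(service):
            matrix[row] |= bits
    return matrix


def resource_value(permission: str) -> Tuple[int, int]:
    """Resource mapping: the row and the single-bit value of the required right."""
    row, bit = coordinate(permission)
    return row, 1 << bit


def is_authorized(user_rights: List[int], permission: str) -> bool:
    """Permission matching: AND the user's row with the resource value, > 0 authorizes."""
    row, value = resource_value(permission)
    return (user_rights[row] & value) > 0


def check_request(user_rights: List[int], target: str) -> bool:
    """Full determination step for a request; undeclared targets fail closed."""
    required = ACCESS_CONTROL.get(target)
    if required is None:
        return False
    return is_authorized(user_rights, required)
```

With these constructed bundles, a package built from a service holding Product.post and Product.edit and a second service holding Product.publish plus four Order permissions yields exactly the page's user rights [11, 27], and ANDing row 0 with the value 1 of Product.post gives 1.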
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the identical or similar parts the embodiments may be referred to one another.
The application may be described in the general context of computer-executable instructions, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory devices.
The "and/or" above covers both the "and" relation and the "or" relation: if option A and option B are in an "and" relation, an embodiment may include option A and option B at the same time; if option A and option B are in an "or" relation, an embodiment may include option A alone or option B alone.
The permission control method and device provided by the application have been described in detail above; specific examples are used herein to explain the principles and implementation of the application, and the description of the above embodiments is only intended to help understand the method of the application and its core idea. Meanwhile, for those of ordinary skill in the art, there will be changes in the specific implementation and application scope according to the ideas of the application. In summary, the content of this description should not be construed as limiting the application.

Claims (12)

1. A permission control method, characterized in that it comprises:
a step of presetting a permission configuration file, comprising: mapping business functions to permissions, services and service packages in the permission configuration file;
a step of loading the permission configuration file, comprising: mapping the permissions, services and service packages set in the permission configuration file to permission storage model data; wherein the permission storage model data are a two-dimensional permission bit vector matrix established by associating permission bundles with bit sequences;
a permission determination step, comprising: receiving a user request and judging, using the permission storage model data, whether to authorize the user request; wherein judging using the permission storage model data whether to authorize the user request comprises: performing bit operations using the two-dimensional permission bit vector matrix, and judging according to the operation result whether to authorize or deny the user request.
2. The method according to claim 1, characterized in that:
the permission storage model data are a binary bit vector matrix represented by 0 and 1.
3. The method according to claim 2, characterized in that mapping the permissions, services and service packages set in the permission configuration file to permission storage model data comprises:
allocating one bit sequence to each group of permissions, where each bit set to 1 in the bit sequence corresponds to one permission in the corresponding permission bundle, and multiple permission bundles correspond to one two-dimensional permission bit vector matrix;
setting to 1, in the permission bit vector matrix, the positions corresponding to the permissions held by a service and to 0 otherwise, obtaining the service vector matrix;
ORing together the service vector matrices of the services contained in a service package, obtaining the service package vector matrix.
4. The method according to claim 3, characterized in that mapping the permissions, services and service packages set in the permission configuration file to permission storage model data further comprises:
adding a permission to a service by ORing the value of the position corresponding to that permission with the service vector matrix;
and/or,
deleting a permission from a service by negating the value of the position corresponding to that permission and then ANDing it with the service vector matrix.
5. The method according to claim 3, characterized in that:
the step of presetting the permission configuration file further comprises: setting the access control right of a resource in the permission configuration file;
the step of loading the permission configuration file further comprises: mapping the access control right of the resource to the corresponding position of the permission bit vector matrix.
6. The method according to claim 5, characterized in that receiving a user request and judging, using the permission storage model data, whether to authorize the user request comprises:
receiving a user request, extracting from the user request the resource information the user wants to access, and obtaining the value at the position in the permission bit vector matrix corresponding to the access control right of that resource;
allocating a service package to the user request, and authorizing the service package vector matrix corresponding to that service package as the user's rights;
ANDing the vector matrix corresponding to the user's rights with the value at the position in the permission bit vector matrix corresponding to the access control right of the resource, and judging according to the result: if the result is greater than 0, authorizing the user request; otherwise, denying the user request.
7. A permission control device, characterized in that it comprises:
a permission configuration module, used to preset a permission configuration file, in which business functions are mapped to permissions, services and service packages;
a configuration loading module, used to load the permission configuration file, mapping the permissions, services and service packages set in it to permission storage model data; wherein the permission storage model data are a two-dimensional permission bit vector matrix established by associating permission bundles with bit sequences;
a permission determination module, used to receive a user request and judge, using the permission storage model data, whether to authorize the user request; wherein judging using the permission storage model data whether to authorize the user request comprises: performing bit operations using the two-dimensional permission bit vector matrix, and judging according to the operation result whether to authorize or deny the user request.
8. The device according to claim 7, characterized in that:
the permission storage model data are a binary bit vector matrix represented by 0 and 1.
9. The device according to claim 8, characterized in that the configuration loading module comprises:
a permission loading submodule, used to allocate one bit sequence to each group of permissions, where each bit set to 1 in the bit sequence corresponds to one permission in the corresponding permission bundle, and multiple permission bundles correspond to one two-dimensional permission bit vector matrix;
a service loading submodule, used to set to 1, in the permission bit vector matrix, the positions corresponding to the permissions held by a service and to 0 otherwise, obtaining the service vector matrix;
a service package loading submodule, used to OR together the service vector matrices of the services contained in a service package, obtaining the service package vector matrix.
10. The device according to claim 9, characterized in that the service loading submodule comprises:
a service add unit, used to add a permission to a service by ORing the value of the position corresponding to that permission with the service vector matrix;
and/or,
a service delete unit, used to delete a permission from a service by negating the value of the position corresponding to that permission and then ANDing it with the service vector matrix.
11. The device according to claim 9, characterized in that:
the permission configuration module is also used to set the access control right of a resource in the permission configuration file;
the configuration loading module is also used to map the access control right of the resource to the corresponding position of the permission bit vector matrix.
12. The device according to claim 11, characterized in that the permission determination module comprises:
a resource mapping submodule, used to receive a user request, extract from the user request the resource information the user wants to access, and obtain the value at the position in the permission bit vector matrix corresponding to the access control right of that resource;
a user authorization submodule, used to allocate a service package to the user request and authorize the service package vector matrix corresponding to that service package as the user's rights;
a permission matching submodule, used to AND the vector matrix corresponding to the user's rights with the value at the position in the permission bit vector matrix corresponding to the access control right of the resource, and to judge according to the result: if the result is greater than 0, authorize the user request; otherwise, deny the user request.
CN201110195628.8A 2011-07-13 2011-07-13 A kind of authority control method and device Active CN102882834B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110195628.8A CN102882834B (en) 2011-07-13 2011-07-13 A kind of authority control method and device
HK13102535.3A HK1175331A1 (en) 2011-07-13 2013-02-28 Method and device for access control

Publications (2)

Publication Number Publication Date
CN102882834A CN102882834A (en) 2013-01-16
CN102882834B true CN102882834B (en) 2015-09-02

Family

ID=47483983

Also Published As

Publication number Publication date
CN102882834A (en) 2013-01-16
HK1175331A1 (en) 2013-06-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 1175331; Country of ref document: HK)
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: GR; Ref document number: 1175331; Country of ref document: HK)
TR01 Transfer of patent right (Effective date of registration: 20200826; Address after: Building 8, No. 16, Zhuantang science and technology economic block, Xihu District, Hangzhou City, Zhejiang Province; Patentee after: ALIYUN COMPUTING Co.,Ltd.; Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands; Patentee before: Alibaba Group Holding Ltd.)