WO2016082756A1 - Application access authority control - Google Patents

Info

Publication number
WO2016082756A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
application
authorized
applications
server
Application number
PCT/CN2015/095494
Inventor
Zhiqiang Zhao
Ke Li
Original Assignee
Hangzhou H3C Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Definitions

  • the application access authority control module 54 can be instructions executed to perform the method flow illustrated in Fig. 2, and the remote application server can execute the instructions to perform the operations of the method illustrated in Fig. 2. If the device is the application authority management server, then the application access authority control module 54 can be instructions executed to perform the method flow illustrated in Fig. 3, and the application authority management server can execute the instructions to perform the operations of the method illustrated in Fig. 3.
  • the device where the module 54 is stored according to the example typically can further include other hardware, e.g., a forwarding chip for processing a packet, etc. ; and from the perspective of a hardware structure, the device may alternatively be a distributed device including a number of interface cards to extend message processing at the hardware level.

Abstract

A remote application server obtains an authorized application message of a user sent by an application authority management server; creates a list of authorized applications for the user according to the authorized application message of the user; determines whether the user has authority to access one or more applications being accessed according to the list of authorized applications of the user; and controls access of the user to the applications on the remote application server according to the result of the determination.

Description

APPLICATION ACCESS AUTHORITY CONTROL
Background
Along with the development of enterprise scales and businesses, the Bring Your Own Office (BYOD) technology makes it possible for the office personnel to handle anything related to their businesses anywhere at any time. In order to implement the BYOD, the enterprises typically need to install various office applications on a remote application server, and the users can access the applications on the remote application server using their client devices.
Brief Description of the Drawings
Fig. 1 is a high-level block diagram of a computing environment for supporting application access authority control according to one example.
Fig. 2 is a flow chart of an application access authority control method according to one example.
Fig. 3 is a flow chart of an application access authority control method according to another example.
Fig. 4 is a flow chart of an application access authority control method according to yet another example.
Fig. 5 is a block diagram illustrating hardware structure of an application access authority control device according to one example.
Detailed Description of the Embodiments
Fig. 1 illustrates a computing environment for supporting application access authority control according to an example of the disclosure. The computing environment includes a client device, a network, a strategy control server and a third-party mobile office server.
In the illustrated example of Fig. 1, the client device can be an electronic device used by a user to perform functions such as accessing applications on the remote application server via the network. For example, the client device can be a mobile phone, a tablet computer such as an iPad, a laptop computer, a desktop computer, etc. The network can be a public network accessed through a Virtual Private Network (VPN), an enterprise private network accessed through a portal or the 802.1x series of protocols, etc.
As illustrated in the example of Fig. 1, the strategy control server can include an access management server and an application authority management server; and the third-party mobile office server can include remote application servers and Windows Active Directory (AD) domain servers. For example, the access management server can be a User Access Management (UAM) server, the application authority management server can be an Endpoint Mobile Office (EMO) server, and the remote application server can be a Remote Desktop Protocol (RDP) server. When the remote application server is an RDP server, each remote application server in the third-party mobile office server, if there are multiple, needs to join the unified Windows AD domain.
In order to implement the BYOD, an enterprise can install some office applications on the remote application server. A user can access the remote application server via the network and access the office application on the remote application server by using a client device of the user. The application access authority control method presented herein can be utilized to determine if a user has authority to access the application that the user is accessing. Further, if the user does not have authority to access the application, the application access authority control method can be used to restrict the access of the user to the application promptly. This way, security of the BYOD system can be improved.
Fig. 2 illustrates a flow chart of an application access authority control method according to one example. In the illustrated example, the method can be performed by a remote application server. Fig. 3 illustrates a flow chart of the application access authority control method according to another example. In this example of Fig. 3, the method is described from the perspective of an application authority management server. The application access authority control method presented herein will be described below with reference to Fig. 2 and Fig. 3 together.
At block 301, an authorized application message of a user is obtained. The authorized application message may be a message indicating applications which the user is authorized to use. For example, the authorized application message can include application names of applications that the user is authorized to access, process names of processes started when the applications run, etc. An administrator can set the applications that each user is authorized to access through the application authority management server. For example, for each user the administrator sets access right for each of the applications. A user can only access the applications that the user is authorized by the administrator to access. After the access authorization of the applications is set by the administrator, the application authority management server can obtain the authorized application message of the user. For example, the authorized application message associated with a user A includes an application Y1, an application Y2, process names corresponding to applications Y1 and Y2, etc. As used herein the authorized application message being ‘obtained’ is meant in a general sense and includes both the possibility of the application authority management server obtaining the message from elsewhere or the application authority management server creating the message itself.
After the authorized application message of the user is obtained, at block 302 the application authority management server can send the authorized application message to the remote application server. At block 201 shown in Fig. 2, the remote application server can receive the authorized application message of the user sent by the application authority management server.
For example, the administrator can set, through the application authority management server, initial access authority of applications for each user before the user of the client device gets online for the first time. Additionally, the administrator may further adjust, through the application authority management server, the initial access authority of the applications for the user after the user has been online for the first time. For example, the authorized application message associated with the user A initially includes the application Y1 and the application Y2. In one example, after the user A gets online, the administrator can add another application (such as application Y3) accessible by the user A. Thus the authorized application message includes the application Y1, the application Y2 and the application Y3. In another example, the administrator can delete one or more of the applications that the user A has been authorized to access so that the authorized application message associated with the user A may include the application Y1 but not the application Y2 any longer.
The above examples show that the authorized application message of the user obtained by the application authority management server can be changed. Therefore, in order to improve the accuracy of application access authority control, the application authority management server can report an updated authorized application message periodically to the remote application server. For example, the application authority management server (e.g., an EMO server) can send the authorized application message of the user periodically to the remote application server each time it is detected that the user gets online. Thus the remote application server can update the stored authorized application message in a timely manner, and further control access of the user to the applications more accurately in subsequent steps, thus improving the security of the BYOD system. Accordingly, the authorized application message of the user sent by the application authority management server to the remote application server can include an authorized application message indicating the authorized applications that were initially set for the user on the application authority management server; or an updated authorized application message generated after the authorized applications that were initially set for the user have been adjusted on the application authority management server.
Upon reception of the authorized application message of the user sent by the application authority management server, at block 202 the remote application server can create a list of authorized applications for the user according to the authorized application message of the user. The list of the authorized applications includes information about each application that the user has authority to access. The list of the authorized applications can be used by the remote application server to determine whether the user has authority to access the applications, as described at block 203.
For example, if the user is accessing the office applications on the remote application server via the network using the client device of the user, then the remote application server can determine whether the user has authority to access the applications being accessed based on the list of authorized applications created at block 202. If an application being accessed by the user is included in the list of authorized applications of the user, then it indicates that the user has authority to access the application; otherwise, it indicates that the user has no authority to access the application.
Moreover, the remote server can make determinations on application access authority of the user multiple times, for example periodically, instead of making a determination just once. As described above, application access authority of the user may change while the user is accessing an application on the remote application server (e.g., the initial authorized application message was set before the user gets online, and the authorized application message of the user is adjusted after the user gets online). Accordingly, the remote application server can determine periodically whether the user has authority to access each of the applications being accessed, thereby improving the accuracy of application access authority control so as to further improve the security of the BYOD system.
For example, the remote application server can periodically determine whether the user is accessing an application on the remote application server; and if the user is accessing an application on the remote application server, then the remote application server can determine whether each of the applications being accessed by the user is included in the list of authorized applications of the user (possibly in a particular order). If an application being accessed appears in the list of authorized applications, then it indicates that the user has authority to access the application being accessed; otherwise, it indicates that the user has no authority to access the application.
After it is determined whether the user has authority to access each of the applications being accessed, at block 204 the remote application server can control access of the user to the applications on the remote application server based on the result of the determination. For example, if the user has no authority to access an application being accessed, then the remote application server can prohibit the user from further accessing the application by closing a process of the application accessed by the user in a task manager.
As seen from the example above, the remote application server creates the list of authorized applications for the user based on the authorized application message of the user, determines periodically whether the user has authority to access each of the applications that the user is accessing based on the list of authorized applications of the user, and prohibits the user from further accessing the application being accessed if the user has no authority to access the application, thus preventing the user from accessing an illegal application on the remote application server so as to improve the security of the BYOD system.
Referring to Fig. 4, illustrated is a flow chart of an application access authority control method according to yet another example of the disclosure. In the illustrated example, an agent can be deployed on a remote application server, and the agent communicates with an application authority management server to perform the application access authority control. Fig. 4 illustrates the application access authority control process performed by the agent and the application authority management server in cooperation.
At block 401, the application authority management server can detect whether a user gets online, and send authorized application messages of the user periodically to the agent on the remote application server upon detecting that the user gets online. For example, the authorized application message can include process names of processes that are started when applications authorized by an administrator for the user run, where each of the applications can correspond to at least one of the process names.
At block 402, the agent can create a list of process names corresponding to the authorized applications of the user upon reception of the authorized application message.
At block 403, the agent checks a task manager of the remote application server periodically.
In particular, the task manager of the remote application server can list usernames and the process names of applications being accessed by users.
At block 404, the agent determines whether the task manager contains the same username as the username of the user. If so, the user is accessing an application on the remote application server, and the method proceeds to block 405; otherwise, the user is not accessing any application on the remote application server, and the method proceeds to block 409, where the method ends.
At block 405, the agent detects sequentially whether a process name of each of the applications being accessed by the user in the task manager appears in the list of process names of the user. If the process name of the application being accessed by the user is included in the list of process names of the user, the user has authority to access the application, and the method proceeds to block 407; otherwise, the user has no authority to access the application, and the method proceeds to block 406.
At block 406, the agent prohibits the user from further accessing the application by closing the process of the application in the task manager of the remote application server.
At block 407, the agent checks whether access authority for all the applications being accessed by the user has been determined. If so, the method proceeds to block 408, where the process terminates; otherwise, the method returns to block 405, where it is further determined whether the next application being accessed by the user is included in the list of process names.
In this example of Fig. 4, all the applications being accessed by the user refer to all the applications being accessed by the user in the task manager.
The agent can periodically determine whether each of the applications being accessed by the user is included in the list of authorized applications of the user, every time the agent makes determinations on application access authority of the user, the block 403 to block 408 can be performed.
As seen from the example above, the remote application server creates the list of authorized applications for the user according to the authorized application message of the user, determines periodically whether the user has authority to access each of the applications being accessed based on the list of authorized applications of the user, and if the user has no authority to access the application, restrict continuing access of the user to an application being accessed , thus preventing the user from accessing an illegal application on the remote application server, and therefore improving the security of the BYOD system.
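The agent side of Fig. 4 (blocks 402 to 408), including the effect of an updated authorized application message, can be sketched as follows. This is an added example, not code from the patent: the message layout, the class and function names, the case-insensitive name comparison and all sample users and process names are assumptions, and closing a process is simulated by recording its process id.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, NamedTuple, Set

class TaskRow(NamedTuple):        # one task-manager entry
    username: str
    process_name: str
    pid: int

class Decision(NamedTuple):       # outcome of block 405 for one process
    pid: int
    process_name: str
    authorized: bool

def norm(name: str) -> str:
    # Assumption: names are compared case-insensitively.
    return name.strip().lower()

@dataclass
class Agent:
    terminate: Callable[[int], None]                 # how block 406 closes a process
    allowed: Dict[str, Set[str]] = field(default_factory=dict)

    def on_authorized_message(self, message: dict) -> None:
        # Block 402: build the user's process-name list. A later (updated)
        # message replaces the list, so the change applies on the next pass.
        names = {norm(p) for procs in message["applications"].values() for p in procs}
        self.allowed[norm(message["user"])] = names

    def enforcement_pass(self, task_manager: Iterable[TaskRow]) -> List[Decision]:
        # Blocks 403-408, run for every user the agent holds a list for.
        rows = list(task_manager)
        decisions: List[Decision] = []
        for user, names in self.allowed.items():
            # Block 404: a user with no rows is not accessing anything.
            for row in (r for r in rows if norm(r.username) == user):
                ok = norm(row.process_name) in names          # block 405
                if not ok:
                    self.terminate(row.pid)                   # block 406
                decisions.append(Decision(row.pid, row.process_name, ok))
        return decisions

# Constructed sample data (hypothetical users, applications and process names).
INITIAL_MESSAGE = {"user": "alice", "applications": {
    "Editor": ["editor.exe"], "Mail": ["mail.exe", "mailsync.exe"]}}
UPDATED_MESSAGE = {"user": "alice", "applications": {"Editor": ["editor.exe"]}}
SNAPSHOT = [
    TaskRow("alice", "Editor.exe", 1001),
    TaskRow("alice", "mail.exe", 1002),
    TaskRow("alice", "browser.exe", 1003),
    TaskRow("bob", "browser.exe", 2001),   # no list held for bob: left alone
]

def demo():
    closed: List[int] = []                  # stand-in for really closing a process
    agent = Agent(terminate=closed.append)
    agent.on_authorized_message(INITIAL_MESSAGE)
    first = agent.enforcement_pass(SNAPSHOT)
    agent.on_authorized_message(UPDATED_MESSAGE)   # administrator adjusted the grant
    still_running = [r for r in SNAPSHOT if r.pid not in closed]
    second = agent.enforcement_pass(still_running)
    return closed, first, second

if __name__ == "__main__":
    print(demo())
```

The second pass shows why the check is periodic: once the updated message narrows the list, an application that was allowed on the first pass is closed on the next one.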
Referring to Fig. 5, illustrated is a hardware structural diagram of an application access authority control device according to one example. In the illustrated example, the application access authority control device can be a remote application server or an application authority management server. A processor 51 in the device can read corresponding machine readable instructions stored on a non-transitory machine readable storage medium 52 into memory 53 for execution to perform the application access authority control method described in the examples of the disclosure. The machine readable instructions can be referred to as application access authority control module 54.
If the device is the remote application server, then the application access authority control module 54 can be instructions executed to perform the method flow illustrated in Fig. 2, and the remote application server can execute the instructions to perform the operations of the method illustrated in Fig. 2. If the device is the application authority management server, then the application access authority control module 54 can be instructions executed to perform the method flow illustrated in Fig. 3, and the application authority management server can execute the instructions to perform the operations of the method illustrated in Fig. 3. In addition to the processor 51, a network interface 55, and the non-transitory machine readable storage medium 52 illustrated in Fig. 5, the device where the module 54 is stored according to the example typically can further include other hardware, e.g., a forwarding chip for processing a packet, etc.; and from the perspective of a hardware structure, the device may alternatively be a distributed device including a number of interface cards to extend message processing at the hardware level.
Other examples of the disclosure will be readily recognized by those skilled in the art upon consideration of the description and practice of the disclosure disclosed here. The disclosure is intended to encompass any variations, uses or adaptations of the disclosure, and all these variations, uses or adaptations will comply with the general principle of the disclosure and include general knowledge or common technical means in the related art, which has not been disclosed in the description. The description and the examples are merely illustrative, and the true scope and spirit of the disclosure will be as pointed out in the appended claims.
It shall be appreciated that the disclosure will not be limited to the precise structure described above and illustrated in the drawings, but can be modified and amended variously without departing from the scope thereof. The scope of the disclosure will be only as defined in the appended claims.

Claims (14)

  1. A method of application access authority control, applicable to a remote application server, the method comprising:
    obtaining an authorized application message of a user sent by an application authority management server;
    creating a list of authorized applications for the user according to the authorized application message of the user;
    determining whether the user has authority to access one or more applications being accessed according to the list of authorized applications of the user; and
    controlling access of the user to the one or more applications on the remote application server based on the result of the determination.
  2. The method according to claim 1, wherein determining whether the user has authority to access the one or more applications being accessed, according to the list of authorized applications of the user comprises:
    detecting whether the user is accessing an application on the remote application server; and
    if it is detected that the user is accessing an application on the remote application server, then determining whether the application being accessed by the user is included in the list of authorized applications of the user; and if the application being accessed by the user is included in the list of authorized applications of the user, then indicating that the user has authority to access the application; otherwise, indicating that the user has no authority to access the application.
  3. The method according to claim 1, wherein controlling access of the user to the one or more applications on the remote application server based on the result of the determination comprises:
    if the user has no authority to access an application being accessed, then prohibiting the user from further accessing the application by closing the application on the remote application server.
  4. The method according to claim 1, wherein the authorized application message of the user comprises:
    an authorized application message indicating the authorized applications that were initially set for the user on the application authority management server; or
    an updated authorized application message generated after the authorized applications that were initially set for the user have been adjusted on the application authority management server.
  5. A method of application access authority control, applicable to an application authority management server, wherein the method comprises:
    obtaining an authorized application message of a user; and
    sending the authorized application message of the user to a remote application server to enable the remote application server to create a list of authorized applications for the user according to the authorized application message of the user, and to control access of the user to applications on the remote application server according to the list of authorized applications of the user.
  6. The method according to claim 5, wherein sending the authorized application message of the user to the remote application server comprises:
    sending the authorized application message of the user to the remote application server upon detecting that the user gets online.
  7. The method according to claim 5, wherein the authorized application message of the user comprises:
    an authorized application message indicating the authorized applications that were initially set for the user on the application authority management server; or
    an updated authorized application message generated after the authorized applications that were initially set for the user have been adjusted on the application authority management server.
  8. A remote application server, comprising a processor, and a non-transitory machine readable storage medium storing executable instructions that are executable by the processor to perform the operations of:
    obtaining an authorized application message of a user sent by an application authority management server;
    creating a list of authorized applications for the user according to the authorized application message of the user;
    determining whether the user has authority to access one or more applications being accessed according to the list of authorized applications of the user; and
    controlling access of the user to the one or more applications on the remote application server based on the result of the determination.
  9. The remote application server according to claim 8, wherein in order to determine whether the user has authority to access the one or more applications being accessed according to the list of authorized applications of the user, the processor is configured to execute the executable instructions so that the remote application server performs the operations of:
    detecting whether the user is accessing an application on the remote application server; and
    if it is detected that the user is accessing an application on the remote application server, then determining whether the application being accessed by the user is included in the list of authorized applications of the user; and if the application being accessed by the user is included in the list of authorized applications of the user, then indicating that the user has authority to access the application; otherwise, indicating that the user has no authority to access the application.
  10. The remote application server according to claim 8, wherein in order to control access of the user to the one or more applications on the remote application server based on the result of the determination, the processor is configured to execute the executable instructions so that the remote application server performs the operations of:
    if the user has no authority to access an application being accessed, then prohibiting the user from further accessing the application by closing the application on the remote application server.
  11. The remote application server according to claim 8, wherein the authorized application message of the user comprises:
    an authorized application message indicating the authorized applications that were initially set for the user on the application authority management server; or
    an updated authorized application message generated after the authorized applications that were initially set for the user have been adjusted on the application authority management server.
  12. An application authority management server, comprising a processor, and a non-transitory machine readable storage medium storing executable instructions which are executable by the processor to perform the operations of:
    obtaining an authorized application message of a user; and
    sending the authorized application message of the user to a remote application server to enable the remote application server to create a list of authorized applications for the user according to the authorized application message of the user, and to control the access of the user to applications on the remote application server according to the list of authorized applications of the user.
  13. The application authority management server according to claim 12, wherein in order to send the authorized application message of the user to the remote application server, the processor is to execute the executable instructions so that the application authority management server performs the operations of:
    sending the authorized application message of the user to the remote application server upon detecting that the user gets online.
  14. The application authority management server according to claim 12, wherein the authorized application message of the user comprises:
    an authorized application message indicating the authorized applications that were initially set for the user on the application authority management server; or
    an updated authorized application message generated after the authorized applications that were initially set for the user have been adjusted on the application authority management server.
PCT/CN2015/095494 2014-11-25 2015-11-25 Application access authority control WO2016082756A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410690717.3 2014-11-25
CN201410690717.3A CN105704094B (en) 2014-11-25 2014-11-25 Application access authority control method and device

Publications (1)

Publication Number Publication Date
WO2016082756A1 (en) 2016-06-02

Family

ID=56073618

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/095494 WO2016082756A1 (en) 2014-11-25 2015-11-25 Application access authority control

Country Status (2)

Country Link
CN (1) CN105704094B (en)
WO (1) WO2016082756A1 (en)

Also Published As

Publication number Publication date
CN105704094A (en) 2016-06-22
CN105704094B (en) 2019-09-17


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15863619

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15863619

Country of ref document: EP

Kind code of ref document: A1