CN115766074A - Authority control method, device, medium and equipment of service object - Google Patents
- Publication number
- CN115766074A (CN202211205408.3A)
- Authority
- CN
- China
- Prior art keywords
- message
- authority
- attribute information
- business object
- information
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
- Storage Device Security (AREA)
Description
Technical field
The present invention relates to the technical field of authority control, and in particular to an authority control method, device, medium and equipment for business objects.
Background
At present, in communication between power service terminals and the power service application server, every newly connected power service application or power service terminal must have its permissions configured separately. Because there are many types of power service applications and power service terminals, configuring permissions separately each time easily leads to inconsistent permission configuration, duplicated permission configuration, incorrect permission configuration, and permissions that are not updated in time. This creates security risks for power service applications and terminals and poses a security threat to the operation of the power system.
Summary of the invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect in the prior art that the authority control process for business objects easily creates security threats to the power system, thereby providing an authority control method, device, medium and equipment for business objects.
According to a first aspect, an embodiment of the present invention provides an authority control method for a business object, including: receiving a permission list request message sent by the business object; extracting attribute information of the business object based on the permission list request message; determining the access address corresponding to the permission list request message based on the correspondence between the attribute information and preset message information, where the preset message information is the attribute information adaptation rule corresponding to the attribute information; after determining the access address corresponding to the permission list request message, determining the permission corresponding to the permission list request message based on the correspondence between the attribute information and preset permission information, where the preset permission information is the permission corresponding to the attribute information; and sending the access address and the permission to the business object, so that the business object updates its local permission list and performs service access based on the local permission list.
Optionally, the attribute information includes: power service target, power service object type, access IP address, port, power service security level, message type, power service type, and the service data contained in the message type. Extracting the attribute information of the business object based on the permission list request message includes:
based on a preset message information storage rule, extracting at least one of the access IP address, port, power service security level, message type, power service type, and the service data contained in the message type stored at the corresponding positions in the permission list request message; and, according to the correspondence between the access IP address and port and the power service target and power service object type, determining the power service target and power service object type corresponding to the permission list request message.
Optionally, determining the access address corresponding to the permission list request message based on the correspondence between the attribute information and the preset message information includes: judging whether the attribute information passes verification based on the correspondence between the power service security level and the preset message information; and, if the attribute information passes verification, using the access IP address and port as the access address corresponding to the permission list request message.
Optionally, judging whether the attribute information passes verification based on the correspondence between the power service security level and the preset message information includes: determining a message adaptation rule based on the correspondence between the power service security level and the preset message information; judging, based on the message adaptation rule, whether the message type, the power service type and the service data contained in the message type match the message adaptation rule; and, when the message type, the power service type and the service data contained in the message type match the message adaptation rule, determining that the attribute information passes verification.
Optionally, determining the permission corresponding to the permission list request message based on the correspondence between the attribute information and the preset permission information includes: determining the permission corresponding to the permission list request message based on the correspondence between the power service target, the power service object type and the preset permission information.
Optionally, the authority control method for a business object further includes: authenticating the business object to obtain an authentication certificate and the object IP corresponding to the authentication certificate; obtaining the certificate and IP of the business object; and, when the certificate is the same as the authentication certificate and the IP is the same as the object IP, determining that the business object is legitimate.
Optionally, the authority control method for a business object further includes: receiving information that the business object failed when performing service access based on the local permission list; and, based on that information, lowering the trust value of the business object and disconnecting from the business object when the trust value falls below a preset trust threshold.
According to a second aspect, an embodiment of the present invention provides an authority control device for a business object, including: a message receiving unit, configured to receive a permission list request message sent by the business object; an attribute information extraction unit, configured to extract attribute information of the business object based on the permission list request message; an access address determination unit, configured to determine the access address corresponding to the permission list request message based on the correspondence between the attribute information and preset message information, where the preset message information is the attribute information adaptation rule corresponding to the attribute information; a permission determination unit, configured to determine the permission corresponding to the permission list request message based on the correspondence between the attribute information and preset permission information, where the preset permission information is the permission corresponding to the attribute information; and a sending unit, configured to send the access address and the permission to the business object, so that the business object updates its local permission list and performs service access based on the local permission list.
Optionally, the access address determination unit includes: a verification judgment subunit, configured to judge whether the attribute information passes verification based on the correspondence between the power service security level and the preset message information; and an access address determination subunit which, if the attribute information passes verification, uses the access IP address and port as the access address corresponding to the permission list request message.
Optionally, the verification judgment subunit includes: a message adaptation rule determination subunit, configured to determine a message adaptation rule based on the correspondence between the power service security level and the preset message information; an adaptation judgment subunit, configured to judge, based on the message adaptation rule, whether the message type, the power service type and the service data contained in the message type match the message adaptation rule; and a verification result subunit, configured to determine that the attribute information passes verification when the message type, the power service type and the service data contained in the message type match the message adaptation rule.
According to a third aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which, when executed by a processor, implement the authority control method for a business object described in any implementation of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer device, including at least one processor and a memory communicatively connected to the at least one processor, where the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so as to perform the authority control method for a business object described in any implementation of the first aspect.
The technical solution of the present invention has the following advantages:
The authority control method for a business object provided by the present invention includes: receiving a permission list request message sent by the business object; extracting attribute information of the business object based on the permission list request message; determining the access address corresponding to the permission list request message based on the correspondence between the attribute information and preset message information, where the preset message information is the attribute information adaptation rule corresponding to the attribute information; determining the permission corresponding to the permission list request message based on the correspondence between the attribute information and preset permission information, where the preset permission information is the permission corresponding to the attribute information; and sending the access address and the permission to the business object, so that the business object updates its local permission list and performs service access based on the local permission list. In the embodiment of the present invention, the attribute information in the permission list request message is extracted and aggregated, and the business object obtains the permission corresponding to the permission list request message through the correspondence rules between the attribute information and the preset message information and between the attribute information and the preset permission information. This achieves unified management of business object permissions, provides fine-grained permission management, and meets the permission control requirements of different service accesses by different business objects, thereby improving the security of the power system.
Description of drawings
In order to explain the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of a specific example of an authority control method for a business object provided by an embodiment of the present invention;
FIG. 2 is a flow chart of a specific example of an authority control method for a business object provided by an embodiment of the present invention;
FIG. 3 is a structural diagram of a specific example of an authority control device for a business object provided by an embodiment of the present invention;
FIG. 4 is a structural diagram of a computer device in an embodiment of the present invention.
Detailed description
The technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict.
The authority control method and device for business objects provided in this embodiment are applied to a power security access gateway. The power security access gateway is a gateway device in the power system that is connected to business objects and is used to implement access and permission assignment for business objects in the power system.
An embodiment of the present invention provides an authority control method for a business object which, as shown in FIG. 1, includes:
S101. Receive a permission list request message sent by a business object.
Specifically, business objects include power service applications and power service terminals. The permission list request message is a request, sent by a power service application or power service terminal, to update the local permission list with the permissions corresponding to that application or terminal, so that the application or terminal performs service access according to the permissions in its local permission list.
S102. Extract attribute information of the business object based on the permission list request message.
Specifically, extracting the attribute information of the business object based on the permission list request message means extracting the attribute information of the business object according to a preset message information storage rule.
In practical applications, the attribute information of the business object extracted from the permission list request message is stored in a database. The attribute information of business objects is thereby aggregated on the basis of permission list request messages and provides a data basis for permission management when a business object connects to the power system.
S103. Determine the access address corresponding to the permission list request message based on the correspondence between the attribute information and the preset message information.
Specifically, the preset message information is the adaptation rule for the attribute information. Determining the access address corresponding to the permission list request message based on the correspondence between the attribute information and the preset message information means that, when the attribute information satisfies the adaptation rule, the access IP address and port included in the attribute information are used as the access address corresponding to the permission list request message.
In practical applications, the attribute information adaptation rule corresponding to the attribute information may be determined according to the power service security level; that is, each power service security level has its own attribute information adaptation rule. When the attribute information satisfies the adaptation rule, the access address corresponding to the permission list request message is determined and is sent to the business object together with the subsequently determined permission corresponding to the permission list request message, so that the business object updates its local permission list and performs service access based on the access address and the permission recorded there.
S104. After determining the access address corresponding to the permission list request message, determine the permission corresponding to the permission list request message based on the correspondence between the attribute information and the preset permission information.
Specifically, the preset permission information is the preset permission corresponding to the attribute information. Preset permissions include read permission, write permission, read-and-write permission, or other permissions; this application does not specifically limit them, and they can be chosen according to actual operating conditions.
In practical applications, if the access address corresponding to the permission list request message cannot be determined from the correspondence between the attribute information and the preset message information, there is no need to determine the permission corresponding to the permission list request message.
In practical applications, the preset permission information is stored in a database that is independent of the database storing the attribute information. After the permission corresponding to the permission list request message is determined, it is sent to the business object together with the access address determined above, so that the business object updates its local permission list and performs service access based on the access address and the permission recorded there.
S105. Send the access address and the permission to the business object, so that the business object updates its local permission list and performs service access based on the local permission list.
In practical applications, after receiving the access address and permission, the business object updates its local permission list. When the business object needs to perform service access, it must query the local permission list; access proceeds only if the corresponding access address and permission exist in the local permission list, and otherwise the access is rejected directly on the business object side.
In the embodiment of the present invention, the attribute information in the permission list request message is extracted and aggregated, and the business object obtains the permission corresponding to the permission list request message through the correspondence rules between the attribute information and the preset message information and between the attribute information and the preset permission information. This achieves unified management of business object permissions, provides fine-grained permission management, and meets the permission control requirements of different service accesses by different business objects, thereby improving the security of the power system.
In an optional embodiment, the attribute information includes: power service target, power service object type, access IP address, port, power service security level, message type, power service type, and the service data contained in the message type. Correspondingly, the process in step S102 of extracting the attribute information of the business object based on the permission list request message specifically includes:
(1) Based on a preset message information storage rule, extract at least one of the access IP address, port, power service security level, message type, power service type, and the service data contained in the message type stored at the corresponding positions in the permission list request message.
Specifically, the preset message information storage rule is the correspondence between at least one of the access IP address, port, power service security level, message type, power service type and the service data contained in the message type, and the storage position of the message field. That is, the access IP address, port, power service security level, message type, power service type and the service data contained in the message type are extracted from their corresponding storage positions in the permission list request message.
In practical applications, the power service target is the target device, target terminal or target application that the business object accesses for a power service. The power service object type is the type of the business object. The access IP address and port are the target IP address and target port of the business object's service access. The power service security level is the security level that corresponds to the business object's power service access. It may be level one, level two, level three or another security level, where either level three or level one may be the highest; this application does not specifically limit this, as long as the levels reflect that service access by business objects has different security levels. The message type is the type of power service message that the business object sends when accessing a power service. The power service type is the type of power service involved when the business object accesses a power service, and the service data contained in the message type is the service data that differs from one message type to another, such as the authentication certificate name and the power service terminal address corresponding to that certificate name, which are contained in the certificate acquisition message type.
In practical applications, the storage positions of the access IP address, port, power service security level, message type, power service type and the service data contained in the message type within the permission list request message can be set according to the actual situation. This application does not specifically limit them, as long as the message attribute information can be extracted according to the storage positions in the message.
(2) According to the correspondence between the access IP address and port and the power service target and power service object type, determine the power service target and power service object type corresponding to the permission list request message.
In practical applications, Table 1 shows, by way of example, the correspondence between access IP address and port and the power service target and power service object type.
Table 1
In practical applications, the access IP address and port differ from one request to another, and the correspondence between access IP address, port and power service target identifies the target of the business object's power service access, that is, the power service target. The correspondence between access IP address, port and power service object type identifies the type of the business object: the target IP address and target port of the business object's service access indicate what type of access the business object is going to perform, which determines the power service object type.
By implementing this embodiment, at least one of the access IP address, port, power service security level, message type, power service type and the service data contained in the message type stored at the corresponding positions in the permission list request message is extracted according to the preset message information storage rule, and the power service target and power service object type are derived from the access IP address and port. The attribute information of business objects is thereby extracted and aggregated, providing a data basis for permission management when a business object connects to the power system.
In an optional embodiment, the process in step S103 of determining the access address corresponding to the permission list request message based on the correspondence between the attribute information and the preset message information specifically includes:
(1) Judge whether the attribute information passes verification based on the correspondence between the power service security level and the preset message information.
Specifically, judging whether the attribute information passes verification is the process of judging whether the permission list request message sent by the business object conforms to the corresponding power service security level. In practical applications, if the attribute information fails verification, the permission list request message sent by the business object is non-compliant or erroneous, and the access IP address and port cannot be used as the access address corresponding to the permission list request message. The process in step S104 is therefore not performed for the business object that sent the message; that is, that business object cannot update its local permission list.
(2) If the attribute information passes verification, use the access IP address and port as the access address corresponding to the permission list request message.
In practical applications, using the access IP address and port as the access address corresponding to the permission list request message means that the business object that sent the message can obtain the access address and, through the process in step S104, obtain the corresponding permission, thereby updating its local permission list.
In an optional embodiment, in the above steps, the process of determining whether the attribute information passes verification based on the correspondence between the power service security level and the preset message information specifically includes:
(1) Based on the correspondence between the power service security level and the preset message information, determine the message adaptation rule.
Specifically, determining the message adaptation rule based on the correspondence between the power service security level and the preset message information means that the higher the power service security level, the more items the corresponding message adaptation rule requires to match.
In practice, at the lowest power service security level, the message adaptation rule determined from the correspondence between the power service security level and the preset message information may be that a match on at least one item counts as adapted. At the highest power service security level, the rule may be that some or all items must be identical to count as adapted.
(2) Based on the message adaptation rule, determine whether the message type, the power service type, and the service data contained in the message type fit the message adaptation rule.
In practice, determining whether the message type, power service type, and service data contained in the message type fit the message adaptation rule means checking whether at least one of the message type, power service type, and service data specified by the rule is identical to the content the rule requires. For example, the rule may require that the message type be the same and the service data contained in the message type be the same; or that the power service type be the same and the service data contained in the message type be partly the same. This application does not specifically limit this, and it can be set according to actual operating conditions.
(3) If the message type, the power service type, and the service data contained in the message type fit the message adaptation rule, the attribute information is determined to have passed verification.
By implementing this embodiment, the power service security level is used to determine whether the attribute information satisfies the message adaptation rule. When the attribute information satisfies the attribute information adaptation rule, the access address corresponding to the permission list request message is determined and sent to the business object together with the subsequently determined permissions corresponding to the permission list request message, so that the business object updates its local permission list and performs service access based on the access address and permissions in that list. This achieves unified management of business object permissions, provides fine-grained permission management, and meets the permission control requirements of different service accesses by different business objects, thereby improving the security of the power system.
In an optional embodiment, in step S104 above, the process of determining the permissions corresponding to the permission list request message based on the correspondence between the attribute information and the preset permission information includes:
Determining the permissions corresponding to the permission list request message based on the correspondence between the power service target, the power service object type, and the preset permission information.
Specifically, this means taking the permissions in the preset permission information whose power service target and power service object type are both identical as the permissions corresponding to the permission list request message.
In practice, the permissions corresponding to the permission list request message are determined after the access address corresponding to the permission list request message has been determined; that is, when the attribute information fails verification, no permissions need to be assigned. For the process that applies when the attribute information fails verification, see the description of step S102 in the above embodiment; it is not repeated here.
By implementing this embodiment, the permissions corresponding to the permission list request message are determined from the preset permission information and sent to the business object together with the determined access address corresponding to the permission list request message, so that the business object updates its local permission list and performs service access based on the access address and permissions in that list. This achieves unified management of business object permissions, provides fine-grained permission management, and meets the permission control requirements of different service accesses by different business objects, thereby improving the security of the power system.
In an optional embodiment, to ensure that the connection with the business object is secure and compliant, before receiving the permission list request message sent by the business object, the authority control method for a business object of this embodiment further includes:
(1) Authenticate the business object, and obtain the authentication certificate and the object IP corresponding to the authentication certificate.
In practice, the business object may be authenticated using the SM2 national cryptographic algorithm. SM2 is a relatively mature technology and is not described further here.
Specifically, obtaining the authentication certificate and the object IP corresponding to the authentication certificate means obtaining the SM2 terminal certificate name and the IP address of the power service terminal corresponding to that terminal certificate name.
(2) Obtain the certificate and IP of the business object.
In practice, obtaining the certificate and IP of the business object means obtaining the authentication certificate name and the IP address of the business object that sends the permission list request message.
(3) When the certificate is the same as the authentication certificate and the IP is the same as the object IP, the business object is determined to be legitimate.
An embodiment of the present invention provides an authority control method for a business object, as shown in FIG. 2, including:
S201. Receive the permission list request message sent by the business object.
S202. Based on the permission list request message, extract the attribute information of the business object.
S203. Based on the correspondence between the attribute information and the preset message information, determine the access address corresponding to the permission list request message.
S204. After determining the access address corresponding to the permission list request message, determine the permissions corresponding to the permission list request message based on the correspondence between the attribute information and the preset permission information.
S205. Send the access address and permissions to the business object, so that the business object updates its local permission list and performs service access based on the local permission list.
For details of steps S201 to S205, see the descriptions of steps S101 to S105 in any of the above embodiments; they are not repeated here.
S206. Receive information that the business object failed when performing service access based on the local permission list.
Specifically, receiving this information means recording the number of times the business object has failed to perform service access based on the local permission list.
S207. Based on the information, reduce the trust value of the business object, and disconnect from the business object when the trust value falls below the preset trust threshold.
Specifically, reducing the trust value of the business object based on the information means reducing the trust value of the corresponding business object each time the business object performs service access based on the local permission list.
In practice, the initial trust value of a business object may be 99, 101, 200, or another number. The amount by which the trust value of the corresponding business object is reduced each time it performs service access based on the local permission list may be 10, 20, 15, or another value. The preset trust threshold may be 59, 62, 95, or another value.
By implementing this embodiment, the attribute information in the permission list request message is extracted and aggregated, and the business object obtains the permissions corresponding to the permission list request message through the correspondence rules between the attribute information and the preset message information and between the attribute information and the preset permission information. This achieves unified management of business object permissions, provides fine-grained permission management, and meets the permission control requirements of different service accesses by different business objects. In addition, based on the access failure information of the business object, the communication connection with the business object is disconnected when its trust value falls below the preset trust threshold, which further improves the security of the power system.
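The following sketch is an added example, not code from the patent. It walks the flow described above: the certificate and IP check before S201, the security-level-dependent adaptation rule and permission lookup of S203 to S205, and the trust-value decay of S206 to S207. All field names, addresses, rule tables and the 1-to-3 security scale are assumptions; the trust numbers are sample values the text lists.

```python
from dataclasses import dataclass, replace

# Every value below (addresses, names, rule tables) is constructed for this
# example; the patent text does not define concrete formats or tables.

@dataclass(frozen=True)
class Attributes:
    access_ip: str
    port: int
    security_level: int   # assumed scale: 1 = lowest, 3 = highest
    message_type: str
    service_type: str
    service_data: str
    service_target: str   # the patent derives these two from access IP/port
    object_type: str

# "Preset message information": expected items per access address.
PRESET_MESSAGE_INFO = {
    ("10.0.5.20", 8443): {
        "message_type": "telemetry",
        "service_type": "distribution-automation",
        "service_data": "feeder-status",
    },
}
# Adaptation rule: the higher the level, the more items must match.
REQUIRED_MATCHES = {1: 1, 2: 2, 3: 3}
# "Preset permission information", keyed by (service target, object type).
PRESET_PERMISSIONS = {("scada-frontend", "terminal"): ["read:feeder-status"]}
# Sample values the patent lists for the trust mechanism.
INITIAL_TRUST, FAILURE_PENALTY, TRUST_THRESHOLD = 99, 15, 59

def is_legitimate(bindings, cert_name, source_ip):
    """Pre-S201: the presented certificate name and source IP must both
    equal the binding recorded at authentication time."""
    return bindings.get(cert_name) == source_ip

def passes_validation(attrs):
    """S203 (1)-(3): count matching items and compare with the level's rule."""
    expected = PRESET_MESSAGE_INFO.get((attrs.access_ip, attrs.port))
    required = REQUIRED_MATCHES.get(attrs.security_level)
    if expected is None or required is None:
        return False  # unknown address or level: fail closed
    matches = sum(getattr(attrs, name) == value
                  for name, value in expected.items())
    return matches >= required

def handle_request(attrs):
    """S203-S205: return (access address, permissions), or None when the
    attributes fail verification, in which case nothing is assigned."""
    if not passes_validation(attrs):
        return None
    key = (attrs.service_target, attrs.object_type)
    return (attrs.access_ip, attrs.port), list(PRESET_PERMISSIONS.get(key, []))

@dataclass
class Session:
    trust: int = INITIAL_TRUST
    connected: bool = True

    def report_failure(self):
        """S206-S207: lower the trust value; disconnect below the threshold."""
        self.trust -= FAILURE_PENALTY
        if self.trust < TRUST_THRESHOLD:
            self.connected = False
        return self.connected

# Constructed sample requests.
SAMPLE = Attributes("10.0.5.20", 8443, 3, "telemetry",
                    "distribution-automation", "feeder-status",
                    "scada-frontend", "terminal")
SAMPLE_BAD_DATA = replace(SAMPLE, service_data="firmware-image")
SAMPLE_LOW_LEVEL = replace(SAMPLE, security_level=1,
                           service_type="other", service_data="other")

if __name__ == "__main__":
    print(handle_request(SAMPLE))            # address and permissions
    print(handle_request(SAMPLE_BAD_DATA))   # None: 2 of 3 items at level 3
    print(handle_request(SAMPLE_LOW_LEVEL))  # passes: 1 item suffices at level 1
    session = Session()
    while session.report_failure():
        pass
    print(session.trust, session.connected)
```

With these sample values the session is dropped on the third reported failure, and a request for an unknown address or security level is rejected rather than matched against an empty rule.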
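An embodiment of the present invention provides an authority control apparatus for a business object, as shown in FIG. 3, including: a message receiving unit 31, an attribute information extraction unit 32, an access address determination unit 33, a permission determination unit 34, and a sending unit 35.
The message receiving unit 31 is configured to receive the permission list request message sent by the business object. For the specific process, see the description of step S101 in the above embodiments; it is not repeated here.
The attribute information extraction unit 32 is configured to extract the attribute information of the business object based on the permission list request message. For the specific process, see the description of step S102 in the above embodiments; it is not repeated here.
The access address determination unit 33 is configured to determine the access address corresponding to the permission list request message based on the correspondence between the attribute information and the preset message information, where the preset message information is the attribute information adaptation rule corresponding to the attribute information. For the specific process, see the description of step S103 in the above embodiments; it is not repeated here.
The permission determination unit 34 is configured to determine the permissions corresponding to the permission list request message based on the correspondence between the attribute information and the preset permission information, where the preset permission information is the permissions corresponding to the attribute information. For the specific process, see the description of step S104 in the above embodiments; it is not repeated here.
The sending unit 35 is configured to send the access address and permissions to the business object, so that the business object updates its local permission list and performs service access based on the local permission list. For the specific process, see the description of step S105 in the above embodiments; it is not repeated here.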
In an optional implementation, the access address determination unit 33 includes: a verification judgment subunit and an access address determination subunit.
The verification judgment subunit is configured to determine whether the attribute information passes verification based on the correspondence between the power service security level and the preset message information. For the specific process, see the description of step S103 in the above embodiments; it is not repeated here.
The access address determination subunit, if the attribute information passes verification, uses the access IP address and port as the access address corresponding to the permission list request message. For the specific process, see the description of step S103 in the above embodiments; it is not repeated here.
In an optional implementation, the verification judgment subunit includes: a message adaptation rule determination subunit, an adaptation judgment subunit, and a verification result subunit.
The message adaptation rule determination subunit is configured to determine the message adaptation rule based on the correspondence between the power service security level and the preset message information. For the specific process, see the description of step S103 in the above embodiments; it is not repeated here.
The adaptation judgment subunit is configured to determine, based on the message adaptation rule, whether the message type, the power service type, and the service data contained in the message type fit the message adaptation rule. For the specific process, see the description of step S103 in the above embodiments; it is not repeated here.
The verification result subunit is configured to determine that the attribute information passes verification when the message type, the power service type, and the service data contained in the message type fit the message adaptation rule. For the specific process, see the description of step S103 in the above embodiments; it is not repeated here.
In this embodiment of the present invention, the message receiving unit and the attribute information extraction unit extract the attribute information from the permission list request message, and the access address determination unit and the permission determination unit aggregate the attribute information and apply the correspondence rules between the attribute information and the preset message information and between the attribute information and the preset permission information, so that the business object obtains the permissions corresponding to the permission list request message. This achieves unified management of business object permissions, provides fine-grained permission management, and meets the permission control requirements of different service accesses by different business objects, thereby improving the security of the power system.
An embodiment of the present invention further provides a non-transitory computer storage medium storing computer-executable instructions that can execute the authority control method for a business object in any of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid-state drive (SSD), or the like; the storage medium may also include a combination of the above types of memory.
An embodiment of the present invention further provides a computer device, as shown in FIG. 4, which is a schematic structural diagram of a computer device provided by an optional embodiment of the present invention. The computer device may include at least one processor 41, at least one communication interface 42, at least one communication bus 43, and at least one memory 44. The communication interface 42 may include a display and a keyboard, and optionally may also include a standard wired interface and a wireless interface. The memory 64 may be a high-speed RAM (volatile random access memory) or a non-volatile memory, for example at least one magnetic disk memory. Optionally, the memory 44 may also be at least one storage device located remotely from the aforementioned processor 41. The processor 41 may be combined with the apparatus described in FIG. 3; the memory 44 stores an application program, and the processor 41 calls the program code stored in the memory 44 to execute the steps of the authority control method for a business object described in any of the above method embodiments.
The communication bus 43 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The communication bus 43 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 4, but this does not mean that there is only one bus or one type of bus.
The memory 44 may include a volatile memory, such as a random-access memory (RAM); the memory may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory 44 may also include a combination of the above types of memory.
The processor 41 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
The processor 41 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
Optionally, the memory 44 is also used to store program instructions. The processor 41 can call the program instructions to implement the authority control method for a business object described in any embodiment of the present invention.
Obviously, the above embodiments are merely examples given for clarity of description and do not limit the implementations. Those of ordinary skill in the art can make other changes or variations in different forms on the basis of the above description. It is neither necessary nor possible to list all implementations exhaustively here. Obvious changes or variations derived from the above remain within the scope of protection of the present invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211205408.3A CN115766074A (en) | 2022-09-30 | 2022-09-30 | Authority control method, device, medium and equipment of service object |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115766074A true CN115766074A (en) | 2023-03-07 |
Family
ID=85350684
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118713936A (en) * | 2024-08-29 | 2024-09-27 | 中孚信息股份有限公司 | Data monitoring method, system, device and medium based on API traffic data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||