CN113779525B - Role-based Handle system differentiation analysis method - Google Patents
Role-based Handle system differentiation analysis method
Publication number: CN113779525B (application CN202111073857.2A)
Authority: CN (China)
Prior art keywords: role, user, identification, handle, module
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Classifications
- G06F21/31: User authentication (under G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30, Authentication, i.e. establishing the identity or authorisation of security principals)
- G06F16/27: Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor (under G06F16/00, Information retrieval; database structures therefor; file system structures therefor; G06F16/20, the same for structured data, e.g. relational data)
Abstract
The invention discloses a role-based Handle system differentiated resolution method comprising the following steps: an identifier publisher such as an enterprise uploads the role permission model it has built, together with the content associated with the identifier, to the LHS (local Handle service) site in order to apply for the identifier and store the related content; a user who wishes to resolve the identifier applies to the publisher, through the Handle client, for the role permissions associated with the existing identifier; and the user resolves the identifier for which permission has been granted and obtains the value set corresponding to that permission. Because the requesting user's role is determined dynamically at request time, the value set returned for an identifier is assigned to each user dynamically.
Description
Technical Field
The invention belongs to the technical field of Internet identification technology, and in particular relates to a role-based Handle system differentiated resolution method.
Background
The Handle system is a distributed information system intended to provide an efficient, scalable and secure global name service for the Internet. It consists of an open protocol, a namespace and a reference implementation of the protocol. The protocol enables a distributed computer system to store names, or identifiers (Handles), of digital resources. Handle identification technology originated on the Internet and is now applied as an identifier for the Internet of Things: it gives every kind of object on the Internet (documents, images, multimedia and so on) a unique, legal, secure and permanent identifier, through which the identified object can be read, located, tracked, queried and applied. Its distinguishing feature is that the values bound to a Handle can be changed as required to reflect the current state of the identified resource while the Handle name itself stays the same, so the name remains stable while the location and other state information of the resource changes. The Handle system provides a service that binds identifiers to values: each Handle resolves to a set of values, and each value may be an item profile, a message digest, a URL or other custom information. Resolution is iterative and hierarchical, with two layers, the GHR (global Handle registry) and the LHS (local Handle service); the complete resolution architecture consists of three parts: the Handle client, the GHR and the LHS.
However, the existing Handle identifier resolution mechanism generally returns the same value set for the same identifier to every requester. It lacks any control over resolution permissions and cannot prevent some individuals from being granted overly broad access, so the privacy of the identifier's content may be disclosed. Access control is a defensive measure against the unauthorised use of resources, and a differentiated resolution method for the Handle system can be built on some of the established access control models. Early researchers applied access control to Handle identifiers by attaching a key to an individual value record ([1] Sun Bin, Mao Wei. An extended Handle system supporting single-record access control [A]. Proceedings of the 2009 annual meeting of the Information and Communication Network Technology Committee of the China Institute of Communications (Volume 1) [C]. China Institute of Communications, 2009: 5). This method, however, requires the identifier publisher to decide the access key and distribute it to every user who needs to resolve the record; the key is easily leaked during distribution and transmission, and as the number of requesting users grows in the industrial Internet the publisher must spend a great deal of effort on key management, so the method is not intelligent enough. The early access control models, discretionary access control and mandatory access control, are hard to administer and impose a large workload. As network and computer technology has developed, role-based access control (RBAC), task-based access control, security-attribute-based access control and similar models have emerged.
Because users in the industrial Internet domain come from many different applications and play many different roles, RBAC, which separates users from permissions by introducing the concept of roles, is the more suitable basis for access control here. However, the many kinds of identifier data place higher demands on flexibility and adaptability, identifier information is increasingly shared, and changing and revoking permissions becomes more complex, so the existing general RBAC model cannot meet the needs of Handle identifier resolution. A differentiated resolution method that returns different value sets to users with different roles is therefore needed.
Disclosure of Invention
To overcome these problems, the invention aims to provide a role-based Handle system differentiated resolution method, in which the identifier publisher determines the role of the party requesting Handle resolution according to a fixed rule, so that the corresponding permissions are allocated to the requester dynamically and the privacy of the identifier's content is protected more flexibly and conveniently.
The invention is realized by adopting the following technical scheme:
A role-based Handle system differentiated resolution method comprises the following steps:
Step one: the identifier publisher (for example an enterprise) uploads the role permission model it has built, together with the content associated with the identifier, to the LHS (local Handle service) in order to apply for the identifier and store the related content.
Step two: the user who wishes to resolve the identifier applies to the publisher, through the Handle client, for the role permissions associated with the existing identifier.
Step three: the user resolves the identifier for which permission has been granted and obtains the value set corresponding to that permission.
(1) The Handle client used in the method comprises the following modules:
Identifier uploading module: receives the content submitted by the identifier publisher, checks that it is reasonable, and completes the related operations;
Request resolution module: receives a user's resolution request and returns the final resolution result to the user;
Role granting module: responds to a user's request to be granted a role and completes the related operations;
Credibility calculation module: calculates the composite credibility of the user requesting identifier permissions;
Role management database: stores the correspondence between user IPs and roles for the identifiers applied for.
(2) Further, the specific process of step one is as follows:
1.1. The identifier publisher, for example an enterprise, first builds a model on the role access control model that supports Handle resolution, according to its own settings. The model comprises a role set and a permission set, where:
The role set contains one or more roles, and each role is assigned a role identifier that is unique within this identifier.
The permission set contains one or more distinct permissions. Unlike ordinary RBAC, a permission here does not denote a basic operation such as read, write or control, but the qualification to resolve a particular value; in general there is one permission per value item, so the permission set is equivalent to the complete value set.
Each role corresponds to one or more permissions; the permissions a role holds are the values it is qualified to resolve.
The correspondence between roles and permissions is expressed by a permission code. The code has one bit per permission, each bit denotes the resolution qualification for the corresponding value, and the bits are fixed from left to right in the order of the value set: when a role is qualified to resolve a value, the bit for that value is 1, otherwise it is 0.
Every identifier must have a general basic role, which holds the resolution permissions for those values that the enterprise has set to be returned without regard to privacy.
Specifically, in the role access control model supporting Handle resolution, roles are divided into service levels according to the number of values they are permitted to resolve; different service levels have different numbers of permissions and different credibility ranges. When a user actually makes a request, the role identifier matching the user's attribute keyword is selected from the service level corresponding to the user's credibility, or from a lower service level, and returned to the user for use. The service level partition C_T is given by the following formula:
where S_1, S_2, ..., S_k denote the service levels, T_r denotes the user's credibility, and d_1, d_2, ..., d_{k-1} denote the credibility thresholds set by the identifier publisher.
1.2. The enterprise sends the model it has built and the corresponding value set to the identifier uploading module of the Handle client, and the module forwards the request to the local naming authority after judging that it is reasonable.
1.3. The local naming authority receives the model and value set and creates a locally unique identifier for them. It then parses the model and adds a record for the identifier to its local database; the record contains the newly created unique identifier, the role identifiers of the roles in the model, the permission code corresponding to each role, and the identifier's value set.
1.4. The local naming authority returns the general basic role identifier set by the publisher, obtained by parsing the model, to the identifier uploading module. The module adds the identifier to the role management database, together with a record whose user IP is empty and whose role identifier is that of the general basic role, to be used by users who resolve the identifier without having applied for a role.
1.5. The identifier uploading module returns the complete identifier to the uploader and reports that publication is complete.
(3) Further, the specific process of step two is as follows:
2.1. The user sends a request to the role granting module of the Handle client asking to be granted a certain role, or certain permissions, of a certain Handle identifier; the request may also contain life-cycle information for the role being requested.
2.2. The role granting module receives the request, parses it, and extracts the corresponding publisher, the requesting user and the user's related information.
2.3. The role granting module sends the user's related information to the credibility calculation module, which calculates the composite credibility of the requesting user and returns the result to the role granting module.
Specifically, the composite credibility is calculated by the following formula:
T = β · A_T + (1 - β) · B_T (2)
where A_T denotes the user's basic credibility, B_T denotes the user's behaviour credibility, and β is the adjustment factor that weights basic credibility against behaviour credibility.
Five main factors affect user credibility: static attributes (whose degree of trust is expressed as a static credibility), the trusted platform, the system, the security equipment and the application software (referred to as the application).
The user basic credibility A_T is calculated by the following formula:
A_T = ω_1 · t + ω_2 · (m_1 / n_1) + ω_3 · (m_2 / n_2) + ω_4 · (m_3 / n_3) + ω_5 · (m_4 / n_4) (3)
where n_1, n_2, n_3, n_4 denote the numbers of operations on the trusted platform, the system, the security equipment and the application respectively, m_1, m_2, m_3, m_4 denote the numbers of trusted operations among them, t is the static credibility (set by the system), and ω_1, ω_2, ω_3, ω_4, ω_5 are the weights of the static credibility, the trusted platform, the system, the security equipment and the application respectively.
The user behaviour credibility B_T is calculated by the following formula:
B_T = Σ v_i / Σ |v_i| (4)
where v_i denotes the sensitivity of an access event. A benign access event is assigned v_i = 1 and a malicious access event v_i = -2, so that credibility rises slowly and falls quickly. The sensitivity values can be determined from the system's history and the user's access history, or directly from the purpose of the user's current access and the user's degree of authority.
2.4. The role granting module combines the requesting user's attributes, the obtained composite credibility and other information into a new message and sends it to the authorization management department of the corresponding publisher. The authorization management department reviews the request and selects the service level that corresponds to the user's composite credibility. It then matches the user's attribute keyword against the roles in that service level to obtain the user's role. If authorization succeeds, the unique role identifier of the role the user may activate, together with the life cycle granted to it, is returned to the role granting module of the Handle client.
2.5. When the enterprise has returned the authorization information to the role granting module, the module stores the complete Handle identifier, the IP of the requesting user, the received role identifier and the corresponding life cycle in the role management database (if the role identifier is that of the general basic role it need not be stored), and then returns a message to the requesting user that authorization is complete.
2.6. Once the user has received the authorization information, the related resolution requests can be made.
2.7. When the life cycle expires, the Handle client deletes the corresponding entry from the Handle role management database and the authorization terminates.
(4) Further, the specific process of step three is as follows:
3.1. The user submits the Handle identifier to be resolved to the request resolution module of the Handle client.
3.2. The request resolution module receives the identifier and looks it up in the role management database; if the identifier does not exist there, it returns an error to the user. If it exists, the module checks whether the requesting user's IP is recorded for that identifier: if so, it returns the corresponding role identifier; if not, it returns the role identifier of the general basic role set by the enterprise.
3.3. The request resolution module sends the prefix to the GHR (global Handle registry) and resolves it to obtain the information about the local service site.
3.4. The request resolution module combines the user's role identifier and the complete Handle identifier into a new message and sends it to the LHS local service site.
3.5. The local service site receives the message and extracts the Handle identifier and the corresponding role identifier.
3.6. The local service site determines the user's permission code from the Handle identifier and the role identifier, copies the corresponding value set and returns it to the request resolution module of the Handle client.
3.7. The request resolution module of the Handle client returns the final value set to the user, and resolution is complete.
(5) Furthermore, to improve resolution efficiency, a Hash table and a memory pool can be added to the Handle client.
Hash table: the Hash table carries an LRU linked list that records the latest hit time of each Hash node. The position of an entry in the Hash table is determined by hashing the Handle name together with the corresponding role code, and the entry stores a pointer to the corresponding Handle resolution result in the memory pool.
Memory pool: the messages holding Handle resolution results are stored in the memory pool.
When the request resolution module of the Handle client has determined the role code for the requesting IP, it first looks up whether a matching record exists in the Hash table. If it does, the module takes the record's pointer into the memory pool, obtains the value set from there immediately, and updates the LRU list of latest hits. If it does not, the module executes step two and step three in order until resolution is complete, and after returning the value set to the client it checks whether the Hash table has a free node; if so it stores the value set in the memory pool, stores the corresponding pointer in the Hash node and writes the time into the LRU list. If there is no free node, it deletes every record belonging to the node with the earliest hit in the LRU list, stores the value set in the memory pool, stores the corresponding pointer in the Hash node and writes the time into the LRU list.
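As an added illustration (not code from the patent), the client-side cache of point (5) modelled in Python: an OrderedDict serves as both the Hash table and the LRU list, entries are keyed by (Handle name, role code) exactly as the text specifies, and the memory-pool entry is copied on return so callers cannot alter the cached value set. The `resolver` callback standing in for steps two and three is an assumption.

```python
import time
from collections import OrderedDict
from typing import Callable, Dict, List, Tuple

# Added illustration, not the patent's code: the Hash table + memory pool + LRU list of
# point (5). An OrderedDict is both the Hash table and the LRU list (oldest hit first);
# the dict values stand in for the memory-pool messages.
ValueSet = Dict[str, str]
CacheKey = Tuple[str, str]          # (Handle name, role code), as the text specifies


class ResolutionCache:
    def __init__(self, capacity: int, resolver: Callable[[str, str], ValueSet]):
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self.resolver = resolver       # assumption: runs steps two and three on a miss
        self.table: "OrderedDict[CacheKey, ValueSet]" = OrderedDict()
        self.last_hit: Dict[CacheKey, float] = {}   # LRU list: latest hit time per node
        self.hits = 0
        self.misses = 0

    def resolve(self, handle: str, role_code: str) -> ValueSet:
        """Return the value set for (handle, role_code), consulting the cache first.

        The role code must already have been looked up for the requesting user
        (step 3.2). Keying the cache on the role code rather than on the user IP
        means a user can only receive a value set produced for a role it holds.
        """
        key = (handle, role_code)
        cached = self.table.get(key)
        if cached is not None:
            self.hits += 1
            self.table.move_to_end(key)               # now the most recently hit node
            self.last_hit[key] = time.monotonic()     # update the LRU hit time
            return dict(cached)                       # copy: pool entry stays intact
        self.misses += 1
        values = self.resolver(handle, role_code)
        if len(self.table) >= self.capacity:          # no free node
            old_key, _ = self.table.popitem(last=False)   # evict the earliest-hit node
            self.last_hit.pop(old_key, None)
        self.table[key] = dict(values)
        self.last_hit[key] = time.monotonic()
        return dict(values)

    def cached_keys(self) -> List[CacheKey]:
        """Keys ordered from least to most recently hit."""
        return list(self.table.keys())
```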
Compared with the prior art, the method has the following advantages:
1. The invention introduces a division into roles, so that the resolution result returns different value sets to users with different roles; a user can change role by applying again, so roles are determined more dynamically.
2. The invention introduces a credibility measure, so that a malicious requester who does not meet the conditions cannot be authorized even if its attributes match a role.
3. The invention uses permission codes as the bridge between roles and permissions: each role maps to its permissions through a unique permission code, which makes managing role permissions simple and convenient and meets the needs of the industrial Internet.
The invention is reasonably designed and, by determining the requesting user's role dynamically at request time, assigns the value set returned for an identifier to each user dynamically.
Drawings
FIG. 1 shows a diagram of a conventional Handle resolution system.
FIG. 2 shows the Handle identifier resolution flow chart provided by the invention.
FIG. 3 shows the Handle client architecture diagram of the invention.
FIG. 4 illustrates the role access control model supporting Handle resolution on which the invention is based.
FIG. 5 shows the role-based access control schematic of the invention.
Detailed Description
The technical scheme of the invention is explained in detail below with reference to a specific example, to which the invention is not limited.
This embodiment takes the identifier resolution of a machine in industrial production as its example.
In the role-based Handle system differentiated resolution method, the Handle client comprises: an identifier uploading module, which receives the content submitted by the identifier publisher, checks that it is reasonable and completes the related operations; a request resolution module, which receives a user's resolution request and returns the final resolution result to the user; a role granting module, which responds to a user's request to be granted a role and completes the related operations; a credibility calculation module, which calculates the composite credibility of the user requesting identifier permissions; and a role management database, which stores the correspondence between user IPs and roles for the identifiers applied for.
The specific method comprises the following steps:
Step one: the identifier publisher, an enterprise or similar, uploads the role permission model it has built, together with the content associated with the identifier, to the LHS local Handle service site in order to apply for the identifier and store the related content.
1.1. The identifier publisher, an enterprise or similar, first builds a model on the role access control model that supports Handle resolution, according to its own settings. The model comprises a role set and a permission set, as follows:
The role set contains one or more roles, and each role is assigned a role identifier that is unique within this identifier.
The permission set contains one or more distinct permissions. Unlike ordinary RBAC, a permission here does not denote a basic operation such as read, write or control, but the qualification to resolve a particular value; in general there is one permission per value item, so the permission set is equivalent to the complete value set.
Each role corresponds to one or more permissions; the permissions a role holds are the values it is qualified to resolve.
The correspondence between roles and permissions is expressed by a permission code. The code has one bit per permission, each bit denotes the resolution qualification for the corresponding value, and the bits are fixed from left to right in the order of the value set: when a role is qualified to resolve a value, the bit for that value is 1, otherwise it is 0.
Every identifier must have a general basic role, which holds the resolution permissions for those values that the enterprise has set to be returned without regard to privacy.
Table 1 shows the model that the machine identifier publisher builds on the role access control model supporting Handle resolution:
Table 1 Identifier publisher model
| Service level | Credibility range | Role keyword | Role identifier | Permission code |
|---|---|---|---|---|
| S1 | 0 ≤ Tr ≤ 0.3 | General basic role | base | 11000 |
| S2 | 0.3 < Tr ≤ 0.5 | Machine maintenance manufacturer | repair | 11001 |
| S2 | 0.3 < Tr ≤ 0.5 | Logistics manufacturer | transmit | 11100 |
| S3 | 0.5 < Tr ≤ 0.8 | Dealer | sell | 11101 |
| S4 | 0.8 < Tr ≤ 1 | Terminal customer | client | 11111 |
| S4 | 0.8 < Tr ≤ 1 | Machine production Co Ltd | make | 11111 |
Here the permission code 11000 of the general basic role indicates that the identifier set up by the publisher has five permissions, and that this role is qualified to resolve the first and second value items but not the third, fourth and fifth.
The five value items are: model: XCV94; origin: Zhejiang Wenzhou; price: 1870; product VIN code: GDIISALOIJD5G65945568; company website: http://www.xyj.com/.
1.2. The enterprise sends the model it has built and the corresponding value set to the identifier uploading module of the Handle client, and the module forwards the request to the local naming authority after judging that it is reasonable.
1.3. The local naming authority receives the model and value set and creates a locally unique identifier for them: 20.500.12357/SPARE_PARTS (20.500.12357 is the prefix denoting the naming authority; SPARE_PARTS is the suffix defined by the naming authority). It then parses the model and adds a record for the identifier to its local database; the record contains the identifier, the role identifiers of the roles, the permission code corresponding to each role, and the identifier's value set. The local database record is shown in Table 2 below:
Table 2 Local database records
1.4. The local naming authority returns the general basic role identifier set by the publisher, obtained by parsing the model, to the identifier uploading module. The module adds the identifier to the role management database, together with a record whose user IP is empty and whose role identifier is that of the general basic role, to be used by users who resolve the identifier without having applied for a role. The data added to the role management database is shown in Table 3 below:
Table 3 Role management database
| Identifier | User IP | Role identifier | Role expiry |
|---|---|---|---|
| 20.500.12357/SPARE_PARTS | Null | base | Null |
1.5. The identifier uploading module returns the complete identifier to the uploader and reports that publication is complete.
Step two: the user who wishes to resolve the identifier applies to the publisher, through the Handle client, for the role permissions associated with the existing identifier.
2.1. The user sends a request to the role granting module of the Handle client asking to be granted the relevant role, or the corresponding permissions, of the Handle identifier; the request may also contain life-cycle information for the role being requested.
2.2. The role granting module receives the request, parses it, and extracts the corresponding publisher, the requesting user and the user's related information.
2.3. The role granting module sends the user's related information to the credibility calculation module, which calculates the composite credibility of the requesting user and returns the result to the role granting module.
The user's composite credibility is calculated from the captured information. The trusted report records 540 operation records relating to the user; the numbers of operations on the trusted platform, the system, the security equipment and the application software are, in turn, 90, 120, 140 and 190, and the numbers of trusted operations among them are, in turn, 72, 84, 126 and 152. The system assigns a static credibility of 0.9. Assuming the weights are determined by expert scoring, their values are, in turn, 0.2, 0.3, 0.1, 0.2. By formula (3) the user basic credibility A_T = 0.8 is obtained. The log record contains 30 benign behaviour events and 10 malicious behaviour events, so B_T = 0.6 by formula (4). With the adjustment factor β = 0.6 given by the expert, the final user credibility is obtained by formula (2): T = 0.6 × 0.8 + 0.4 × 0.6 = 0.72.
2.4. The role granting module combines the requesting user's attributes, the obtained composite credibility and other information into a new message and sends it to the authorization management department of the corresponding publisher. The authorization management department reviews the request and selects the service level corresponding to the user's composite credibility; in this embodiment the credibility 0.72 falls in S3. It then matches the user's attribute keyword against the roles in that service level to obtain the user's role. If the user's attribute keyword matches "Dealer", the role identifier sell is returned directly, together with the life cycle granted to the role; if not, the keywords of the lower service levels S1 and S2 are matched, and if that also fails the general basic role identifier is returned.
2.5. When the enterprise has returned the authorization information to the role granting module, the module stores the complete identifier, the IP of the requesting user, the received role identifier and the corresponding life cycle in the local role management database, and then returns a message to the requesting user that authorization is complete.
2.6. Once the user has received the authorization information, the related resolution requests can be made.
2.7. When the life cycle expires, the Handle client deletes the corresponding entry from the Handle role management database and the authorization terminates.
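The credibility calculation of step 2.3, written out as an added Python example (not the patent's code): formulas (2), (3) and (4) as functions with input validation, plus the service-level partition described for formula (1) with thresholds d_1, ..., d_{k-1}. The sample inputs are constructed; the result for a user with no recorded access events is an assumption the page does not define.

```python
from typing import Sequence

# Added example, not the patent's code: the credibility formulas of step 2.3.


def basic_trust(t: float, weights: Sequence[float],
                trusted_ops: Sequence[int], total_ops: Sequence[int]) -> float:
    """Formula (3): A_T = w1*t + w2*(m1/n1) + w3*(m2/n2) + w4*(m3/n3) + w5*(m4/n4).

    t is the static credibility, trusted_ops the m_i and total_ops the n_i for the
    trusted platform, system, security equipment and application, in that order."""
    if len(weights) != 5 or len(trusted_ops) != 4 or len(total_ops) != 4:
        raise ValueError("five weights and four (m, n) pairs are required")
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    if not 0.0 <= t <= 1.0:
        raise ValueError("static credibility t must lie in [0, 1]")
    ratios = []
    for m, n in zip(trusted_ops, total_ops):
        if n <= 0 or not 0 <= m <= n:
            raise ValueError("trusted operations must not exceed total operations")
        ratios.append(m / n)
    return weights[0] * t + sum(w * r for w, r in zip(weights[1:], ratios))


def behaviour_trust(benign: int, malicious: int,
                    v_benign: float = 1.0, v_malicious: float = -2.0) -> float:
    """Formula (4): B_T = sum(v_i) / sum(|v_i|), with v_i = 1 (benign), -2 (malicious).

    The asymmetric weights make credibility rise slowly and fall quickly."""
    if benign < 0 or malicious < 0:
        raise ValueError("event counts must be non-negative")
    total_abs = benign * abs(v_benign) + malicious * abs(v_malicious)
    if total_abs == 0:
        return 0.0   # assumption: no recorded events gives neutral behaviour credibility
    return (benign * v_benign + malicious * v_malicious) / total_abs


def composite_trust(a_t: float, b_t: float, beta: float) -> float:
    """Formula (2): T = beta * A_T + (1 - beta) * B_T."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("adjustment factor beta must lie in [0, 1]")
    return beta * a_t + (1.0 - beta) * b_t


def service_level(t_r: float, thresholds: Sequence[float]) -> int:
    """Service-level partition of formula (1): the thresholds d_1 < d_2 < ... < d_{k-1}
    set by the publisher; returns k such that d_{k-1} < T_r <= d_k (1-based)."""
    if list(thresholds) != sorted(thresholds):
        raise ValueError("thresholds must be increasing")
    for level, bound in enumerate(thresholds, start=1):
        if t_r <= bound:
            return level
    return len(thresholds) + 1
```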
And thirdly, the user analyzes the identification of the existing authority to obtain an analysis value set with the corresponding authority.
And 3.1, submitting the Handle identifier applied for analysis to a request analysis module of the Handle client by a user.
And 3.2, a request analysis module of the Handle client receives the identification, searches whether the identification really exists in a role management database, and returns error information of the user identification if the identification does not exist. If so, searching whether the user IP analyzed by the corresponding application exists or not, and if so, returning to the corresponding role identification; and if the general basic roles do not exist, returning the role identification of the general basic roles set by the enterprise.
And 3.3, the request analysis module sends a prefix to a GHR (global HANDLE REGISTRY global Handle registry) and analyzes the prefix to obtain the related information of the local service site.
And 3.4, combining the corresponding character code of the user and the complete Handle identifier into a new message by the request analysis module and sending the new message to the LHS.
And 3.5, the LHS receives the message and analyzes the Handle identifier and the corresponding role identifier.
3.6, The local service site determines that the authority code of the user is 11101 according to the Handle identifier and the corresponding role identifier sel, and the corresponding value set { model: XCV94, origin: zhejiang Wen Hua, price: 1870, corporate web site: the http:// www.xyj.com/} copy is returned to the request parsing module of the Handle client.
And 3.7, the request analysis module of the Handle client returns the final result value set to the user, and analysis is finished.
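As a worked illustration of steps 2.5 to 3.7, the following Python example (added here; it is not code from the patent) models the role management database of the Handle client, the life-cycle expiry of a grant, and the filtering of the value set by the role's permission code that the local service site performs. The value-set fields, the role identifier sel and its permission code 11101 are taken from the embodiment; the Handle name, the IP addresses, the hidden fifth field and the basic role's code are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data modelled on the embodiment. The value-set fields,
# the role identifier "sel" and its permission code 11101 come from the page;
# the Handle name, the fifth (hidden) field, the IP addresses and the basic
# role's code are assumptions made for this example.
HANDLE = "20.5000.999/xyj-001"          # assumed Handle name (prefix/suffix)
VALUE_SET = [                            # the order fixes the bit positions
    ("model", "XCV94"),
    ("origin", "Zhejiang Wen Hua"),
    ("price", 1870),
    ("cost", 1210),                      # assumed private field: bit 4 is 0 for "sel"
    ("corporate web site", "http://www.xyj.com/"),
]
ROLE_CODES = {
    "sel": "11101",                      # permission code from step 3.6
    "basic": "10001",                    # assumed general basic role: public fields only
}


@dataclass
class RoleGrant:
    role: str
    expires: datetime


class RoleManagementDB:
    """Role management database of the Handle client.

    Per identifier it holds the general basic role (the record with an empty
    user IP) and the per-IP grants together with their life cycle."""

    def __init__(self):
        self.basic_role = {}    # handle -> basic role identifier
        self.grants = {}        # (handle, ip) -> RoleGrant

    def publish(self, handle, basic_role):
        self.basic_role[handle] = basic_role

    def grant(self, handle, ip, role, lifetime, now):
        # Step 2.5: store identifier, user IP, role identifier and life cycle.
        self.grants[(handle, ip)] = RoleGrant(role, now + lifetime)

    def expire(self, now):
        # Step 2.7: entries whose life cycle has ended are deleted.
        for key in [k for k, g in self.grants.items() if g.expires <= now]:
            del self.grants[key]

    def role_for(self, handle, ip):
        # Step 3.2: unknown identifier -> error; known IP -> its role; else basic role.
        if handle not in self.basic_role:
            raise KeyError(f"identifier {handle!r} does not exist")
        grant = self.grants.get((handle, ip))
        return grant.role if grant else self.basic_role[handle]


def filter_values(code, values):
    """Step 3.6: keep exactly the fields whose permission bit is 1."""
    if len(code) != len(values):
        raise ValueError("permission code length must equal value-set size")
    return {name: val for bit, (name, val) in zip(code, values) if bit == "1"}


def resolve(db, handle, ip, now):
    """Steps 3.1-3.7 collapsed: role lookup on the client, filtering on the LHS."""
    db.expire(now)
    role = db.role_for(handle, ip)
    return role, filter_values(ROLE_CODES[role], VALUE_SET)


def demo():
    t0 = datetime(2021, 9, 14, tzinfo=timezone.utc)
    db = RoleManagementDB()
    db.publish(HANDLE, "basic")
    db.grant(HANDLE, "198.51.100.7", "sel", timedelta(days=30), t0)
    return (
        resolve(db, HANDLE, "198.51.100.7", t0),                       # dealer, grant still valid
        resolve(db, HANDLE, "198.51.100.9", t0),                       # IP without a grant
        resolve(db, HANDLE, "198.51.100.7", t0 + timedelta(days=31)),  # grant expired
    )


if __name__ == "__main__":
    for role, values in demo():
        print(role, values)
```

The third call shows the point of step 2.7: once the life cycle has elapsed the same IP silently drops back to the general basic role, so a stale grant never widens the value set beyond what the publisher set as public.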
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the detailed description is given with reference to the embodiments of the present invention, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, and it should be covered by the scope of the claims of the present invention.
Claims (5)
1. A role-based Handle system differentiated resolution method, characterized in that it comprises the following steps:
(1) The identifier publisher uploads the established role permission model and the identifier-related content to the LHS in order to apply for an identifier and store the related content; the specific flow is as follows:
1) The identifier publisher first models its own settings on a role-based access control model that supports Handle resolution, comprising a role set and a permission set, wherein:
the role set comprises one or more roles, and each role is assigned a role identifier that is unique within this identifier;
the permission set comprises one or more different permissions; a permission is the resolution permission for a particular value, and there are as many permissions as there are values, so the permission set is equivalent to the complete value set;
each role corresponds to one or more permissions, and the permissions a role holds are exactly the values it is qualified to resolve;
the roles and the permissions are related by a permission code: the code has as many bits as there are permissions, each bit represents the resolution qualification for the corresponding value, and the bits are fixed from front to back in the order of the value set; when a role is qualified to resolve a value, the permission bit corresponding to that value is 1, otherwise it is 0;
each identifier is required to have a general basic role, which has resolution permission for the values that the identifier publisher has set as involving no privacy;
2) The identifier publisher sends the built model and the corresponding value set information to the identifier uploading module of the Handle client, and the module forwards the request to the local naming authority after judging that the request is reasonable;
3) The local naming authority receives the model and value set information and creates a locally unique identifier for them; it parses the model and adds a record for the identifier to its local database, the record comprising the newly created unique identifier, the role identifiers of all roles in the model, and the permission code and value set corresponding to each role identifier;
4) The local naming authority returns the identifier and the general basic role code set by the publisher, obtained from parsing, to the identifier uploading module; the identifier uploading module adds the identifier to the role management database, adding a record with an empty user IP and the general basic role identifier as the role identifier, for users who resolve the identifier without having applied for a role;
5) The identifier uploading module returns the complete identifier to the uploading user and notifies that publication is complete;
(2) A user applying for resolution applies to the identifier publisher, through the Handle client, for the role permissions related to an existing identifier; the specific flow is as follows:
1) The user sends a request to the role granting module of the Handle client to be granted a certain role or certain permissions of a certain Handle identifier; the request may contain life cycle information for the authorized role;
2) The role granting module receives the request, parses the request information, and resolves the publisher corresponding to the identifier, the requesting user and the user's related information;
3) The role granting module sends the user's related information to the trust computation module, which computes the overall trust value of the requesting user and returns the result to the role granting module;
4) The role granting module combines the requested user attribute information and the obtained overall trust value into a new message and sends it to the authorization management department of the corresponding publisher; the authorization management department examines the request and selects the corresponding service level according to the user's overall trust value, then matches the user attribute keyword against the key values of that service level to obtain the user's role; after successful authorization, the unique role code of the role activated for the user is fed back to the role granting module of the Handle client together with the life cycle granted to the role;
5) After the identifier publisher returns the authorization information to the role granting module, the module stores the complete identifier, the applying user's IP, the received role identifier and the corresponding life cycle in the role management database, and then returns a message to the applying user that authorization is complete;
6) After receiving the authorization information, the user can perform the corresponding resolution access operations;
7) When the expiration time of the life cycle arrives, the Handle client deletes the corresponding entry from the Handle role management database and the authorization is terminated;
(3) The user resolves an identifier for which they hold authority and obtains the value set permitted by that authority; the specific flow is as follows:
1) The user submits the Handle identifier to be resolved to the request resolution module of the Handle client;
2) The request resolution module of the Handle client receives the identifier and checks whether it actually exists in the role management database; if not, an identifier error is returned to the user; if it exists, the module looks up whether an entry exists for the requesting user's IP under this identifier; if so, the corresponding role identifier is returned, and if not, the role identifier of the general basic role set by the enterprise is returned;
3) The request resolution module sends the prefix to the GHR and resolves it to obtain the information of the local service site;
4) The request resolution module combines the user's role identifier with the complete Handle identifier into a new message and sends it to the local service site;
5) The local service site receives the message and parses the Handle identifier and the corresponding role identifier from it;
6) The local service site determines the user's permission code from the Handle identifier and the corresponding role identifier, and returns a copy of the corresponding value set to the request resolution module of the Handle client;
7) The request resolution module of the Handle client returns the final result value set to the user, and resolution is complete.
2. The role-based Handle system differentiated resolution method according to claim 1, wherein the Handle client comprises:
identifier uploading module: receives the content of the identifier publisher, judges its reasonableness and completes the related operations;
request resolution module: receives the user's request and returns the final resolution result to the user;
role granting module: responds to the user's role granting request and completes the related operations;
trust computation module: computes the overall trust value of the user requesting identifier permissions;
role management database: stores, for each identifier applied for, the correspondence between user IP and role.
3. The role-based Handle system differentiated resolution method according to claim 1, wherein in step 1) of step (1), in the role-based access control model supporting Handle resolution, the roles are divided into different service levels according to the number of values they are permitted to resolve; different service levels hold different numbers of permissions and different trust value ranges. In the user's actual request, the role identifier matching the attribute keyword is selected from the service level corresponding to the user's trust value or from a lower service level, and returned to the user for use. The service levels are divided as follows:
where $S_1, S_2, \dots, S_k$ denote the service levels, $T_r$ denotes the user's trust value, and $d_1, d_2, \dots, d_{k-1}$ denote the trust range boundaries set by the identifier publisher.
4. The role-based Handle system differentiated resolution method according to claim 1, wherein in step 3) of step (2), the overall trust value is calculated by the following formula:
$T = \beta A_T + (1 - \beta) B_T$ (2)
where $A_T$ is the user's basic trust value, $B_T$ is the user's behaviour trust value, and $\beta$ is the adjustment factor weighting the basic trust value against the behaviour trust value;
the user's basic trust value $A_T$ is calculated by the following formula:
$A_T = \omega_1 t + \omega_2 \frac{m_1}{n_1} + \omega_3 \frac{m_2}{n_2} + \omega_4 \frac{m_3}{n_3} + \omega_5 \frac{m_4}{n_4}$ (3)
where $n_1, n_2, n_3, n_4$ are the numbers of operations of the four types (trusted platform, system, security device and application program respectively), $m_1, m_2, m_3, m_4$ are the numbers of trusted operations among the trusted platform, system, security device and application program operations respectively, $t$ is the static trust value set by the system, and $\omega_1, \omega_2, \omega_3, \omega_4, \omega_5$ are the weights of the static trust value, trusted platform, system, security device and application program respectively;
the user's behaviour trust value $B_T$ is calculated by the following formula:
$B_T = \sum_i \nu_i \big/ \sum_i |\nu_i|$ (4)
where $\nu_i$ is the sensitivity of an access event; the sensitivity of a benign access event is set to $\nu_i = 1$ and that of a malicious access event to $\nu_i = -2$, so that trust rises slowly and falls sharply; the sensitivity is determined from the system's history records and the user's access history, or directly from the purpose of the user's current access behaviour and the user's permission level.
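The following Python example (added here; not code from the patent) carries formulas (2) to (4) of claim 4 through with constructed numbers, then applies the service-level selection of claim 3 and the attribute-keyword matching with fallback to lower levels described in step 2.4 of the embodiment. The formulas and the sensitivity values (+1 benign, -2 malicious) come from the page; the weights, operation counts, thresholds $d_1, d_2$, level contents and attribute keywords are assumptions chosen so that the overall trust value reproduces the embodiment's 0.72, and the rule that $S_j$ covers $d_{j-1} \le T < d_j$ is an assumption since the page does not show formula (1).

```python
# Constructed example implementing formulas (2)-(4) of claim 4, the service-level
# selection of claim 3 and the role matching of step 2.4. All numeric inputs,
# thresholds, level contents and attribute keywords are assumptions; only the
# formulas and the sensitivity values (+1 benign, -2 malicious) come from the page.

def basic_trust(t, weights, trusted, total):
    """Formula (3): A_T = w1*t + w2*(m1/n1) + w3*(m2/n2) + w4*(m3/n3) + w5*(m4/n4).

    t        static trust value set by the system
    weights  (w1..w5) for static trust, trusted platform, system, security device, application
    trusted  (m1..m4) trusted operations per category
    total    (n1..n4) operations per category"""
    if len(weights) != 5 or len(trusted) != 4 or len(total) != 4:
        raise ValueError("expected 5 weights and 4 operation counts")
    a = weights[0] * t
    for w, m, n in zip(weights[1:], trusted, total):
        if n == 0:                      # assumption: a category with no operations contributes nothing
            continue
        a += w * (m / n)
    return a


def behaviour_trust(events):
    """Formula (4): B_T = sum(v_i) / sum(|v_i|) with v_i = +1 benign, -2 malicious.

    `events` is a sequence of "benign"/"malicious" labels. One malicious event
    cancels two benign ones: trust rises slowly and falls sharply."""
    sens = {"benign": 1, "malicious": -2}
    v = [sens[e] for e in events]
    if not v:
        return 0.0                      # assumption: no history -> neutral behaviour trust
    return sum(v) / sum(abs(x) for x in v)


def overall_trust(a_t, b_t, beta):
    """Formula (2): T = beta*A_T + (1-beta)*B_T with 0 <= beta <= 1."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    return beta * a_t + (1 - beta) * b_t


def service_level(trust, thresholds):
    """Claim 3: thresholds d_1 < ... < d_(k-1) split T into levels S_1..S_k.
    Assumption: S_j covers d_(j-1) <= T < d_j, so S_1 is the lowest level."""
    level = 1
    for d in thresholds:
        if trust >= d:
            level += 1
    return level


def select_role(trust, attribute, levels, thresholds, basic_role="basic"):
    """Step 2.4: match the attribute keyword in the level matching T, then in
    every lower level; otherwise fall back to the general basic role."""
    top = service_level(trust, thresholds)
    for lvl in range(top, 0, -1):
        role = levels.get(lvl, {}).get(attribute)
        if role is not None:
            return role
    return basic_role


# Assumed publisher configuration: three service levels; higher levels hold roles
# with more permissions. "dealer" -> sel follows the embodiment, the rest is assumed.
THRESHOLDS = (0.3, 0.6)
LEVELS = {
    3: {"dealer": "sel"},
    2: {"partner": "par"},
    1: {"member": "mem"},
}


def demo():
    a_t = basic_trust(0.8, (0.2, 0.2, 0.2, 0.2, 0.2), (9, 8, 10, 7), (10, 10, 10, 10))  # 0.84
    b_t = behaviour_trust(["benign"] * 8 + ["malicious"])                               # 0.6
    t = overall_trust(a_t, b_t, beta=0.5)                                               # 0.72
    return (t, service_level(t, THRESHOLDS),
            select_role(t, "dealer", LEVELS, THRESHOLDS),
            select_role(t, "visitor", LEVELS, THRESHOLDS))


if __name__ == "__main__":
    print(demo())
```

Note how the fallback in select_role only ever walks downwards: a user whose trust value places them in $S_2$ can obtain an $S_2$ or $S_1$ role, never an $S_3$ one, which is the point of binding service levels to trust ranges.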
5. The role-based Handle system differentiated resolution method according to claim 2, wherein a Hash table and a memory pool are additionally provided on the Handle client;
Hash table: the Hash table carries an LRU linked list that records the latest hit time of each Hash node; the position in the Hash table is determined by the hash value of the Handle name together with the corresponding role code, and at that position the address pointer of the corresponding Handle resolution result in the memory pool is stored;
memory pool: stores the messages containing Handle identifier resolution results;
after the request resolution module of the Handle client has resolved the role code of the applying IP, it searches the Hash table for a corresponding record. If one exists, it takes the record's pointer into the memory pool, quickly obtains the value set and updates the LRU latest-hit linked list. If no record exists, it executes steps (2) and (3) in turn until resolution is complete, and after returning the value set to the client checks whether the Hash table has a free node: if so, it stores the value set information in the memory pool, stores the corresponding pointer in the Hash node and writes the time information to the LRU linked list; if there is no free node, it deletes all records of the earliest-hit node in the LRU, stores the value set information in the memory pool, stores the corresponding pointer in the Hash node, and writes the time information to the LRU linked list.
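The cache of claim 5, as an added Python example that is not code from the patent: a hash table whose nodes point into a memory pool of resolution results, with the LRU order recording the latest hit time of each node, and the node key derived from the Handle name together with the role code. The capacity, the key derivation (SHA-256 over name and role code) and the stand-in resolver are assumptions; the behaviour on hit, on a free node and on eviction follows the claim as stated.

```python
import hashlib
from collections import OrderedDict

# Constructed example of the client-side cache of claim 5. Capacity, key
# format and the sample resolver are assumptions made for this example.

class HandleResultCache:
    def __init__(self, capacity):
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self.capacity = capacity
        # Hash table kept in LRU order: node key -> (pool pointer, last hit time).
        # The OrderedDict stands in for the Hash table plus its LRU linked list.
        self.table = OrderedDict()
        self.pool = {}          # memory pool: pointer -> value-set message
        self._next_ptr = 0

    @staticmethod
    def node_key(handle, role_code):
        # The node position is derived from the Handle name AND the role code
        # (claim 5): a result computed for one role is never served to another.
        return hashlib.sha256(f"{handle}\x00{role_code}".encode("utf-8")).hexdigest()

    def lookup(self, handle, role_code, now):
        key = self.node_key(handle, role_code)
        entry = self.table.get(key)
        if entry is None:
            return None
        ptr, _ = entry
        self.table[key] = (ptr, now)        # refresh the latest hit time
        self.table.move_to_end(key)         # newest at the end, earliest hit at the front
        return dict(self.pool[ptr])         # hand out a copy, never the pooled message

    def store(self, handle, role_code, values, now):
        key = self.node_key(handle, role_code)
        if key in self.table:               # already cached: refresh instead of duplicating
            ptr, _ = self.table[key]
            self.pool[ptr] = dict(values)
            self.table[key] = (ptr, now)
            self.table.move_to_end(key)
            return
        if len(self.table) >= self.capacity:
            # No free node: drop the earliest-hit node and free its pool slot.
            _, (old_ptr, _) = self.table.popitem(last=False)
            del self.pool[old_ptr]
        ptr = self._next_ptr
        self._next_ptr += 1
        self.pool[ptr] = dict(values)
        self.table[key] = (ptr, now)


def resolve_cached(cache, handle, role_code, now, resolver):
    """Cache-aware front of the request resolution module; returns (values, hit)."""
    values = cache.lookup(handle, role_code, now)
    if values is not None:
        return values, True
    values = resolver(handle, role_code)   # steps (2) and (3) of claim 1 in the real client
    cache.store(handle, role_code, values, now)
    return values, False


def demo():
    # Assumed stand-in resolver; the LHS would apply the role's permission code here.
    def resolver(handle, role_code):
        return {"handle": handle, "role": role_code, "model": "XCV94"}

    cache = HandleResultCache(capacity=2)
    hits = [
        resolve_cached(cache, "20.5000.999/A", "sel", 1, resolver)[1],    # miss
        resolve_cached(cache, "20.5000.999/B", "sel", 2, resolver)[1],    # miss
        resolve_cached(cache, "20.5000.999/A", "sel", 3, resolver)[1],    # hit: A becomes newest
        resolve_cached(cache, "20.5000.999/C", "sel", 4, resolver)[1],    # miss: evicts B
        resolve_cached(cache, "20.5000.999/B", "sel", 5, resolver)[1],    # miss: evicts A
        resolve_cached(cache, "20.5000.999/A", "basic", 6, resolver)[1],  # miss: other role code
    ]
    return hits, len(cache.pool)


if __name__ == "__main__":
    print(demo())
```

The last lookup in demo is the check worth keeping in mind when adding a cache in front of a differentiated resolver: the same Handle requested under a different role code must miss, otherwise a value set filtered for sel could be replayed to a basic-role client.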
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111073857.2A CN113779525B (en) | 2021-09-14 | 2021-09-14 | Role-based Handle system differentiation analysis method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113779525A CN113779525A (en) | 2021-12-10 |
CN113779525B true CN113779525B (en) | 2024-05-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |