CN-120602149-B - Two-segment user access authentication and authorization method based on network twinning
Abstract
The invention provides a two-segment user access authentication and authorization method based on network twinning. An authentication and authorization module (ABAC) access control gateway on the network twin side receives a user service access request; the ABAC access authorization decision module invokes the models and services loaded by ABAC, comprehensively evaluates them and makes an access authorization decision, which the ABAC access control gateway executes. When user service access is allowed, an authentication and authorization module (RBAC) access control gateway on the cloud native application side receives the service access request sent by the ABAC access control gateway and forwards it to the RBAC access authorization decision module; the RBAC access authorization decision module invokes the services and rules loaded by RBAC to make an access control policy, which the RBAC access control gateway executes.
Inventors
- YU QUAN
- LIU QIANLI
- SHI YUNFANG
- WANG JINGCHAO
- GAO XIANMING
Assignees
- 中国人民解放军32008部队
Dates
- Publication Date: 2026-05-12
- Application Date: 2025-06-06
Claims (10)
- 1. A two-segment user access authentication and authorization method based on network twinning, characterized by comprising the following steps: an authentication and authorization module (ABAC) access control gateway on the network twin side receives a user service access request and forwards it to an ABAC access authorization decision module; the ABAC access authorization decision module invokes the models and services loaded by ABAC, comprehensively evaluates them, makes an access authorization decision and sends it to the ABAC access control gateway, and the ABAC access control gateway executes the access authorization decision; when user service access is allowed, an authentication and authorization module (RBAC) access control gateway on the cloud native application side receives the service access request sent by the ABAC access control gateway and forwards it to an RBAC access authorization decision module, wherein this step specifically comprises: after the data access subject has been authorized by the network twin's ABAC, if the network twin has cached the data required by the user, the cached data is pushed directly to the user; if no related data exists, the network twin applies to the cloud native application side for data access and a second-segment authentication and authorization mode is started, namely the network twin performs authentication and authorization towards the cloud native application, and the network twin's comprehensive state information is used to perform fine-grained authentication and authorization directly on the access subject; the RBAC access authorization decision module invokes the services and rules loaded by RBAC, makes an access control policy and sends it to the RBAC access control gateway, and the RBAC access control gateway executes the access control policy.
- 2. The method of claim 1, wherein the user service access request includes network and terminal security information of a network environment, risk information of a physical environment, and identity information of a user, the user being a person or a machine or an object.
- 3. The method of claim 2, wherein the ABAC loaded models and services include a network trust assessment model, a resource sensitivity inference service, an access control policy model, and a security posture analysis service.
- 4. The method of claim 3, wherein the resource sensitivity inference service is implemented by invoking a data or application risk database and the security posture analysis service is implemented by invoking a log or index or monitoring database.
- 5. The method of claim 3, wherein the network trust evaluation model comprises an identity authentication service, a terminal or access network security evaluation service, a physical environment risk evaluation service, and a role authority inference model.
- 6. The method of claim 5, wherein the authentication service is implemented by invoking a user, device, software or service feature library, and wherein the role authority inference model is implemented by invoking an identity-role mapping database.
- 7. The method according to claim 5, wherein the ABAC access authorization decision module invoking the loaded models and services to comprehensively evaluate and make an access authorization decision comprises in particular: the ABAC access authorization decision module invokes the network trust evaluation model to verify the identity of the user and give an identity trust score, evaluates the security of the terminal and the access network and gives a network environment trust score, evaluates the security of the physical environment and gives a physical environment trust score, and gives a role access authority score based on the role and authority rules of the user; the ABAC access authorization decision module invokes the resource sensitivity inference service to infer the sensitivity of the resource and gives an environment sensitivity score; the ABAC access authorization decision module invokes the access control policy model, evaluates and infers the authorization risk according to the current network trust level evaluation and resource sensitivity inference, and obtains an authorization risk score; the ABAC access authorization decision module invokes the security posture analysis service to analyze the security posture of the system, monitor abnormal events, provide alarm information for the abnormal events and obtain a security posture score; and a final score is obtained comprehensively from the identity trust score, the network environment trust score, the physical environment trust score, the role access authority score, the environment sensitivity score, the authorization risk score and the security posture score, the final score is compared with a set threshold, and if the score is higher than the threshold the user service access request is allowed, otherwise the user service access request is rejected.
- 8. The method of claim 7, wherein the access body of the service access request sent by the ABAC access control gateway is a person, a machine, an object, or a network twinning corresponding to the person, the machine, or the object, and the service access request sent by the ABAC access control gateway further includes identity authentication information.
- 9. The method of claim 8, wherein the RBAC access authorization decision module invoking the services and rules loaded by RBAC, making an access control policy and sending it to the RBAC access control gateway comprises: the RBAC access authorization decision module transmits the received identity authentication information to the RBAC identity authentication service and sends an identity authentication request, and the RBAC identity authentication service authenticates the user to confirm whether the identity of the user is true and valid; if the identity of the user is true and valid, the RBAC access authorization decision module confirms the role condition information currently activated for the user according to the role binding rule; and according to the role condition information of the user, the RBAC access authorization decision module confirms the authorities corresponding to the roles according to the access control rule, generates an access control policy for the service access request sent by the ABAC access control gateway based on all of those authorities, and sends the access control policy to the RBAC access control gateway.
- 10. The method of claim 9, wherein the role binding rules are implemented by invoking an identity role mapping database and the access control rules are implemented by invoking a role rights mapping database.
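The two-segment flow of claims 1, 7 and 9 as an added Python example (not code from the patent): segment 1 combines the seven claim-7 scores into a final score and compares it with a threshold, the twin cache short-circuits when it already holds the data, and segment 2 authenticates, resolves roles via the identity-role mapping and generates the policy from the role-rights mapping. The weights, the inversion of the two risk-type scores, the database contents and the credentials are all assumptions; the patent fixes none of them.

```python
# Constructed stand-ins for the databases named in claims 6 and 10; illustrative only.
IDENTITY_ROLE_DB = {"alice": {"analyst", "operator"}, "bob": {"viewer"}}
ROLE_RIGHTS_DB = {"analyst": {"read:telemetry", "run:report"},
                  "operator": {"read:telemetry", "write:config"},
                  "viewer": {"read:telemetry"}}
CREDENTIALS_DB = {"alice": "tok-alice-01", "bob": "tok-bob-01"}   # constructed tokens
TWIN_CACHE = {"telemetry/summary": b"cached-summary"}             # constructed twin cache

# Assumed weights for the seven claim-7 scores (the patent gives no weights).
# Sensitivity and authorization risk lower trust, so they enter as (1 - score).
WEIGHTS = {"identity": 0.20, "network_env": 0.15, "physical_env": 0.10,
           "role_authority": 0.15, "environment_sensitivity": 0.15,
           "authorization_risk": 0.15, "security_posture": 0.10}
INVERTED = {"environment_sensitivity", "authorization_risk"}

def abac_final_score(scores: dict) -> float:
    """Segment 1 (claim 7): weighted composite of the seven scores, each in [0, 1]."""
    total = 0.0
    for name, w in WEIGHTS.items():
        s = scores[name]                       # KeyError if a score is missing: fail closed
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score {name}={s} outside [0, 1]")
        total += w * ((1.0 - s) if name in INVERTED else s)
    return round(total, 4)

def rbac_policy(user: str, token: str, operation: str) -> dict:
    """Segment 2 (claim 9): authenticate, resolve active roles, build the policy."""
    if CREDENTIALS_DB.get(user) != token:
        return {"authenticated": False, "roles": set(), "rights": set(), "allow": False}
    roles = IDENTITY_ROLE_DB.get(user, set())                          # role binding rule
    rights = set().union(*(ROLE_RIGHTS_DB.get(r, set()) for r in roles))  # access control rule
    return {"authenticated": True, "roles": roles, "rights": rights,
            "allow": operation in rights}

def two_segment_decision(user, token, operation, resource, scores, threshold=0.6) -> dict:
    """Claim 1 flow: ABAC gate, then twin cache, then RBAC on the cloud native side."""
    final = abac_final_score(scores)
    if final <= threshold:                     # only a score above the threshold is allowed
        return {"segment": "abac", "allow": False, "final_score": final}
    if resource in TWIN_CACHE:                 # twin already holds the data: push it directly
        return {"segment": "twin-cache", "allow": True, "final_score": final}
    policy = rbac_policy(user, token, operation)
    return {"segment": "rbac", "allow": policy["allow"], "final_score": final,
            "policy": policy}
```

Note that a failed ABAC gate never reaches the cloud native side, so the RBAC databases are never consulted for a request the twin has already rejected.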
Description
Two-segment user access authentication and authorization method based on network twinning
Technical Field
The invention relates to the technical field of network twinning, in particular to a two-segment user access authentication and authorization method based on network twinning.
Background
The existing RBAC technology has the problems of insufficient flexibility, role expansion, limited authority granularity and difficulty in supporting dynamic environments. RBAC relies on predefined roles and rights assignments and is difficult to adapt to complex dynamic environments; when temporary requirements or context-dependent access control exist, RBAC tends to be rigid. In large enterprises the number of roles may grow rapidly to meet differing authority requirements, which increases management and maintenance difficulty and easily causes role explosion. RBAC controls authorities mainly on the basis of roles and ignores environmental factors such as time, place and equipment type, so it is difficult to meet fine-grained authority control requirements; RBAC lacks handling of dynamic attributes (such as access time and geographic position), and real-time security policy adjustment is difficult to realize. The existing ABAC technology has the problems of high implementation complexity, high performance cost, high management difficulty and lack of structured management.
ABAC relies on the definition and real-time management of attributes, so configuration and implementation are complex and the requirements for writing and managing policies are high. Multiple attributes need to be checked during ABAC authorization, possibly involving complex rule judgment, so the system performance cost is high, particularly when there are many concurrent requests. A large number of attribute rules and policies need to be defined and maintained by ABAC, and authority management is difficult to carry out concisely for complex systems or large-scale user bases. ABAC authority control is scattered and lacks a hierarchical structure similar to the roles in RBAC, so concise authority management and audit are difficult to achieve. Therefore, how to improve flexibility and fine-grained control, reduce the role expansion problem, support dynamic environment changes, optimize system performance, enhance security, and simplify management and compliance during user access authentication is one of the problems in the prior art that urgently needs to be solved.
Disclosure of Invention
The invention provides a two-segment user access authentication and authorization method based on network twinning, which is used to improve flexibility and fine-grained control, reduce the role expansion problem, support dynamic environment changes, optimize system performance, enhance security, and simplify management and compliance during user access authentication.
In a first aspect, a two-segment user access authentication and authorization method based on network twinning is provided, including: an authentication and authorization module (ABAC) access control gateway on the network twin side receives a user service access request and forwards it to an ABAC access authorization decision module; the ABAC access authorization decision module invokes the models and services loaded by ABAC, comprehensively evaluates them, makes an access authorization decision and sends it to the ABAC access control gateway, and the ABAC access control gateway executes the access authorization decision; when user service access is allowed, an authentication and authorization module (RBAC) access control gateway on the cloud native application side receives the service access request sent by the ABAC access control gateway and forwards it to an RBAC access authorization decision module; the RBAC access authorization decision module invokes the services and rules loaded by RBAC, makes an access control policy and sends it to the RBAC access control gateway, and the RBAC access control gateway executes the access control policy.
In one embodiment, the user service access request comprises network and terminal security information of the network environment, risk information of the physical environment and identity information of the user, wherein the user is a person, a machine or an object.
In one embodiment, the ABAC-loaded models and services include a network trust assessment model, a resource sensitivity inference service, an access control policy model, and a security posture analysis service.
In one embodiment, the resource sensitivity inference service is implemented by invoking a data or application risk database, and the security posture analysis service is implemented by invoking a log, index or monitoring database.
In one embodiment, the network trust level assessment model comprises an identity authentication service, a terminal or access netw