CN-122020630-A - Resource access control method, device, equipment, medium and program product
Abstract
The invention discloses a control method, device, equipment, medium and program product for resource access. The method comprises: in response to an access request sent by a user, obtaining current attribute information corresponding to the access request, the current attribute information comprising a current user attribute, a current environment attribute and a current resource attribute; determining, according to the current user attribute and the current resource attribute, whether the user has static operation permission; if so, determining a target operation policy corresponding to the current resource identifier in the current resource attribute by using a correspondence between each preset resource identifier and each operation policy, the target operation policy comprising a resource operation policy and an environment operation policy; matching the current resource attribute with the resource operation policy and the current environment attribute with the environment operation policy to obtain a matching result; and determining the permission of the user's access request according to the matching result and controlling access by using that permission. User permission is thereby dynamically adjusted according to the behavior of the user, and data security is improved.
Inventors
- WANG GUOWEI
- DU BING
Assignees
- 北京鸿湖数安科技发展有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260210
Claims (10)
- 1. A method for controlling access to resources, which is applied to a server, the method comprising: receiving an access request sent by a terminal device, and acquiring current attribute information corresponding to the access request at intervals of a designated time length, wherein the current attribute information comprises a current user attribute, a current environment attribute and a current resource attribute; determining whether the user has static operation authority according to the current user attribute and the current resource attribute; if yes, determining a target operation strategy corresponding to the current resource identifier in the current resource attribute by utilizing the preset corresponding relation between each resource identifier and each operation strategy, wherein the target operation strategy comprises a resource operation strategy and an environment operation strategy; matching the current resource attribute with the resource operation strategy, and matching the current environment attribute with the environment operation strategy to obtain a matching result; and determining the authority of the access request of the user according to the matching result, and sending the authority of the access request of the user to the terminal equipment so that the terminal equipment can control the access of the user by using the authority.
- 2. The method according to claim 1, wherein the current user attribute includes a current user role, and the current resource attribute includes a current operation type corresponding to a resource to be accessed; the determining whether the user has the static operation authority according to the current user attribute and the current resource attribute comprises the following steps: determining a target resource attribute corresponding to the current user role by utilizing a preset corresponding relation between each user role and each resource attribute, wherein the target resource attribute comprises at least one target resource identifier and a target operation type corresponding to the at least one target resource identifier; if the target resource identifier has the same resource identifier as the current resource identifier and the target operation type corresponding to the current resource identifier is the same as the current operation type, determining that the user has static operation authority; otherwise, determining that the user does not have the static operation authority.
- 3. The method according to claim 1, wherein the current resource attribute further comprises a current operation type and a current resource sensitivity corresponding to a resource to be accessed; the matching the current resource attribute with the resource operation policy includes: acquiring a corresponding relation between each operation type and resource sensitivity in the resource operation strategy, and determining a target resource sensitivity corresponding to the current operation type; if the current resource sensitivity is the same as the target resource sensitivity, determining that the current resource attribute is matched with the resource operation strategy; and if the current resource sensitivity is different from the target resource sensitivity, determining that the current resource attribute is not matched with the resource operation strategy.
- 4. The method of claim 1, wherein the current environmental attribute comprises at least one of a current device type, a current device security status, a current network environment, a current time, and a current geographic location; the matching the current environmental attribute with the environmental operation policy includes: comparing the current environment attribute with a target environment attribute in an environment operation policy, wherein the target environment attribute comprises at least one of a standard equipment type, a standard equipment safety state, a standard network environment, a standard time period and a standard geographic position; if the current environment attribute is the same as the target environment attribute, determining that the current environment attribute is matched with the environment operation strategy; and if the current environment attribute is different from the target environment attribute, determining that the current environment attribute is not matched with the environment operation strategy.
- 5. The method of claim 1, wherein determining the authority of the access request of the user based on the matching result comprises: if the current resource attribute is matched with the resource operation strategy and the current environment attribute is matched with the environment operation strategy, passing through the access request of the user; and rejecting the access request of the user if the current resource attribute is not matched with the resource operation strategy and/or the current environment attribute is not matched with the environment operation strategy.
- 6. The method according to claim 1, wherein after determining the authority of the access request of the user according to the matching result, the method further comprises: sending the authority of the access request of the user to other terminal equipment so as to facilitate the other terminal equipment to update the authority of the user, wherein the other terminal equipment is other terminal equipment except for the terminal equipment receiving the access request of the user in a plurality of terminal equipment provided with OpenHarmony systems.
- 7. A control device for resource access, wherein the control device is applied to a server, and the device comprises: The access control system comprises an acquisition module, a storage module and a storage module, wherein the acquisition module is used for responding to an access request sent by a user and acquiring current attribute information corresponding to the access request at intervals of a designated time length, wherein the current attribute information comprises a current user attribute, a current environment attribute and a current resource attribute; The first permission determining module is used for determining whether the user has static operation permission or not according to the current user attribute and the current resource attribute; the operation strategy determining module is used for determining a target operation strategy corresponding to the current resource identifier in the current resource attribute by utilizing the preset corresponding relation between each resource identifier and each operation strategy if the current resource identifier is in the preset corresponding relation, wherein the target operation strategy comprises a resource operation strategy and an environment operation strategy; The matching module is used for matching the current resource attribute with the resource operation strategy and matching the current environment attribute with the environment operation strategy to obtain a matching result; And the second permission determination module is used for determining the permission of the access request of the user according to the matching result and controlling the access of the user by utilizing the permission.
- 8. An electronic device, the electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of controlling resource access of any one of claims 1-6.
- 9. A computer readable storage medium storing computer instructions for causing a processor to implement the method of controlling resource access of any one of claims 1-6 when executed.
- 10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the method of controlling resource access according to any of claims 1-6.
Description
Resource access control method, device, equipment, medium and program product
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, a device, a medium, and a program product for controlling resource access.
Background
As a core component of an information security system, rights management is a key technology for realizing orderly access to digital resources and preventing unauthorized operation and data leakage. In the prior art, when a rights management system, especially one based on the traditional RBAC (Role-Based Access Control) model, is applied to a distributed device scenario such as OpenHarmony, where device types are varied, the network environment changes dynamically, and user behavior spans devices, the system depends on a role-permission mapping that is statically allocated in advance and cannot be dynamically adjusted according to user behavior. The permission model is rigid and cannot adapt to dynamic environments, so data security is low.
Disclosure of Invention
The embodiment of the invention provides a control method, a device, equipment, a medium and a program product for resource access, which dynamically adjust user permission according to the behavior of a user, are applicable to dynamic environments and improve the security of data.
According to an aspect of the embodiment of the present invention, there is provided a method for controlling resource access, which is applied to a server, and the method includes: receiving an access request sent by a terminal device, and acquiring current attribute information corresponding to the access request at intervals of a designated time length, wherein the current attribute information comprises a current user attribute, a current environment attribute and a current resource attribute; determining whether the user has static operation authority according to the current user attribute and the current resource attribute; if yes, determining a target operation strategy corresponding to the current resource identifier in the current resource attribute by utilizing the preset corresponding relation between each resource identifier and each operation strategy, wherein the target operation strategy comprises a resource operation strategy and an environment operation strategy; matching the current resource attribute with the resource operation strategy, and matching the current environment attribute with the environment operation strategy to obtain a matching result; and determining the authority of the access request of the user according to the matching result, and sending the authority of the access request of the user to the terminal equipment so that the terminal equipment can control the access of the user by using the authority.
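The decision flow described above, with the static role check, sensitivity match and environment match detailed in claims 2 to 5, is sketched below as an added example; it is not code from the patent. All role names, resource identifiers and attribute values are constructed, and denying when a policy or an environment attribute is missing is an assumption the text does not state.

```python
from dataclasses import dataclass, field

# Constructed sample data: every role, resource ID and attribute value is hypothetical.
ROLE_GRANTS = {  # user role -> {resource identifier: permitted operation types}
    "engineer": {"doc-001": {"read", "write"}},
    "auditor": {"doc-001": {"read"}},
}
POLICIES = {  # resource identifier -> target operation policy
    "doc-001": {
        "resource": {"read": "internal", "write": "internal"},  # op -> sensitivity
        "environment": {"device_type": "tablet", "device_secure": True,
                        "network": "corporate"},
    },
}

@dataclass(frozen=True)
class Snapshot:
    """Attribute information captured for one evaluation of an access request."""
    role: str
    resource_id: str
    operation: str
    sensitivity: str
    environment: dict = field(default_factory=dict)

def has_static_permission(s):
    # The role must list the resource identifier with the same operation type.
    return s.operation in ROLE_GRANTS.get(s.role, {}).get(s.resource_id, set())

def decide(s):
    """Return (allowed, reason) for one snapshot."""
    if not has_static_permission(s):
        return False, "no static permission"
    policy = POLICIES.get(s.resource_id)
    if policy is None:
        return False, "no policy for resource"  # assumption: fail closed
    mismatches = []
    if policy["resource"].get(s.operation) != s.sensitivity:
        mismatches.append("resource")
    # A missing attribute counts as a mismatch (assumption: fail closed).
    if any(s.environment.get(k) != v for k, v in policy["environment"].items()):
        mismatches.append("environment")
    if mismatches:
        return False, "mismatch: " + ", ".join(mismatches)
    return True, "allow"

OFFICE = {"device_type": "tablet", "device_secure": True, "network": "corporate"}
CAFE = {**OFFICE, "network": "public"}  # same user and device, different network

def session_decisions():
    """Re-evaluate the same request at two sampling intervals."""
    base = dict(role="engineer", resource_id="doc-001", operation="write",
                sensitivity="internal")
    return [decide(Snapshot(environment=env, **base)) for env in (OFFICE, CAFE)]
```

The second snapshot in `session_decisions()` keeps the role grant unchanged yet is denied, which is the difference from a purely static RBAC check that the Background section describes.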
According to another aspect of the embodiment of the present invention, there is provided a control apparatus for resource access, the apparatus including: the access request processing module is used for receiving an access request sent by the terminal equipment, and acquiring current attribute information corresponding to the access request at intervals of a designated time length, wherein the current attribute information comprises a current user attribute, a current environment attribute and a current resource attribute; the first permission determining module is used for determining whether the user has static operation permission or not according to the current user attribute and the current resource attribute; the operation strategy determining module is used for determining a target operation strategy corresponding to the current resource identifier in the current resource attribute by utilizing the preset corresponding relation between each resource identifier and each operation strategy if the current resource identifier is in the preset corresponding relation, wherein the target operation strategy comprises a resource operation strategy and an environment operation strategy; the matching module is used for matching the current resource attribute with the resource operation strategy and matching the current environment attribute with the environment operation strategy to obtain a matching result; and the second permission determination module is used for determining the permission of the access request of the user according to the matching result and sending the permission of the access request of the user to the terminal equipment so that the terminal equipment can control the access of the user by using the permission.
According to another aspect of an embodiment of the present invention, there is provided an electronic apparatus including: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to per