EP-4290827-B1 - ACCESS CONTROL METHOD AND RELATED APPARATUS
Inventors
- REN, Bingfei
- MAO, Zhewen
Dates
- Publication Date: 20260506
- Application Date: 20220310
Claims (15)
- An access control method, wherein the method is applied to a communications system comprising a first device and a second device, and the method comprises: sending (101), by the first device, a first request to the second device, the first request carries information about a third device; selecting (102), by the second device, a first access policy from a plurality of access policies based on one or more of the following: restriction levels set by the second device for a first environment, restriction categories for functions of electronic devices in the first environment, a device type or a login user of the first device, a time point at which the second device receives the first request, or an area in which the first device is located in the first environment; sending (103), by the second device, the first access policy to the first device in response to the first request; and receiving, by the first device, the first access policy, and executing (104) the first access policy, or refusing (105) to execute the first access policy; sending, by the second device, a second access policy to the first device; and sending, by the first device, the second access policy to the third device, wherein the second access policy and the first access policy are a same access policy, or the second access policy and the first access policy are different access policies.
- The method according to claim 1, wherein the executing the first access policy specifically comprises: generating, by the first device, a first access request used to perform a first function; and if the first device determines that functions that can be performed by the first device and that are indicated by the first access policy comprise the first function, performing the first function; or if the first device determines that functions that cannot be performed by the first device and that are indicated by the first access policy comprise the first function, refusing to perform the first function.
- The method according to claim 1 or 2, wherein the refusing to execute the first access policy specifically comprises: generating, by the first device, a second access request used to perform a second function; and if the first device determines that functions that can be performed by the first device and that are indicated by the first access policy comprise the second function, refusing to perform the second function; or if the first device determines that functions that cannot be performed by the first device and that are indicated by the first access policy comprise the second function, performing the second function.
- The method according to any one of claims 1 to 3, wherein after the receiving, by the first device, the first access policy, and executing the first access policy, or refusing to execute the first access policy, the method further comprises: sending, by the first device, a second request to the second device in response to a received user operation; and sending, by the second device, first feedback information to the first device in response to the second request; or sending, by the second device, first feedback information to the first device after first duration after sending the first access policy to the first device; and deleting or disabling, by the first device, the first access policy in response to the first feedback information; or the first access policy comprises second duration or a first area, and the receiving, by the first device, the first access policy, and executing the first access policy specifically comprises: executing, by the first device, the first access policy within the second duration after receiving the first access policy or when the first device is located in the first area; and deleting or disabling the first access policy after the second duration after receiving the first access policy, or when the first device is located outside the first area.
- The method according to any one of claims 1 to 4, wherein the second device stores a plurality of access policies, and the plurality of access policies comprise one or more of the following: access policies respectively corresponding to a plurality of restriction levels for the first environment; access policies respectively corresponding to a plurality of restriction categories for functions of electronic devices in the first environment; access policies respectively corresponding to a plurality of device types of electronic devices in the first environment, or access policies respectively corresponding to a plurality of login users of electronic devices in the first environment; access policies respectively corresponding to a plurality of time periods in the first environment; and access policies respectively corresponding to a plurality of areas in the first environment.
- The method according to any one of claims 1 to 5, wherein the receiving, by the first device, the first access policy, and executing the first access policy, or refusing to execute the first access policy specifically comprises: after the first device receives the first access policy, receiving, by the first device, a first user operation, and executing, by the first device, the first access policy in response to the first user operation; or after the first device receives the first access policy, receiving, by the first device, a second user operation, and refusing, by the first device in response to the second user operation, to execute the first access policy.
- The method according to any one of claims 1 to 6, wherein after the receiving, by the first device, the first access policy, and executing the first access policy, or refusing to execute the first access policy, the method further comprises: sending, by the first device, an execution status of the first access policy to the second device, wherein the execution status of the first access policy comprises: an executed state, and an execution-refused state; and when the execution status is the execution-refused state, outputting, by the second device, information about the first device, or sending, by the second device, first prompt information to the first device.
- An access control method, wherein the method is applied to a second device, and the method comprises: receiving (101), by the second device, a first request sent by a first device, the first request carries information about a third device; selecting (102), by the second device, a first access policy from a plurality of access policies based on one or more of the following: restriction levels set by the second device for a first environment, restriction categories for functions of electronic devices in the first environment, a device type or a login user of the first device, a time point at which the second device receives the first request, or an area in which the first device is located in the first environment; and sending (103), by the second device, the first access policy to the first device in response to the first request; sending, by the second device, a second access policy to the third device through the first device, wherein the second access policy and the first access policy are a same access policy, or the second access policy and the first access policy are different access policies.
- The method according to claim 8, wherein after the sending, by the second device, the first access policy to the first device, the method further comprises: receiving, by the second device, a second request sent by the first device; and sending, by the second device, first feedback information to the first device in response to the second request; or sending, by the second device, first feedback information to the first device after first duration after sending the first access policy to the first device, wherein the first feedback information is used by the first device to delete or disable the first access policy.
- The method according to claim 8 or 9, wherein the second device stores a plurality of access policies, and the plurality of access policies comprise one or more of the following: access policies respectively corresponding to a plurality of restriction levels of the first environment; access policies respectively corresponding to a plurality of restriction categories for functions of electronic devices in the first environment; access policies respectively corresponding to a plurality of device types of electronic devices in the first environment, or access policies respectively corresponding to a plurality of login users of electronic devices in the first environment; access policies respectively corresponding to a plurality of time periods in the first environment; and access policies respectively corresponding to a plurality of areas in the first environment.
- The method according to any one of claims 8 to 10, wherein after the sending, by the second device, the first access policy to the first device, the method further comprises: receiving, by the second device, an execution status of the first access policy sent by the first device, wherein the execution status of the first access policy comprises: an executed state, and an execution-refused state; and when the execution status is the execution-refused state, outputting, by the second device, information about the first device, or sending, by the second device, first prompt information to the first device.
- The method according to claim 8, wherein after the sending, by the second device, a second access policy to the third device through the first device, the method further comprises: receiving, by the second device, an execution status that is of executing the second access policy by the third device and that is obtained by the first device, wherein the execution status of the second access policy comprises: an executed state, and an execution-refused state; and when the execution status of the second access policy is the execution-refused state, outputting, by the second device, the information about the third device, or sending, by the second device, second prompt information to the third device.
- An electronic device (200), comprising: a memory (202) and one or more processors (201), wherein the memory is coupled to the one or more processors, the memory is configured to store computer program code, the computer program code comprises computer instructions, and the one or more processors invoke the computer instructions to enable a computer to perform the method according to any one of claims 8 to 12.
- A computer-readable storage medium, comprising instructions, wherein when the instructions are run on an electronic device, the electronic device is enabled to perform the method according to any one of claims 8 to 12.
- A computer program product, wherein when the computer program product is run on a computer, the computer is enabled to perform the method according to any one of claims 8 to 12.
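An added sketch, not part of the patent text and not the applicant's implementation, of the flow in claims 1, 2, 4 and 7: the second device selects a policy from request attributes, the first device executes or refuses it, the policy lapses after its duration or outside its area, and a refusal is reported back. The policy names, function names, the `(device type, area)` lookup key and the choice to delete rather than disable a lapsed policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccessPolicy:
    name: str
    denied: frozenset                  # functions the first device cannot perform
    duration_s: Optional[int] = None   # "second duration" in claim 4 (seconds)
    area: Optional[str] = None         # "first area" in claim 4

# Constructed policy store on the second device, keyed by (device type, area).
POLICIES = {
    ("phone", "lab"): AccessPolicy("lab-phone", frozenset({"camera", "recording"}), 3600, "lab"),
    ("laptop", "lab"): AccessPolicy("lab-laptop", frozenset({"usb_storage"}), 3600, "lab"),
}
DEFAULT = AccessPolicy("default", frozenset({"recording"}))

def select_policy(device_type: str, area: str) -> AccessPolicy:
    """Second device, step 102: pick a policy from attributes of the request."""
    return POLICIES.get((device_type, area), DEFAULT)

class FirstDevice:
    def __init__(self) -> None:
        self.policy: Optional[AccessPolicy] = None
        self.received_at = 0

    def receive(self, policy: AccessPolicy, now: int, accept: bool = True) -> str:
        """Steps 104/105: execute or refuse; the return value is the reported status."""
        if accept:
            self.policy, self.received_at = policy, now
        return "executed" if accept else "execution-refused"

    def may_perform(self, function: str, now: int, area: str) -> bool:
        """Claim 2 check, after applying the claim 4 expiry conditions."""
        p = self.policy
        if p is None:
            return True
        expired = p.duration_s is not None and now - self.received_at > p.duration_s
        outside = p.area is not None and area != p.area
        if expired or outside:
            self.policy = None         # delete the policy; a new request is needed
            return True
        return function not in p.denied

def handle_status(device_id: str, status: str) -> Optional[str]:
    """Second device, claim 7: output information about a refusing device."""
    if status == "execution-refused":
        return f"policy refused by {device_id}"
    return None
```

In this sketch a device that refuses the policy stays unrestricted, so the execution status it reports is the second device's only signal that the policy is not in force.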
Description
TECHNICAL FIELD
This application relates to the field of terminals and communications technologies, and in particular, to an access control method and a related apparatus.

BACKGROUND
At present, electronic devices such as a mobile phone, a tablet, and a computer have gradually become portable products for people. When a user carrying an electronic device such as a mobile phone enters a specific place or area, a management party usually restricts functions of the electronic device that enters the specific environment, for example, no recording, no photographing, or no access to specific resources.
To restrict functions of the electronic device when the electronic device enters a specific environment, there is an existing solution in which the management party notifies the user carrying the electronic device of an access requirement for the electronic device in the specific environment, and the user actively configures a corresponding policy to restrict the functions of the electronic device.
However, the method can only be performed through management means. The management party requires the user to actively comply with the access requirement for the electronic device in the specific environment. This depends on the user's own diligence, and cannot fully ensure that the user complies.
US 2006/0191017 A1 relates to an access control management method, an access control management system and a terminal device with an access control management function which dynamically change a function to be used of a terminal device having a wired communication function or a radio communication function.
US 2008/0148350 A1 relates to a system and method for implementing security features and policies between paired devices.
US 2015/0050922 A1 relates to enterprise security, and more particularly to a location based mobile device security enforcement system.
US 2007/0185980 A1 relates to devices that automatically adjust policies based upon environmental factors.
US 2014/0038577 A1 relates to prohibiting electronic device usage based on geographical location.
In other words, in a specific environment, how to ensure that an electronic device entering the specific environment can comply with a corresponding access requirement is an urgent problem to be resolved currently.

SUMMARY
This application provides an access control method and a related apparatus. According to the access control method, a user can directly obtain an access policy corresponding to a specific environment without performing complex operations, and a management party device may send different access policies for different electronic devices, to improve user experience.
The present invention is defined according to the independent claims. The dependent claims recite advantageous embodiments of the invention.
According to the technical solutions provided in embodiments of this application, the electronic device can directly obtain an access policy corresponding to a specific environment without performing complex operations. In addition, the management party device may select different access policies based on information about different electronic devices, or the management party device may formulate an access policy for a specific environment. For different electronic devices in a specific environment, the management party device may restrict different functions of the different electronic devices, to improve a management and monitoring effect of the management party on the electronic device carried by the user.

BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a schematic diagram of a structure of a communications system 1000 according to an embodiment of this application;
FIG. 2 is a diagram of a hardware structure of an electronic device 100 according to an embodiment of this application;
FIG. 3 is a diagram of a hardware structure of an electronic device 200 according to an embodiment of this application;
FIG. 4A to FIG. 4I show a group of user interfaces according to an embodiment of this application;
FIG. 5A and FIG. 5B show another group of user interfaces according to an embodiment of this application;
FIG. 6A to FIG. 6F show another group of user interfaces according to an embodiment of this application;
FIG. 7 is an overall schematic flowchart of an access control method according to an embodiment of this application;
FIG. 8 is a block diagram of a software structure of an electronic device 100 according to an embodiment of this application;
FIG. 9 is a schematic diagram of an example of an information flow according to an embodiment of this application; and
FIG. 10 is a block diagram of a software structure of an electronic device 200 according to an embodiment of this application.

DESCRIPTION OF EMBODIMENTS
The technical solutions according to embodiments of this application are clearly and completely described in the following with reference to the accompanying drawings. In descriptions of embodiments of this application, "/" indicates "or" unless otherwise