EP-4740393-A1 - METHODS, DEVICES AND STORAGE MEDIUM FOR DATA ACCESS CONTROL

Abstract

Embodiments of the present disclosure provide methods, devices, and storage medium for data access control. In a method, a communication device receives a request for accessing Network Configuration Protocol (NETCONF) data. The communication device determines one or more access rules for a target user associated with the received request. Then, the communication device determines a target access rule from the one or more access rules based on information about respective priority of the one or more access rules. Based on the target access rule, the communication device determines an access right of the target user for accessing the NETCONF data.

Inventors

  • AI, Zhaoyu
  • QIN, Xing
  • ZHANG, PENGFEI
  • LIU, Daiying

Assignees

  • Telefonaktiebolaget LM Ericsson (publ)

Dates

Publication Date: 2026-05-13
Application Date: 2023-10-31

Claims (20)

  1. A method (200) implemented at a communication device (110), the method (200) comprising: receiving (210) a request for accessing Network Configuration Protocol, NETCONF, data; determining (220) one or more access rules for a target user (150) associated with the received request; determining (230) a target access rule from the one or more access rules based on information about respective priority of the one or more access rules; and determining (240), based on the target access rule, an access right of the target user (150) for accessing the NETCONF data.
  2. The method (200) of claim 1, further comprising: generating access control data associated with the NETCONF data, the access control data including the one or more access rules and the information about the respective priority of the one or more access rules.
  3. The method (200) of claim 2, wherein the access control data has respective priority attributes for the one or more access rules, and the priority attributes indicate the information about the respective priority of the one or more access rules.
  4. The method (200) of claim 3, further comprising: receiving a configuration for adding a priority attribute for an access rule, wherein the access control data is generated based on the received configuration.
  5. The method (200) of any of claims 2-4, wherein the access control data is based on a network configuration access control model.
  6. The method (200) of any of claims 1-5, wherein the information about the respective priority of the one or more access rules comprises at least one of a default priority level, a defined priority level, or a priority weight for the one or more access rules.
  7. The method (200) of any of claims 1-6, wherein the one or more access rules comprises a first plurality of access rules associated with the target user, and the first plurality of access rules has respective first priority levels, and determining (230) the target access rule from the one or more access rules comprises: determining the target access rule from the first plurality of access rules based on a comparison among the respective first priority levels of the first plurality of access rules.
  8. The method (200) of claim 7, wherein determining the target access rule from the first plurality of access rules comprises: determining a second plurality of access rules from the first plurality of access rules, the second plurality of access rules having a same first priority level and respective priority weights; determining respective second priority levels for the second plurality of access rules by applying the respective priority weights of the second plurality of access rules to the first priority level; and determining the target access rule from the second plurality of access rules based on a comparison among the respective second priority levels of the second plurality of access rules.
  9. A method (400) implemented at a communication device (110), the method (400) comprising: generating (410) access control data associated with Network Configuration Protocol, NETCONF, data, the access control data including a plurality of lists of access rules, the plurality of lists of access rules being mapped to a plurality of operator roles of users; receiving (420) a request for accessing the NETCONF data; and determining, based on at least one target list of access rules from the plurality of lists of access rules, an access right of a target user (150) for accessing the NETCONF data, wherein the at least one target list of access rules is mapped to at least one operator role of the target user (150) and the target user (150) is associated with the received request.
  10. The method (400) of claim 9, further comprising: receiving a login request associated with the target user; determining the at least one operator role of the target user; and associating the target user (150) with the at least one target list of access rules, based on the mapping between the at least one target list of access rules and the at least one operator role of the target user.
  11. The method (400) of claim 10, further comprising: receiving a logoff request associated with the target user; and disassociating the target user (150) with the at least one target list of access rules.
  12. The method (400) of claim 10 or 11, wherein generating the access control data comprises: creating a plurality of groups of users for the plurality of operator roles; and creating the plurality of lists of access rules associated with the plurality of groups of users, wherein the access control data includes the plurality of lists of access rules and the plurality of groups of users.
  13. The method (400) of claim 12, wherein associating the target user (150) with the at least one target list of access rules comprises: determining, based on the at least one operator role of the target user, at least one group of users from the plurality of groups of users, wherein the at least one group of users is associated with the at least one target list of access rules; and adding the target user (150) to the at least one group of users.
  14. The method (400) of claim 13, wherein disassociating the target user (150) with the at least one list of access rules comprises: deleting the target user (150) from the at least one group of users.
  15. The method (400) of any of claims 12-14, further comprising: causing the plurality of lists of access rules to be stored in association with the plurality of groups of users in a database (120).
  16. The method (400) of any of claims 10-15, wherein determining the at least one operator role of the target user (150) comprises: obtaining the at least one operator role of the target user (150) from at least one of: a local configuration associated with the target user, or an authentication and authorization server (130) .
  17. The method (400) of any of claims 9-16, wherein the access control data is based on a network configuration access control model.
  18. A communication device (110, 900), comprising: a processor (905); and a memory (910), the memory (910) containing instructions (915) executable by the processor (905), whereby the communication device (110, 900) is operative to: receive (210) a request for accessing NETCONF data; determine (220) one or more access rules for a target user (150) associated with the received request; determine (230) a target access rule from the one or more access rules based on information about respective priority of the one or more access rules; and determine (240), based on the target access rule, an access right of the target user (150) for accessing the NETCONF data.
  19. The communication device (110, 900) of claim 18, wherein the communication device (110, 900) is further operative to implement the method (200) according to any of claims 2-8.
  20. A communication device (110, 900), comprising: a processor (905); and a memory (910), the memory (910) containing instructions (915) executable by the processor (905), whereby the communication device (110, 900) is operative to: generate (410) access control data associated with NETCONF data, the access control data including a plurality of lists of access rules, the plurality of lists of access rules being mapped to a plurality of operator roles of users; receive (420) a request for accessing the NETCONF data; and determine (430), based on at least one target list of access rules from the plurality of lists of access rules, an access right of a target user (150) for accessing the NETCONF data, wherein the at least one target list of access rules is mapped to at least one operator role of the target user (150) and the target user (150) is associated with the received request.

Description

METHODS, DEVICES AND STORAGE MEDIUM FOR DATA ACCESS CONTROL

TECHNICAL FIELD

The non-limiting embodiments of the present disclosure generally relate to the technical field of telecommunications, and specifically to methods, devices, and storage medium for data access control.

BACKGROUND

This section introduces aspects that may facilitate a better understanding of the disclosure. Accordingly, the statements of this section are to be read in this light and are not to be understood as admissions about what is in the prior art or what is not in the prior art.

Network Configuration Protocol (NETCONF) is a network management protocol developed and standardized by the Institute of Electrical and Electronics Engineers (IETF). It was developed in the NETCONF working group and published in December 2006 as Request for Comments (RFC) 4741, and later revised in June 2011 and published as RFC 6241. The NETCONF protocol specification is an Internet Standards Track document. NETCONF provides mechanisms to install, manipulate, and delete configurations of network devices. NETCONF operations are implemented on top of a simple Remote Procedure Call (RPC) layer. The NETCONF protocol uses an Extensible Markup Language (XML) based data encoding for configuration data as well as protocol messages. The protocol messages are exchanged on top of a secure transport protocol.

The standardization of network configuration interfaces for use with the NETCONF or Representational State Transfer Configuration Protocol (RESTCONF) protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability.

SUMMARY

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

Network Configuration Access Control Model (NACM) is a standard mechanism to restrict NETCONF or RESTCONF protocol-based access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol-based operations and content. However, the use of NACM is complex and error-prone, which burdens users, increases their workload, and introduces security risks.

To overcome or mitigate at least one of the above-mentioned problems or other problems, or to provide a useful solution, embodiments of the present disclosure propose methods, devices, and storage medium for data access control.

In a first aspect of the present disclosure, there is provided a method implemented at a communication device. In the method, the communication device receives a request for accessing Network Configuration Protocol (NETCONF) data. The communication device determines one or more access rules for a target user associated with the received request. Then, the communication device determines a target access rule from the one or more access rules based on information about respective priority of the one or more access rules. Based on the target access rule, the communication device determines an access right of the target user for accessing the NETCONF data.

In an embodiment, the communication device may generate access control data associated with the NETCONF data. The access control data may include the one or more access rules and the information about the respective priority of the one or more access rules.

In an embodiment, the access control data may have respective priority attributes for the one or more access rules, and the priority attributes indicate the information about the respective priority of the one or more access rules.

In an embodiment, the communication device may receive a configuration for adding a priority attribute for an access rule. The access control data may be generated based on the received configuration.

In an embodiment, the access control data may be based on a network configuration access control model.

In an embodiment, the information about the respective priority of the one or more access rules may comprise at least one of a default priority level, a defined priority level, or a priority weight for the one or more access rules.

In an embodiment, the one or more access rules may comprise a first plurality of access rules associated with the target user, and the first plurality of access rules has respective first priority levels.

In an embodiment, the communication device may determine the target access rule from the first plurality of access rules based on a comparison among the respective first priority levels of the first plurality of access rules.

In an embodiment, the communication device may determine a second plurality of access rules from the first plurality of access rules, the second plurality of access rules having a same first priority level and respective priority weights. Then, the commun
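The rule selection of claims 7 and 8 (compare first priority levels, then break ties with priority weights) and the operator-role mapping of claims 9 to 14 (rule lists reached through per-role user groups that login and logoff maintain), worked through as an added Python example that is not part of the patent or of any Ericsson implementation. It assumes that a higher level wins, that the second priority level is the level multiplied by the weight, a default level of 1 and weight of 1.0 for rules without attributes, deny when no rule matches, and constructed rule data; the patent leaves these choices open.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRule:
    path: str              # NETCONF data subtree the rule covers (prefix match)
    operations: frozenset  # NACM-style operations: read/create/update/delete/exec, or "*"
    action: str            # "permit" or "deny"
    priority: int = 1      # priority level; 1 is the assumed default when no attribute is set
    weight: float = 1.0    # priority weight, used only to break ties between equal levels
def target_rule(rules, path, operation):
    """Claims 7/8: among rules covering the request, compare first priority levels; for rules
    tied at the highest level, apply the weight (assumed: level * weight) and compare again."""
    hits = [r for r in rules
            if path.startswith(r.path) and (operation in r.operations or "*" in r.operations)]
    if not hits:
        return None
    top = max(r.priority for r in hits)
    return max((r for r in hits if r.priority == top), key=lambda r: r.priority * r.weight)
class RoleBasedNacm:
    """Claims 9-14: a rule list per operator role via a user group per role; login/logoff maintain membership."""
    def __init__(self, role_rules):
        self.role_rules = role_rules
        self.groups = {role: set() for role in role_rules}
    def login(self, user, roles):  # roles come from local config or the AAA server (claim 16)
        for role in roles:
            self.groups[role].add(user)
    def logoff(self, user):
        for members in self.groups.values():
            members.discard(user)
    def decide(self, user, path, operation):
        """Access right from the target rule; no matching rule means deny (assumed default)."""
        rules = [r for role, members in self.groups.items() if user in members
                 for r in self.role_rules[role]]
        hit = target_rule(rules, path, operation)
        return "deny" if hit is None else hit.action
# Constructed sample data: two operator roles whose rules collide on the same subtree.
IFACES = "/ietf-interfaces:interfaces"
ROLE_RULES = {
    "netadmin": [AccessRule(IFACES, frozenset({"read", "update"}), "permit", priority=2)],
    "auditor": [AccessRule(IFACES, frozenset({"read"}), "permit"),
                AccessRule(IFACES, frozenset({"update"}), "deny", priority=2, weight=1.5)],
}
def demo():
    """Returns (update right, read right) while logged in and the read right after logoff."""
    nacm = RoleBasedNacm(ROLE_RULES)
    nacm.login("alice", ["netadmin", "auditor"])
    update = nacm.decide("alice", IFACES + "/interface=eth0", "update")  # tie at level 2: 3.0 deny > 2.0 permit
    read = nacm.decide("alice", IFACES, "read")  # level 2 permit outranks the level 1 auditor rule
    nacm.logoff("alice")
    return update, read, nacm.decide("alice", IFACES, "read")
```

The weighted tie-break is what lets a deny rule from one role override a permit at the same level from another role a user holds, which plain first-match NACM ordering cannot express across separate rule lists.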