A Method of User Authorization on Demand Supporting Least Privilege

A user-authorization technology, classified under instruments, digital data authentication and electronic digital data processing, which addresses incomplete operations, security risks and non-compliance with the principle of least privilege, and achieves the effect of minimizing granted authority.

Active Publication Date: 2018-02-06
NAT UNIV OF DEFENSE TECH

AI Technical Summary

Problems solved by technology

Systems often involve many permissions. If many permissions are bound to one role, every user associated with that role gains broad operating authority, which violates the principle of least privilege and readily introduces security risks; if each role carries only a few permissions, a user associated with only that role is often unable to complete all of the required operations.
In summary, in prior-art user authorization schemes the relevant authority is granted to the administrative user all at once, which does not conform to the principle of least privilege and may easily introduce security risks.


Embodiment Construction

[0045] As shown in figure 1, the implementation steps of the least-privilege on-demand user authorization method in this embodiment are as follows:

[0046] 1) Establish multiple roles in the operating system and set an authentication password for each role; define the different permissions that different applications in the operating system need in order to run as different permission types; and enforce that one user may be associated with multiple roles but holds only one role at any given time, and that a role may be associated with multiple permission types but holds only one permission type at any given time;

[0047] 2) When a user logs in to the operating system, set a role for the user and associate the permission type of that role, and provide the user with an explicit conversion function by which, during operation of the operating system, the user specifies the required role and permission type to convert to. When the user initiates a c...


Abstract

The invention discloses a user on-demand authorization method capable of supporting least privilege. The method comprises the following implementation steps: establishing a plurality of roles in an operating system and setting a verification password for each role; defining the different permission classes needed to run different application programs as different permission types; associating a user, at login, with the corresponding role and with the corresponding permission type of that role, where role conversion or permission type conversion can be carried out according to program requirements; and finally extracting the user's current role and permission type information, judging on the basis of the current role and permission type whether the program requested by the user is allowed to execute, executing the requested program if so, and otherwise prohibiting its execution. With this method, authorization is carried out according to the actual permission requirements of different applications, so that when the user executes an application it holds only the permissions associated with completing its normal function; security is guaranteed, system usability is improved, generality is high, and the range of application is wide.
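The flow in the abstract and in embodiment steps 1) and 2) above can be modelled as a small policy engine: users hold a set of roles but exactly one is active; roles hold a set of permission types but exactly one is active; an explicit conversion switches role (checked against that role's password) or permission type; and the execution decision is taken only from the current role and permission type. The following Python is an added example written for this page, not the patent's own code. The class names, the assumption that role conversion re-verifies the target role's password, the PBKDF2 password hashing, the rule that unregistered programs are denied, and the sample policy at the bottom are all this example's own choices.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example modelling the patent's on-demand authorization scheme.
# All names, the password-hash choice and the sample policy are assumptions
# of this example; the patent text defines no API.


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Role:
    name: str
    salt: bytes
    pw_hash: bytes
    permission_types: frozenset  # types this role MAY hold; only one is active at a time

    @classmethod
    def create(cls, name: str, password: str, permission_types) -> "Role":
        salt = os.urandom(16)
        return cls(name, salt, _hash_password(password, salt), frozenset(permission_types))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))


@dataclass
class Session:
    user: str
    role: str             # exactly one active role
    permission_type: str  # exactly one active permission type of that role


class AuthorizationSystem:
    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.user_roles: dict[str, frozenset] = {}  # user -> roles it MAY assume
        self.program_needs: dict[str, str] = {}     # program -> permission type it requires

    def add_role(self, name: str, password: str, permission_types) -> None:
        self.roles[name] = Role.create(name, password, permission_types)

    def add_user(self, name: str, roles) -> None:
        self.user_roles[name] = frozenset(roles)

    def register_program(self, program: str, permission_type: str) -> None:
        self.program_needs[program] = permission_type

    def _activate(self, user: str, role_name: str, password: str, permission_type: str) -> Session:
        # Step 1 constraints: user must be associated with the role, the role's
        # password must verify, and the role must be able to hold the requested type.
        if role_name not in self.user_roles.get(user, frozenset()):
            raise PermissionError(f"{user} is not associated with role {role_name}")
        role = self.roles[role_name]
        if not role.verify(password):
            raise PermissionError(f"bad password for role {role_name}")
        if permission_type not in role.permission_types:
            raise PermissionError(f"role {role_name} cannot hold permission type {permission_type}")
        return Session(user, role_name, permission_type)

    def login(self, user: str, role_name: str, password: str, permission_type: str) -> Session:
        return self._activate(user, role_name, password, permission_type)

    def switch_role(self, session: Session, role_name: str, password: str, permission_type: str) -> Session:
        # Explicit role conversion (step 2); the old session is replaced, never widened.
        return self._activate(session.user, role_name, password, permission_type)

    def switch_permission_type(self, session: Session, permission_type: str) -> Session:
        # Explicit permission-type conversion within the current role.
        if permission_type not in self.roles[session.role].permission_types:
            raise PermissionError(f"role {session.role} cannot hold permission type {permission_type}")
        return Session(session.user, session.role, permission_type)

    def authorize_program(self, session: Session, program: str) -> bool:
        # Final step: decide only from the CURRENT role and permission type.
        needed = self.program_needs.get(program)
        if needed is None:
            return False  # unregistered program: denied (this example's choice)
        return session.permission_type == needed and needed in self.roles[session.role].permission_types


def build_demo() -> AuthorizationSystem:
    """Constructed sample policy for the example; not taken from the patent."""
    system = AuthorizationSystem()
    system.add_role("operator", "op-secret", {"backup", "service"})
    system.add_role("auditor", "audit-secret", {"log_read"})
    system.add_user("alice", {"operator", "auditor"})
    system.register_program("/usr/bin/backup", "backup")
    system.register_program("/usr/bin/servicectl", "service")
    system.register_program("/usr/bin/logview", "log_read")
    return system


if __name__ == "__main__":
    s = build_demo()
    sess = s.login("alice", "operator", "op-secret", "backup")
    print(s.authorize_program(sess, "/usr/bin/backup"))      # allowed: current type is backup
    print(s.authorize_program(sess, "/usr/bin/servicectl"))  # denied until converted
    sess = s.switch_permission_type(sess, "service")
    print(s.authorize_program(sess, "/usr/bin/servicectl"))  # allowed after conversion
    sess = s.switch_role(sess, "auditor", "audit-secret", "log_read")
    print(s.authorize_program(sess, "/usr/bin/backup"))      # denied: auditor cannot hold backup
```

The point the model makes concrete is that a user who is entitled to several roles never holds their union: every conversion returns a fresh session carrying exactly one role and one permission type, so a compromised backup program running under the operator role cannot also control services or read audit logs without an explicit, password-checked conversion.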

Description

Technical field
[0001] The invention relates to the field of user authority management in computer systems, and in particular to a method of on-demand user authorization that supports least privilege.
Background art
[0002] With the deepening of informatization, more and more core business is built on information systems, so ensuring the security and stability of information systems is becoming increasingly important. To address this, in addition to providing normal service functions, a system also needs to check operating authority in order to enforce corresponding access control.
[0003] Access control is an important technology in the field of information security. It prevents unauthorized users from interacting with specific resources in particular ways while ensuring that authorized users are not refused. Based on whether a strict ordering exists between the subject set and the object set, access control is mainly divided ...


Application Information

Patent Type & Authority Patents(China)
IPC(8): G06F21/31, G06F21/51
CPC: G06F21/31, G06F21/604, G06F2221/2141
Inventor 吴庆波董攀孙利杰廖湘科罗军陈松政魏立峰黄辰林戴华东唐晓东丁滟
Owner NAT UNIV OF DEFENSE TECH