A dynamic authorization method and system based on user context and policy

Abstract

The invention discloses a dynamic authorization method and system based on user context and strategy. The system includes a dynamic authorization pre-module, a dynamic authorization engine module, a dynamic authority group module, and a dynamic authority policy configuration module. When a user initiates a request to the client, the client collects the user context information and verifies whether it has been authorized. If the user is not authorized, the client uploads the context information to the server; the server verifies whether the user has the right to access resources, If the user has no authority, the user authority is dynamically calculated according to the context information. If the calculation result meets the set access authorization requirements, the user is granted the access authority to the resource in real time. The present invention is different from the traditional method of using static authority configuration to realize user and resource authorization, and the present invention is oriented to more convenient, safe and efficient authorization management in use and equipment scenarios.

Description

technical field [0001] The invention belongs to the technical field of dynamic authorization, and in particular relates to a dynamic authorization method and system based on user context and policies. Background technique [0002] With the rapid development and wide application of Internet technology, the scale of enterprises continues to expand, and the data of enterprise information resources is becoming more and more diversified. A major problem faced by the information management system. Therefore, the authority access control of information resources occupies an important position in the design and development of information systems. [0003] Authority management appears in almost any IT system, and user authorization is an indispensable part of IT system management. The traditional method is to configure the corresponding permissions uniformly by the administrator according to users, attributes, etc. The basic idea of ​​the main authorization implementation scheme a...

AI Technical Summary

Problems solved by technology

[0007] 4.MAC: (Mandatory Access Control) mandatory access control, all access control policies are formulated by the system administrator, and users cannot change them

This deficiency makes the RBAC model difficult to apply to entity systems that require a strict order of operations

[0010] 2) DAC: The biggest defect is that the authority control is relatively scattered, which is not easy to manage. For example, it is impossible to simply set a unified authority for a group of files and open it to a designated group of users

At the same time, this model has a large security risk. When a security crack occurs in a program, it will affect all objects that the user can access

This makes the DAC particularly vulnerable to Trojan horses

[0011] 3) ABAC: The ABAC permission control model requires complex calculations on resource attributes, and is not widely used because of its complexity. If the rules are a little more complicated or the design is chaotic, it will cause trouble for managers to maintain and trace. At the same time, if Permission judgment needs to be executed in real time, too many rules will lead to performance problems

[0012] 4) MAC: MAC was born to make up for the problem of over-dispersion of DAC authority control. MAC is very suitable for confidential institutions or other industries with a strong sense of hierarchy, but for similar commercial service systems, it cannot be applied because it is not flexible enough

Images