A system and method for automatically constructing access control policies for high-level information systems

An access control policy technology for information systems, applied in the field of network system access control, that can solve problems such as the inability to perform "write" operations, failure of users to access resources, and operation failures.

Active Publication Date: 2022-07-12
THE THIRD RES INST OF MIN OF PUBLIC SECURITY

AI Technical Summary

Problems solved by technology

For example, in an FTP-based application system, a user is, according to regulations, not permitted to "write" a file. When the user logs in through an FTP client to access the file, the "write" operation on the file is not allowed, but when the user logs in directly to the operating system, he can "write" the file, resulting in an omission in access control.
[0005] 2) Conflicts in access control
[0006] That is, the user is allowed access at a higher level but not at a lower level, so the user's access to resources fails.
For example, in an office system, a certain user is, according to regulations, able to "approve" a certain official document, and the access control policy of the office application system assigns the user the "approve" capability. At the operating system level, the "approve" operation may be transformed into multiple operations on operating system resources. If one of those operations is prohibited, the "approve" operation fails and an access control conflict occurs.
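The two failure modes described above can be detected mechanically once each application-level operation is mapped to the operating-system operations that realise it. The following is an added example, not code from the patent: it assumes a simplified two-layer model, and every user name, path, and policy entry in it is constructed for illustration.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    kind: str        # "omission" or "conflict"
    user: str
    high_op: tuple   # (operation, resource) at the application layer
    low_ops: tuple   # OS-layer operations that cause the finding

def check_layers(high, low, mapping):
    """Compare an application-layer policy with the OS-layer policy beneath it.

    high:    {(user, op, resource): bool}  application-layer decisions
    low:     {(user, op, resource): bool}  OS-layer decisions (missing = deny)
    mapping: {(op, resource): [(os_op, os_resource), ...]}  how each
             application operation is realised on OS resources
    """
    findings = []
    for (user, op, res), allowed in sorted(high.items()):
        os_ops = mapping.get((op, res), [])
        if not os_ops:
            continue  # nothing to compare against at the lower layer
        permitted = [o for o in os_ops if low.get((user, *o), False)]
        denied = [o for o in os_ops if o not in permitted]
        if not allowed and not denied:
            # Denied above, fully permitted below: the upper check can be bypassed.
            findings.append(Finding("omission", user, (op, res), tuple(permitted)))
        elif allowed and denied:
            # Allowed above, but a required lower-layer step is prohibited.
            findings.append(Finding("conflict", user, (op, res), tuple(denied)))
    return findings

# Constructed sample data mirroring the FTP "write" and office "approve" cases.
MAPPING = {
    ("write", "ftp:/pub/report.doc"): [("write", "/srv/ftp/pub/report.doc")],
    ("approve", "office:doc-17"): [("read", "/var/office/doc-17"),
                                   ("write", "/var/office/doc-17.status")],
}
HIGH = {
    ("alice", "write", "ftp:/pub/report.doc"): False,
    ("bob", "approve", "office:doc-17"): True,
}
LOW = {
    ("alice", "write", "/srv/ftp/pub/report.doc"): True,
    ("bob", "read", "/var/office/doc-17"): True,
    ("bob", "write", "/var/office/doc-17.status"): False,
}

if __name__ == "__main__":
    for finding in check_layers(HIGH, LOW, MAPPING):
        print(finding)
```

A policy set is consistent across the two layers when `check_layers` returns an empty list.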


Embodiment Construction

[0041] In order to make it easy to understand the technical means, creation features, achieved goals and effects of the present invention, the present invention will be further described below with reference to the specific figures.

[0042] To address the problem that existing access control systems are incomplete and cannot provide correlation, integrity and consistency of access control, this example builds a high-level information system access control policy automation construction platform (i.e., system) to effectively resolve access control omissions and conflicts.

[0043] See Figure 1, which shows an example of the composition of the high-level information system access control policy automation construction platform given in this example.

[0044] As can be seen from the figure, the high-level information system access control policy automation construction platform 100 is mainly composed of an information resource collection module 110, an access control mechanism hierarchi...


Abstract

The invention discloses a system and a method for automatically constructing an access control policy for a high-level information system. The scheme is based on an information resource collection module, an access control mechanism hierarchical division module, a subject-object and relationship sorting module, a high-level requirement step-by-step refinement module, and an automatic policy generation module. The information resource collection module collects information resources for the software and hardware products in the entire network system; the access control mechanism hierarchical division module divides the access control mechanism into levels; the subject-object and relationship sorting module analyzes the entire network system and sorts out the subjects, the objects and their relationship structure; the high-level requirement step-by-step refinement module gradually refines the business access requirements and the operation and maintenance management access requirements; and the automatic policy generation module generates access control policies for each access control mechanism level. This solution enables accurate access control over users of the network system, no matter which level they access resources from.

Description

Technical field

[0001] The invention relates to network security level protection technology, in particular to access control technology for a network system.

Background technique

[0002] At present, the access control points in the entire network system are independent and have no relationship with each other, which leads to the phenomenon of "no correlation, no integrity and no consistency" in the access control process when users access resources. This phenomenon is mainly reflected in the following two aspects:

[0003] 1) Missing access control

[0004] That is, users are not allowed to access at a higher level, but are allowed to access at a lower level, so that access control over the user's access to resources can be bypassed. For example, in an FTP-based application system, a user is, according to regulations, not permitted to "write" a file. When the user logs in through an FTP client to access the file, the "write" operation on the file is not allowed, but when ...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): H04L9/40
CPC: H04L63/205, H04L63/105
Inventor: 陶源李末岩胡巍
Owner: THE THIRD RES INST OF MIN OF PUBLIC SECURITY